This project is an ongoing experiment testing the theoretical aspects of side-channel attacks on cryptographic operations such as signature verification. Currently this tool can execute a timing attack against a local or remote server that uses a linear-time equality check to verify a signature. Unfortunately, time is not yet being measured in the most precise way (it relies on the Python urllib module).
- Find a more accurate way to measure response times such as TCP RTT
- Write unit tests for determining the byte based on timestamps
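
The linear-time equality check described above, next to a constant-time replacement, as an added example that is not code from this project. `SECRET_KEY`, the HMAC-SHA256 signing scheme and all function names are assumptions; counting byte comparisons stands in for measuring time so the result is deterministic.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed value, not from the project


def sign(event_id: str) -> bytes:
    """Hex signature a hypothetical server attaches to an event id URL."""
    return hmac.new(SECRET_KEY, event_id.encode(), hashlib.sha256).hexdigest().encode()


def linear_equals(expected: bytes, supplied: bytes):
    """Linear-time check with early exit; returns (match, byte comparisons done)."""
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            return False, steps  # work done grows with the matching prefix
    return True, steps


def verify_vulnerable(event_id: str, supplied: bytes) -> bool:
    return linear_equals(sign(event_id), supplied)[0]


def verify_hardened(event_id: str, supplied: bytes) -> bool:
    # compare_digest's running time does not depend on where the inputs differ.
    return hmac.compare_digest(sign(event_id), supplied)


def leak_profile(event_id: str, prefix_len: int) -> int:
    """Comparisons performed when exactly the first prefix_len bytes are correct."""
    good = sign(event_id)
    # Flip one bit in the byte right after the prefix so the check fails there.
    wrong = good[:prefix_len] + bytes([good[prefix_len] ^ 1]) + good[prefix_len + 1:]
    return linear_equals(good, wrong)[1]


if __name__ == "__main__":
    for n in (0, 1, 4, 8):
        print(n, "correct bytes ->", leak_profile("19295929", n), "comparisons")
```

The comparison count rises by one for each additional correct leading byte, which is the signal the timing measurements try to recover; `verify_hardened` removes that dependence.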
git clone git@github.com:dkhonig/web_timing_attack.git
pip install -r requirements.txt
./server.py
./web_timing_attack.py (look at usages below)
usage: web_timing_attack.py [-h] [-u URL] [-i ITERATIONS] [-b BYTES]
                            [-e EVENTID] [-f] [-v] [--version]

Timing attack against event id url signatures.

optional arguments:
  -h, --help     show this help message and exit
  -u URL         The target url.
  -i ITERATIONS  The # of iterations to perform per byte. Default is 2.
  -b BYTES       The # of bytes to guess. Default is 8.
  -e EVENTID     The EventID. Default is 19295929.
  -f             Save data to CSVs.
  -v             Log to console in debug mode.
  --version      show program's version number and exit

- Fork it!
- Create your feature branch:
git checkout -b my-new-feature
- Commit your changes:
git commit -am 'Add some feature'
- Push to the branch:
git push origin my-new-feature
- Submit a pull request :D
The underlying source code used in this project is licensed under the MIT license.