"Since the timing characteristics of symmetric algorithms are not as key dependent as asymmetric algorithms, they are more resistant against timing attacks."
This is largely but not absolutely true.
Data-dependent (including key-dependent) timing characteristics come essentially from
- Conditional execution, as occur in if this bit of the secret exponent/multiplier is set, then… common in RSA and ECC. There is rarely such thing in symmetric algorithms, and when there is the potential of having such conditional execution (e.g. in AES, XOR with a fixed polynomial when a bit shifted out is set), there are easy alternatives without.
- Multiplication, which on many CPUs takes time dependent on the argument. There is rarely such thing in symmetric algorithms (exception: IDEA), but that's central to RSA and ECC (except on binary curves).
- Division (seldom used in symmetric crypto, and at the instruction level in asymmetric crypto too, because it's slow, especially when there is no hardware support).
- Data-dependent rotation; that's rare (exception: RC5, RC6).
- Table lookups (e.g. substitution tables), due to cache effects. This is common in some symmetric algorithms including DES and AES, and the most important exception to the quote. However there is no table lookup in many other algorithms, including hashes (e.g. SHA-256) and the Chacha stream cipher. And cache-dependent timing dependencies are small and thus rather hard to exploit remotely (that's another matter when adversaries have a foot in the CPU: they can make timing measurements with better accuracy, and can flush the cache; they can also probe the cache, but then that's no longer a pure timing attack).
Note: the quote suggests that only key-dependent timing variations matter. This is not entirely true: any timing dependency on non-public data could in theory be a potential attack vector, in that it can leak information on the data.
