AES cache timing attack

Victor Duchovni Victor.Duchovni at MorganStanley.com
Fri Jun 17 10:53:30 EDT 2005


On Fri, Jun 17, 2005 at 11:57:29PM +1200, Peter Gutmann wrote:

> hal at finney.org ("Hal Finney") writes:
> >Steven M. Bellovin writes:
> >> Dan Bernstein has a new cache timing attack on AES:
> >>       http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
> >This is a pretty alarming attack.  
> 
> It is?  Recovering a key from a server custom-written to act as an oracle for
> the attacker?  By this I don't even mean the timing-related stuff, but just
> one that just acts as a basic encryption oracle.  Try doing that with TLS or
> SSH, you'll get exactly one unrelated packet back, which is the connection
> shutdown message.  So while it's a nice attack, section 15 should really be
> simplified to:
> 
>   Don't do that, then.

Doesn't the Kerberos TGS, for example, somewhat resemble Dan's server?
Yes, it does not report fine-grained time-stamps or do everything in
memory. Still, if one sends data that looks like authenticator + TGT,
the TGS is going to decrypt the TGT with the ticket granting service
key, getting nonsense and will report an error. The time taken to
report the error will be data dependent, and Dan's attack may apply.

This is speculative. Has anyone studied the applicability of Dan's
attack to a Kerberos 5 KDC with an AES TGS key?

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.
