AES cache timing attack
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Mon Jun 20 12:36:08 EDT 2005
On Mon, Jun 20, 2005 at 01:54:46AM -0000, D. J. Bernstein wrote:
> One can carry out the final search with nothing more than known
> ciphertext: try decrypting the ciphertext with each key and see which
> result looks most plausible. It should even be possible to carry out a
> timing attack with nothing more than known ciphertext, by focusing on
> either the time variability in the last AES-encryption round or the time
> variability in the first AES-decryption round.
>
Dan, have you looked into or thought about the applicability of your
attack to the Kerberos ticket granting service (measure error response
time for authenticator + "random" ticket). The KDC needs to decrypt the
ticket with the TGS key, recover the session key and principal name, then
check the authenticator. Presumably the time to perform AES decryption
will show the same key/data correlations.
Quantizing the error response delay could solve this problem, though
I for one don't know how to do that portably in a way that guarantees
no leakage of timing information.
--
/"\ ASCII RIBBON   Victor Duchovni   NOTICE: If received in error, please destroy
\ / CAMPAIGN       IT Security,      and notify sender. Sender does not waive
 X  AGAINST        Morgan Stanley    confidentiality or privilege, and use is
/ \ HTML MAIL                        prohibited.
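The closing suggestion in the message above, releasing the KDC's error response only on a fixed delay quantum rather than as soon as the decryption and authenticator check finish, as an added Python illustration. This is not code from the thread, from MIT Kerberos or from any KDC; the function names, the quantum value and the spin-wait tail are assumptions of this example. It also makes the caveat concrete: the client still observes the slot index, so work that straddles a quantum boundary leaks one bit, and the quantizer only helps when every key-dependent timing variant lands in the same slot.

```python
"""Quantize a server's response delay to a multiple of a fixed quantum.

Added example, not from the original thread. Names and values are assumptions.
"""
import time
from typing import Callable, Iterable, Tuple, TypeVar

T = TypeVar("T")


def quantized_deadline_ns(start_ns: int, now_ns: int, quantum_ns: int) -> int:
    """Earliest release time for work that began at start_ns and finished at now_ns,
    rounded up to a whole number of quanta after start_ns.

    Work that took anywhere in [k*q, (k+1)*q) is released at start + (k+1)*q, so an
    observer learns only k (the slot index), not the raw decryption time.
    """
    if quantum_ns <= 0:
        raise ValueError("quantum_ns must be positive")
    elapsed = now_ns - start_ns
    if elapsed < 0:
        raise ValueError("now_ns precedes start_ns")
    slot = elapsed // quantum_ns
    return start_ns + (slot + 1) * quantum_ns


def slot_index(elapsed_ns: int, quantum_ns: int) -> int:
    """Which slot an elapsed time falls in: this is all a remote observer can see."""
    return elapsed_ns // quantum_ns


def observable_slots(elapsed_samples_ns: Iterable[int], quantum_ns: int) -> set:
    """Distinct slots a population of timings lands in.

    One slot means the quantizer hides the variation between those samples; more
    than one means a boundary is being straddled and the (possibly key-dependent)
    jitter is visible to the client as a slot change.
    """
    return {slot_index(e, quantum_ns) for e in elapsed_samples_ns}


def respond_quantized(handler: Callable[[], T], quantum_ns: int) -> T:
    """Run handler() (e.g. decrypt ticket, check authenticator, build the error)
    and hold the result until the quantized deadline.

    The tail of the wait is a busy spin: time.sleep() only guarantees to sleep at
    least the requested time and routinely overshoots by tens of microseconds,
    which is far larger than the cache-miss differences being hidden.
    """
    start = time.monotonic_ns()
    result = handler()
    deadline = quantized_deadline_ns(start, time.monotonic_ns(), quantum_ns)
    spin_window_ns = 500_000  # assumption: spin for the last 0.5 ms
    while True:
        remaining = deadline - time.monotonic_ns()
        if remaining <= 0:
            break
        if remaining > spin_window_ns:
            time.sleep((remaining - spin_window_ns) / 1e9)
    return result


def timed_quantized_response(handler: Callable[[], T], quantum_ns: int) -> Tuple[T, int]:
    """Return (handler result, wall-clock nanoseconds the caller waited)."""
    t0 = time.monotonic_ns()
    result = respond_quantized(handler, quantum_ns)
    return result, time.monotonic_ns() - t0


if __name__ == "__main__":
    # Constructed stand-in for a key-dependent check: two fake "keys" whose
    # checks differ by a few microseconds, as a cache-timing effect might.
    def check_with_key(extra_us: int) -> bool:
        time.sleep(extra_us / 1e6)
        return False  # always an error response for a random ticket

    quantum = 2_000_000  # 2 ms, an assumption for the demo
    for extra in (5, 40):
        _, waited = timed_quantized_response(lambda: check_with_key(extra), quantum)
        print(f"key variant +{extra}us: client sees slot {slot_index(waited, quantum)}")
    # Samples near a boundary show the residual leak the quantizer cannot remove.
    print("slots for [1.9ms, 2.1ms]:", observable_slots([1_900_000, 2_100_000], quantum))
```

The slot index is the residual channel: choosing the quantum well above the worst-case check time puts every variant in slot 0, but network jitter or a slow machine pushes samples across a boundary, at which point the key-dependent part of the delay becomes visible again, which is the portability problem the message raises.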
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com