AES cache timing attack
Jerrold Leichter
jerrold.leichter at smarts.com
Tue Jun 21 18:00:50 EDT 2005
| Uhh, that wasn't really what I was after, that's pretty much textbook stuff,
| what I wanted was specifically advice on how to use block ciphers in a way
| that avoids possibilities for side-channel (and similar) attacks. I have some
| initial notes that can be summarised as "Don't let yourself be used as an
| oracle" that I was planning to add after I've fleshed them out a bit.
It strikes me that block ciphers in *communications*get used in two
different contexts:
- With a long-lived key. This is in protocols like Kerberos,
where the long-lived key is used as part of a mechanism
to produce a session key. In most more recent protocols,
some combination of D-H or public key plays this role.
- With a session key.
Usage in first of these may be subject to Bernstein's attack. It's much
harder to see how one could attack a session key in a properly implemented
system the same way. You would have to inject a message into the ongoing
session. However, if the protocol authenticates its messages, you'll never
get any response to an injected message. At best, you might be able to
observe some kind of reaction to the injected message. But that's a channel
that can be made very noisy, since it shouldn't occur often. (BTW, if you use
encrypt-then-authenticate, you're completely immune to this attack, since the
implementation won't ever decrypt the injected message. Of course, there may
be a timing attack against the *authentication*!)
By their nature, the first class of uses don't usually require the ultimate in
performance. Since they receive and respond to small messages involving the
encryption of a small amount of data, the encryption portion of the what they
do is rarely the major time cost.
If this dicotomy holds up, it leads to a simple recommendation: Use a
constant-time implementation in the first role; use the highest-performance
implementation in the second role.
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list