AES cache timing attack

Perry E. Metzger perry at piermont.com
Tue Jun 21 22:38:42 EDT 2005


Jerrold Leichter <jerrold.leichter at smarts.com> writes:
> Usage in the first of these may be subject to Bernstein's attack. It's much
> harder to see how one could attack a session key in a properly implemented
> system the same way. You would have to inject a message into the ongoing
> session.

I gave an example yesterday. Perhaps you didn't see it.

The new 802.11 wireless security protocols encrypt the on-air portion
of communications, and are typically attached to ethernet bridges. If
you want to, you can send any packet you like at an arbitrary box on
the wireless segment from the main network, and have the wireless
router act as a fine quality oracle for you for the AES key being used
on air.

It would be possible, though perhaps less convenient (since it would
require tapping rather than just listening) to do something similar to
a wide variety of VPN protocols.

> However, if the protocol authenticates its messages, you'll never 
> get any response to an injected message.

You don't need to in the above instances. You just need to be able to
inject.

People like to downplay the impact of attacks like this, but there are
just too many scenarios "one didn't think of" in the security
universe. Doubtless some other usage cases may get badly bitten by AES
side channel attacks.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com