AES cache timing attack

Thor Lancelot Simon tls at rek.tjls.com
Sun Jun 26 19:56:30 EDT 2005 

On Tue, Jun 21, 2005 at 10:38:42PM -0400, Perry E. Metzger wrote:
> 
> Jerrold Leichter <jerrold.leichter at smarts.com> writes:
> > Usage in first of these may be subject to Bernstein's attack.  It's much 
> > harder to see how one could attack a session key in a properly implemented 
> > system the same way.  You would have to inject a message into the ongoing 
> > session.
> 
> I gave an example yesterday. Perhaps you didn't see it.
> 
> The new 802.11 wireless security protocols encrypt the on-air portion
> of communications, and are typically attached to ethernet bridges.

Sorry I didn't respond to this earlier -- I was on vacation last week.

It is simple to practice this attack against an 802.11 network that is
behind a NAT or routing firewall, rather than just a simple Ethernet
bridge.  It's only moderately harder when the 802.11 network is separated
from the public Internet by a proxy firewall.

In fact, I can run it right here in my house:

>From the west-facing window of my apartment building, I can see over
50 different 802.11 networks as I scan the buildings across the street
with a reasonably tight antenna.  Many of those networks are connected
to the public Internet by a cablemodem network to which I also have
access.

A small number of those networks use WPA with AES (I'm lucky I have so
many networks to choose from; this isn't common on residentail networks --
yet).

So, to obtain encryption timing data, I can:

1) Do two quick tcpdumps, imported them into SPSS, and look for the
   best-correlated wireless and wired activity times.  This gives me a
   good guess as to which wireless network had which public address (it
   also, presumably, gives me en/deryption timing data, for known, even,
   but not chosen plaintext; but that's just gravy).

2) Look at the tcpdump for the wired segment again (or run a new one) to
   find some open TCP connections.  These will pretty much all correspond
   to open TCP connections on the "inside"; routing firewalls and almost
   all NAT boxes will just pass packets sent from the outside straight
   through (a proxy firewall will require an application-layer attack)

3) Send duplicate ACKs (or wholly spurious ACKs) to the public address
   of the firewall in question and watch the wireless segment to see
   how long it takes to encrypt them.  Oh, by the way, they're chosen
   plaintext...

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list