Re: AES Timing Attack Implementation & Karl Malbrain code...



Ed Weir (ComCast) wrote:
"BRG" <brg@xxxxxxxxxxx> wrote in message
news:4444c4bd$0$9266$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Ed Weir (ComCast) wrote:
| > "BRG" <brg@xxxxxxxxxxx> wrote in message
| > news:4444a7d5$0$9249$ed2619ec@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| > | rohit wrote:
| > | > Dear All,
| > | >
| > | > I was analysing Cache-timing attacks on AES by Daniel J. Bernstein, and
| > | > tried running the source posted by Karl Malbrain at the following URL:
| > | >
| > | > http://www.geocities.com/malbrain/aestable_c.html
| > |
| > | This code implements AES without using large tables. It will be very
| > | slow but will not (typically) be vulnerable to the DJB attack since this
| > | depends on a lot of cache space being used for tables.
| > |
| > | [snip]
| > | > to replicate the Bernstein results. The program executes fine but it
| > | > just remains iterating in the Encrypt functions. It's been more than 30
| > | > minutes the executable is running but I could not see any output of the
| > | > revealed keys yet.
| > |
| > | This is not surprising since you are using an implementation that is not
| > | typically vulnerable to this attack.
| > |
| > | > What can be the reason? Is it because the S-box is entirely fitting into
| > | > the Level 1 and Level 2 cache? Do I need to run multiple processes so
| > | > that the S-box data shall be kicked out of the cache?
| > |
| > | The S-Box tables are too small to make this attack productive (at least
| > | in general). Fast versions of AES use much larger tables and it is these
| > | large tables that introduce the potential vulnerability.
| > |
| > | [snip]
| > |
| > | Brian Gladman
| >
| > Does this imply that an algorithm using large tables is susceptible to this
| > type of attack? Unsettling. 3DES, AES, ...
|
| This type of attack needs to be considered in any situation in which (a)
| a keyed algorithm uses large tables on a cache based machine, (b)
| algorithm timing might be key and/or data dependent, and (c) statistics
| for the time the algorithm takes to run with different keys and/or data
| might be available to an attacker.
|
| I don't _personally_ worry a lot about this attack for most systems that
| I have been involved with since (c) above hasn't applied. But it does
| need to be thought about during system design in order to determine
| whether it might apply and might hence require some form of defence to
| be implemented.
|
| [snip]
|
| Brian Gladman

Seems to me that (a, b) could be compiled rather quickly yielding (c). And
most all contemporary machines have extensive caching with AES (a). If (b)
is large enough a successful attack could be imminent.

Tell me how wrong I am.

My view is that: (a) if an attacker has been able to put a timing
process onto your machine, then this timing attack is the very least of
your worries; (b) in a remote attack it will take a large number of
timing measurements to compile the statistical data needed to eliminate
noise from other sources - secure systems need to be alert to such
unusual patterns of use (if they are not unusual then the attack needs
to be covered); (c) IF this attack is considered feasible there are a
lot of ways of obscuring timing data in such a way that it will not be
possible to collect the volume of timing data needed to remove this masking.

Brian Gladman
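The distinction drawn in this thread, a small S-box versus the large tables that make the DJB attack productive, and the "obscuring" defence in Brian's point (c), shown in code. This is an added example, not Malbrain's or Gladman's code: it builds the AES S-box from its GF(2^8) definition, then contrasts a plain indexed lookup, whose memory access depends on the secret byte, with a masked scan that reads every entry regardless of input. Function names are my own.

```c
#include <stdint.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (; b; b >>= 1) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
    }
    return r;
}
static uint8_t sbox[256];
static int sbox_ready = 0;

/* Build the AES S-box: multiplicative inverse, then the affine transform. */
static void sbox_init(void)
{
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        for (int y = 1; x && y < 256; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        uint8_t s = inv;
        for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
        sbox[x] = (uint8_t)(s ^ 0x63);
    }
    sbox_ready = 1;
}
/* Plain indexed lookup: which cache line is touched depends on the secret x. */
uint8_t sbox_lookup_direct(uint8_t x)
{
    if (!sbox_ready) sbox_init();
    return sbox[x];
}

/* Masked scan: every entry is read on every call and the result is selected by
 * a mask, so the access pattern is independent of x. Inspect the generated code
 * when it matters: the compiler must not turn the mask back into a branch. */
uint8_t sbox_lookup_ct(uint8_t x)
{
    if (!sbox_ready) sbox_init();
    uint8_t out = 0;
    for (int i = 0; i < 256; i++) {
        uint32_t diff = (uint32_t)(i ^ x);
        uint8_t mask = (uint8_t)(((diff - 1u) >> 8) & 0xFFu); /* 0xFF iff i == x */
        out |= (uint8_t)(sbox[i] & mask);
    }
    return out;
}
```

The masked scan costs 256 reads per byte, which is the kind of speed-for-leakage trade the thread describes; the T-table implementations that are fast enough to attack are fast precisely because they do the opposite.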