On Mon, Jun 20, 2005 at 01:54:46AM -0000, D. J. Bernstein wrote:

> One can carry out the final search with nothing more than known
> ciphertext: try decrypting the ciphertext with each key and see which
> result looks most plausible. It should even be possible to carry out a
> timing attack with nothing more than known ciphertext, by focusing on
> either the time variability in the last AES-encryption round or the time
> variability in the first AES-decryption round.

Dan, have you looked into or thought about the applicability of your
attack to the Kerberos ticket granting service (measure error response
time for authenticator + "random" ticket). The KDC needs to decrypt the
ticket with the TGS key, recover the session key and principal name, then
check the authenticator. Presumably the time to perform AES decryption
will show the same key/data correlations.

Quantizing the error response delay could solve this problem, though
I for one don't know how to do that portably in a way that guarantees
no leakage of timing information.


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to