Shabbir Bashir wrote:

Hi List,

Doing some research on http://nvd.nist.gov, I came across a "high"
vulnerability tagged CVE-2005-1797. I cannot seem to find out if this
is fixed in later versions after searching the net for an hour.
A summary of the above vulnerability is listed below; does anyone have any ideas?

Summary:
"The design of Advanced Encryption Standard (AES), aka Rijndael,
allows remote attackers to recover AES keys via timing attacks on
S-box lookups, which are difficult to perform in constant time in AES
implementations."

Shabbir

NIST gets its vulnerability data from a number of sources. This one
came from SecurityFocus:
http://www.securityfocus.com/bid/13785/info
And the paper the SecurityFocus vulnerability was derived from:
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
(Cute domain name, BTW)
Only those on the OpenSSL team will be able to shed some light on if
this issue has been resolved in the latest builds of OpenSSL (probably
has - they like to make sure the product is generally secure). Note the
date on the vulnerability. Several releases of OpenSSL have come out
since then. In the future you might want to see the changelog for
OpenSSL to determine if any of the changes had the potential to address
this issue instead of searching the Internet. Search engines have
limitations...they aren't the be-all-end-all solution.
--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
Ask me about discounts on any Shining Light Productions product!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
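
The S-box timing issue in the quoted CVE summary, as an added example that is not part of the original messages and is not OpenSSL code: a secret-indexed table lookup beside an S-box computed arithmetically, with no secret-dependent branch or memory address. All function names are assumptions made for illustration, and whether the compiled code stays constant-time still depends on the compiler and CPU.

```c
#include <stdint.h>
#include <stdio.h>

/* GF(2^8) multiply modulo x^8+x^4+x^3+x+1. Masks replace branches, so
 * neither control flow nor memory addresses depend on a or b. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r ^= a & (uint8_t)(0 - (b & 1));        /* add a if low bit of b set */
        uint8_t hi = (uint8_t)(0 - (a >> 7));   /* 0xFF when a << 1 overflows */
        a = (uint8_t)((a << 1) ^ (hi & 0x1B));
        b >>= 1;
    }
    return r;
}

/* S-box computed arithmetically: inverse as x^254 (0 maps to 0), then the
 * AES affine transform. The exponent is public, so branching on it is fine. */
static uint8_t sbox_ct(uint8_t x)
{
    uint8_t inv = 1, p = x;
    for (int i = 0; i < 8; i++) {
        if ((254 >> i) & 1)
            inv = gf_mul(inv, p);
        p = gf_mul(p, p);
    }
    uint8_t s = inv;
    for (int k = 1; k <= 4; k++)
        s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
    return s ^ 0x63;
}

static uint8_t table[256];

/* The pattern the CVE summary describes: the load address, and so the
 * cache line touched, depends on the secret byte. */
static uint8_t sbox_lookup(uint8_t secret) { return table[secret]; }

/* Fill the lookup table and check the S-box is a permutation of 0..255. */
static int build_and_check_table(void)
{
    uint8_t seen[256] = {0};
    for (int i = 0; i < 256; i++) {
        table[i] = sbox_ct((uint8_t)i);
        if (seen[table[i]]++) return 0;
    }
    return 1;
}

int main(void)
{
    printf("ok=%d S(0x53)=0x%02x\n", build_and_check_table(), sbox_lookup(0x53));
    return 0;
}
```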