Re: AES cache timing attack

2005-06-26 Thread Thor Lancelot Simon
On Tue, Jun 21, 2005 at 10:38:42PM -0400, Perry E. Metzger wrote: Jerrold Leichter [EMAIL PROTECTED] writes: Usage in first of these may be subject to Bernstein's attack. It's much harder to see how one could attack a session key in a properly implemented system the same way. You

Re: AES cache timing attack

2005-06-25 Thread Bill Stewart
At 02:44 AM 6/20/2005, Peter Gutmann wrote: Stephan Neuhaus [EMAIL PROTECTED] writes: Concerning the practical use of AES, you may be right (even though it would be nice to have some advice on what one *should* do instead). Would switching to triple-AES (or double-AES) or something help? Yeah,

Re: AES cache timing attack

2005-06-22 Thread Perry E. Metzger
Jerrold Leichter [EMAIL PROTECTED] writes: Usage in first of these may be subject to Bernstein's attack. It's much harder to see how one could attack a session key in a properly implemented system the same way. You would have to inject a message into the ongoing session. I gave an

Re: AES cache timing attack

2005-06-22 Thread Jerrold Leichter
| It's much harder to see how one could attack a session key in a properly | implemented system the same way. You would have to inject a message into | the ongoing session. However, if the protocol authenticates its messages, | you'll never get any response to an injected message. At best,

Re: AES cache timing attack

2005-06-21 Thread Peter Gutmann
Ian G [EMAIL PROTECTED] writes: Definitely. Maybe time for a BCP, not just for AES but for general block ciphers? What is a BCP? Best Coding Practices? Block Cipher Protocol? Best Current Practice, a special-case type of RFC. Based on recent experience with this style of collaborative

Re: AES cache timing attack

2005-06-21 Thread Peter Gutmann
Ian G [EMAIL PROTECTED] writes: On Tuesday 21 June 2005 13:45, Peter Gutmann wrote: Best Current Practice, a special-case type of RFC. Based on recent experience with this style of collaborative document editing, I've set up a wiki at http://blockcipher.pbwiki.com/, blank username, password

Re: AES cache timing attack

2005-06-21 Thread Jerrold Leichter
| Uhh, that wasn't really what I was after, that's pretty much textbook stuff, | what I wanted was specifically advice on how to use block ciphers in a way | that avoids possibilities for side-channel (and similar) attacks. I have some | initial notes that can be summarised as Don't let yourself

Re: AES cache timing attack

2005-06-21 Thread Ian Grigg
On Tuesday 21 June 2005 23:00, Jerrold Leichter wrote: It's much harder to see how one could attack a session key in a properly implemented system the same way. You would have to inject a message into the ongoing session. However, if the protocol authenticates its messages, you'll never

Re: AES cache timing attack

2005-06-21 Thread Peter Gutmann
Ian Grigg [EMAIL PROTECTED] writes: Alternatively, if one is in the unfortunate position of being an oracle for a single block encryption then the packet could be augmented with a cleartext random block to be xor'd with the key each request. Moves you from being an encryption oracle to a

Re: AES cache timing attack

2005-06-20 Thread D. J. Bernstein
http://cr.yp.to/talks.html#2005.06.01 has slides that people might find useful as an overview of what's going on. In particular, there's a list of six obstacles to performing array lookups in constant time. People who mention just one of the obstacles are oversimplifying the problem. Hal Finney

Re: AES cache timing attack

2005-06-20 Thread Perry E. Metzger
[EMAIL PROTECTED] (Peter Gutmann) writes: [EMAIL PROTECTED] (Hal Finney) writes: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. It is? Recovering a key from a

Re: AES cache timing attack

2005-06-20 Thread Stephan Neuhaus
Peter Gutmann wrote: Stephan Neuhaus [EMAIL PROTECTED] writes: Concerning the practical use of AES, you may be right (even though it would be nice to have some advice on what one *should* do instead). Definitely. Maybe time for a BCP, not just for AES but for general block ciphers? I

Re: AES cache timing attack

2005-06-20 Thread Peter Gutmann
Stephan Neuhaus [EMAIL PROTECTED] writes: Concerning the practical use of AES, you may be right (even though it would be nice to have some advice on what one *should* do instead). Definitely. Maybe time for a BCP, not just for AES but for general block ciphers? But as far as I know, resistance

Re: AES cache timing attack

2005-06-20 Thread Victor Duchovni
On Mon, Jun 20, 2005 at 01:54:46AM -, D. J. Bernstein wrote: One can carry out the final search with nothing more than known ciphertext: try decrypting the ciphertext with each key and see which result looks most plausible. It should even be possible to carry out a timing attack with

Re: AES cache timing attack

2005-06-17 Thread Peter Gutmann
[EMAIL PROTECTED] (Hal Finney) writes: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. It is? Recovering a key from a server custom-written to act as an oracle for the

Re: AES cache timing attack

2005-06-17 Thread Victor Duchovni
On Fri, Jun 17, 2005 at 11:57:29PM +1200, Peter Gutmann wrote: [EMAIL PROTECTED] (Hal Finney) writes: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. It is?

Re: AES cache timing attack

2005-06-17 Thread Hal Finney
Peter Gutmann writes: [EMAIL PROTECTED] (Hal Finney) writes: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. It is? Recovering a key from a server custom-written

Re: AES cache timing attack

2005-06-17 Thread Brian Gladman
Hal Finney wrote: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. Bernstein was actually able to recover the AES key using a somewhat artificial server which reported

AES cache timing attack

2005-06-16 Thread Steven M. Bellovin
Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf (This was mentioned in Bruce Schneier's CRYPTO-GRAM newsletter.) Briefly, the attack relies on the fact that retrieving an S-box entry from the cache is much faster than retrieving it
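
The mechanism Bellovin describes (a table lookup whose address, and so whose cache line and latency, depends on the secret-derived index) and the constant-time array lookup problem Bernstein's slides address, as an added example written for this page; it is not code from the thread, from Bernstein's paper, or from any AES implementation. The S-box is a constructed permutation, not the AES S-box; the 64-byte cache line, the line-aligned table and the key and plaintext bytes are assumptions chosen for illustration.

```c
/* Added example (not from the thread or from any AES implementation):
 * why a table-driven S-box lookup leaks through the cache, and a
 * branch-free lookup whose memory-access pattern does not depend on x.
 * The S-box is a constructed permutation, NOT the AES S-box; the
 * 64-byte cache line and line-aligned table are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 256u
#define CACHE_LINE 64u                                  /* assumed line size in bytes */
#define ENTRIES_PER_LINE (CACHE_LINE / sizeof(uint8_t)) /* 64 one-byte entries per line */

/* Build a constructed S-box: x -> (5x + 11) XOR 0xA5 mod 256.
 * Multiplying by 5 is a bijection on Z/256 because gcd(5, 256) = 1. */
void build_sbox(uint8_t t[TABLE_SIZE]) {
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        t[i] = (uint8_t)((i * 5u + 11u) ^ 0xA5u);
}

/* Variable-time lookup: one load whose address depends on x, so the cache
 * line brought in (and the time the load takes) reveals the high bits of x. */
uint8_t lookup_variable(const uint8_t t[TABLE_SIZE], uint8_t x) {
    return t[x];
}

/* Constant-time lookup: read every entry and keep t[x] with an arithmetic
 * mask. Every call touches every cache line of the table in the same order,
 * so the access pattern carries no information about x. */
uint8_t lookup_ct(const uint8_t t[TABLE_SIZE], uint8_t x) {
    uint8_t result = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff = (uint32_t)(i ^ x);       /* 0 iff i == x */
        uint32_t is_eq = (diff - 1u) >> 31;      /* 1 iff diff == 0 (borrow into the top bit) */
        uint8_t mask = (uint8_t)(0u - is_eq);    /* 0xFF iff i == x, else 0x00 */
        result |= (uint8_t)(t[i] & mask);
    }
    return result;
}

/* Which cache line of a line-aligned table entry x lives in: this, not x
 * itself, is what a cache-timing observer learns about the index. With
 * 1-byte entries and 64-byte lines that is the top 2 bits of x. */
unsigned table_line(uint8_t x) {
    return (unsigned)(x / ENTRIES_PER_LINE);
}

/* The first AES round indexes its tables with p[i] ^ k[i]. An attacker who
 * knows plaintext byte p and observes which line was touched recovers the
 * line index of k, since (p ^ k) / 64 == (p / 64) ^ (k / 64) for a power-of-two line size. */
unsigned recover_key_line(uint8_t p, unsigned observed_line) {
    return observed_line ^ table_line(p);
}

/* Self-check: the constant-time lookup agrees with the direct lookup on
 * every input. Returns 1 on success, 0 on the first mismatch. */
int ct_lookup_matches_all(void) {
    uint8_t t[TABLE_SIZE];
    build_sbox(t);
    for (unsigned x = 0; x < TABLE_SIZE; x++)
        if (lookup_ct(t, (uint8_t)x) != lookup_variable(t, (uint8_t)x))
            return 0;
    return 1;
}

int main(void) {
    uint8_t k = 0x9C, p = 0x47;   /* constructed key byte and known plaintext byte */
    unsigned line = table_line((uint8_t)(p ^ k));
    printf("constant-time lookup matches direct lookup: %s\n",
           ct_lookup_matches_all() ? "yes" : "no");
    printf("index p^k = 0x%02X lives in cache line %u\n", p ^ k, line);
    printf("from the observed line, key byte's top 2 bits = %u (true value: %u)\n",
           recover_key_line(p, line), k >> 6);
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the masked loop is only constant-time if the compiler leaves it alone; an optimiser is free to turn it back into a branch or a single indexed load, so inspect the generated assembly (for example with objdump -d) rather than trusting the source. Second, the full scan costs 256 loads per byte looked up, which is why implementations that need to resist this class of attack generally move to bitsliced code or hardware cipher instructions rather than masking table lookups one at a time.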

Re: AES cache timing attack

2005-06-16 Thread Hal Finney
Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. Bernstein was actually able to recover the AES key using a somewhat artificial server which reported its own timing to do