Add a comment WRT timing attacks on the AES implementation

author: lloyd <[email protected]> 2008-11-19 15:45:23 +0000
committer: lloyd <[email protected]> 2008-11-19 15:45:23 +0000
commit: d8551e51613d5c853277e22a2cdb0f98931a79b2 (patch)
tree: 037c785cab051851ed4d8aff8d3767703e15ca49 /src/block/aes
parent: 8a80c94fc6f9333315f56940ca3a659c18d8825f (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/src/block/aes/aes.cpp b/src/block/aes/aes.cpp
index 473fad2e1..1c3f12aa0 100644
--- a/src/block/aes/aes.cpp
+++ b/src/block/aes/aes.cpp
@@ -64,6 +64,20 @@ void AES::enc(const byte in[], byte out[]) const
            TE2[get_byte(2, T1)] ^ TE3[get_byte(3, T2)] ^ K7;
       }
 
+   /*
+   Joseph Bonneau and Ilya Mironov's paper
+   <a href = "http://icme2007.org/users/mironov/papers/aes-timing.pdf">
+   Cache-Collision Timing Attacks Against AES</a> describes an attack
+   that can recover AES keys with as few as 2<sup>13</sup> samples.
+
+   """In addition to OpenSSL v. 0.9.8.(a), which was used in our
+   experiments, the AES implementations of Crypto++ 5.2.1 and
+   LibTomCrypt 1.09 use the original Rijndael C implementation with
+   very few changes and are highly vulnerable. The AES implementations
+   in libgcrypt v. 1.2.2 and Botan v. 1.4.2 are also vulnerable, but
+   use a smaller byte-wide final table which lessens the effectiveness
+   of the attacks."""
+   */
    out[ 0] = SE[get_byte(0, B0)] ^ ME[0];
    out[ 1] = SE[get_byte(1, B1)] ^ ME[1];
    out[ 2] = SE[get_byte(2, B2)] ^ ME[2];
author	lloyd <[email protected]>	2008-11-19 15:45:23 +0000
committer	lloyd <[email protected]>	2008-11-19 15:45:23 +0000
commit	d8551e51613d5c853277e22a2cdb0f98931a79b2 (patch)
tree	037c785cab051851ed4d8aff8d3767703e15ca49 /src/block/aes
parent	8a80c94fc6f9333315f56940ca3a659c18d8825f (diff)