diff options
author | lloyd <[email protected]> | 2008-11-19 15:45:23 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2008-11-19 15:45:23 +0000 |
commit | d8551e51613d5c853277e22a2cdb0f98931a79b2 (patch) | |
tree | 037c785cab051851ed4d8aff8d3767703e15ca49 /src | |
parent | 8a80c94fc6f9333315f56940ca3a659c18d8825f (diff) |
Add a comment WRT timing attacks on the AES implementation
Diffstat (limited to 'src')
-rw-r--r-- | src/block/aes/aes.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/block/aes/aes.cpp b/src/block/aes/aes.cpp index 473fad2e1..1c3f12aa0 100644 --- a/src/block/aes/aes.cpp +++ b/src/block/aes/aes.cpp @@ -64,6 +64,20 @@ void AES::enc(const byte in[], byte out[]) const TE2[get_byte(2, T1)] ^ TE3[get_byte(3, T2)] ^ K7; } + /* + Joseph Bonneau and Ilya Mironov's paper + <a href = "http://icme2007.org/users/mironov/papers/aes-timing.pdf"> + Cache-Collision Timing Attacks Against AES</a> describes an attack + that can recover AES keys with as few as 2<sup>13</sup> samples. + + """In addition to OpenSSL v. 0.9.8.(a), which was used in our + experiments, the AES implementations of Crypto++ 5.2.1 and + LibTomCrypt 1.09 use the original Rijndael C implementation with + very few changes and are highly vulnerable. The AES implementations + in libgcrypt v. 1.2.2 and Botan v. 1.4.2 are also vulnerable, but + use a smaller byte-wide final table which lessens the effectiveness + of the attacks.""" + */ out[ 0] = SE[get_byte(0, B0)] ^ ME[0]; out[ 1] = SE[get_byte(1, B1)] ^ ME[1]; out[ 2] = SE[get_byte(2, B2)] ^ ME[2]; |