authorlloyd <[email protected]>2008-11-19 15:45:23 +0000
committerlloyd <[email protected]>2008-11-19 15:45:23 +0000
commitd8551e51613d5c853277e22a2cdb0f98931a79b2 (patch)
tree037c785cab051851ed4d8aff8d3767703e15ca49 /src
parent8a80c94fc6f9333315f56940ca3a659c18d8825f (diff)
Add a comment WRT timing attacks on the AES implementation
Diffstat (limited to 'src')
-rw-r--r--src/block/aes/aes.cpp14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/block/aes/aes.cpp b/src/block/aes/aes.cpp
index 473fad2e1..1c3f12aa0 100644
--- a/src/block/aes/aes.cpp
+++ b/src/block/aes/aes.cpp
@@ -64,6 +64,20 @@ void AES::enc(const byte in[], byte out[]) const
TE2[get_byte(2, T1)] ^ TE3[get_byte(3, T2)] ^ K7;
}
+ /*
+ Joseph Bonneau and Ilya Mironov's paper
+ <a href = "http://icme2007.org/users/mironov/papers/aes-timing.pdf">
+ Cache-Collision Timing Attacks Against AES</a> describes an attack
+ that can recover AES keys with as few as 2<sup>13</sup> samples.
+
+ """In addition to OpenSSL v. 0.9.8.(a), which was used in our
+ experiments, the AES implementations of Crypto++ 5.2.1 and
+ LibTomCrypt 1.09 use the original Rijndael C implementation with
+ very few changes and are highly vulnerable. The AES implementations
+ in libgcrypt v. 1.2.2 and Botan v. 1.4.2 are also vulnerable, but
+ use a smaller byte-wide final table which lessens the effectiveness
+ of the attacks."""
+ */
out[ 0] = SE[get_byte(0, B0)] ^ ME[0];
out[ 1] = SE[get_byte(1, B1)] ^ ME[1];
out[ 2] = SE[get_byte(2, B2)] ^ ME[2];