Hi list,

FYI: http://www.daemonology.net/hyperthreading-considered-harmful/

any comments from SuSE about that?

Regards,
Sven

On Wed, Jun 15, 2005 at 12:20:47PM +0200, Sven 'Darkman' Michels wrote:
> Hi list,
> FYI: http://www.daemonology.net/hyperthreading-considered-harmful/
> any comments from SuSE about that?

We do not consider it as that critical right now. We will of course integrate the already worked on openssl patches to avoid exposing this particular problem.

Ciao, Marcus

On Wed, Jun 15, 2005 at 12:20:47PM +0200, Sven 'Darkman' Michels wrote:
> FYI: http://www.daemonology.net/hyperthreading-considered-harmful/

According to http://news.netcraft.com/archives/2005/05/20/researcher_attack_could_expose_..., it's not hyperthreading-specific. If you follow the link on that page to http://cr.yp.to/antiforgery/cachetiming-20050414.pdf you can see how to recover all 128 bits of a randomly-generated AES key in around a day on P3 without multithreading.

-Kastus

On Wed, Jun 15, 2005 at 10:05:09AM -0700, Kastus wrote:
> On Wed, Jun 15, 2005 at 12:20:47PM +0200, Sven 'Darkman' Michels wrote:
> > FYI: http://www.daemonology.net/hyperthreading-considered-harmful/
>
> According to http://news.netcraft.com/archives/2005/05/20/researcher_attack_could_expose_..., it's not hyperthreading-specific. If you follow the link on that page to http://cr.yp.to/antiforgery/cachetiming-20050414.pdf you can see how to recover all 128 bits of a randomly-generated AES key in around a day on P3 without multithreading.

Yes, but this is another issue. It is based on the AES implementation that uses secrets for calculating indices to an array (s-box cache). (But DJB also points out other (hardware, CPU) sources that can lead to timing-attacks)

AFAIK the OpenSSL developers prepare patches for this too to create a constant-time AES (maybe others?) implementation.

BTW, ever tried the code attached to Bernstein's paper? Does it work?

> -Kastus

--
Bye,
Thomas
--
Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
--
Ray's Rule of Precision: Measure with a micrometer. Mark with chalk. Cut with an axe.
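
An added illustration of the point in the last message (not code from the thread, from OpenSSL, or from Bernstein's paper): an AES S-box lookup indexed directly by a secret byte, beside a lookup that reads every entry and selects with a mask so the memory access pattern does not depend on the secret. The names `init_sbox`, `sbox_leaky`, `sbox_ct` and `count_mismatches` are made up for this sketch.

```c
/* Added illustration; function names are made up here, not OpenSSL's. */
#include <stdint.h>
#include <stdio.h>
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))
static uint8_t SBOX[256];

/* Build the AES S-box: inverse in GF(2^8), then the affine transform. */
void init_sbox(void) {
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0)); /* p *= 3 */
        q ^= (uint8_t)(q << 1);                                /* q /= 3 */
        q ^= (uint8_t)(q << 2);
        q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;
        SBOX[p] = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63);
    } while (p != 1);
    SBOX[0] = 0x63; /* zero has no inverse */
}

/* Leaky pattern: the secret byte is the index, so the cache line that is
 * loaded, and with it the timing, depends on the secret. */
uint8_t sbox_leaky(uint8_t secret) { return SBOX[secret]; }

/* Constant-time pattern: read all 256 entries in a fixed order and keep
 * the wanted one with a branch-free mask. */
uint8_t sbox_ct(uint8_t secret) {
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        unsigned diff = i ^ secret;                 /* 0 only if i == secret */
        uint8_t mask = (uint8_t)((diff - 1u) >> 8); /* 0xFF if diff == 0 */
        out |= (uint8_t)(SBOX[i] & mask);
    }
    return out;
}

/* Count inputs where the two lookups disagree. */
unsigned count_mismatches(void) {
    unsigned bad = 0;
    for (unsigned s = 0; s < 256; s++)
        bad += sbox_leaky((uint8_t)s) != sbox_ct((uint8_t)s);
    return bad;
}

int main(void) {
    init_sbox();
    printf("S[0x53]=0x%02x mismatches=%u\n", sbox_ct(0x53), count_mismatches());
    return 0;
}
```

The full scan costs 256 reads per lookup, and a compiler is free to rewrite the mask logic, so the generated assembly should be inspected before relying on it.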

participants (4)
- Kastus
- Marcus Meissner
- Sven 'Darkman' Michels
- Thomas Biege