Timing Attack Counter Measure AES #146

Closed
@plestrin

Description

For both Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock there is some code to avoid timing attacks:

    word32 u = 0;
#ifdef CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS
    for (i=0; i<2048; i+=cacheLineSize)
#else
    for (i=0; i<1024; i+=cacheLineSize)
#endif
        u &= *(const word32 *)(((const byte *)Te)+i);
    u &= Te[255];
    s0 |= u; s1 |= u; s2 |= u; s3 |= u;

As far as I understand it, the goal is to do at least one read per cache line in order to preload Te into the cache. However, when looking at the x86 binary (obtained from the Debian package), I noticed that although the loop structure remains, the memory reads have been optimized away:

.text:00280499     mov     edx, ds:(_ZN8CryptoPP15g_cacheLineSizeE_ptr - 3A4000h)[ebx]
.text:0028049F     mov     ecx, [edx]
.text:002804A1     xor     edx, edx
.text:002804A3     nop
.text:002804A4     lea     esi, [esi+0]
.text:002804A8
.text:002804A8 loc_2804A8:                             ; CODE XREF: CryptoPP::Rijndael::Enc::ProcessAndXorBlock(uchar const*,uchar const*,uchar *)+D0↓j
.text:002804A8     add     edx, ecx
.text:002804AA     cmp     edx, 7FFh
.text:002804B0     jbe     short loc_2804A8

This countermeasure seems to be removed by the compiler. Hence, the binary may be vulnerable to timing attacks.
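The following stand-alone C program is an added illustration, not code from the issue or from Crypto++. It reproduces the quoted countermeasure against a constructed 1 KiB stand-in for the Te table and puts beside it a variant whose initial value comes from a volatile object. That volatile read is an assumed remedy for the elision described above, not a statement of how the project fixed it: because the compiler can no longer prove that u is zero, it has to keep every load, while the arithmetic result (and thus the cipher state) stays exactly the same. A helper counts how many cache lines the stride actually visits.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the Crypto++ Te lookup table: 256 entries of 32 bits
 * (1 KiB). The table contents are irrelevant to the cache-warming logic, so the
 * values are arbitrary and only give the loads something to read. */
#define TE_ENTRIES 256u
static uint32_t Te[TE_ENTRIES];

static void init_table(void)
{
    for (size_t i = 0; i < TE_ENTRIES; i++)
        Te[i] = (uint32_t)i * 0x01010101u;
}

/* Countermeasure as quoted in the issue. u is a compile-time constant 0, and
 * 0 & x == 0 for every x, so each load in the loop is dead from the compiler's
 * point of view. With optimization enabled it may drop the loads and keep only
 * the counter increment and compare, which is the shape seen in the disassembly. */
static uint32_t touch_table_elidable(size_t cache_line_size)
{
    uint32_t u = 0;
    for (size_t i = 0; i < sizeof(Te); i += cache_line_size)
        u &= *(const uint32_t *)((const uint8_t *)Te + i);
    u &= Te[TE_ENTRIES - 1];
    return u;                 /* always 0: OR-ing it into the state is a no-op */
}

/* Hardened variant (assumed remedy, not the project's actual patch): the starting
 * value is fetched from a volatile object, so the optimizer cannot prove u == 0
 * and must perform each load at run time. The result is still 0, so the cipher
 * state is left unchanged exactly as before. */
static uint32_t touch_table_volatile(size_t cache_line_size)
{
    volatile uint32_t opaque_zero = 0;
    uint32_t u = opaque_zero;
    for (size_t i = 0; i < sizeof(Te); i += cache_line_size)
        u &= *(const uint32_t *)((const uint8_t *)Te + i);
    u &= Te[TE_ENTRIES - 1];
    return u;
}

/* Number of loads the loop issues for a given line size (excluding the final
 * Te[255] read): a quick check that the stride reaches every line of the table. */
static size_t loads_issued(size_t cache_line_size)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(Te); i += cache_line_size)
        n++;
    return n;
}

int main(void)
{
    init_table();
    uint32_t s0 = 0xdeadbeefu;
    s0 |= touch_table_volatile(64);   /* state untouched: still 0xdeadbeef */
    printf("loads for 64-byte lines: %zu, state 0x%08" PRIx32 "\n",
           loads_issued(64), s0);
    printf("elidable variant result: 0x%08" PRIx32 "\n",
           touch_table_elidable(64));
    return 0;
}
```

The check the reporter performed is the one worth repeating after any such change: build with the optimization level used for release (for example `cc -O2`), disassemble with `objdump -d`, and confirm that the loop body still contains a memory load rather than only an add, a compare and a branch.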
