On Fri, Jun 17, 2005 at 11:57:29PM +1200, Peter Gutmann wrote:
> [EMAIL PROTECTED] ("Hal Finney") writes:
> >Steven M. Bellovin writes:
> >> Dan Bernstein has a new cache timing attack on AES:
> >> http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
> >This is a pretty alarming attack.
>
> It is? Recovering a key from a server custom-written to act as an oracle for
> the attacker? By this I don't even mean the timing-related stuff, but just
> one that just acts as a basic encryption oracle. Try doing that with TLS or
> SSH, you'll get exactly one unrelated packet back, which is the connection
> shutdown message. So while it's a nice attack, section 15 should really be
> simplified to:
>
> Don't do that, then.
Doesn't the Kerberos TGS, for example, somewhat resemble Dan's server? Yes, it
does not report fine-grained time-stamps or do everything in memory. Still, if
one sends data that looks like authenticator + TGT, the TGS is going to decrypt
the TGT with the ticket granting service key, getting nonsense and will report
an error. The time taken to report the error will be data dependent, and Dan's
attack may apply. This is speculative.

Has anyone studied the applicability of Dan's attack to a Kerberos 5 KDC with
an AES TGS key?

-- 
 /"\ ASCII RIBBON    Victor Duchovni   NOTICE: If received in error,
 \ / CAMPAIGN        IT Security,      please destroy and notify
  X  AGAINST         Morgan Stanley    sender. Sender does not waive
 / \ HTML MAIL                         confidentiality or privilege,
                                       and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
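Victor's concern above is that a service which decrypts attacker-supplied data and then reports an error can take input-dependent time on its error path. The block below is an added example, not code from this thread, from Dan Bernstein's paper, or from any Kerberos implementation: a dudect-style self-check a defender can run against their own verify-and-reject routine. It times two classes of bad input (integrity tag wrong in the first byte versus wrong in the last byte) against an early-exit verifier and against a fixed-work verifier, and uses Welch's t-statistic to decide whether the two classes are distinguishable. The toy ticket format (16 bytes of ciphertext plus a 16-byte HMAC-SHA256 tag), the all-zero key, the trial count and the 4.5 threshold are all assumptions made for the example. Note that the cache-timing attack the thread discusses arises inside the AES implementation itself, so a harness like this can flag such a leak in a real decrypt path but the fix for that case lies in the cipher code, not in the comparison.

```python
"""Input-dependent timing check for a decrypt-and-reject path (added example).

Constructed model: a 'ticket' is 16 bytes of ciphertext followed by a 16-byte
keyed tag. The server rejects a ticket whose tag does not verify. We compare a
verifier that exits on the first mismatching byte with one that does fixed work
and a constant-time comparison, using interleaved timing and Welch's t-test in
the style of the dudect leakage-detection approach.
"""
import hashlib
import hmac
import math
import os
import random
import time

KEY = b"\x00" * 16  # constructed key for the example; a real KDC key lives in its keytab
TAG_LEN = 16


def tag(ct: bytes) -> bytes:
    """Constructed stand-in for the keyed integrity check on a ticket."""
    return hmac.new(KEY, ct, hashlib.sha256).digest()[:TAG_LEN]


def verify_early_exit(ticket: bytes) -> bool:
    """Byte-by-byte compare that stops at the first mismatch (timing leaks position)."""
    ct, t = ticket[:16], ticket[16:]
    expected = tag(ct)
    if len(t) != TAG_LEN:
        return False
    for a, b in zip(expected, t):
        if a != b:
            return False
    return True


def verify_fixed_work(ticket: bytes) -> bool:
    """Same check with a full-length constant-time comparison (hmac.compare_digest)."""
    ct, t = ticket[:16], ticket[16:]
    expected = tag(ct)
    return len(t) == TAG_LEN and hmac.compare_digest(expected, t)


def welch_t(xs, ys) -> float:
    """Welch's t-statistic between two samples; 0.0 when both have zero variance."""
    n, m = len(xs), len(ys)
    mx, my = sum(xs) / n, sum(ys) / m
    vx = sum((x - mx) ** 2 for x in xs) / (n - 1)
    vy = sum((y - my) ** 2 for y in ys) / (m - 1)
    denom = math.sqrt(vx / n + vy / m)
    return 0.0 if denom == 0 else (mx - my) / denom


def timing_samples(verify, class_a, class_b, trials):
    """Interleave measurements of the two input classes; returns (times_a, times_b) in ns."""
    ta, tb = [], []
    for _ in range(trials):
        for cls, out in ((class_a, ta), (class_b, tb)):
            x = random.choice(cls)
            t0 = time.perf_counter_ns()
            verify(x)
            out.append(time.perf_counter_ns() - t0)
    return ta, tb


def bad_ticket_classes():
    """Two classes of rejected tickets: tag wrong in byte 0 vs. wrong only in byte 15."""
    ct = os.urandom(16)  # constructed ciphertext; contents are irrelevant to the check
    good = tag(ct)
    first_bad = ct + bytes([good[0] ^ 1]) + good[1:]
    last_bad = ct + good[:-1] + bytes([good[-1] ^ 1])
    return [first_bad], [last_bad]


def leaks_timing(verify, trials=20000, threshold=4.5):
    """Return (t_statistic, verdict): |t| above the threshold means the error path
    is distinguishable by where the tag mismatch sits, i.e. input-dependent timing."""
    class_a, class_b = bad_ticket_classes()
    ta, tb = timing_samples(verify, class_a, class_b, trials)
    t = welch_t(ta, tb)
    return t, abs(t) > threshold


if __name__ == "__main__":
    for name, fn in (("early-exit", verify_early_exit), ("fixed-work", verify_fixed_work)):
        t, leaky = leaks_timing(fn)
        print(f"{name:10s} t = {t:8.2f}  input-dependent timing: {leaky}")
```

Run it a few times: the early-exit verifier should exceed the threshold consistently, while the fixed-work one should stay near zero apart from scheduler noise. The same harness applies unchanged to any `verify(ticket) -> bool` you want to audit; only the construction of the two input classes needs to match the real format.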