Questions tagged [side-channel-attack]

Attacks using information leaked by implementations of cryptographic algorithms to obtain information about keys or (plaintext) data, instead of (or in addition to) exploiting cryptographic weaknesses.

Examples include measuring timing, power consumption, electromagnetic radiation or sound, while an implementation performs the algorithm.

Social engineering (e.g. convincing people with legitimate knowledge of the secrets to share them) is not considered a side channel attack (and off topic on crypto.stackexchange.com).

234 questions

Why use argon2i or argon2d if argon2id exists?

I am currently working on a project where I want to implement Argon2. The problem is that I don't really know a lot about it. Internet research is not really helpful, because Argon2 is only 2 years old so all that really exists are scientific papers…
Richard R. Matthews

Practical disadvantages of GCM mode encryption

It seems that GCM mode encryption has a clear advantage over CBC + HMAC in the sense that it only requires a single key. But it seems that there are some experts here that do not trust it enough to recommend it. This question is a call to those…

How practical are side-channel attacks and how much of a concern are they?

I see a lot of research in very sophisticated side-channel attacks on crypto systems. Most (but definitely not all) seem to follow a trend, namely, the crypto system does something very dumb like decrypt any block given to it with no IV or nonce (so…
mikeazo

How are side-channel attacks executed? What does an attacker need to execute a side channel attack?

I've been reading about side-channel attacks on Wikipedia, and it seems that some of these can only be executed on the victim's computer. (I am specifically asking about the side-channel attacks listed on the Wikipedia page and any more that are…
09182736471890

Timing-Safety in JVM-Languages

How is it possible to write timing-safe code in JVM-languages (Java, Scala, Clojure...)? Is it possible to make libraries like BouncyCastle safe against timing-attacks? I know that even in C it is very hard to get those things right – and in C you…
K. Biermann

Known methods for constant time (table-free) AES implementation using 'standard' operations?

There are several known methods for implementing AES in constant time using SIMD operations, mostly based around fast byte shuffling (for instance Hamburg and Kasper/Schwabe). Are there any similar approaches that allow a constant-time AES to be…
Jack Lloyd

RSA least significant bit oracle attack

I have been reading up on RSA attacks and came across one that could be called a least-significant-bit (LSB) oracle attack. For the sake of clarity let's define RSA primes $(p, q)$, private key $d$ and the public key $(e, N)$ where $N$ is the…
Pankrates

Should I delete cryptographic data from memory?

When dealing with cryptographic data, is there a chance that an attacker recovers a portion of the data I used in my program? Should I try to delete every bit of keys and encrypted data that I used, overwriting it with zeroes? And one extra, how is the situation…
user1687327

If a single bit was known through all states in AES, which would cause the most information to leak?

This question is motivated by some bad Verilog. Due to someone being sloppy with port assignments and an output statement, I have an AES core that has a single bit from an S-Box in the key schedule tied to a pin. This was caught in my audit of the…
b degnan

Can deterministic ECDSA be protected against fault attacks?

In a paper by Barenghi and Pelosi, it was described that fault attacks could be used to derive the secret key when using deterministic ECDSA as described in RFC6979 by @Thomas_Pornin Deterministic (EC)DSA. The purpose of the attacker in this case…

Why not use `<`, `>` or `==` in constant time comparison?

I am comparing secret data stored in arrays a and b to see which holds a greater value. My current (pseudo)code looks like this: unsigned char smaller = 0, bigger = 0; for (i = 0; i < size; ++i) { smaller |= (!bigger) & (a[i] < b[i]); bigger…
Sebastian

Why do crypto libs use table lookups when they're vulnerable to timing attacks?

AESEngine.java, from BouncyCastle, uses table lookups as does aes_x86core.c, in OpenSSL. But per Cache-timing attacks on AES table lookups like what OpenSSL and BouncyCastle are doing are vulnerable to timing attacks. So why would they use them?

Safely sorting secret data

Suppose you have a secret list of n distinct integers. How would you sort this list in a way that is not vulnerable to timing attacks? I tried looking up "constant time sorting" and other related queries but that expectedly led nowhere.
Kai Arakawa

Is it possible to test implementation for side-channel attacks?

When it comes to implementing cryptographic algorithms, there seems to be a big focus on the difficulty of doing so without introducing the potential for side channel attacks and the knowledge required. Along with that seems to go the assumption…
DasIch

Are garbage-collected programming languages inherently unsafe for use in cryptography?

In JP Aumasson's cryptocoding guidelines, he states that memory containing secret data should be cleared before it goes out of scope. This is to prevent vulnerabilities where, for example, an attacker could access the core dump file or use other…
DerekKnowles