Giters

keybase / triplesec

Triple Security for the browser and Node.js

Home Page:https://keybase.io/triplesec

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

AES Implementation is not Cache-Timing Safe

sarciszewski opened this issue · comments

commented

triplesec/lib/aes.js

Lines 148 to 173 in ecf9dcc

AES.prototype._doCryptBlock = function(M, offset, keySchedule, SUB_MIX, SBOX) {
var ksRow, round, s0, s1, s2, s3, t0, t1, t2, t3, _i, _ref;
s0 = M[offset] ^ keySchedule[0];
s1 = M[offset + 1] ^ keySchedule[1];
s2 = M[offset + 2] ^ keySchedule[2];
s3 = M[offset + 3] ^ keySchedule[3];
ksRow = 4;
for (round = _i = 1, _ref = this._nRounds; 1 <= _ref ? _i < _ref : _i > _ref; round = 1 <= _ref ? ++_i : --_i) {
t0 = SUB_MIX[0][s0 >>> 24] ^ SUB_MIX[1][(s1 >>> 16) & 0xff] ^ SUB_MIX[2][(s2 >>> 8) & 0xff] ^ SUB_MIX[3][s3 & 0xff] ^ keySchedule[ksRow++];
t1 = SUB_MIX[0][s1 >>> 24] ^ SUB_MIX[1][(s2 >>> 16) & 0xff] ^ SUB_MIX[2][(s3 >>> 8) & 0xff] ^ SUB_MIX[3][s0 & 0xff] ^ keySchedule[ksRow++];
t2 = SUB_MIX[0][s2 >>> 24] ^ SUB_MIX[1][(s3 >>> 16) & 0xff] ^ SUB_MIX[2][(s0 >>> 8) & 0xff] ^ SUB_MIX[3][s1 & 0xff] ^ keySchedule[ksRow++];
t3 = SUB_MIX[0][s3 >>> 24] ^ SUB_MIX[1][(s0 >>> 16) & 0xff] ^ SUB_MIX[2][(s1 >>> 8) & 0xff] ^ SUB_MIX[3][s2 & 0xff] ^ keySchedule[ksRow++];
s0 = t0;
s1 = t1;
s2 = t2;
s3 = t3;
}
t0 = ((SBOX[s0 >>> 24] << 24) | (SBOX[(s1 >>> 16) & 0xff] << 16) | (SBOX[(s2 >>> 8) & 0xff] << 8) | SBOX[s3 & 0xff]) ^ keySchedule[ksRow++];
t1 = ((SBOX[s1 >>> 24] << 24) | (SBOX[(s2 >>> 16) & 0xff] << 16) | (SBOX[(s3 >>> 8) & 0xff] << 8) | SBOX[s0 & 0xff]) ^ keySchedule[ksRow++];
t2 = ((SBOX[s2 >>> 24] << 24) | (SBOX[(s3 >>> 16) & 0xff] << 16) | (SBOX[(s0 >>> 8) & 0xff] << 8) | SBOX[s1 & 0xff]) ^ keySchedule[ksRow++];
t3 = ((SBOX[s3 >>> 24] << 24) | (SBOX[(s0 >>> 16) & 0xff] << 16) | (SBOX[(s1 >>> 8) & 0xff] << 8) | SBOX[s2 & 0xff]) ^ keySchedule[ksRow++];
M[offset] = t0;
M[offset + 1] = t1;
M[offset + 2] = t2;
return M[offset + 3] = t3;
};

commented

Potentially great additional place to start

https://crypto.stanford.edu/sjcl/

commented

Thanks for the comments. @Aranjedeath, seems like the SJCL uses the same implementation, so they are likely susceptible to the same attacks. Please correct me if I'm wrong.

commented

BTW, it also looks like the Go implementation also uses the same algorithm. Any good implementations that you recommend checking out?

commented

After a bit more reading, it seems constant-time AES implementations seem mainly academic and not commonly implemented.

While I agree with the points in Dan Bernstein's paper, the practical take-away is just to use salsa20 instead, whose main design goals include no secret-based lookups on the critical path. It's a little bit of an advertisement for his own work.

Well, you've come to the right place, if you encrypt with TripleSec, you get Salsa20 as one of the ciphers, and an adversary who successfully pulls of a cache-timing attack against you would still have to break Salsa20 to recover full keys or plaintexts.