In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost realtime for AES-128, requiring only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations using compressed tables, where it is not possible to find out the beginning of AES rounds any more -- a corner stone for all efficient previous attacks. All results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations.
A contribution of probably independent interest is a denial of service attack on the scheduler of current Linux systems (CFS), which allows to monitor memory accesses with novelly high precision. Finally, we give some generalizations of our attack, and suggest some possible countermeasures which would render our attack impossible.Category / Keywords: implementation / AES; side channel; access-based cache-attacks; Publication Info: extended abstracts have appeared at "Security and Privacy 2011" and "COSADE 2011" Date: received 22 Nov 2010, last revised 19 Oct 2011 Contact author: stephan krenn at bfh ch Available format(s): PDF | BibTeX Citation Version: 20111019:073729 (All versions of this report) Short URL: ia.cr/2010/594 Discussion forum: Show discussion | Start new discussion