cheatfate / nimcrypto

Nim cryptographic library
MIT License

[SEC] AES/Rijndael implementation is vulnerable to cache attacks #42

Closed pornin closed 3 years ago

pornin commented 4 years ago

(Tags: nbc-audit-2020-0, difficulty:high, severity:low, bug)

The AES implementation in rijndael.nim is a classic implementation based on look-up tables. Since it involves lookups at addresses that depend on secret data, it is vulnerable to cache attacks. In fact, a similar table-based AES implementation was the context in which cache attacks were first demonstrated in 2005.

On x86 systems, it is highly recommended to use the dedicated hardware instructions for AES, which are inherently immune to such attacks; they are also vastly faster. Similar dedicated instructions exist in recent CPUs for other architectures, such as ARM or POWER8.

If a fully portable, Nim-only implementation is needed, a constant-time implementation of AES is still possible; see for instance the aes_ct and aes_ct64 implementations in BearSSL. On a platform with native 64-bit registers, the aes_ct64 implementation achieves about half the bandwidth of a classic table-based implementation when encrypting or decrypting with a mode amenable to parallelism (e.g. CTR, or CBC decryption, but not CBC encryption, which is not parallel).
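Added example (not code from the issue, from nimcrypto or from BearSSL): the contrast the report draws, written out in C. `sbox_table` performs the secret-indexed lookup that a table-based AES does for every S-box byte, and `sbox_ct` computes the same value with GF(2^8) arithmetic whose sequence of operations and memory accesses does not depend on the input byte, which is the property a constant-time implementation needs. This takes the arithmetic route (inverse as a fixed power, then the affine map) rather than the bitsliced circuit that BearSSL's aes_ct uses; the lookup table is derived from the arithmetic at start-up instead of being a compile-time constant, and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* --- Table-based path (the pattern the issue describes) --- */

static uint8_t SBOX_TABLE[256];   /* filled once by init_table() */

/* The address touched here is SBOX_TABLE + secret: which cache line is
 * loaded depends on the secret byte, and a co-resident process that shares
 * the cache can observe that through timing. */
static uint8_t sbox_table(uint8_t secret)
{
    return SBOX_TABLE[secret];
}

/* --- Constant-time path: compute the S-box instead of looking it up --- */

/* Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11b). Every iteration does
 * the same work; operand bits only select values through 0x00/0xff masks,
 * so there is no data-dependent branch or memory access. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t bit = (uint8_t)-((b >> i) & 1);      /* 0x00 or 0xff */
        r ^= a & bit;
        uint8_t carry = (uint8_t)-((a >> 7) & 1);    /* 0x00 or 0xff */
        a = (uint8_t)((a << 1) ^ (0x1b & carry));    /* xtime(a) */
    }
    return r;
}

/* Inverse as a^254 (= a^(2^8-2)). The exponent is a public constant, so the
 * multiplication chain is fixed, and 0 maps to 0 as AES requires. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t a2   = gf_mul(a, a);          /* a^2   */
    uint8_t a3   = gf_mul(a2, a);         /* a^3   */
    uint8_t a6   = gf_mul(a3, a3);        /* a^6   */
    uint8_t a12  = gf_mul(a6, a6);        /* a^12  */
    uint8_t a15  = gf_mul(a12, a3);       /* a^15  */
    uint8_t a30  = gf_mul(a15, a15);      /* a^30  */
    uint8_t a60  = gf_mul(a30, a30);      /* a^60  */
    uint8_t a120 = gf_mul(a60, a60);      /* a^120 */
    uint8_t a240 = gf_mul(a120, a120);    /* a^240 */
    return gf_mul(a240, gf_mul(a12, a2)); /* a^(240+12+2) = a^254 */
}

static uint8_t rotl8(uint8_t x, int n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* AES S-box: affine transform of the field inverse (FIPS-197, 5.1.1). */
static uint8_t sbox_ct(uint8_t x)
{
    uint8_t v = gf_inv(x);
    return (uint8_t)(v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63);
}

/* A real table-based implementation bakes this table in as a constant; here
 * it is derived once at start-up (over all 256 public indices) so the two
 * paths can be compared. */
static void init_table(void)
{
    for (int i = 0; i < 256; i++)
        SBOX_TABLE[i] = sbox_ct((uint8_t)i);
}

/* Sanity check on the arithmetic: the S-box must be a permutation of 0..255. */
static int sbox_ct_is_permutation(void)
{
    uint8_t seen[256] = {0};
    for (int i = 0; i < 256; i++)
        seen[sbox_ct((uint8_t)i)] = 1;
    for (int i = 0; i < 256; i++)
        if (!seen[i]) return 0;
    return 1;
}

int main(void)
{
    init_table();
    uint8_t probes[] = {0x00, 0x01, 0x53, 0xff};
    for (size_t i = 0; i < sizeof probes; i++)
        printf("S[%02x] table=%02x ct=%02x\n", probes[i],
               sbox_table(probes[i]), sbox_ct(probes[i]));
    printf("permutation: %s\n", sbox_ct_is_permutation() ? "yes" : "no");
    return 0;
}
```

The two functions return identical bytes for every input; the difference is only in what the CPU does on the way, and that is exactly what a cache-timing observer sees. A full constant-time AES extends the same idea to the whole round (BearSSL does it by bitslicing so that the S-box is a boolean circuit over many bytes at once), which is why it costs roughly the factor the report quotes relative to the table-based version.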

eschorn1 commented 3 years ago

I have reviewed https://github.com/cheatfate/nimcrypto/pull/43/files and observe that the code is now a Nim version of aes_ct.c and aes_ct64.c from the BearSSL project. As such, this finding can be closed. Thank you!!