Closed pornin closed 3 years ago
I have reviewed https://github.com/cheatfate/nimcrypto/pull/43/files and observe that the code is now a Nim version of aes_ct.c and aes_ct64.c from the BearSSL project. As such, this finding can be closed. Thank you!!
(Tags: nbc-audit-2020-0, difficulty:high, severity:low, bug)
The AES implementation in rijndael.nim is a classic implementation based on look-up tables. Since it involves lookups at addresses that depend on secret data, it is vulnerable to cache attacks. In fact, a similar table-based AES implementation was the context in which cache attacks were first demonstrated in 2005. On x86 systems, it is highly recommended to use the dedicated hardware instructions for AES, which are inherently immune to such attacks; they are also vastly faster. Similar dedicated instructions exist in recent CPUs for other architectures, such as ARM or POWER8.

If a fully portable, Nim-only implementation is needed, a constant-time implementation of AES is still possible; see for instance the aes_ct and aes_ct64 implementations in BearSSL. On a platform with native 64-bit registers, the aes_ct64 implementation achieves about half the bandwidth of a classic table-based implementation when encrypting or decrypting with a mode amenable to parallelism (e.g. CTR, or CBC decryption, but not CBC encryption, which is not parallel).
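As an added illustration of the difference the finding describes (this is example code written for this note, not code from nimcrypto or from BearSSL), the C below computes the AES S-box two ways: the classic secret-indexed table read, and a branch-free, lookup-free computation of S(x) = affine(x^-1) using constant-time GF(2^8) arithmetic. The inversion-by-exponentiation approach is chosen for readability; BearSSL's aes_ct instead evaluates a bitsliced Boolean circuit over many bytes in parallel, which is what makes it fast enough for production use. Function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constant-time AES S-box versus the table-based form.
 * The table version reads table[x], so the memory address depends on the
 * secret byte x and can leak through cache timing. The constant-time version
 * uses fixed-iteration loops and masks only: no memory access and no branch
 * depends on x.
 */

/* Multiply a by b in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, branch-free. */
static uint8_t gf_mul_ct(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t bit = (uint8_t)((b >> i) & 1);
        uint8_t mask = (uint8_t)(0u - bit);           /* 0xFF if bit set, else 0 */
        r ^= (uint8_t)(a & mask);
        uint8_t carry = (uint8_t)(0u - (a >> 7));     /* 0xFF if top bit of a set */
        a = (uint8_t)((a << 1) ^ (carry & 0x1B));     /* xtime with reduction */
    }
    return r;
}

/* Multiplicative inverse as a^254 (Fermat); maps 0 to 0 as AES requires. */
static uint8_t gf_inv_ct(uint8_t a)
{
    uint8_t result = 1, base = a;
    const uint8_t exp = 254;
    for (int i = 0; i < 8; i++) {                     /* always 8 iterations */
        uint8_t mask = (uint8_t)(0u - ((exp >> i) & 1));
        uint8_t t = gf_mul_ct(result, base);
        result ^= (uint8_t)((result ^ t) & mask);     /* select t iff bit set */
        base = gf_mul_ct(base, base);
    }
    return result;
}

static uint8_t rotl8(uint8_t x, int n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* S(x) = affine(x^-1): the fixed matrix as four rotations, plus constant 0x63. */
uint8_t sbox_ct(uint8_t x)
{
    uint8_t b = gf_inv_ct(x);
    return (uint8_t)(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63);
}

/* Classic table-based form, for contrast: build once, then every lookup is a
   secret-indexed memory read, which is the cache side channel of the finding. */
void build_sbox_table(uint8_t table[256])
{
    for (int i = 0; i < 256; i++)
        table[i] = sbox_ct((uint8_t)i);
}

uint8_t sbox_lookup(const uint8_t table[256], uint8_t x)
{
    return table[x];                                  /* address depends on x */
}

/* Self-check: the S-box must be a bijection on bytes and match FIPS-197 values. */
int sbox_self_check(void)
{
    uint8_t seen[256] = {0};
    for (int i = 0; i < 256; i++) {
        uint8_t s = sbox_ct((uint8_t)i);
        if (seen[s]) return 0;
        seen[s] = 1;
    }
    return sbox_ct(0x00) == 0x63 && sbox_ct(0x01) == 0x7C &&
           sbox_ct(0x53) == 0xED && sbox_ct(0xFF) == 0x16;
}

int main(void)
{
    uint8_t table[256];
    build_sbox_table(table);
    printf("self-check: %s\n", sbox_self_check() ? "ok" : "FAILED");
    printf("S(0x53): table=%02x constant-time=%02x\n",
           sbox_lookup(table, 0x53), sbox_ct(0x53));
    return 0;
}
```

The value S(0x53) = 0xED is the worked example from FIPS-197, and the self-check confirms all 256 outputs are distinct. Two caveats apply to any such code: "constant-time" holds only if the compiler keeps the mask arithmetic as arithmetic rather than turning it back into branches, so the generated assembly should be inspected on each target; and per-byte inversion like this is far slower than either a table or the bitsliced circuit in aes_ct, so it shows the principle rather than a drop-in replacement.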