Closed sarciszewski closed 5 years ago
Potentially great additional place to start
Thanks for the comments. @Aranjedeath, seems like the SJCL uses the same implementation, so they are likely susceptible to the same attacks. Please correct me if I'm wrong.
BTW, it also looks like the Go implementation uses the same algorithm. Any good implementations that you recommend checking out?
After a bit more reading, it seems constant-time AES implementations are mainly academic and not commonly implemented.
While I agree with the points in Dan Bernstein's paper, the practical take-away is just to use salsa20 instead, whose main design goals include no secret-based lookups on the critical path. It's a little bit of an advertisement for his own work.
Well, you've come to the right place: if you encrypt with TripleSec, you get Salsa20 as one of the ciphers, and an adversary who successfully pulls off a cache-timing attack against you would still have to break Salsa20 to recover full keys or plaintexts.
https://github.com/keybase/triplesec/blob/ecf9dccd9352d624a0658f8e38c63a9235e268c7/lib/aes.js#L148-L173
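The thread above contrasts table-driven AES (S-box or T-table lookups whose memory address depends on key or state bytes) with designs that avoid secret-indexed lookups. The following is an added example, not TripleSec's code nor the implementation linked above: it builds the AES S-box from its FIPS-197 definition, then shows the variable-time lookup a typical table implementation performs next to a constant-time lookup that reads every table entry and selects the wanted one with an arithmetic mask, so the memory access pattern no longer depends on the secret byte. The function names and the scan-all approach are this example's own choices.

```javascript
// Added example (not TripleSec code): a secret-indexed S-box lookup versus a
// lookup whose access pattern is independent of the secret byte.

// Multiply two elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b).
function gfMul(a, b) {
  let p = 0;
  for (let i = 0; i < 8; i++) {
    if (b & 1) p ^= a;
    const carry = a & 0x80;
    a = (a << 1) & 0xff;
    if (carry) a ^= 0x1b;
    b >>= 1;
  }
  return p;
}

// Multiplicative inverse via a^254 (the group has order 255); inv(0) is 0 by convention.
function gfInv(a) {
  let result = 1, base = a;
  for (let e = 254; e > 0; e >>= 1) {
    if (e & 1) result = gfMul(result, base);
    base = gfMul(base, base);
  }
  return a === 0 ? 0 : result;
}

// Build the AES S-box: inverse in GF(2^8), then the affine transform
// s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63.
function buildSbox() {
  const sbox = new Uint8Array(256);
  for (let x = 0; x < 256; x++) {
    const b = gfInv(x);
    let s = b;
    for (let r = 1; r <= 4; r++) s ^= ((b << r) | (b >>> (8 - r))) & 0xff;
    sbox[x] = s ^ 0x63;
  }
  return sbox;
}

const SBOX = buildSbox();

// Variable-time: which cache line is touched depends on secretByte, which is
// exactly what a cache-timing attacker measures.
function sboxLookupTable(secretByte) {
  return SBOX[secretByte & 0xff];
}

// Constant-time: touch all 256 entries in the same order every call and keep
// the wanted one with a branch-free mask (0xff when i === secretByte, else 0).
function sboxLookupConstantTime(secretByte) {
  const s = secretByte & 0xff;
  let out = 0;
  for (let i = 0; i < 256; i++) {
    const mask = (((i ^ s) - 1) >> 31) & 0xff; // -1 >> 31 === -1 only when i === s
    out |= SBOX[i] & mask;
  }
  return out;
}

// Sanity check: both lookups agree on every input byte.
function lookupsAgree() {
  for (let x = 0; x < 256; x++) {
    if (sboxLookupTable(x) !== sboxLookupConstantTime(x)) return false;
  }
  return true;
}

module.exports = { SBOX, sboxLookupTable, sboxLookupConstantTime, lookupsAgree };
```

The scan-all form is the simplest lookup that is correct by construction; production constant-time AES instead uses bitsliced or vector-permute implementations, which are much faster. Note also that in JavaScript the constant-time property is only as good as the engine underneath: a JIT may still compile the mask arithmetic into something with data-dependent timing, which is one more reason the thread's advice to lean on a cipher designed without secret-indexed lookups (Salsa20) is the practical answer.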