| Type | Name | Value |
|---|---|---|
| constexpr static const std::size_t | block_bits | policy_type::block_bits |
| constexpr static const std::size_t | block_words | policy_type::block_words |
| constexpr static const std::size_t | key_bits | policy_type::key_bits |
| constexpr static const std::size_t | key_words | policy_type::key_words |
| constexpr static const std::uint8_t | rounds | policy_type::rounds |
| constexpr static const std::size_t | word_bits | policy_type::word_bits |
| constexpr static const std::size_t | word_bytes | policy_type::word_bytes |
template<std::size_t KeyBits, std::size_t BlockBits>
class nil::crypto3::block::rijndael< KeyBits, BlockBits >
Rijndael. AES competition winner.
Generic Rijndael cipher implementation. Contains the AES-standardized cipher variants, with mechanisms that prevent timing attacks and cache-line leakage attacks. Optimized for the particular architecture in use. The AES-standardized version comes in three variants: AES-128, AES-192, and AES-256.
The standard 128-bit block cipher. Many modern platforms offer hardware acceleration. However, on platforms without hardware support, AES implementations are typically vulnerable to side channel attacks. For x86 systems with SSSE3 but without AES-NI, crypto3 has an implementation which avoids known side channels.
This implementation is based on table lookups, which are known to be vulnerable to timing and cache-based side channel attacks. Some countermeasures are applied which may help in some situations:
- Only a single 256-word T-table is used, with rotations applied. Most implementations use 4 T-tables, which leak much more information through cache usage.
- The TE and TD tables are computed at runtime to avoid flush+reload attacks using clflush. As different processes will not share the same underlying table data, an attacker can't manipulate another process's cache lines through a shared mapping of the library's read-only segment.
- Each cache line of the lookup tables is accessed at the beginning of each call to encrypt or decrypt. (See the Z variable below)
If available, SSSE3 or AES-NI are used instead of this version, as both are faster and immune to side channel attacks.
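The three countermeasures above, shown as an added C++ example that is not crypto3's own code: the S-box and the single TE table are derived at runtime, the other three classic T-tables are obtained by rotating TE, and every cache line of the table is read before data-dependent lookups. The `aes_demo` namespace, the function names and the 64-byte cache line size are assumptions of this example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
namespace aes_demo {  // hypothetical namespace, not part of crypto3
constexpr std::uint8_t rotl8(std::uint8_t x, unsigned s) { return static_cast<std::uint8_t>((x << s) | (x >> (8 - s))); }
constexpr std::uint32_t rotr32(std::uint32_t x, unsigned s) { return (x >> (s & 31)) | (x << ((32 - s) & 31)); }
// Multiply by 2 in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
constexpr std::uint8_t xtime(std::uint8_t x) {
    return static_cast<std::uint8_t>((x << 1) ^ ((x & 0x80) ? 0x1b : 0));
}
// Derive the S-box at runtime (GF(2^8) inverse, then the affine map) instead of
// embedding a constant table, so the memory is private to this process rather than
// a shared read-only segment that another process could flush and reload.
std::array<std::uint8_t, 256> make_sbox() {
    std::array<std::uint8_t, 256> sbox{};
    std::uint8_t p = 1, q = 1;
    do {  // p walks powers of the generator 3, q walks its inverse: p * q == 1
        p = static_cast<std::uint8_t>(p ^ xtime(p));
        q = static_cast<std::uint8_t>(q ^ (q << 1));
        q = static_cast<std::uint8_t>(q ^ (q << 2));
        q = static_cast<std::uint8_t>(q ^ (q << 4));
        if (q & 0x80) q ^= 0x09;
        sbox[p] = static_cast<std::uint8_t>(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;  // zero has no inverse; only the affine constant remains
    return sbox;
}
// A single T-table TE[x] = (2*S[x], S[x], S[x], 3*S[x]); the other three tables of a
// classic four-table implementation are byte rotations of it (see te_n below).
std::array<std::uint32_t, 256> make_te(const std::array<std::uint8_t, 256>& sbox) {
    std::array<std::uint32_t, 256> te{};
    for (std::size_t i = 0; i < te.size(); ++i) {
        const std::uint8_t s = sbox[i], s2 = xtime(s), s3 = static_cast<std::uint8_t>(s2 ^ s);
        te[i] = (std::uint32_t{s2} << 24) | (std::uint32_t{s} << 16) | (std::uint32_t{s} << 8) | s3;
    }
    return te;
}
// T_n[x] for n = 0..3, read from the one table by rotation instead of from a second table.
constexpr std::uint32_t te_n(std::uint32_t te0_x, unsigned n) { return rotr32(te0_x, 8 * n); }
// Read one word from every 64-byte line (assumed line size) before the data-dependent
// lookups so that each line is already cached; the volatile sink keeps the reads alive.
std::uint32_t touch_all_lines(const std::array<std::uint32_t, 256>& te) {
    volatile std::uint32_t z = 0;
    for (std::size_t i = 0; i < te.size(); i += 64 / sizeof(std::uint32_t)) z = z | te[i];
    return z;
}
}  // namespace aes_demo
```

The first entries of the generated table match the canonical Te0 (0xc66363a5, 0xf87c7c84), and Te1..Te3 fall out of `te_n` as 8-, 16- and 24-bit rotations.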
Some AES cache timing papers for reference:
- Software mitigations to hedge AES against cache-based software side channel vulnerabilities
- Cache Games - Bringing Access-Based Cache Attacks on AES to Practice
- Cache-Collision Timing Attacks Against AES. Bonneau, Mironov
Template Parameters
| Parameter | Description |
|---|---|
| KeyBits | Key length used in bits. Available values are: 128, 192, 256 |
| BlockBits | Block length used in bits. Available values are: 128, 192, 256 |