Subject: Re: [PATCH 1/3] crypto: authenc - add TLS type encryption
From: Tadeusz Struk
To: Cristian Stoica, herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net
Date: Tue, 8 Mar 2016 08:49:55 -0800
Message-ID: <56DF02B3.1070006@intel.com>
References: <20160306012044.6369.63924.stgit@tstruk-mobl1> <20160306012049.6369.99836.stgit@tstruk-mobl1> <56DD90CB.4080704@intel.com>

Hi Cristian,

On 03/08/2016 12:20 AM, Cristian Stoica wrote:
> There is also a follow-up in the next paragraph:
>
> "That pretty much sums up the new attack: the side-channel defenses that were hoped to be sufficient were found not to be (again). So the answer, this time I believe, is to make the processing rigorously constant-time."
>
> The author makes new changes and continues instrumenting the code and still finds 20 CPU cycles (out of 18000) difference between medians for different paddings. This small difference was detected also on a timing side-channel - which is the point I'm making.
>
> SSL/TLS is prone to this implementation issue and many user-space libraries got this wrong.
It would be good to see some numbers to back up the claim of timing differences as not being an issue for this one. It is hard to get the implementation right when the protocol design is error prone. Later we should run some tests on it and see how relevant this will be for a remote timing attack.

Thanks,
-- 
TS
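The "rigorously constant-time" processing that the quoted paragraph asks for, shown as an added example that is not part of this thread or of the authenc patch under discussion: a TLS CBC padding check written the leaky way beside a mask-based version, each reporting how many record bytes it read, plus a constant-time MAC comparison. The helper names (ct_eq8, ct_le_mask, tls_pad_check_vartime, tls_pad_check_ct, ct_mac_equal, run_check, accepted_len, examined_bytes) and the 64-byte record they operate on are constructed for this illustration and are not the kernel's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed helpers (not from the kernel's authenc code). Each yields 0xFF or
 * 0x00 so results can be combined as masks instead of branches. */
static uint8_t ct_eq8(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);          /* 0 iff a == b */
    return (uint8_t)((x - 1) >> 8);          /* 0xFF when x == 0, else 0x00 */
}

static uint8_t ct_le_mask(uint32_t a, uint32_t b)   /* 0xFF iff a <= b, for a, b < 2^31 */
{
    uint32_t r = a - b - 1;                  /* top bit set iff a <= b */
    return (uint8_t)(0 - (r >> 31));
}

/* Leaky shape: stops at the first bad byte, so the time spent depends on how
 * much of the secret plaintext tail happens to look like valid padding. */
int tls_pad_check_vartime(const uint8_t *rec, size_t len,
                          size_t *plaintext_len, size_t *bytes_examined)
{
    uint8_t pad = len ? rec[len - 1] : 0;
    size_t i, need = (size_t)pad + 1;
    int ok = len >= need;

    for (i = 0; ok && i < need; i++)
        ok = rec[len - 1 - i] == pad;        /* loop ends at the first bad byte */
    *bytes_examined = i;
    *plaintext_len = ok ? len - need : 0;
    return ok;
}

/* Constant-time shape: always reads min(len, 256) bytes (pad <= 255, so that
 * bound is public) and folds every comparison into one mask. */
int tls_pad_check_ct(const uint8_t *rec, size_t len,
                     size_t *plaintext_len, size_t *bytes_examined)
{
    *plaintext_len = *bytes_examined = 0;
    if (len == 0 || len > 0x7fffffffu)       /* the record length is public anyway */
        return 0;
    uint8_t pad = rec[len - 1];
    uint8_t good = ct_le_mask((uint32_t)pad + 1, (uint32_t)len);
    uint32_t scan = len < 256 ? (uint32_t)len : 256;

    for (uint32_t i = 0; i < scan; i++) {
        uint8_t in_pad = ct_le_mask(i, pad);          /* is byte i from the end padding? */
        uint8_t match = ct_eq8(rec[len - 1 - i], pad);
        good &= (uint8_t)(match | (uint8_t)~in_pad);  /* only padding bytes must match */
    }
    size_t mask = (size_t)0 - (size_t)(good & 1);
    *bytes_examined = scan;
    *plaintext_len = (len - (size_t)pad - 1) & mask;  /* 0 when rejected */
    return good & 1;
}

/* Constant-time MAC comparison: reads every byte regardless of mismatches. */
int ct_mac_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return ct_eq8(diff, 0) & 1;
}

/* Constructed 64-byte record: 0xAA filler then pad + 1 copies of pad (the whole
 * buffer when pad + 1 > 64, which both checks must reject). A non-zero
 * corrupt_at flips the byte that many positions from the end. */
static int run_check(int constant_time, uint8_t pad, size_t corrupt_at,
                     size_t *plen, size_t *n)
{
    uint8_t rec[64];
    size_t fill = (size_t)pad + 1 < sizeof rec ? (size_t)pad + 1 : sizeof rec;

    memset(rec, 0xAA, sizeof rec);
    memset(rec + sizeof rec - fill, pad, fill);
    if (corrupt_at)
        rec[sizeof rec - 1 - corrupt_at] ^= 0x01;
    return constant_time ? tls_pad_check_ct(rec, sizeof rec, plen, n)
                         : tls_pad_check_vartime(rec, sizeof rec, plen, n);
}

/* Accepted plaintext length, or -1 when the padding is rejected. */
long accepted_len(int constant_time, uint8_t pad, size_t corrupt_at)
{
    size_t plen, n;
    return run_check(constant_time, pad, corrupt_at, &plen, &n) ? (long)plen : -1;
}

/* How many record bytes the check read: the quantity a timing attack observes. */
size_t examined_bytes(int constant_time, uint8_t pad, size_t corrupt_at)
{
    size_t plen, n;
    run_check(constant_time, pad, corrupt_at, &plen, &n);
    return n;
}

int main(void)
{
    printf("valid pad 7:       vartime reads %zu bytes, ct reads %zu\n",
           examined_bytes(0, 7, 0), examined_bytes(1, 7, 0));
    printf("pad 7, byte 5 bad: vartime reads %zu bytes, ct reads %zu\n",
           examined_bytes(0, 7, 5), examined_bytes(1, 7, 5));
    return 0;
}
```

Both checks accept and reject the same records; the difference is that the variable-time one reads 2, 6 or 8 bytes depending on where the first bad padding byte sits, while the mask-based one reads 64 every time. Two caveats for anyone measuring this the way the quoted author did: reading a fixed number of bytes is necessary but not sufficient, because the MAC computation that follows must also not depend on how long the padding turned out to be, and a compiler is free to turn the mask arithmetic back into branches, so the generated code, not the C, is what has to be inspected.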