Computer Engineering and Applications, 2009, Vol. 45, Issue (16): 130-133. DOI: 10.3778/j.issn.1002-8331.2009.16.038

• Network, Communication, Security •

Access-driven Cache attack method against AES on the first two rounds

ZHAO Xin-jie, MI Dong, WANG Tao, ZHENG Yuan-yuan, CHEN Cai-sen, ZHENG Wei

  1. Department of Computer Engineering, Ordnance Engineering College, Shijiazhuang 050003, China
  • Received: 2008-04-10 Revised: 2008-06-23 Online: 2009-06-01 Published: 2009-06-01
  • Contact: ZHAO Xin-jie

Abstract: A memory cache has two key properties: data access time is non-deterministic, and the cache is shared among processes. Fast software implementations of AES perform many table lookups, each of which accesses the cache; the lookup indices determine whether an access hits or misses, and those indices are closely related to the secret key. Targeting 128-bit AES, the authors use a spy process to collect the cache access patterns of the AES process during encryption, then analyze the relationship among the table lookup indices, the plaintext and the initial key in the first two rounds of encryption. The first-round analysis recovers 64 bits of the key, the second-round analysis recovers the remaining key bits, and the full 128-bit AES key is thereby obtained.

Key words: access-driven, Cache, timing attack, Advanced Encryption Standard(AES), table lookup indices
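
The first-round result in the abstract (64 of 128 key bits) can be reproduced on a leakage model; the simulation below is an added example, not the paper's code. Its assumptions are not stated on the page: four 256-entry lookup tables with 4-byte entries, 64-byte cache lines (16 lines per table, so a line number is the high nibble of the index), byte i using table i mod 4, and later-round lookups modelled as random noise.

```python
import random

LINES_PER_TABLE = 16   # assumption: 256 four-byte entries, 64-byte cache lines
OTHER_LOOKUPS = 36     # assumption: later-round lookups per table, modelled as random

def observe(key, plaintext, rng):
    """Constructed leakage model: per-table sets of cache lines touched by one encryption."""
    touched = [set() for _ in range(4)]
    for i in range(16):
        index = plaintext[i] ^ key[i]      # first-round lookup index
        touched[i % 4].add(index >> 4)     # cache line = high nibble of the index
    for table in touched:                  # noise standing in for rounds 2..10
        table.update(rng.randrange(LINES_PER_TABLE) for _ in range(OTHER_LOOKUPS))
    return touched

def first_round_analysis(samples):
    """Keep, for each key byte, the high nibbles consistent with every observation."""
    candidates = [set(range(16)) for _ in range(16)]
    for plaintext, touched in samples:
        for i in range(16):
            candidates[i] = {h for h in candidates[i]
                             if ((plaintext[i] >> 4) ^ h) in touched[i % 4]}
    return candidates

def run_demo(n_samples=400, seed=1):
    """Run the analysis on a constructed key and constructed random plaintexts."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    samples = []
    for _ in range(n_samples):
        pt = bytes(rng.randrange(256) for _ in range(16))
        samples.append((pt, observe(key, pt, rng)))
    return key, first_round_analysis(samples)

def bits_fixed(candidates):
    """Each uniquely determined high nibble fixes 4 key bits."""
    return sum(4 for c in candidates if len(c) == 1)

if __name__ == "__main__":
    key, cands = run_demo()
    print("surviving high nibbles per key byte:", [sorted(c) for c in cands])
    print("key bits fixed by first-round analysis:", bits_fixed(cands), "of 128")
```

The low nibble of each key byte never changes which line is touched in the first round, which is why the remaining 64 bits need the second-round analysis the abstract describes.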