[dm-devel] dm-crypt performance
Mikulas Patocka
mpatocka at redhat.com
Tue Apr 9 18:08:59 UTC 2013
On Tue, 26 Mar 2013, Milan Broz wrote:
> - Are we sure we are not inroducing some another side channel in disc
> encryption? (Unprivileged user can measure timing here).
> (Perhaps stupid reason but please do not prefer performance to security
> in encryption. Enough we have timing attacks for AES implementations...)
So use serpent - it is implemented without any data-dependent lookup
tables, so it has no timing attacks.
AES uses data-dependent lookup tables, on CPU with hyperthreding, the
second thread can observe L1 cache footprint done by the first thread and
get some information about data being encrypted...
Mikulas
More information about the dm-devel
mailing list