A new timing attack against the AES algorithm can be used to extract entire Advanced Encryption Standard keys from remote servers.
Daniel Bernstein, an associate professor at the University of Illinois at Chicago, recently released a paper showing how an attack against a server running the OpenSSL AES implementation could recover the entire encryption key.
The attack is based on an attacker watching the victim machine and observing how long it takes to perform various cryptographic functions in AES. Through that observation, the attacker can glean certain data about the secret key and use statistical analysis to recover the key. "This attack should be blamed on the AES design, not on the particular AES library used by the [target] server," Bernstein wrote in his paper.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.