[Botan-announce] 1.8.10 - AES timing attack countermeasures, changes to private key encryption

Jack Lloyd lloyd at randombit.net
Tue Aug 31 13:04:59 EDT 2010

I've released botan 1.8.10, available here:


This is a fairly minor release. The most notable changes are

 - AES now uses a smaller table in the first round, which helps avoid,
   or at least makes more difficult, certain forms of cache analysis
   attacks. (Though it's very likely any table-based AES implementation
   is vulnerable to such attacks; if you are worried about them,
   consider using the constant time SSSE3 version of AES added in
   1.9.10).

 - Private keys are now encrypted with AES-256 instead of 3DES. In
   addition, the default iteration count used when encrypting new keys
   is now 10000 (rather than 2048).

 - A new PBKDF interface that takes, along with the passphrase and
   desired output length, the salt and iteration count to use.

   In 1.9, the older version that only takes the passphrase and output
   length, and assumes you set a salt and iteration count earlier, has
   been removed. (That version remains in 1.8).

 - In 1.9, the class S2K was renamed PBKDF because S2K caused some
   confusion, and PBKDF is the more conventional name for this type of
   algorithm (and is also easier to google for). A typedef of PBKDF to
   S2K is used there for backwards compatibility, but in this release
   there is also a forwards compatibility typedef of S2K to PBKDF,
   along with a function get_pbkdf so you can start using the name now
   if desired.
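The PBKDF bullet above describes an interface that takes the salt and
iteration count explicitly instead of relying on state set earlier.
The following is an added example, not Botan code: it uses Python's
stdlib PBKDF2-HMAC-SHA256 (an assumption; Botan's own PBKDF classes are
not used here) to show why those two parameters have to be passed in
and stored beside the encrypted key, and how the cost scales from the
old 2048-iteration default to the new 10000. The header layout
(pack_kdf_params) is a hypothetical container format, not Botan's.

```python
import hashlib
import struct
import time

# AES-256 needs a 32-byte key; the announcement says private keys are
# now wrapped with AES-256, so that is the derived-key length used here.
AES256_KEY_LEN = 32

# Iteration counts quoted in the announcement, used below only to
# compare derivation cost.
OLD_DEFAULT_ITERATIONS = 2048
NEW_DEFAULT_ITERATIONS = 10000


def derive_key(passphrase, out_len, salt, iterations):
    """PBKDF2-HMAC-SHA256 with every parameter passed explicitly.

    Same shape as the newer interface in the announcement (passphrase,
    output length, salt, iteration count), but this is the stdlib
    PBKDF2, not Botan's implementation (assumption).
    """
    if len(salt) < 8:
        raise ValueError("salt must be at least 8 bytes")
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, out_len)


def pack_kdf_params(salt, iterations):
    """Serialise the KDF parameters so they travel with the ciphertext.

    Hypothetical layout: 1-byte salt length, salt bytes, 4-byte
    big-endian iteration count. Not Botan's on-disk format.
    """
    if not 8 <= len(salt) <= 255:
        raise ValueError("salt length must fit in one byte and be >= 8")
    return struct.pack(">B", len(salt)) + salt + struct.pack(">I", iterations)


def unpack_kdf_params(blob):
    """Parse the header back out; returns (salt, iterations, remainder).

    Rejects truncated input so a short or corrupted file cannot yield
    an empty salt or a garbage iteration count.
    """
    if len(blob) < 1:
        raise ValueError("empty header")
    salt_len = blob[0]
    if len(blob) < 1 + salt_len + 4:
        raise ValueError("truncated KDF header")
    salt = blob[1:1 + salt_len]
    (iterations,) = struct.unpack(">I", blob[1 + salt_len:5 + salt_len])
    return salt, iterations, blob[5 + salt_len:]


def rederive_from_header(passphrase, header_and_body):
    """Recover the wrapping key using only the passphrase and the stored
    header, which is the point of passing salt/iterations explicitly."""
    salt, iterations, _body = unpack_kdf_params(header_and_body)
    return derive_key(passphrase, AES256_KEY_LEN, salt, iterations)


def time_derivation(passphrase, salt, iterations):
    """Wall-clock seconds for one derivation at the given count."""
    start = time.perf_counter()
    derive_key(passphrase, AES256_KEY_LEN, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample values; a real salt comes from a CSPRNG.
    salt = bytes(range(16))
    passphrase = "correct horse battery staple"
    header = pack_kdf_params(salt, NEW_DEFAULT_ITERATIONS)
    key = derive_key(passphrase, AES256_KEY_LEN, salt, NEW_DEFAULT_ITERATIONS)
    assert rederive_from_header(passphrase, header + b"ciphertext...") == key
    for n in (OLD_DEFAULT_ITERATIONS, NEW_DEFAULT_ITERATIONS):
        print(f"{n:6d} iterations: {time_derivation(passphrase, salt, n):.4f}s")
```

Because the salt and iteration count are parsed from the header rather
than remembered from an earlier call, a key file written with one
default (2048) still decrypts after the default changes (10000), and a
key written with an unusually low count is visible on inspection.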

Finally, if you haven't already, fill out the survey! It will take
just a few minutes and it lets me know what needs fixing. Even
if the answer is 'Nothing you damn fool quit changing stuff'. Maybe
especially that.
