Patents by Inventor Adam Markowitz

Adam Markowitz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11706015
    Abstract: A method for side-channel attack mitigation in streaming encryption includes reading an input stream into a decryption process, extracting an encryption envelope having a wrapped key, a cipher text, and a first message authentication code (MAC) from the input stream, generating a second MAC using the wrapped key of the encryption envelope, and performing decryption of the cipher text in constant time by determining whether the encryption envelope is authentic by comparing the first MAC extracted from the encryption envelope and the second MAC generated using the wrapped key.
    Type: Grant
    Filed: October 27, 2021
    Date of Patent: July 18, 2023
    Assignee: Google LLC
    Inventor: Adam Markowitz
  • Publication number: 20220141006
    Abstract: Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and, periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Finally, in response to an access request for the clear data, an attempt to locate in the cache a key decryption key for the encrypted cipher is made. If the attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text decrypted to produce the clear data.
    Type: Application
    Filed: January 11, 2022
    Publication date: May 5, 2022
    Applicant: Google LLC
    Inventors: Shaunak Mistry, Adam Markowitz
  • Publication number: 20220052833
    Abstract: A method for side-channel attack mitigation in streaming encryption includes reading an input stream into a decryption process, extracting an encryption envelope having a wrapped key, a cipher text, and a first message authentication code (MAC) from the input stream, generating a second MAC using the wrapped key of the encryption envelope, and performing decryption of the cipher text in constant time by determining whether the encryption envelope is authentic by comparing the first MAC extracted from the encryption envelope and the second MAC generated using the wrapped key.
    Type: Application
    Filed: October 27, 2021
    Publication date: February 17, 2022
    Applicant: Google LLC
    Inventor: Adam Markowitz
  • Patent number: 11233631
    Abstract: Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and, periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Finally, in response to an access request for the clear data, an attempt to locate in the cache a key decryption key for the encrypted cipher is made. If the attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text decrypted to produce the clear data.
    Type: Grant
    Filed: October 9, 2019
    Date of Patent: January 25, 2022
    Assignee: Google LLC
    Inventors: Shaunak Mistry, Adam Markowitz
  • Patent number: 11177933
    Abstract: A method for side-channel attack mitigation in streaming encryption includes reading into a decryption process executing in memory of a computer, an input stream and extracting from the input stream both an encryption envelope and cipher text and extracting from the encryption envelope, a wrapped key. Then, decryption may be performed in constant time of the cipher text using one of two different keys, a first for authenticated decryption comprising the wrapped key, and a second for unauthenticated encryption comprising a dummy key, with no difference in timing of execution regardless of which of the two different keys are utilized during decryption of the cipher text.
    Type: Grant
    Filed: March 24, 2019
    Date of Patent: November 16, 2021
    Assignee: Google LLC
    Inventor: Adam Markowitz
  • Publication number: 20210111879
    Abstract: Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and, periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Finally, in response to an access request for the clear data, an attempt to locate in the cache a key decryption key for the encrypted cipher is made. If the attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text decrypted to produce the clear data.
    Type: Application
    Filed: October 9, 2019
    Publication date: April 15, 2021
    Applicant: Google LLC
    Inventors: Shaunak Mistry, Adam Markowitz
  • Publication number: 20200304283
    Abstract: Embodiments of the present invention provide a method, system and computer program product for side-channel attack mitigation in streaming encryption. In an embodiment of the invention, a method for side-channel attack mitigation in streaming encryption includes reading into a decryption process executing in memory of a computer, an input stream and extracting from the input stream both an encryption envelope and cipher text and extracting from the encryption envelope, a wrapped key. Then, decryption may be performed in constant time of the cipher text using one of two different keys, a first for authenticated decryption comprising the wrapped key, and a second for unauthenticated encryption comprising a dummy key, with no difference in timing of execution regardless of which of the two different keys are utilized during decryption of the cipher text.
    Type: Application
    Filed: March 24, 2019
    Publication date: September 24, 2020
    Inventor: Adam Markowitz