Paper 2018/747

Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure

Eyal Ronen, Kenneth G. Paterson, and Adi Shamir

Abstract

Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon's s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use "pseudo constant time" countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.
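The distinction the abstract turns on, between a countermeasure that only equalises hashing work and one that removes secret-dependent control flow, is easiest to see side by side. The following is an added illustration written for this page; it is not code from the paper and not the code of s2n, GnuTLS, mbed TLS or wolfSSL, and it does not reproduce the paper's attacks. It assumes an HMAC-SHA1 CBC suite, models timing by counting SHA-1 compression calls (the quantity the original Lucky 13 attack measures), and records which code path ran as a stand-in for what a co-resident PRIME+PROBE attacker can observe. The record layout, header bytes and sample records are constructed for the demo; Python itself is not constant time, so the third checker only mirrors the masking structure a C implementation would use.

```python
"""Added illustration, not code from the paper or from any of the four libraries it studies: three
ways a TLS 1.2 CBC receiver can check padding and MAC on a decrypted record, and what an observer
learns from each.  Layout after CBC decryption (HMAC-SHA1 suite assumed):
    data || tag (20 bytes) || pad_len bytes of value pad_len || pad_len
Hashing work is modelled by counting SHA-1 compression calls; the code path that ran is recorded."""
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag length
HDR_LEN = 13      # seq_num(8) || type(1) || version(2) || length(2), prepended to the MAC input
SHA1_BLOCK = 64

def sha1_blocks(n_bytes):
    """Compression calls to hash n bytes: 0x80, zero fill and an 8-byte length add at least 9 bytes."""
    return (n_bytes + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK

def hmac_sha1_blocks(data_len):
    """Inner hash over (key ^ ipad) || header || data, outer hash over (key ^ opad) || inner digest."""
    return sha1_blocks(SHA1_BLOCK + HDR_LEN + data_len) + sha1_blocks(SHA1_BLOCK + MAC_LEN)

class Trace:
    """What a side-channel observer sees: total hashing work and the code path that executed."""
    def __init__(self):
        self.blocks, self.path = 0, []

def compute_mac(key, hdr, data, trace):
    trace.blocks += hmac_sha1_blocks(len(data))
    return hmac.new(key, hdr + data, hashlib.sha1).digest()

def check_naive(key, hdr, pt, trace):
    """Unmitigated: returns early on bad padding, and the MAC'd length depends on the padding."""
    n, pad_len = len(pt), pt[-1]
    if pad_len + 1 + MAC_LEN > n or any(b != pad_len for b in pt[n - pad_len - 1:]):
        trace.path.append("bad_pad")
        return False
    trace.path.append("good_pad")
    data_len = n - pad_len - 1 - MAC_LEN
    tag = compute_mac(key, hdr, pt[:data_len], trace)
    return hmac.compare_digest(tag, pt[data_len:data_len + MAC_LEN])

def check_pseudo_ct(key, hdr, pt, trace):
    """Pseudo constant time: hashing work is topped up to a fixed amount, but the padding verdict
    still selects a branch, so different code and data are touched and a cache attacker can tell."""
    n, pad_len = len(pt), pt[-1]
    if pad_len + 1 + MAC_LEN <= n and all(b == pad_len for b in pt[n - pad_len - 1:]):
        trace.path.append("good_pad")
        pad_ok, data_len = True, n - pad_len - 1 - MAC_LEN
    else:
        trace.path.append("bad_pad")
        pad_ok, data_len = False, n - 1 - MAC_LEN    # fall back to a zero-length pad
    tag = compute_mac(key, hdr, pt[:data_len], trace)
    # dummy compression calls so the total equals the cost of the minimal one-byte padding
    trace.blocks += hmac_sha1_blocks(n - MAC_LEN - 1) - hmac_sha1_blocks(data_len)
    return pad_ok and hmac.compare_digest(tag, pt[data_len:data_len + MAC_LEN])

def _lt(a, b):
    """1 if a < b else 0, taken from the sign bit instead of a comparison branch."""
    return ((a - b) >> 63) & 1

def _is_zero(x):
    return 1 - (((x | -x) >> 63) & 1)

def check_ct(key, hdr, pt, trace):
    """Constant time: no secret-dependent branch or index. Every trailing position is visited, the
    verdict and data length are masks, and the tag is read without a secret-dependent offset."""
    n, pad_len = len(pt), pt[-1]
    in_range = 1 - _lt(n, pad_len + 1 + MAC_LEN)
    bad = 0
    for i in range(min(n, 256)):                  # fixed window from the end of the record
        bad |= (1 - _lt(pad_len, i)) * (pt[n - 1 - i] ^ pad_len)   # only positions i <= pad_len count
    pad_ok = in_range & _is_zero(bad)
    data_len = n - 1 - MAC_LEN - pad_ok * pad_len
    trace.path.append("scan")                     # the same path for every input
    tag = compute_mac(key, hdr, pt[:data_len], trace)
    trace.blocks += hmac_sha1_blocks(n - MAC_LEN - 1) - hmac_sha1_blocks(data_len)   # dummy calls
    received = bytearray(MAC_LEN)
    for j in range(MAC_LEN):
        for i in range(n):
            received[j] |= _is_zero(i - data_len - j) * pt[i]
    return bool(pad_ok & int(hmac.compare_digest(tag, bytes(received))))

def build_records():
    """Constructed sample: 40 data bytes + 20-byte tag + 3 pad bytes + length byte = 64 bytes."""
    key = b"\x01" * 20
    data = b"GET /account?session=0123456789 HTTP/1.1"
    hdr = b"\x00" * 8 + b"\x17\x03\x03" + len(data).to_bytes(2, "big")   # seq 0, app data, TLS 1.2
    mac = hmac.new(key, hdr + data, hashlib.sha1).digest()
    good = data + mac + bytes([3]) * 4
    bad = good[:-1] + bytes([0x20])   # corrupt pad_len: still in range, but the pad bytes no longer match
    return key, hdr, good, bad

def leak_report(checker, key, hdr, good, bad):
    """Run one checker on both records and report what an observer could distinguish."""
    t_good, t_bad = Trace(), Trace()
    ok_good, ok_bad = checker(key, hdr, good, t_good), checker(key, hdr, bad, t_bad)
    return {"accepts_good": ok_good, "accepts_bad": ok_bad,
            "blocks_leak": t_good.blocks != t_bad.blocks, "path_leak": t_good.path != t_bad.path}

if __name__ == "__main__":
    key, hdr, good, bad = build_records()
    for name, fn in (("naive", check_naive), ("pseudo_ct", check_pseudo_ct), ("ct", check_ct)):
        print(name, leak_report(fn, key, hdr, good, bad))
```

Running the file prints one report per checker. All three accept the good record and reject the corrupted one, but they differ in what they give away: the naive checker leaks through both the amount of hashing (four compression calls versus none) and the path taken; the pseudo constant time checker equalises the hashing at five calls yet still executes a different branch for bad padding, which is the kind of control-flow difference a cache attacker can observe even when wall-clock timing is balanced; only the masked checker gives the same work and the same path for both inputs. Note that the constructed 40-byte record sits on a SHA-1 block boundary (40 data bytes cost two inner compression calls, 43 cost three), which is exactly the kind of boundary the Lucky 13 distinguisher exploits.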

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. CCS ’18: 2018 ACM SIGSAC Conference on Computer & Communications Security
DOI
10.1145/3243734.3243775
Keywords
Lucky 13 attack, TLS, Side-channel cache attacks, Plaintext recovery
Contact author(s)
eyal ronen @ weizmann ac il
History
2018-08-17: received
Short URL
https://ia.cr/2018/747
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/747,
      author = {Eyal Ronen and Kenneth G. Paterson and Adi Shamir},
      title = {Pseudo Constant Time Implementations of {TLS} Are Only Pseudo Secure},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/747},
      year = {2018},
      doi = {10.1145/3243734.3243775},
      url = {https://eprint.iacr.org/2018/747}
}