Paper 2018/747
Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure
Eyal Ronen, Kenneth G. Paterson, and Adi Shamir
Abstract
Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon's s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use "pseudo constant time" countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.
Metadata
- Category
- Implementation
- Publication info
- Published elsewhere. CCS ’18: 2018 ACM SIGSAC Conference on Computer & Communications Security
- DOI
- 10.1145/3243734.3243775
- Keywords
- Lucky 13 attack, TLS, Side-channel cache attacks, Plaintext recovery
- Contact author(s)
- eyal ronen @ weizmann ac il
- History
- 2018-08-17: received
- Short URL
- https://ia.cr/2018/747
- License
- CC BY
BibTeX
@misc{cryptoeprint:2018/747,
  author = {Eyal Ronen and Kenneth G. Paterson and Adi Shamir},
  title = {Pseudo Constant Time Implementations of {TLS} Are Only Pseudo Secure},
  howpublished = {Cryptology {ePrint} Archive, Paper 2018/747},
  year = {2018},
  doi = {10.1145/3243734.3243775},
  url = {https://eprint.iacr.org/2018/747}
}