Pseudo constant time implementations of TLS are only pseudo secure

Eyal Ronen, Kenneth G. Paterson, Adi Shamir

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon’s s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use “pseudo constant time” countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.

Original languageEnglish
Title of host publicationCCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Pages1397-1414
Number of pages18
ISBN (Electronic)9781450356930
DOIs
StatePublished - 15 Oct 2018
Externally publishedYes
Event25th ACM Conference on Computer and Communications Security, CCS 2018 - Toronto, Canada
Duration: 15 Oct 2018 → …

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Conference

Conference25th ACM Conference on Computer and Communications Security, CCS 2018
Country/TerritoryCanada
CityToronto
Period15/10/18 → …

Keywords

  • Lucky 13 attack
  • Plaintext recovery
  • Side-channel cache attacks
  • TLS

Fingerprint

Dive into the research topics of 'Pseudo constant time implementations of TLS are only pseudo secure'. Together they form a unique fingerprint.

Cite this