Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure (CCS 2018; tags: SideChannels, TLS)
    Eyal Ronen, Kenneth G. Paterson and Adi Shamir
    [View PDF on eprint.iacr.org]

    @inproceedings{Ronen:2018:PCT:3243734.3243775,
    author = {Ronen, Eyal and Paterson, Kenneth G. and Shamir, Adi},
    title = {Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure},
    booktitle = {Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
    series = {CCS '18},
    year = {2018},
    isbn = {978-1-4503-5693-0},
    location = {Toronto, Canada},
    pages = {1397--1414},
    numpages = {18},
    url = {http://doi.acm.org/10.1145/3243734.3243775},
    doi = {10.1145/3243734.3243775},
    acmid = {3243775},
    publisher = {ACM},
    address = {New York, NY, USA},
    keywords = {TLS, lucky 13 attack, plaintext recovery, side-channel cache attacks},
    }

Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon’s s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use “pseudo constant time” countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.
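
The distinction the abstract draws, between a check whose wall-clock time has been equalised and one whose control flow and memory accesses are independent of the secret, is easiest to see side by side. The following C is an added example written for this page; it is not code from the paper and not the code of s2n, GnuTLS, mbed TLS or wolfSSL. It models a hypothetical TLS 1.0-1.2 CBC record (MAC-then-encrypt, 20-byte HMAC-SHA1 tag) after decryption and implements two padding checks: `check_padding_branchy`, whose loop trip count and early exits depend on the secret padding length even if the caller later pads timing with dummy hash computations, and `check_padding_ct`, which always scans a public, length-derived window and folds the verdict into a mask. A read counter (`g_record_reads`, added for illustration only) stands in for what a PRIME+PROBE attacker observes: the number and pattern of loads the check performs. The record layout and the helper names are assumptions of this example, not the paper's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical padding checks for a decrypted TLS CBC record laid out as
 * |plaintext|MAC (MAC_LEN bytes)|padding (pad+1 bytes, each equal to pad)|.
 * Added example, not code from the paper or from any library it studies. */

#define MAC_LEN 20     /* HMAC-SHA1 tag, as in the *_CBC_SHA suites */
#define MAX_PAD 256    /* TLS padding: a length byte plus up to 255 pad bytes */

/* Illustration-only instrumentation: count every byte read from the record
 * so the two checks can be compared on records of equal length. */
static size_t g_record_reads;
static uint8_t rd(const uint8_t *p) { g_record_reads++; return *p; }

/* Branch-free mask helpers: each returns 0xFF or 0x00. */
static uint8_t ct_eq8(uint8_t a, uint8_t b)   /* 0xFF iff a == b */
{
    uint32_t x = (uint32_t)(a ^ b);
    return (uint8_t)(0 - ((x - 1) >> 31));
}
static uint8_t ct_lt(uint32_t a, uint32_t b)  /* 0xFF iff a < b, for a, b < 2^31 */
{
    return (uint8_t)(0 - ((a - b) >> 31));
}

/* "Pseudo constant time" check: even if the caller later equalises wall-clock
 * time, the loop trip count and the early exits depend on the secret padding
 * value, so the instruction and data footprint differs between records. */
int check_padding_branchy(const uint8_t *rec, size_t len, size_t *out_plen)
{
    if (len < MAC_LEN + 1) return 0;
    uint8_t pad = rd(&rec[len - 1]);
    if ((size_t)pad + 1 + MAC_LEN > len) return 0;          /* secret-dependent branch */
    for (size_t i = 1; i <= pad; i++)                        /* secret-dependent trip count */
        if (rd(&rec[len - 1 - i]) != pad) return 0;          /* secret-dependent early exit */
    *out_plen = len - MAC_LEN - 1 - pad;
    return 1;
}

/* Constant-time check: only len (public) and loop counters steer control flow
 * or addresses, so every record of a given length causes the same loads. */
int check_padding_ct(const uint8_t *rec, size_t len, size_t *out_plen)
{
    if (len < MAC_LEN + 1) return 0;                         /* len is public */
    uint8_t pad = rd(&rec[len - 1]);
    /* good = 0xFF iff pad + 1 + MAC_LEN <= len, computed without a branch */
    uint8_t good = ct_lt((uint32_t)pad + MAC_LEN, (uint32_t)len);
    /* Always scan min(MAX_PAD, len) - 1 bytes; bytes outside the claimed
     * padding are read anyway but masked out of the verdict. */
    size_t to_check = len < MAX_PAD ? len : MAX_PAD;         /* public */
    for (size_t i = 1; i < to_check; i++) {
        uint8_t in_pad = ct_lt((uint32_t)i, (uint32_t)pad + 1); /* 0xFF iff i <= pad */
        uint8_t b = rd(&rec[len - 1 - i]);
        good &= (uint8_t)(~in_pad | ct_eq8(b, pad));
    }
    uint8_t eff_pad = pad & good;                            /* invalid padding -> length 0 */
    *out_plen = len - MAC_LEN - 1 - eff_pad;
    return good & 1;
}

/* Constructed record: plen bytes of 'P', a MAC placeholder, then valid padding. */
size_t make_record(uint8_t *out, size_t cap, size_t plen, uint8_t pad)
{
    size_t len = plen + MAC_LEN + 1 + pad;
    if (len > cap) return 0;
    memset(out, 'P', plen);
    memset(out + plen, 'M', MAC_LEN);
    memset(out + plen + MAC_LEN, pad, (size_t)pad + 1);
    return len;
}

/* Run a check and return how many record bytes it touched. */
size_t count_reads(int (*check)(const uint8_t *, size_t, size_t *),
                   const uint8_t *rec, size_t len, int *verdict, size_t *plen)
{
    g_record_reads = 0;
    *plen = 0;
    *verdict = check(rec, len, plen);
    return g_record_reads;
}

int main(void)
{
    uint8_t a[512], b[512];
    size_t la = make_record(a, sizeof a, 40, 3);    /* 64-byte record, 3 pad bytes */
    size_t lb = make_record(b, sizeof b, 28, 15);   /* 64-byte record, 15 pad bytes */
    int va, vb; size_t pa, pb;
    size_t ra = count_reads(check_padding_branchy, a, la, &va, &pa);
    size_t rb = count_reads(check_padding_branchy, b, lb, &vb, &pb);
    printf("branchy: %zu vs %zu reads (pad length leaks)\n", ra, rb);
    ra = count_reads(check_padding_ct, a, la, &va, &pa);
    rb = count_reads(check_padding_ct, b, lb, &vb, &pb);
    printf("ct:      %zu vs %zu reads (identical)\n", ra, rb);
    return 0;
}
```

The two constructed records have the same length, so a remote timing attacker who only sees an equalised response time cannot tell them apart; the branchy check nevertheless touches 4 bytes for one and 16 for the other, and a cache-resident attacker can count exactly that. The constant-time version reads all 64 bytes for both, and the same holds when a padding byte is corrupted: it still reads 64 bytes and reports the padding length as 0 so that the subsequent MAC check fails uniformly. Note that this example covers only the padding scan; a full Lucky 13 countermeasure must also make the MAC computation that follows independent of the padding length.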
