Paper 2015/1129

Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS

Martin R. Albrecht and Kenneth G. Paterson

Abstract

s2n is an implementation of the TLS protocol that was released in late June 2015 by Amazon. It is implemented in around 6,000 lines of C99 code. By comparison, OpenSSL needs around 70,000 lines of code to implement the protocol. At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. We show that, despite this, s2n - as initially released - was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings. Our attack has two components. The first part is a novel variant of the Lucky 13 attack that works even though protections against Lucky 13 were implemented in s2n. The second part deals with the randomised delays that were put in place in s2n as an additional countermeasure to Lucky 13. Our work highlights the challenges of protecting implementations against sophisticated timing attacks. It also illustrates that standard code audits are insufficient to uncover all cryptographic attack vectors.

Note: Update to fix small error in attack description.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Preprint. Minor revision.
Keywords: TLS, timing attack
Contact author(s): Kenny Paterson @ rhul ac uk
History:
2016-02-17: last of 2 revisions
2015-11-23: received
Short URL: https://ia.cr/2015/1129
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2015/1129,
      author = {Martin R. Albrecht and Kenneth G. Paterson},
      title = {Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1129},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/1129}},
      url = {https://eprint.iacr.org/2015/1129}
}