## Cryptology ePrint Archive: Report 2018/747

Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure

Eyal Ronen and Kenneth G. Paterson and Adi Shamir

Abstract: Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon's s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use pseudo constant time'' countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.

Category / Keywords: implementation / Lucky 13 attack, TLS, Side-channel cache attacks, Plaintext recovery

Original Publication (in the same form): CCS ’18: 2018 ACM SIGSAC Conference on Computer & Communications Security
DOI:
10.1145/3243734.3243775

Date: received 11 Aug 2018, last revised 16 Aug 2018

Contact author: eyal ronen at weizmann ac il

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2018/747

[ Cryptology ePrint archive ]