Paper 2018/747

Pseudo Constant Time Implementations of TLS Are Only Pseudo Secure

Eyal Ronen, Kenneth G. Paterson, and Adi Shamir


Today, about 10% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon's s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use ``pseudo constant time'' countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.

Available format(s)
Publication info
Published elsewhere. CCS ’18: 2018 ACM SIGSAC Conference on Computer & Communications Security
Lucky 13 attackTLSSide-channel cache attacksPlaintext recovery
Contact author(s)
eyal ronen @ weizmann ac il
2018-08-17: received
Short URL
Creative Commons Attribution


      author = {Eyal Ronen and Kenneth G.  Paterson and Adi Shamir},
      title = {Pseudo Constant Time Implementations of {TLS} Are Only Pseudo Secure},
      howpublished = {Cryptology ePrint Archive, Paper 2018/747},
      year = {2018},
      doi = {10.1145/3243734.3243775},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.