Paper 2019/996

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Shaanan Cohney, Andrew Kwong, Shachar Paz, Daniel Genkin, Nadia Heninger, Eyal Ronen, and Yuval Yarom


Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). In this work we set out to address this gap, empirically evaluating the side channel resistance of common PRG implementations. We find that hard-learned lessons about side channel leakage from encryption primitives have not been applied to PRGs, at all levels of abstraction. At the design level, the NIST-recommended CTR_DRBG design does not have forward security if an attacker is able to compromise the state via a side-channel attack. At the primitive level, popular implementations of CTR_DRBG such as OpenSSL's FIPS module and NetBSD's kernel use leaky T-table AES as their underlying block cipher, enabling cache side-channel attacks. Finally, we find that many implementations make parameter choices that enable an attacker to fully exploit the side-channel attack in a realistic scenario and recover secret keys from TLS connections. We empirically demonstrate our attack in two scenarios. In the first, we carry out an asynchronous cache attack that recovers the private state from vulnerable CTR_DRBG implementations under realistic conditions to recover long-term authentication keys when the attacker is a party in the TLS connection. In the second scenario, we show that an attacker can exploit the high temporal resolution provided by Intel SGX to carry out a blind attack to recover CTR\_DRBG's state within three AES encryptions, without viewing output, and thus to decrypt passively collected TLS connections from the victim.

Available format(s)
Publication info
Published elsewhere. MINOR revision.To appear in the IEEE Symposium on Security & Privacy, May 2020
pseudo-randomness attack side-channel TLS
Contact author(s)
shaanan @ cohney info
ankwong @ umich edu
shaharps @ tau ac il
genkin @ umich edu
nadiah @ cs ucsd edu
er @ eyalro net
yval @ cs adelaide edu au
2019-09-12: revised
2019-09-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Shaanan Cohney and Andrew Kwong and Shachar Paz and Daniel Genkin and Nadia Heninger and Eyal Ronen and Yuval Yarom},
      title = {Pseudorandom Black Swans: Cache Attacks on CTR_DRBG},
      howpublished = {Cryptology ePrint Archive, Paper 2019/996},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.