Cryptology ePrint Archive: Report 2019/996

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Shaanan Cohney and Andrew Kwong and Shachar Paz and Daniel Genkin and Nadia Heninger and Eyal Ronen and Yuval Yarom

Abstract: Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). In this work we set out to address this gap, empirically evaluating the side channel resistance of common PRG implementations. We find that hard-learned lessons about side channel leakage from encryption primitives have not been applied to PRGs, at all levels of abstraction. At the design level, the NIST-recommended CTR_DRBG design does not have forward security if an attacker is able to compromise the state via a side-channel attack. At the primitive level, popular implementations of CTR_DRBG such as OpenSSL's FIPS module and NetBSD's kernel use leaky T-table AES as their underlying block cipher, enabling cache side-channel attacks. Finally, we find that many implementations make parameter choices that enable an attacker to fully exploit the side-channel attack in a realistic scenario and recover secret keys from TLS connections. We empirically demonstrate our attack in two scenarios. In the first, we carry out an asynchronous cache attack that recovers the private state from vulnerable CTR_DRBG implementations under realistic conditions to recover long-term authentication keys when the attacker is a party in the TLS connection. In the second scenario, we show that an attacker can exploit the high temporal resolution provided by Intel SGX to carry out a blind attack to recover CTR\_DRBG's state within three AES encryptions, without viewing output, and thus to decrypt passively collected TLS connections from the victim.

Category / Keywords: applications / pseudo-randomness attack side-channel TLS

Original Publication (with minor differences): To appear in the IEEE Symposium on Security & Privacy, May 2020

Date: received 2 Sep 2019, last revised 12 Sep 2019

Contact author: shaanan at cohney info,ankwong@umich edu,shaharps@tau ac il,genkin@umich edu,nadiah@cs ucsd edu,er@eyalro net,yval@cs adelaide edu au

Available format(s): PDF | BibTeX Citation

Version: 20190912:181021 (All versions of this report)

Short URL: ia.cr/2019/996


[ Cryptology ePrint archive ]