### Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Shaanan Cohney, Andrew Kwong, Shachar Paz, Daniel Genkin, Nadia Heninger, Eyal Ronen, and Yuval Yarom

##### Abstract

Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). In this work we set out to address this gap, empirically evaluating the side channel resistance of common PRG implementations. We find that hard-learned lessons about side channel leakage from encryption primitives have not been applied to PRGs, at all levels of abstraction. At the design level, the NIST-recommended CTR_DRBG design does not have forward security if an attacker is able to compromise the state via a side-channel attack. At the primitive level, popular implementations of CTR_DRBG such as OpenSSL's FIPS module and NetBSD's kernel use leaky T-table AES as their underlying block cipher, enabling cache side-channel attacks. Finally, we find that many implementations make parameter choices that enable an attacker to fully exploit the side-channel attack in a realistic scenario and recover secret keys from TLS connections. We empirically demonstrate our attack in two scenarios. In the first, we carry out an asynchronous cache attack that recovers the private state from vulnerable CTR_DRBG implementations under realistic conditions to recover long-term authentication keys when the attacker is a party in the TLS connection. In the second scenario, we show that an attacker can exploit the high temporal resolution provided by Intel SGX to carry out a blind attack to recover CTR_DRBG's state within three AES encryptions, without viewing output, and thus to decrypt passively collected TLS connections from the victim.
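The design-level point in the abstract (a leaked generate-call key undoes forward security) as an added worked example, written for this page rather than taken from the paper or from any of the implementations it names. It follows the SP 800-90A CTR_DRBG generate/update structure without a derivation function, but substitutes a 4-round Feistel toy cipher for AES so that it runs with the standard library alone; that cipher is an assumption with no security value, chosen only because, like AES, it is a keyed permutation. The attacker's starting knowledge (the key that ran during one generate call, plus one full output block of that call and its position, as a TLS peer who sees a nonce would have) is likewise an assumed model, not a step from the paper.

```python
"""CTR_DRBG (SP 800-90A shape, no derivation function) over a toy Feistel
cipher standing in for AES, and what a leaked generate-call key gives away.
Added illustration; not the paper's or any library's code."""
import hashlib
import os

BLOCK = 16                       # cipher block length (AES-128 geometry)
KEYLEN = 16
SEEDLEN = KEYLEN + BLOCK         # 32 bytes: new Key || new V
ROUNDS = 4
MASK = (1 << (8 * BLOCK)) - 1

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the toy cipher: keyed hash truncated to a half block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt(key, block):
    # Assumed stand-in for AES: an invertible keyed permutation, not secure.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def toy_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def _ctr_blocks(key, v, nblocks):
    # CTR core shared by generate and update: E_K(V+1), E_K(V+2), ...
    out = bytearray()
    for _ in range(nblocks):
        v = (v + 1) & MASK
        out += toy_encrypt(key, v.to_bytes(BLOCK, "big"))
    return bytes(out), v

def update(key, v, provided=bytes(SEEDLEN)):
    # CTR_DRBG_Update: the next (Key, V) is produced by encrypting counter
    # blocks under the CURRENT key, the same key that just produced output.
    temp, _ = _ctr_blocks(key, v, SEEDLEN // BLOCK)
    temp = _xor(temp, provided)
    return temp[:KEYLEN], int.from_bytes(temp[KEYLEN:], "big")

def instantiate(seed):
    # Instantiate without a derivation function: Key = 0, V = 0, then update(seed).
    return update(bytes(KEYLEN), 0, seed)

def generate(key, v, nbytes):
    # CTR_DRBG_Generate (no additional input): emit output blocks under
    # (Key, V), then refresh the state with update() under that same Key.
    out, v = _ctr_blocks(key, v, -(-nbytes // BLOCK))
    key, v = update(key, v)
    return out[:nbytes], key, v

def attacker_recover(leaked_key, observed_block, block_index, nblocks, future_bytes):
    """Assumed attacker knowledge: the key that ran during one generate call
    (e.g. recovered from a cache attack on the cipher) and one full output
    block of that call with its index.  The key is a permutation key, so one
    block yields the counter; the whole call's output and the post-update
    state follow, so all later output is predictable until the next reseed."""
    v_i = int.from_bytes(toy_decrypt(leaked_key, observed_block), "big")
    v_start = (v_i - block_index - 1) & MASK
    past, v_end = _ctr_blocks(leaked_key, v_start, nblocks)
    next_key, next_v = update(leaked_key, v_end)
    future, _, _ = generate(next_key, next_v, future_bytes)
    return past, future

def demo(seed=None):
    """Victim makes two generate calls (say a nonce, then key material); the
    attacker has the first call's key and that call's second output block."""
    seed = seed if seed is not None else os.urandom(SEEDLEN)
    key1, v1 = instantiate(seed)
    out1, key2, v2 = generate(key1, v1, 3 * BLOCK)
    out2, _, _ = generate(key2, v2, 64)
    past, future = attacker_recover(key1, out1[BLOCK:2 * BLOCK], 1, 3, 64)
    return past == out1 and future == out2

if __name__ == "__main__":
    print("leaked key reconstructs past and future output:", demo())
```

The point the block makes is structural and does not depend on the toy cipher: because update() runs under the key that produced the current call's output, a key recovered during those update encryptions is the key of the output already sent, and the state it derives is the state of every call until reseed. Swapping in AES changes only `toy_encrypt`/`toy_decrypt`.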

Category: Applications

Publication info: Published elsewhere. MINOR revision. To appear in the IEEE Symposium on Security & Privacy, May 2020

Keywords: pseudo-randomness, attack, side-channel, TLS

Contact author(s):
shaanan @ cohney info
ankwong @ umich edu
shaharps @ tau ac il
genkin @ umich edu
er @ eyalro net
yval @ cs adelaide edu au

History: 2019-09-12: revised
Short URL: https://ia.cr/2019/996

License: CC BY

BibTeX

```bibtex
@misc{cryptoeprint:2019/996,
  author       = {Shaanan Cohney and Andrew Kwong and Shachar Paz and Daniel Genkin and Nadia Heninger and Eyal Ronen and Yuval Yarom},
  title        = {Pseudorandom Black Swans: Cache Attacks on CTR_DRBG},
  howpublished = {Cryptology ePrint Archive, Paper 2019/996},
  year         = {2019},
  note         = {\url{https://eprint.iacr.org/2019/996}},
  url          = {https://eprint.iacr.org/2019/996}
}
```
