You are looking at a specific version 20190912:181021 of this paper. See the latest version.

Paper 2019/996

Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Shaanan Cohney and Andrew Kwong and Shachar Paz and Daniel Genkin and Nadia Heninger and Eyal Ronen and Yuval Yarom

Abstract

Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). In this work we set out to address this gap, empirically evaluating the side channel resistance of common PRG implementations. We find that hard-learned lessons about side channel leakage from encryption primitives have not been applied to PRGs, at all levels of abstraction. At the design level, the NIST-recommended CTR_DRBG design does not have forward security if an attacker is able to compromise the state via a side-channel attack. At the primitive level, popular implementations of CTR_DRBG such as OpenSSL's FIPS module and NetBSD's kernel use leaky T-table AES as their underlying block cipher, enabling cache side-channel attacks. Finally, we find that many implementations make parameter choices that enable an attacker to fully exploit the side-channel attack in a realistic scenario and recover secret keys from TLS connections. We empirically demonstrate our attack in two scenarios. In the first, we carry out an asynchronous cache attack that recovers the private state from vulnerable CTR_DRBG implementations under realistic conditions to recover long-term authentication keys when the attacker is a party in the TLS connection. In the second scenario, we show that an attacker can exploit the high temporal resolution provided by Intel SGX to carry out a blind attack to recover CTR\_DRBG's state within three AES encryptions, without viewing output, and thus to decrypt passively collected TLS connections from the victim.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. Minor revision. To appear in the IEEE Symposium on Security & Privacy, May 2020
Keywords
pseudo-randomness attack side-channel TLS
Contact author(s)
shaanan @ cohney info,ankwong @ umich edu,shaharps @ tau ac il,genkin @ umich edu,nadiah @ cs ucsd edu,er @ eyalro net,yval @ cs adelaide edu au
History
2019-09-12: revised
2019-09-05: received
See all versions
Short URL
https://ia.cr/2019/996
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.