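@comment{
  Ronen, Paterson and Shamir, CCS 2018 (DOI 10.1145/3243734.3243775):
  PRIME+PROBE cache-timing attacks, plus remotely mountable Lucky 13 style
  bugs, against four TLS implementations that use "pseudo constant time"
  CBC-mode countermeasures. Citation key kept as exported by the source
  database so existing \cite{} calls keep resolving; the fields below were
  normalised (brace delimiters, "Last, First" names, bare DOI, escaped "%",
  ASCII quotes, language key) without changing the bibliographic data.
}
@inproceedings{aab17e19509748a586c9a6a6dabc5233,
  title     = {Pseudo Constant Time Implementations of {TLS} Are Only Pseudo Secure},
  abstract  = {Today, about 10\% of TLS connections are still using CBC-mode cipher suites, despite a long history of attacks and the availability of better options (e.g. AES-GCM). In this work, we present three new types of attack against four popular fully patched implementations of TLS (Amazon{\textquoteright}s s2n, GnuTLS, mbed TLS and wolfSSL) which elected to use ``pseudo constant time'' countermeasures against the Lucky 13 attack on CBC-mode. Our attacks combine several variants of the PRIME+PROBE cache timing technique with a new extension of the original Lucky 13 attack. They apply in a cross-VM attack setting and are capable of recovering most of the plaintext whilst requiring only a moderate number of TLS connections. Along the way, we uncovered additional serious (but easy to patch) bugs in all four of the TLS implementations that we studied; in three cases, these bugs lead to Lucky 13 style attacks that can be mounted remotely with no access to a shared cache. Our work shows that adopting pseudo constant time countermeasures is not sufficient to attain real security in TLS implementations in CBC mode.},
  keywords  = {Lucky 13 attack, Plaintext recovery, Side-channel cache attacks, TLS},
  author    = {Ronen, Eyal and Paterson, Kenneth G. and Shamir, Adi},
  booktitle = {{CCS} 2018 - Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and Communications Security},
  series    = {Proceedings of the {ACM} Conference on Computer and Communications Security},
  publisher = {ACM},
  pages     = {1397--1414},
  year      = {2018},
  month     = oct,
  day       = {15},
  doi       = {10.1145/3243734.3243775},
  language  = {english},
  note      = {Publisher Copyright: {\textcopyright} 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM.; 25th ACM Conference on Computer and Communications Security, CCS 2018 ; Conference date: 15-10-2018},
}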