Pseudorandom Black Swans: Cache Attacks on CTR_DRBG

Modern cryptography requires the ability to securely generate pseudorandom numbers. However, despite decades of work on side-channel attacks, there is little discussion of their application to pseudorandom number generators (PRGs). In this work we set out to address this gap, empirically evaluating the side-channel resistance of common PRG implementations.We find that hard-learned lessons about side-channel leakage from encryption primitives have not been applied to PRGs, at all abstraction levels. At the design level, the NIST-recommended CTR_DRBG does not have forward security if an attacker is able to compromise the state (e.g., via a side-channel). At the primitive level, popular implementations of CTR_DRBG such as OpenSSL’s FIPS module and NetBSD’s kernel use leaky T-table AES as their underlying cipher, enabling cache side-channel attacks. Finally, we find that many implementations make parameter choices that enable an attacker to fully exploit side-channels and recover secret keys from TLS connections.We empirically demonstrate our attack in two scenarios. First, we carry out a cache attack that recovers the private state from vulnerable CTR_DRBG implementations when the TLS client connects to an attacker-controlled server. We then subsequently use the recovered state to compute the client’s long-term authentication keys, thereby allowing the attacker to impersonate the client. In the second scenario, we show that an attacker can exploit the high temporal resolution provided by Intel SGX to carry out a blind attack to recover CTR_DRBG’s state within three AES encryptions, without viewing output, and thus decrypt passively collected TLS connections from the victim.

[1]  Hovav Shacham,et al.  When private keys are public: results from the 2008 Debian OpenSSL vulnerability , 2009, IMC '09.

[2]  Alex Biryukov,et al.  Substitution-Permutation (SP) Network , 2005, Encyclopedia of Cryptography and Security.

[3]  Herbert Bos,et al.  RIDL: Rogue In-Flight Data Load , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[4]  Thomas F. Wenisch,et al.  Foreshadow-NG: Breaking the virtual memory abstraction with transient out-of-order execution , 2018 .

[5]  Thomas Shrimpton,et al.  Salvaging Weak Security Bounds for Blockcipher-Based Constructions , 2016, ASIACRYPT.

[6]  Mengyuan Li,et al.  STACCO: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves , 2017, CCS.

[7]  Thomas Pornin Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) , 2013, RFC.

[8]  Joseph Bonneau,et al.  Robust Final-Round Cache-Trace Attacks Against AES , 2006, IACR Cryptol. ePrint Arch..

[9]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[10]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[11]  Dan Shumow,et al.  An Analysis of the NIST SP 800-90A Standard , 2018, IACR Cryptol. ePrint Arch..

[12]  Naomi Benger,et al.  "Ooh Aah... Just a Little Bit" : A Small Amount of Side Channel Can Go a Long Way , 2014, CHES.

[13]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[14]  Matthew Green,et al.  Practical State Recovery Attacks against Legacy RNG Implementations , 2018, CCS.

[15]  Tanja Lange,et al.  Flush, Gauss, and reload : a cache attack on the BLISS lattice-based signature scheme , 2016 .

[16]  Thomas F. Wenisch,et al.  Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution , 2018, USENIX Security Symposium.

[17]  Thomas Plos,et al.  Cache-Access Pattern Attack on Disaligned AES T-Tables , 2013, COSADE.

[18]  Gorka Irazoqui Apecechea,et al.  CacheZoom: How SGX Amplifies The Power of Cache Attacks , 2017, CHES.

[19]  Adi Shamir,et al.  IoT Goes Nuclear: Creating a ZigBee Chain Reaction , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[20]  Klaus Wagner,et al.  Flush+Flush: A Fast and Stealthy Cache Attack , 2015, DIMVA.

[21]  Frank Piessens,et al.  Fallout: Leaking Data on Meltdown-resistant CPUs , 2019, CCS.

[22]  Joshua Jaffe,et al.  A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter , 2007, CHES.

[23]  Mathy Vanhoef,et al.  Dragonblood: A Security Analysis of WPA3's SAE Handshake , 2019, IACR Cryptol. ePrint Arch..

[24]  Ramesh Karri,et al.  MAGIC: Malicious Aging in Circuits/Cores , 2015, TACO.

[25]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[26]  Billy Bob Brumley,et al.  Amplifying side channels through performance degradation , 2016, ACSAC.

[27]  Tanja Lange,et al.  On the Practical Exploitability of Dual EC in TLS Implementations , 2014, USENIX Security Symposium.

[28]  Wilson Kan Analysis of Underlying Assumptions in NIST DRBGs , 2007, IACR Cryptol. ePrint Arch..

[29]  Ning Zhang,et al.  TruSpy: Cache Side-Channel Information Leakage from the Secure World on ARM Devices , 2016, IACR Cryptol. ePrint Arch..

[30]  Jean-Pierre Seifert,et al.  Advances on Access-Driven Cache Attacks on AES , 2006, Selected Areas in Cryptography.

[31]  Yuval Yarom,et al.  RAMBleed: Reading Bits in Memory Without Accessing Them , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[32]  Onur Mutlu,et al.  Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques , 2017, 2017 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[33]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[34]  Cesar Pereida García,et al.  Constant-Time Callees with Variable-Time Callers , 2017, USENIX Security Symposium.

[35]  Sylvain Ruhault,et al.  SoK: Security Models for Pseudo-Random Number Generators , 2017, IACR Trans. Symmetric Cryptol..

[36]  Srdjan Capkun,et al.  Software Grand Exposure: SGX Cache Attacks Are Practical , 2017, WOOT.

[37]  Josep Torrellas,et al.  Cache Telepathy: Leveraging Shared Resource Attacks to Learn DNN Architectures , 2018, USENIX Security Symposium.

[38]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[39]  Nikolas Ioannou,et al.  From random block corruption to privilege escalation: A filesystem attack vector for rowhammer-like attacks , 2017, WOOT.

[40]  Hovav Shacham,et al.  A Systematic Analysis of the Juniper Dual EC Incident , 2016, IACR Cryptol. ePrint Arch..

[41]  Michael K. Reiter,et al.  Cross-Tenant Side-Channel Attacks in PaaS Clouds , 2014, CCS.

[42]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[43]  Chris Fallin,et al.  Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors , 2014, 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA).

[44]  Mihir Bellare,et al.  PSS: Provably Secure Encoding Method for Digital Signatures , 1998 .

[45]  Shoichi Hirose Security Analysis of DRBG Using HMAC in NIST SP 800-90 , 2008, WISA.

[46]  Gorka Irazoqui Apecechea,et al.  Wait a Minute! A fast, Cross-VM Attack on AES , 2014, RAID.

[47]  Nadia Heninger,et al.  Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies , 2019, IACR Cryptol. ePrint Arch..

[48]  Jakob Jonsson,et al.  PKCS #1: RSA Cryptography Specifications Version 2.2 , 2016, RFC.

[49]  Stefan Mangard,et al.  Cache Template Attacks: Automating Attacks on Inclusive Last-Level Caches , 2015, USENIX Security Symposium.

[50]  Burton S. Kaliski,et al.  PKCS #1: RSA Encryption Version 1.5 , 1998, RFC.

[51]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[52]  Chester Rebeiro,et al.  A Cache Trace Attack on CAMELLIA , 2011, InfoSecHiComNet.

[53]  Michael Hamburg,et al.  Spectre Attacks: Exploiting Speculative Execution , 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[54]  Thomas Roche,et al.  Combined Fault and Side-Channel Attack on Protected Implementations of AES , 2011, CARDIS.

[55]  Matthew J. Campagna Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator , 2006, IACR Cryptol. ePrint Arch..

[56]  Carl A. Gunter,et al.  Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX , 2017, CCS.

[57]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[58]  Hovav Shacham,et al.  Are AES x86 cache timing attacks still feasible? , 2012, CCSW '12.

[59]  Michael Hamburg,et al.  Meltdown: Reading Kernel Memory from User Space , 2018, USENIX Security Symposium.

[60]  Naomi Benger,et al.  Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack , 2014, IACR Cryptol. ePrint Arch..

[61]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[62]  Andrew W. Appel,et al.  Verified Correctness and Security of mbedTLS HMAC-DRBG , 2017, CCS.

[63]  TU Dresden mhaehnel High-Resolution Side Channels for Untrusted Operating Systems , 2017 .

[64]  Yuval Yarom,et al.  To BLISS-B or not to be: Attacking strongSwan's Implementation of Post-Quantum Signatures , 2017, IACR Cryptol. ePrint Arch..

[65]  Jörg Schwenk,et al.  Randomly Failed! The State of Randomness in Current Java Implementations , 2013, CT-RSA.

[66]  Craig Disselkoen,et al.  Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX , 2017, USENIX Security Symposium.

[67]  Samira Briongos,et al.  Cache Misses and the Recovery of the Full AES 256 Key , 2019, Applied Sciences.

[68]  Frank Piessens,et al.  A Systematic Evaluation of Transient Execution Attacks and Defenses , 2018, USENIX Security Symposium.

[69]  David Pointcheval,et al.  Security analysis of pseudo-random number generators with input: /dev/random is not robust , 2013, CCS.