A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2016; you can also visit the original URL.
Verifiable Side-Channel Security of Cryptographic Implementations: Constant-Time MEE-CBC
[chapter]
2016
Lecture Notes in Computer Science
To solve this problem, we define a methodology for proving security of implementations in the presence of timing attackers: first, prove black-box security of an algorithmic description of a cryptographic ...
This bug (now fixed) allowed bypassing the balancing countermeasures against timing attacks deployed in the implementation of the MAC-then-Encode-then-CBC-Encrypt (MEE-CBC) component, creating a timing ...
The figures for our verified implementation of MEE-CBC show both the cost of formal verification and the cost of full constant-time guarantees. ...
doi:10.1007/978-3-662-52993-5_9
fatcat:w63ll54mvbefrkl36eij3fhf5a
Verifying Constant-Time Implementations
2016
USENIX Security Symposium
This makes automated verification of constant-time code an essential component for building secure software. We propose a novel approach for verifying constant-time security of real-world code. ...
Our approach is based on a simple reduction of constant-time security of a program P to safety of a product program Q that simulates two executions of P. ...
Acknowledgements The first two authors were funded by Project "TEC4Growth - Pervasive Intelligence, Enhancers and Proofs of Concept with Industrial Impact/NORTE-01-0145-FEDER-000020", which is financed ...
dblp:conf/uss/AlmeidaBBDE16
fatcat:7mhfdhrxrfhrrgr3atqbjerb3a
Verifying constant-time implementations by abstract interpretation
2019
Journal of Computer Security
Constant-time programming is an established discipline to secure programs against timing attackers. ...
We present verification results on various real-world constant-time programs and report on a successful verification of a challenging SHA-256 implementation that was out of scope of previous tool-assisted ...
The authors also implemented a verified analyzer to ensure absence of timing and cache based side channels. ...
doi:10.3233/jcs-181136
fatcat:bwmih55tzravnath74fwwi3tpy
Verifying Constant-Time Implementations by Abstract Interpretation
[chapter]
2017
Lecture Notes in Computer Science
Constant-time programming is an established discipline to secure programs against timing attackers. ...
We present verification results on various real-world constant-time programs and report on a successful verification of a challenging SHA-256 implementation that was out of scope of previous tool-assisted ...
The authors also implemented a verified analyzer to ensure absence of timing and cache based side channels. ...
doi:10.1007/978-3-319-66402-6_16
fatcat:skkbqsdq2neohd3uxscudvdq4a
Enforcing fine-grained constant-time policies
[article]
2022
IACR Cryptology ePrint Archive
Cryptographic constant-time (CT) is a popular programming discipline used by cryptographic libraries to protect themselves against timing attacks. ...
We found a bug in OpenSSL and provided a formally verified fix. ...
We would then use this extension to prove preservation of constant-time and to formally verify constant-time of a broad corpus of cryptographic implementations. ...
dblp:journals/iacr/ShivakumarBGLP22
fatcat:wkrzckmqbvgnxmrlowmqutkkq4
Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS
[chapter]
2016
Lecture Notes in Computer Science
At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. ...
Our work highlights the challenges of protecting implementations against sophisticated timing attacks. ...
of this work. ...
doi:10.1007/978-3-662-49890-3_24
fatcat:lv4a4ukxeradpcy53iwoawbfda
FaCT: a DSL for timing-sensitive computation
2019
Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation - PLDI 2019
We thank the participants of the Dagstuhl Seminar on Secure Compilation for early feedback on this work, especially Tamara Rezk. ...
curve implementations. ...
Almeida et al. [4] verify AWS Lab's s2n MEE-CBC implementation (after identifying a vulnerability); they also verify security properties of NaCl libraries [6]. ...
doi:10.1145/3314221.3314605
dblp:conf/pldi/CauligiSJBWRGBJ19
fatcat:2ildtv2lx5fh5plm7vt2hwwit4
Machine-Checked Proofs for Cryptographic Standards
2019
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security - CCS '19
Our implementation is the first to achieve simultaneously the four desirable properties (efficiency, correctness, provable security, and side-channel protection) for a non-trivial cryptographic primitive ...
Our implementation is written in the Jasmin programming language, and is formally verified for functional correctness, provable security and timing attack resistance in the EasyCrypt proof assistant. ...
to prove the INT-PTXT security of a compiled executable implementation of TLS 1.2's notorious MAC-then-Encode-then-CBC-Encrypt (TLS-MEE-CBC) against timing-aware attackers. ...
doi:10.1145/3319535.3363211
dblp:conf/ccs/AlmeidaBBBDGL0S19
fatcat:ywk5fizlmrcoti6g3uhph7s7h4
Lucky 13 Strikes Back
2015
Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS '15
Our version of the attack exploits distinguishable cache access times enabled by VM deduplication to detect dummy function calls that only happen in case of an incorrectly CBC-padded TLS packet. ...
In fact, the new side channel is significantly more accurate, thus yielding a much more effective attack. We briefly survey prominent cryptographic libraries for this vulnerability. ...
In essence, all libraries were fixed to remove the timing side channel exploited by Lucky 13, i.e. implementations were updated to handle different CBC-paddings in constant time. ...
doi:10.1145/2714576.2714625
dblp:conf/ccs/ApececheaIES15
fatcat:wdfl4jazofas7j5vp2chs7jjcq
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
2013
2013 IEEE Symposium on Security and Privacy
The attacks are based on a delicate timing analysis of decryption processing in the two protocols. ...
Finally, we discuss the wider implications of our attacks for the cryptographic design used by TLS and DTLS. ...
Careful implementation of MEE-TLS-CBC decryption: Our final option is to encourage more careful implementation of MEE-TLS-CBC decryption. ...
doi:10.1109/sp.2013.42
dblp:conf/sp/AlFardanP13
fatcat:uipdsa4jxzafjgy3kltnzgifie
STACCO
2017
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17
Particularly, we consider a category of side-channel attacks against SSL/TLS implementations in secure enclaves, which we call the control-flow inference attacks. ...
We also conducted CBC padding oracle attacks against the latest GnuTLS running in Graphene-SGX and an open-source SGX-implementation of mbedTLS (i.e., mbedTLS-SGX) that runs directly inside the enclave ...
Security Analysis of TLS Implementations There has been work on verifying constant-time implementation for SSL/TLS libraries [14, 15]. ...
doi:10.1145/3133956.3134016
dblp:conf/ccs/XiaoLCZ17
fatcat:smeafct6pjhyzka23kxg57ej5e
Jasmin
2017
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS '17
Moreover, the framework includes highly automated tools for proving memory safety and constant-time security (for protecting against cache-based timing attacks). ...
We also demonstrate the effectiveness of the verification tools on a large set of cryptographic routines. ...
ONR Grants N000141210914 and N000141512750, by Google Chrome University, by Cátedra PT-FLAD em Smart Cities & Smart Governance, and by Project "TEC4Growth - Pervasive Intelligence, Enhancers and Proofs of ...
doi:10.1145/3133956.3134078
dblp:conf/ccs/AlmeidaBBBGLOPS17
fatcat:vyxyeu3mtvff7bsios5hdfj5se
Reactive and Proactive Standardisation of TLS
[chapter]
2016
Lecture Notes in Computer Science
governing relevant stakeholders at the time of standardisation. ...
In an attempt to place TLS within the broader realm of standardisation, we perform a comparative analysis of standardisation models and discuss the standardisation of TLS within this context. ...
Van der Merwe was supported by the EPSRC as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London. ...
doi:10.1007/978-3-319-49100-4_7
fatcat:33ngau3bv5a5lb3purmdqqtmxe
Spectre Declassified: Reading from the Right Place at the Wrong Time
[article]
2022
IACR Cryptology ePrint Archive
Concretely, we present a PoC that recovers the AES key of an implementation of AES written in FaCT, a domain-specific language for constant-time programming. ...
Third, we implement one of our countermeasures in the FaCT compiler and evaluate performance overhead for core cryptographic routines from several open-source projects. ...
ACKNOWLEDGEMENTS This research was supported by the Air Force Office of Scientific Research (AFOSR) under award number FA9550- ...
dblp:journals/iacr/ShivakumarBBCCG22
fatcat:enmmmqbaqvht3j2gxpr7flckti
Taxonomy of SSL/TLS Attacks
2016
International Journal of Computer Network and Information Security
Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols use cryptographic algorithms to secure data and ensure security goals such as Data Confidentiality and Integrity in networking. ...
The existing versions of the protocols, as well as the cryptographic algorithms they use, have vulnerabilities and are not resistant to Man-In-The-Middle (MITM) attacks. ...
The server uses Message Encode-then-Encrypt (MEE) policy to achieve a constant response time for both correct and incorrect encryptions. ...
doi:10.5815/ijcnis.2016.02.02
fatcat:uwdcva2fq5c5xcgqpuqhocanyy