Pseudorandom Black Swans: Cache Attacks on CTR_DRBG
Offered By: TheIACR via YouTube
Course Description
Overview
Explore a presentation from WAC 2020 examining cache attacks on CTR_DRBG, a standardized pseudorandom number generator. Delve into the design flaws of CTR_DRBG, including key rotation issues and lack of entropy. Investigate the feasibility of side-channel attacks on this generator and their implications for TLS handshakes. Analyze attack scenarios targeting TLS 1.2 RSA key exchange with client authentication, and examine state recovery techniques. Study the differential structure of AES internal states and learn about experimental setups for interrupting SGX execution. Gain insights into the complexities of cryptographic implementations and the importance of robust security measures in standardized designs.
Syllabus
Intro
Lesson Learned (the hard way)
Standardized Designs
CTR_DRBG: Design
CTR_DRBG: Generate Function
Key Rotation Flaw
Problem 1: Key Not Rotated Often Enough
Problem 2: Lack of Entropy
Is a side-channel attack on CTR_DRBG realistic?
FIPS Requirements
Finding long PRG outputs in TLS handshake
Attack Scenario
Attacking TLS 1.2 RSA key exchange with client auth
Results: State Recovery
Attack Complexity
AES Internal State
Examining the Differential Structure
Differential Attack
Towards a realistic attack
Interrupting SGX Execution
First Attempt
Experimental Setup
Lessons
Taught by
TheIACR
Related Courses
Criptología Matemática (Universidad de Murcia via Miríadax)
Symmetric Cryptography (University of Colorado System via Coursera)
Master Mathematical Cryptography 2020: Crack Any Code (Udemy)
Cryptography from Scratch | Master Cryptography in Java (Udemy)
Cryptography (Caleb Curry via YouTube)