Raccoon Attack - Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)
Offered By: TheIACR via YouTube
Course Description
Overview
Explore the intricacies of the Raccoon Attack, a cryptographic vulnerability affecting TLS-DH(E), in this conference talk delivered by Robert Merget at the Workshop on Attacks in Cryptography during Crypto 2021. Delve into the fundamentals of TLS-DH(E) and constant-time execution before examining the attack's methodology for retrieving the PMS (Pre-Master Secret). Analyze key derivation processes in TLS, including the Merkle-Damgård construction and expected hash function performance. Investigate SSL 3 key derivation, the TLS 1.0/1.1 PRF, and the role of HMAC in the PRF. Learn about measurement errors, special timing measurement equipment, and the challenges of direct Raccoon attacks in the presence of non-determinism. Assess the impact of the Raccoon Attack and explore potential countermeasures. Extend the discussion to Raccoon's implications for ECDH(E), TLS 1.3, and eTLS/ETS. Examine the underlying reasons for these vulnerabilities and their relation to the PRF-ODH assumption. Conclude by considering Raccoon's potential effects on other protocols, gaining a comprehensive understanding of this significant cryptographic attack.
Syllabus
Intro
TLS-DH(E)
Constant Time Execution
Attack Overview
Retrieving the PMS
Key Derivation in TLS
Merkle-Damgård-Construction
Hashfunction Performance (expectation)
SSL 3 Key Derivation
TLS 1.0/1.1 PRF
HMAC in the PRF
Attacker can choose Hash Functions
Measurement Errors
Special Timing Measurement Equipment
Direct Raccoon + Non-Determinism
Impact
Countermeasure
So.... no Side-Channel?
Raccoon and ECDH(E)
Raccoon and TLS 1.3
Raccoon and eTLS/ETS
Why the mess?
Raccoon & DH(E) Proofs
PRF-ODH Assumption
Raccoon and other Protocols
Conclusion
Taught by
TheIACR
Related Courses
Physical and Advanced Side-Channel Attacks (Graz University of Technology via edX)
Side-Channel Security: Developing a Side-Channel Mindset (Graz University of Technology via edX)
Introduction to Software Side Channels and Mitigations (Graz University of Technology via edX)
Cryptography and Information Theory (University of Colorado System via Coursera)
Hardware Security (University of Maryland, College Park via Coursera)