From c9ebbd58435069cc74fbe4c22f6e7c45c3aced22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 20 Aug 2020 12:17:05 +0200 Subject: [PATCH 1/2] Add a ChangeLog entry for local Lucky13 variant MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/local-lucky13.txt | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 ChangeLog.d/local-lucky13.txt diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt new file mode 100644 index 000000000..5a3eed0ba --- /dev/null +++ b/ChangeLog.d/local-lucky13.txt @@ -0,0 +1,9 @@ +Security + * Fix a local timing side channel vulnerability in (D)TLS record decryption + when using a CBC ciphersuites without the Encrypt-then-Mac extension. In + those circumstances, a local attacker able to observe the state of the + cache could use well-chosen functions to measure the exact computation + time of the HMAC, and follow up with the usual range of Lucky 13 attacks, + including plaintext recovery and key recovery. Found and reported by Tuba + Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler + (University of Florida) and Dave Tian (Purdue University). From f0a3cddefecaa9509a06e65881f9f9f3a6431809 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Aug 2020 10:10:11 +0200 Subject: [PATCH 2/2] Clarify that the Lucky 13 fix is quite general MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/local-lucky13.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/ChangeLog.d/local-lucky13.txt b/ChangeLog.d/local-lucky13.txt index 5a3eed0ba..adf493abe 100644 --- a/ChangeLog.d/local-lucky13.txt +++ b/ChangeLog.d/local-lucky13.txt 
@@ -1,9 +1,11 @@ Security - * Fix a local timing side channel vulnerability in (D)TLS record decryption - when using a CBC ciphersuites without the Encrypt-then-Mac extension. In - those circumstances, a local attacker able to observe the state of the - cache could use well-chosen functions to measure the exact computation - time of the HMAC, and follow up with the usual range of Lucky 13 attacks, - including plaintext recovery and key recovery. Found and reported by Tuba - Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler + * In (D)TLS record decryption, when using a CBC ciphersuites without the + Encrypt-then-Mac extension, use constant code flow memory access patterns + to extract and check the MAC. This is an improvement to the existing + countermeasure against Lucky 13 attacks. The previous countermeasure was + effective against network-based attackers, but less so against local + attackers. The new countermeasure defends against local attackers, even + if they have access to fine-grained measurements. In particular, this + fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, + Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
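Review bot: In the first patch's hunk (ChangeLog.d/local-lucky13.txt, the "Security" bullet), "when using a CBC ciphersuites without the Encrypt-then-Mac extension" mixes singular and plural; it should read "when using CBC ciphersuites without the Encrypt-then-Mac extension" (or "a CBC ciphersuite"). The rest of the entry is clear about the preconditions (CBC, no Encrypt-then-Mac, local attacker able to observe cache state) and the impact (HMAC timing leak usable for the known Lucky 13 plaintext- and key-recovery attacks), which is the information a reader of the changelog needs to decide whether they are affected.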
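Review bot: The second patch's rewrite of the entry still carries the same grammar slip, "when using a CBC ciphersuites without the Encrypt-then-Mac extension", which should become "when using CBC ciphersuites"; and "use constant code flow memory access patterns" reads as if a word were dropped, since the countermeasure being described keeps both control flow and memory access pattern independent of the secret, so "use constant code flow and memory access patterns" would state it unambiguously. The broader framing is a good change: describing the fix as a general hardening of MAC extraction and verification (effective against local attackers with fine-grained measurements, not only network attackers) tells users what changed, while still crediting the specific local cache attack report that motivated it.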