Lucky Microseconds: A Timing Attack on Amazon’s s2n Implementation of TLS

  • Martin R. Albrecht
  • Kenneth G. Paterson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9665)


s2n is an implementation of the TLS protocol that was released in late June 2015 by Amazon. It is implemented in around 6,000 lines of C99 code. By comparison, OpenSSL needs around 70,000 lines of code to implement the protocol. At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. We show that, despite this, s2n — as initially released — was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings. Our attack has two components. The first part is a novel variant of the Lucky 13 attack that works even though protections against Lucky 13 were implemented in s2n. The second part deals with the randomised delays that were put in place in s2n as an additional countermeasure to Lucky 13. Our work highlights the challenges of protecting implementations against sophisticated timing attacks. It also illustrates that standard code audits are insufficient to uncover all cryptographic attack vectors.
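The abstract only summarises the two ingredients of the attack. The simulation below is an added illustration, not code from the paper or from s2n: it models the Lucky 13 timing signal in a TLS MAC-then-encrypt CBC record check, and then shows why a uniformly random delay raises the cost of the attack without removing the signal. It counts SHA-1 compression-function calls instead of reading a clock, builds the post-decryption plaintexts directly rather than modelling the CBC bit-flipping an attacker would use to place them, models the length-hiding fix as a fixed work count rather than as dummy compressions, and the cycle scaling, delay bound, seeds and sample count are assumptions chosen for the demonstration (not s2n's values).

```python
# Added illustration for the abstract above; not code from the paper or from s2n.
# Work is counted in hash compression-function calls instead of being measured
# on a clock, and the delay bound, cycle scaling, seeds and sample count are
# assumptions chosen for the simulation.
import hashlib
import hmac
import random

MAC_LEN = 20   # HMAC-SHA1 tag length in bytes
HDR = 13       # bytes the TLS MAC covers before the payload: seq no (8), type (1), version (2), length (2)


def sha1_compressions(n_bytes):
    """SHA-1 compression calls to hash n_bytes: 64-byte blocks plus at least
    9 bytes of Merkle-Damgard padding (0x80 byte and 8-byte length)."""
    return (n_bytes + 9 + 63) // 64


def hmac_sha1_work(msg_len):
    """Compression calls for HMAC-SHA1 (key <= 64 bytes): inner hash over the
    64-byte ipad block plus the message, outer hash over the opad block plus
    the 20-byte inner digest."""
    return sha1_compressions(64 + msg_len) + sha1_compressions(64 + MAC_LEN)


def build_record(key, payload, pad_len):
    """Honest sender side: payload || HMAC(header || payload) || (pad_len + 1) bytes of pad_len.
    The header is zeroed here; a real record MACs the sequence number and record header."""
    tag = hmac.new(key, b"\x00" * HDR + payload, hashlib.sha1).digest()
    return payload + tag + bytes([pad_len]) * (pad_len + 1)


def parse_padding(pt):
    """TLS CBC plaintext is payload || MAC || pad bytes || pad length, with every
    pad byte equal to the length byte. Returns (valid, pad_len)."""
    n = pt[-1]
    if n + 1 + MAC_LEN > len(pt):
        return False, 0
    return all(b == n for b in pt[-(n + 1):]), n


def _mac_and_compare(key, pt, payload_len, valid):
    tag = hmac.new(key, b"\x00" * HDR + pt[:payload_len], hashlib.sha1).digest()
    return valid and hmac.compare_digest(tag, pt[payload_len:payload_len + MAC_LEN])


def check_leaky(key, pt):
    """Pre-Lucky-13 style check: on bad padding the MAC is still computed (closing
    the Vaudenay-style abort channel), but over the whole record minus the tag, so
    the number of compressions still depends on the padding bytes.
    Returns (mac_ok, compression_calls)."""
    valid, n = parse_padding(pt)
    payload_len = len(pt) - MAC_LEN - (n + 1 if valid else 0)
    return _mac_and_compare(key, pt, payload_len, valid), hmac_sha1_work(HDR + payload_len)


def check_fixed(key, pt):
    """Length-hiding check: the compression count is that of the longest payload
    the record could carry (pad length 0), so it depends only on len(pt). Real
    implementations reach this count with dummy compression calls."""
    valid, n = parse_padding(pt)
    payload_len = len(pt) - MAC_LEN - (n + 1 if valid else 0)
    return _mac_and_compare(key, pt, payload_len, valid), hmac_sha1_work(HDR + len(pt) - MAC_LEN)


def forged_records():
    """Three 64-byte decrypted records of the kind a Lucky 13 attacker steers into
    place by CBC bit-flipping (constructed directly here): valid 1-byte padding,
    valid 2-byte padding, and padding that is invalid."""
    body = bytes(random.Random(1).getrandbits(8) for _ in range(64))
    return {
        "pad1": body[:-1] + b"\x00",
        "pad2": body[:-2] + b"\x01\x01",
        "bad":  body[:-2] + b"\x02\x7f",
    }


def timed_oracle(check, key, pt, rng, cycles_per_compression=200, max_delay=5_000):
    """One simulated measurement: compression work scaled to cycles, plus a
    uniformly random delay standing in for a randomised-wait countermeasure."""
    _, work = check(key, pt)
    return work * cycles_per_compression + rng.uniform(0, max_delay)


def mean_timings(check, key, samples=20_000):
    """Attacker's statistic: average the noisy timing of each forged record."""
    means = {}
    for i, (name, pt) in enumerate(forged_records().items()):
        rng = random.Random(100 + i)   # independent noise stream per record
        total = sum(timed_oracle(check, key, pt, rng) for _ in range(samples))
        means[name] = total / samples
    return means


if __name__ == "__main__":
    key = b"k" * MAC_LEN
    for name, pt in forged_records().items():
        print(name, "leaky work:", check_leaky(key, pt)[1], "fixed work:", check_fixed(key, pt)[1])
    print("leaky means:", mean_timings(check_leaky, key))
    print("fixed means:", mean_timings(check_fixed, key))
```

With these sizes the record whose last two bytes decrypt to `0x01 0x01` costs one compression less than the other two (13 header bytes push the MAC input over a 64-byte boundary, which is where the "13" in Lucky 13 comes from), and the averaged timings separate it even though each individual measurement is dominated by the random delay. The delay changes the variance of the attacker's estimate, not the difference between the means, so the samples required grow with the square of the delay range rather than the attack becoming impossible; the length-hiding check removes the difference in the means instead.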


Keywords: TLS, CBC-mode encryption, timing attack, plaintext recovery, Lucky 13, s2n



We would like to thank Colm MacCarthaigh and the rest of the s2n development team for pointing out the randomised waiting countermeasure and for helpful discussions on an earlier draft of this work.



Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, Surrey, UK
