Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Breaking RSA Keys by Listening to Your Computer

Posted by Hemos on Sat May 08, 2004 11:06 AM
from the sssh-i'm-hunting-for-wabbits dept.
Security Technology
An anonymous reader writes "Adi Shamir and crew gave a talk on preliminary results in extracting a private RSA key just by listening to the computer!. Similar to power analysis and LED leakage, this is a non-invasive, side channel attack that may have applications to tamper-resistant systems. It appears to be related to noisy capacitors on the motherboard, an effect which has been observed when CPU power saving is enabled on laptops."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Breaking RSA Keys by Listening to Your Computer 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • That's it... screw the enviroment (Score:5, Funny)

    by Anonymous Coward on Saturday May 08 2004, @11:09AM (#9093907)
    No power saving for me! My encrypted porn is far too important.

  • Lucky for me... (Score:5, Funny)

    by relyter (696205) on Saturday May 08 2004, @11:13AM (#9093948)
    I've got so many fans running in my computer that you can't even hold a conversation in the same room, much less listen for capacitors

    • not so lucky (Score:4, Insightful)

      by hatchetman82 (719635) on Saturday May 08 2004, @11:23AM (#9094004)
      "...For example, a high-quality analog equalizer can be used to attenuate strong low-frequency fan hums and background noise..."
      taken from the article.
      you'd need background noise in the same frequency area (dummy CPU ?)

  • If you have phsysical access (Score:4, Insightful)

    by foidulus (743482) on Saturday May 08 2004, @11:14AM (#9093954)
    Wouldn't it just be easier to use money/women/men/donkeys to bribe the person to cough up a password?
    I guess you could always "bug" a place, but if you were significantly paranoid about security(to the point where someone would try to listen your key away from you) wouldn't you have a copper cage around your building?
  • The article does not deal with actually computing the encoding (Pe) and decoding functions (Pd) for q,n,d. Where q,n are unique primes. The only thing their interference spotted is the markings between computing each function for the signature, and this drastically varies based on the machine. They do have a Proof of Conept, but no quantifiable data.
    My $0.02.

    artlu [artlu.net]
  • Investigations are an important part of the justice system. Though the tenet is "innocent until proven guilty", it's only possible to prove someone guilty by means of an investigation.

    By encrypting your data, you are bringing unnecessary suspicion upon yourself. I wouldn't be surprised if the FBI's powers are enhanced to include surveillance of you and your data.
    • Even if the FBI/NSA can't manage to decode your data, the fact remains if they get to look at your HD via a warrent and they discover 20 GB of encrypted data rather than anything readable, they know you're hiding something from their view.

      That discovery encrypted data can still be used as evidence in justifying further warrants... while discovering 20 GB of Britney Spears music in readable form would most likely cause the investigation to give up on worrying about the contents of that hard drive.

    • Encryption is part of checks and balances. (Score:5, Insightful)

      by Roman_(ajvvs) (722885) on Saturday May 08 2004, @11:47AM (#9094134) Journal
      By encrypting your data, you are bringing unnecessary suspicion upon yourself

      Encryption inhibits surveillance by ANYONE. That the government falls under the category of anyone is secondary to most encryption desires and uses.

      If someone was attempting avoidence/prevention of potential government investigation, then the act of encrypting wouldn't make it more or less likely. They make use of encryption because they have some information they don't want the government to know. It's not because they use encryption but due to any relevant knowledge they have, that a person should ellicit investigation by their government. And then knowledge pertaining only to those things that governments should worry about (murder, fraud, and other criminal acts).

      So by encrypting the code on my laptop as a security precaution, you're saying I bring unnecessary suspicion upon myself? Noone but my company and its business competitors has an interest in the trade secrets I manage and create during the course of my business. Therefore I use encryption as a means of self-defense. I inhibit investigation by those not authorized by me or my company. The act of investigation could very well be illegal. I would not give my government blanket access to my trade secrets, when I have no control over what they do with them. They should have no interest in them. in fact, by wanting to enhance surveillance of those things which they declare to not have an interest in and would normally have no involvement in is suspicious in itself. Encryption is a tool and is about as dangerous as a screwdriver.

  • Does anyone... (Score:5, Interesting)

    by centralizati0n (714381) <tommy.yorkNO@SPAMgmail.com> on Saturday May 08 2004, @11:17AM (#9093969) Homepage Journal
    Does anyone know the range of how far you can be away from the computer to hear the sounds? The proof-of-concept website just seemed to be "look, here are pictures of computer operations... in sound! Yay!" without enlightening us on any details.
    • Really, it depends on what equipment is being used to pick up the sounds.

      Think about WiFi. Your standard access point and and laptop card will work for about 300 feet. However, somebody 1000 feet away could interact with that network using a simple pringles can attenna.

      The same theory basically can be applied to sound, the more directional microphone and the better it is at filtering unwanted sound, the better the signal-to-noise ratio will get. So, putting walls and other background noises into the probl

    • mod parent down, -1 stupid (Score:2, Informative)

      by Anonymous Coward
      Did you even read the article? This comes from before the pictures of the sounds, even, and I quote:

      The recordings below were made under nearly ideal conditions: the microphone was placed 20cm from the recorded computer, the PC case was opened and noisy fans were disconnected (where applicable). Comparable results where achieved under more realistic conditions (i.e., the subject computer is intact and placed 1m to 2m from the microphone) using more expensive audio equipment.

  • found a way to stop it (Score:3, Funny)

    by DrLZRDMN (728996) on Saturday May 08 2004, @11:18AM (#9093978)
    the wont be able to hear it if you've got one of these [newegg.com]
    • Or how about one of these [cluboverclocker.com]? They're old-school and no one in their right mind uses them anymore, but damn those little things could push air (due to the fact they were going at 8000(!) RPM).

  • reminds me of the old days (Score:5, Interesting)

    by belmolis (702863) <billposer@@@alum...mit...edu> on Saturday May 08 2004, @11:22AM (#9093996) Homepage

    Twenty years ago at Bell Labs one of the speech machines (an SEL with homebrew audio i/o) had output to loudspeakers that went through unshielded speaker wires that ran past the CPU, so if you weren't playing anything back the speakers played back CPU noise. We could tell what stage a compilation was at by the noise that came over the speakers.

  • Aha! (Score:5, Funny)

    by dupper (470576) * <adamlouis@gmail.com> on Saturday May 08 2004, @11:22AM (#9093998) Journal
    Now I have an excuse to play loud music at work: security!
  • As much as this technology is a risk and therefore a potential threat, unless you are of the reaslly paranoid (which would mean this interests you considerably) there are far easier ways of attacking a computer.

    This attack came to show how to attack the key, which is why it interests these folks, I suppose, but it would be much easier to use TEMPEST if you get access to actually install some tool to hear && (record || trasmit) the audio.

    I would suggest TEMPEST would also be more reliable, but some

  • Patenting. (Score:3, Interesting)

    by Zangief (461457) on Saturday May 08 2004, @11:36AM (#9094076) Homepage Journal
    If you go to the site of the DPA attack [cryptography.com],Cryptographic Research, you can see that they have already have patents on Systems to protect against these kind of attacks. So it's not like they have developed anything (I don't know if they have) but you can already pay them to get protection from this kind of attack! yay!

  • Kinda like that CPU speed crack (Score:5, Informative)

    by suso (153703) on Saturday May 08 2004, @11:41AM (#9094101) Homepage Journal
    This sounds kinda like that crack that the college student found in 1995 dealing with the speed of the CPU determining what random numbers the host would pick. A good reason not to keep your CPU info in the HINFO line of a DNS zone file.

  • Is this actually possible? (Score:5, Interesting)

    by idiot900 (166952) * on Saturday May 08 2004, @11:42AM (#9094111)
    Even at a 96 kHz sampling rate, the maximum frequency that can be sampled is 44 kHz. How could one hope to extract a certain few bits from a recording when the CPU's instruction throughput is many times that? Most of the information that would need to be examined wouldn't make it onto the recording. Correct me if I'm wrong, but it seems Nyquist leaves this idea dead in the water.
    • > How could one hope to extract a certain few bits from a recording when
      > the CPU's instruction throughput is many times that?

      The few bits you're trying to extract may have an observable influence on global statistics, especially when you can affect the value of some other bits. See for example Boneh and Brumley's timing attack on OpenSSL [stanford.edu].

    • Re:Is this actually possible? (Score:5, Informative)

      by Doctor Wonky (105398) on Saturday May 08 2004, @12:08PM (#9094231)
      What they did was, create tight loops performing the same operation over and over. And found that different operations tend to result in different sorts of noise on the power supply, resulting in different sounds from the capacitors.

      Remember though with their 96,000 Hz sampling rate, a 1 Ghz CPU performs over 10,000 instructions per sample.

      Air does not vibrate fast enough, and there are no microphones with frequency response high enough to let you look at individual operations.

      So I guess, if you knew the characteristics well enough, you could record the sound of the capacitors and say 'Hey, this guy is running GnuPG' on it. I don't see a concievable way to figure out the keys and this article doesn't suggest one.
    • I don't think the idea is to extract certain bits. This hasn't moved out of the concept phase. Even when it does it probably won't go extrodinarily far in terms of practical applications. The point is just that information can be gathered. It may not be bits, but it can tell you how much work the computer is doing, when it's doing it, and as the examples show there is a possibility of determining what type of operations are being performed. Your not going to "hear" they key or anything like that. But

  • I've tried this... (Score:5, Funny)

    by bhmit1 (2270) on Saturday May 08 2004, @11:44AM (#9094121) Homepage
    ...but all I heard was "Dave, what are you doing Dave?"
    Hmm, maybe I should put away the screwdriver.
  • Obviously this attack requires physical access to the machine. And with physical access to the machine there are easier ways to extract keys. So this is really only relevant if you want to protect against somebody with physical access, that wouldn't perform a simpler attack, which could involve disassembling the machine. I think some chipcards you would use to protect keys is a case, where you might worry about such attacks. But how much noise does a chipcard produce, I think with those it would make more s
  • Eavesdropping is an old technique, it's interesting that it's being touted as something new. Okay so the context is a bit different but not all that different. Is even the context all that new? It may be new to the authors (and readers?) but it's probably not new to those folks that employ creative techniques to snoop. A microphone works great to "log" keystrokes. The delays between key presses can be used to create a pattern that in turn can define exactly what's been typed. Passive listening devices
  • It tells me to troll Slashdot, and buy Kenny G albums.

    I'm starting to think it doesn't have my best interests at heart...
  • Anyone who uses software powersaving/CPU cooling in windows or linux has heard this noise. Programs like CPUIdle [cpuidle.de] et all put the processor into an HLT state and cool it significantly (12+ degrees here). I run the thing to cool my massive laptop [chrisevans3d.com] which would get quite hot during renders and things, what with it's 10K RAID etc.. I hear this hum in a lot of electronics that have no moving parts (routers, computers, etc..), and have always wondered about it. In a chat on IRC we chalked it up to electric freque

    • Re:Noise from HLT state etc.. (Score:4, Interesting)

      by 0x0d0a (568518) on Saturday May 08 2004, @12:34PM (#9094348) Journal
      The most common thing I've found to induce audible noise (I use a SB Live, and can easily hear this with even cheap speakers) is to demute the sound card inputs that aren't connected to anything -- like CD audio and whatnot -- and then start moving my PS/2 mouse, which generates a fairly slow sequence of signals, producing a definite buzz. Video redraw also can do this -- dragging windows works well as well, and what's on the screen (oddly enough, lots of white areas seems to cause more of a buzz) has an impact.

      It's really amazing how dirty a computer power supply is -- I also picked up a headphone preamp that fits inside a 5.25" drive bay, and can optionally run off the computer power supply. If it's running off the power supply, I get a *very* noisy signal that is affected by things like hard drive access.

  • The other shoe dropping (Score:5, Informative)

    by Effugas (2378) on Saturday May 08 2004, @12:06PM (#9094220) Homepage
    Shamir, once again pointing out something absolutely brilliant and (in retrospect) totally obvious, did forget to include something rather important in his announcement:

    The particular pattern of CPU operations executed while an RSA private key is executed varies depending on that RSA private key. Given a rough estimate of the pattern of CPU operations executed, the set of possible RSA private keys is greatly reduced. So it becomes much, much easier -- possibly trivial, particularly if you have a chosen plaintext scenario -- to extract a private key from an otherwise secure system. Consider an e-voting machine with an audio system for handicapped access -- with nothing but a very sensitive microphone in the booth, you might be able to determine the private key used to sign votes (and thus gain the capability to spoof votes elsewhere).

    And of course, this would be a very, very successful attack against an RSA private key embedded within a trusted computing environment. Processors -- even those encased in epoxy -- still need power, and variable amounts depending on what they're doing. The brilliance here is that rather than needing some very expensive analog energy drain measurement equipment, you just need a sound card. It's a side channel attack for the masses.

    Very very cool work. Wow.

    --Dan
      • Well, to use the scientific term, "it depends". I've been thinking about this (like about ten thousand other crypto people) throughout the day. Certainly, Brumley and Boneh's attack will work (and probably better, because 1/44,100 is microsecond resolution): http://crypto.stanford.edu/~dabo/papers/ssl-timin g .pdf

        We do have more data than just time, too -- we have instruction profiles. If it's possible to absolutely know the input to the RSA signing function, and it's possible to alter that input whi

  • Forget capacitors, listen to the keyboard. (Score:5, Interesting)

    by Hans Lehmann (571625) on Saturday May 08 2004, @12:07PM (#9094227)
    Other than fans & hard drives, I don't think I've ever heard noise from any machine I've ever worked on, though back in the old days we would hold an AM radio next to the computer, which would give very distinct noise patterns as the CPU went about its business.

    If you really want to do some acoustic evesdropping, listen to the keyboard. It's got a much larger signal to begin with (from across the room, instead of having to paste your ear to the computer case.) Since there are always slight mechanical differences between keys on any given keyboard, I would think that the sound spectrum would also be slightly different. Being able to always listen in on the same user would also help, since most people are somewhat consistent regarding which finger they use on which key. (Evesdropping on people who were smart enough to take a touch-typing class in high school is also a big plus.)

    Assuming you could discern between the acoustic fingerprint of 100 different keys, then it's just a matter of figuring out which sound goes with which key. It's a simple substitution cypher, which are almost trivial to break.

    Sneak your cell phone into your boss's office, set it to silent mode and plug in a headset so that you can set it to auto-answer when a call comes in. Then, while your boss is busy typing dirty notes to his mistress, you call your cell phone, start recording it, and presto, you've got a keylogger without ever having touch his computer or the software on it. Then, at your next performance review, you convince him to give you a hefty raise.

    ...Profit!!!

  • I've heard of Tempest emanations/ Van Ecks for eavesdropping. Supposedly the technique can grab keystrokes from remote machies. Just google for "tempest eavesdropping" if you want info on this.

  • Interesting... (Score:5, Interesting)

    by boola-boola (586978) on Saturday May 08 2004, @12:35PM (#9094360)
    It is interesting to note that Adi Shamir (one of the co-authors) is one of the three people who came up with RSA-encryption [thefreedictionary.com]

    R = Ron Rivest
    S = Adi Shamir
    A = Len Adleman

  • Sounds, Electronics, and the Hound :) (Score:3, Interesting)

    by Zizkus (658125) on Saturday May 08 2004, @01:02PM (#9094498)
    Having worked in telecommunications as well as consumer electronics and computing, I've played a lot :) One of the more interesting things for fun was to poke around with a induction amplifier, you know, the "hound" in the fox and hound tone generator/ handheld probe that the phone guys use for tracing copper thru a building. It is pretty sensitive and I've found many fun sounds by waving it around in various analog and digital equipment, it kinda gives a unique viewpoint. Used in different locations in a PC it picks up various interesting sounds that are very different according to what the system is doing, and where you are probing, memory, chipset, io/chips, cpu etc. Never found it very good for troubleshooting PC's, but lots of fun! Also, I think the sounds you can hear around running electronics is partly caused by sympathetic viberation induced in the air molecules by high frequency energy changes happening, especially on the buses where there are long runs exposed, as well as perhaps by the caps, (?), could it be the aluminum in the caps is reacting to the energy field?, most of the round tall caps you see on a board are used on low frequency mainly power filtering applications.

  • Playing TI-99/4 games by ear (Score:3, Interesting)

    by LoadWB (592248) on Saturday May 08 2004, @01:39PM (#9094734) Homepage Journal
    I recall reading rumors of a blind fella who could play MunchMan on the TI-99/4 just by listening to the sounds in the background of the game.

    While my experience is no where near that in-depth, I do remember that the computer made distinct sounds when performing certain tasks, such as reading GROM, initializing, running BASIC programs (I recall that some statements also have distinct sounds as well.)

    Since then I have been able to detect certain sounds from my machines which indicate normal operations; to some extent I think we all do, just as we do with cars to "know" that something isn't right. And it's been pretty consistent through all of my computers: Commodore 64, 128D, Atari 800XL, various Amigas (amazing things heard by holding your ear to the A500 power supply,) many desktop PCs and notebooks. Even some console systems generate sounds under operation (an old NES on my shelf with a bad filter cap is good for this.)

    I'm curious to know what correlations between design type, grounding, processor architecture, and other factors exist for this. Might be worth investigating like this chap did, should I find the time to do so.

  • FAQ (Score:5, Informative)

    by Insount (11174) * <slashdot2eran@trome[ ]rg ['r.o' in gap]> on Saturday May 08 2004, @04:37PM (#9095804) Homepage
    (I'm a co-author of the presentation.)

    The web page [weizmann.ac.il] was extended to include a FAQ discussing the issues brought up here.
    • I usually get this on my own setup a P4b-266 w/1.7(oc'd to 1874), but only after a reboot; and only do you hear it on re-init's prior to loading windows(pick a flavor) or BSD. Not when the machine is running.

      I'm thinking that it's the little critters getting just abit too hot, I found that increasing the airflow and cooling everything down by a couple of degrees seems to make the noise go away. Unless...it's in the winter...in which case...the house is more then cool enough and you don't have to worry ab
    • i've got the wonderful feature of sound effects from my box when performing just about any GUI operation you care to mention, i originally thought that it was a monitor issue, now you tell me my privacy is at risk because of it!

      time to fit more fans and drown out the noise.

    • No (Score:5, Informative)

      by Transient0 (175617) on Saturday May 08 2004, @11:25AM (#9094012) Homepage
      at best, they have shown that they can detect differences in the types of instructions the processor is executing by listening to the sounds of the capacitors. It is a long way from there to the point where they can extract the key itself from the information. In fact, I would venture that the data is far too noisy (haha) for any significant part of the key to ever be extracted, reagardless of the amount of computational power thrown at the problem. What they might be able to do however is use the information gleaned to eliminate large swaths of the set of possible keys. This could make cracking the key by conventional means a computationally easier task.

      So, in all, this paper is not insignificant, but it's also not a reason to completely give up on security or to install a cone of silence around your computer.
      • So, in all, this paper is not insignificant, but it's also not a reason to completely give up on security or to install a cone of silence around your computer.

        I'm not sure that I could fit this [cinerhama.com] around a computer in the first place.

      • No no (Re:No) (Score:5, Informative)

        by po8 (187055) on Saturday May 08 2004, @12:39PM (#9094376)

        Uh, no. Your analysis runs contrary to cryptanalytic principles and the history of these sorts of attacks.

        If you spot me 1 bit of key information, you have by definition halved the work for an attack. In this specific analysis, I need only consider those settings of key bits (in this case, bits of p and q) that correspond to observed behavior for an interval of the spectogram. This means that I can potentially crack the key in time almost linear in the size of the key, rather than completely exponential.

        The work on timing attacks and power attacks uses very similar sorts of information, and the anlysis used here will likely be similar also. This is why Shamir, who is certainly qualified to evaluate the work at this point, describes it as "proof of concept": it would be surprising if the observed information fails to extend to a practical attack. It's just that in science, you publish when you have anything interesting to report, so that folks know you got there first.

    • Re:RSA sucks anyway (Score:5, Insightful)

      by kasperd (592156) on Saturday May 08 2004, @11:42AM (#9094107) Homepage Journal
      Nope, for it's DSA/DSS all the way, and all the noisy capacitors in the world won't help you break it.
      That wouldn't change anything. RSA as well as DSS is based on modulus exponentiation with a secret exponent. If you can get the exponent you have broken the system, it is as simple as that.

      Why do I trust it? Because it was developed by the NSA, not a bunch left leaning MIT eggheads.
      That kind of logic is useless in the security business. Basing your trust upon who designed the algorithm is stupid. How many (and who) tried to break the algorithm and failed at that is a better meassure on the security. A good rationale behind the design is another good meassure on the security. And finally mathematical proofs.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.