Scientists Extract RSA Key From GnuPG Using Sound of CPU
kthreadd writes "In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones."
Remember TEMPEST? (Score:5, Interesting)
TEMPEST was a details-secret government requirement meant to defeat means of eavesdropping on classified computer data from its electromagnetic emissions. I guess they need to include audio too.
My impression is that the noise comes from the power supply, not the CPU. I can certainly hear it with some computers, and it is related to work on the video card in my experience. I'm astonished that you can actually pull data from that, and in fact I'd like to see independent confirmation before I believe it.
Daisy, Daisy... (Score:5, Interesting)
In High School, we had a program we would run on the IBM 1620 (this was in ancient history...) that would play a song on a transistor radio placed on the console. Somebody figured out what instructions to run to create different frequencies.
We used to just leave the radio there even when not running that program.
"That's a loop!"
"Whoa! A "FORMAT" statement!"
One can easily see how A leads to B.
It's not the fan or mechanical components (Score:5, Interesting)
It's more awesome than that. The white noise generated by the fan doesn't matter at all.
"The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to maintain a constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations. The relevant signal is not caused by mechanical components such as the fan or hard disk, nor by the laptop's internal speaker."
The attack scenarios are even more fantastical. I have no idea how plausible they are, but wow, regardless:
"We discuss some prospective attacks in our paper. In a nutshell:
Install an attack app on your phone. Set up a meeting with your victim, and during the meeting, place your phone on the desk next to the victim's laptop (see Q2).
Break into your victim's phone, install your attack app, and wait until the victim inadvertently places his phone next to the target laptop.
Have a web page use the microphone of the computer running the browser (using Flash or HTML Media Capture). Use that to steal the user's GnuPG key.
Put your stash of eavesdropping bugs and laser microphones to a new use.
Send your server to a colocation facility, with a good microphone inside the box. Then acoustically extract keys from all nearby servers.
Get near a TEMPEST/1-92 protected machine, such as the one pictured to the right. Put your microphone next to its ventilation holes and extract its supposedly-protected secrets."
Re:Daisy, Daisy... (Score:5, Interesting)
In High School, we had a program we would run on the IBM 1620 (this was in ancient history...) that would play a song on a transistor radio placed on the console. Somebody figured out what instructions to run to create different frequencies.
We used to just leave the radio there even when not running that program.
"That's a loop!"
"Whoa! A "FORMAT" statement!"
One can easily see how A leads to B.
Back when the 486dx4 was out, I'd tune my FM radio to ~100 MHz and listen to the weird whirs and buzzes that occurred during disk access or mouse movement. Many years later, during a security class of all things, when I suggested using this as a method to leak information out of a secure room, the speaker said using radio transmission to leak information was much too sophisticated to be a viable attack for anything but the government and military.
Re:Remember TEMPEST? (Score:5, Interesting)
Also, it's Bruce Perens. Hi!
New? (Score:5, Interesting)
Wait, this is a new paper? Neat, they updated it since 2004. Um, this is a pretty old technique, I've seen it demonstrated, on GnuPG, no less, before. RSA square and multiply have different loops. This one, I know, GCHQ did first.
It's one of the reasons we like Ed25519 and the other safecurves - constant time loops, no key-dependent branches, massively reduces side-channel attack potential.
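The point made above about RSA square-and-multiply loops and the constant-time alternative, illustrated with a small example added here (it is not code from the paper, from GnuPG, or from anyone in the thread). A textbook left-to-right square-and-multiply is shown next to a Montgomery ladder; each routine returns a "trace" of the operations it performed, which stands in for whatever a side channel (acoustic, power or timing) can observe about the operation sequence. The toy values (base 5, modulus 97, 4-bit exponents) are constructed for the demonstration.

```python
"""Why key-dependent branches leak, and the branch-free alternative.

Added example, not code from the paper, GnuPG or the thread. The 'trace'
each routine returns stands in for what a side channel observes.
"""

from typing import List, Tuple


def naive_square_and_multiply(base: int, exp: int, mod: int) -> Tuple[int, List[str]]:
    """Compute base**exp mod mod with a key-dependent branch.

    Every exponent bit costs a square ('S'); only 1-bits add a multiply ('M'),
    so both the operation sequence and the total running time depend on the key.
    """
    result = 1
    trace: List[str] = []
    for bit in bin(exp)[2:]:          # most significant bit first
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                # the leak: taken only for 1-bits
            result = (result * base) % mod
            trace.append("M")
    return result, trace


def bits_from_trace(trace: List[str]) -> int:
    """Reconstruct the exponent from a square/multiply trace.

    Each 'S' starts a new bit; the bit is 1 exactly when an 'M' follows it.
    This is why a distinguishable square vs. multiply loop is fatal.
    """
    exp = 0
    i = 0
    while i < len(trace):
        assert trace[i] == "S"
        bit = 1 if i + 1 < len(trace) and trace[i + 1] == "M" else 0
        exp = (exp << 1) | bit
        i += 2 if bit else 1
    return exp


def cswap(bit: int, a: int, b: int) -> Tuple[int, int]:
    """Swap a and b when bit == 1 using arithmetic only, no branch."""
    mask = -bit                       # 0 -> 0, 1 -> all ones
    d = (a ^ b) & mask
    return a ^ d, b ^ d


def montgomery_ladder(base: int, exp: int, mod: int, nbits: int) -> Tuple[int, List[str]]:
    """Compute base**exp mod mod with one multiply and one square per bit.

    The operation sequence is identical for every nbits-bit exponent, so the
    trace carries no information about the key. (Python big ints are not
    themselves constant time; the point here is the branch-free structure.)
    """
    r0, r1 = 1, base % mod
    trace: List[str] = []
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = (r0 * r1) % mod          # always a multiply
        r0 = (r0 * r0) % mod          # always a square
        r0, r1 = cswap(bit, r0, r1)
        trace += ["M", "S"]
    return r0, trace


if __name__ == "__main__":
    # Constructed toy parameters; real RSA uses 2048-bit and larger moduli.
    base, mod, nbits = 5, 97, 4
    for exp in (0b1000, 0b1111):
        _, t_naive = naive_square_and_multiply(base, exp, mod)
        _, t_ladder = montgomery_ladder(base, exp, mod, nbits)
        print(f"exp={exp:04b} naive ops={len(t_naive)} {''.join(t_naive)} "
              f"recovered={bits_from_trace(t_naive):04b} | ladder ops={len(t_ladder)}")
```

Running it shows the naive routine's trace length growing with the exponent's Hamming weight (the timing leak) and its S/M pattern spelling out the exponent bit by bit (the acoustic/power leak), while the ladder produces the same eight-operation trace for every 4-bit exponent.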
Re:Remember TEMPEST? (Score:5, Interesting)
Q12: Won't the attack be foiled by loud fan noise, or by multitasking, or by several computers in the same room?
Usually not. The interesting acoustic signals are mostly above 10 kHz, whereas typical computer fan noise and normal room noise are concentrated at lower frequencies and can thus be filtered out. In task-switching systems, different tasks can be distinguished by their different acoustic spectral signatures. Using multiple cores turns out to help the attack (by shifting down the signal frequencies). When several computers are present, they can be told apart by spatial localization, or by their different acoustic signatures (which vary with the hardware, the component temperatures, and other environmental conditions).
Re:Not a Problem (Score:5, Interesting)
I'll be playing a recording of my system decrypting data with my throw-away RSA key then.
Reminiscent of other attacks (Score:5, Interesting)
There have been other attacks previously discussed here as I recall, such as using power fluctuations or timing attacks, and so on, as cribs to retrieve a key. It appears this sort of attack that exploits the characteristics of the system performing the encryption will continue to be an attack vector of growing importance.
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems [cryptography.com]
Abstract. By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.
Breaking DES with side-channel attacks [isy.liu.se]
This lab will demonstrate how power analysis of cryptographic hardware can reveal the key. We will be using basic electronic measurement tools such as oscilloscopes to demonstrate this side-channel attack.
You will be using a small hardware board (fig. 1) with a generic microprocessor programmed to perform DES encryption and decryption. The scenario is that you are the attacker and want to find out the secret key stored inside the board. There is no way of getting to the key directly, so you will need to perform a side-channel attack by measuring the power consumption of the board while the algorithm is running. The hardware board also allows the user to load a custom key in order to compare the power consumption.
And to think that there were people pooh-poohing NSA for pulling cables and servers that Snowden had access to. More attack vectors for everybody!
The technology inside Apple’s $50 Thunderbolt cable [arstechnica.com]
A source within the telecom industry explained to Ars that active cables are commonly used at data rates above 5Gbps. These cables contain tiny chips at either end that are calibrated to the attenuation and dispersion properties of the wire between them. Compensating for these properties "greatly improves the signal-to-noise ratio" for high-bandwidth data transmission.