Encryption Security Wireless Networking

Stealing Keys From a Laptop In Another Room — and Offline 58

Motherboard carries a report that with equipment valued at about $3,000, a group of Israeli researchers have been able to extract cryptographic keys from a laptop that is not only separated by a physical wall, but protected by an air gap. This, they say, "is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC." From the article: The method is a so-called side-channel attack: an attack that doesn't tackle an encryption implementation head on, such as through brute force or by exploiting a weakness in the underlying algorithm, but through some other means. In this case, the attack relies on the electromagnetic outputs of the laptop that are emitted during the decryption process, which can then be used to work out the target's key. Specifically, the researchers obtained the private key from a laptop running GnuPG, a popular implementation of OpenPGP. (The developers of GnuPG have since released countermeasures to the method. Tromer said that the changes make GnuPG “more resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.”)
  • Heh, time for TEMPEST. But isn't this what the spread-spectrum bus modes are supposed to help reduce?

    • by Anonymous Coward

      No, they aren't "bus modes", they are just a way to spread out RF energy so the motherboard can pass EMC tests.

    • by Anonymous Coward

      This was proposed fairly clearly in the "Leveraging the Analog Domain for Security (LADS) Program, DARPABAA1561" published September 25, 2015- as well as a bunch of other really interesting Analog attacks.

  • Van Eck Phreaking (Score:1, Interesting)

    by Anonymous Coward

    Part of the plot in the 1999 novel Cryptonomicon by Neal Stephenson so this isn't new.

  • Tempest protocol (Score:5, Informative)

    by WSOGMM ( 1460481 ) on Thursday February 18, 2016 @12:24PM (#51535535)

    This is why our government uses the "Tempest" [wikipedia.org] certification on buildings, categorizing whether information can be stolen from electromagnetic emanations within neighboring wall, room, just outside the building, etc.

    It's called Van Eck phreaking [wikipedia.org], and it's one of the many modern day forms of wizardry. Essentially different components of your computer communicate via high frequency electric currents. These currents broadcast corresponding EM waves somewhere in the radio spectrum, and you decode the corresponding frequency components into your own information, which if you know what monitor they're using, for instance, you can catch the signal from their wires and reproduce their monitor image on your screen.

    • Re:Tempest protocol (Score:5, Informative)

      by lowen ( 10529 ) on Thursday February 18, 2016 @12:58PM (#51535837)

      One of the key concepts to realize with 'van Eck phreaking' is that no shielding provides infinite attenuation at all frequencies. Even solid copper shielding has a finite, if very large, attenuation. With a cryogenic-cooled HEMT or similar front-end and a high gain antenna, the requirements for shielding could be as high as an attenuation of 100dB or more (copper screen is good for 30dB or so typically).

      A cryo HEMT front-end isn't that far out of reach, even on pennies, as dry ice can get the temps low enough to foil thin shielding, and thicker shielding can be defeated with liquid nitrogen temps. Specialized near-field antennas that work on magnetic induction principles foil even the thickest pure copper, tin, or aluminum shielding; you need a ferromagnetic shield (mu metal is good) in addition to the copper to shield then.

      Vent holes are the hardest, as you then want copper honeycomb material to act as 'waveguide beyond cutoff' attenuators. Slots and gaps of any kind can act as antennas; the Parkes radio telescope, for instance, has a webcam that required a very special enclosure where even the screw spacing had to be controlled. (see http://www.atnf.csiro.au/outre... [csiro.au] for details).

      • by Anonymous Coward

        One of the key concepts to realize with 'van Eck phreaking' is that no shielding provides infinite attenuation at all frequencies.

        Much to my surprise, I was able to get WiFi inside a TEMPEST approved room soon after it was built (but before it was placed in service). This was in an old office building, so that particular room is no longer in use (which might be a good thing).

      • So you're saying that Julian Assange, holed up in the Ecuadorian embassy and using varying forms of encryption and probably decent attempts at shielding EM leaks, is probably pwned?

        If so, why did the UK authorities waste $18m [slashdot.org] monitoring him in person? Or was $17m spent on setting up Van Eck phreaking, while $1m was spent on humans, donuts and coffee.

  • Better summary (Score:5, Informative)

    by Anonymous Coward on Thursday February 18, 2016 @12:27PM (#51535559)

    When performing different operations, computers emit different EM signals. EM antennae and post-processing software have become sufficiently fast and accurate that if you know the source code of an encryption algorithm, you can trace through the code non-intrusively, simply by watching for patterns in the emitted EM radiation. As it happens, GnuPG's EEC implementation performed different operations depending on the private key, so you can reconstruct the private key. GnuPG's developers addressed this by changing the implementation to try to ensure that the same sequence of operations will always get executed, regardless of the key. This is similar to how cryptographic string comparisons always compare all characters in a string and don't stop when they encounter the first difference, as normal string comparisons do.
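An added illustration of the point in the comment above (not part of the original thread, and not GnuPG's code): textbook double-and-add leaks the scalar through its operation sequence, while a Montgomery ladder performs the same sequence for every key. The toy curve, the function names and the "D"/"A" trace labels are assumptions made for this example.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, base point G of order 19.
P_MOD, A = 17, 2
G = (5, 1)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def double_and_add(k, point):
    """Leaky: an ADD happens only for 1-bits, so the op sequence spells out k."""
    acc, trace = None, []
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        trace.append("D")
        if bit == "1":
            acc = add(acc, point)
            trace.append("A")
    return acc, "".join(trace)

def ladder(k, point, bits):
    """Montgomery ladder: one ADD and one DOUBLE per bit, whatever its value.
    Real code replaces this Python branch with a constant-time conditional swap."""
    r0, r1, trace = None, point, []
    for i in reversed(range(bits)):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
        trace.append("AD")
    return r0, "".join(trace)

def key_from_trace(trace):
    """What telling D from A reveals: each 'DA' is a 1-bit, a lone 'D' a 0-bit."""
    return int(trace.replace("DA", "1").replace("D", "0"), 2)

if __name__ == "__main__":
    for k in (11, 13):
        print(k, double_and_add(k, G)[1], ladder(k, G, 5)[1])
```

Both functions return the same point for a given scalar; only the first one's trace differs between scalars.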

    • This technique is fascinating. GnuPG came under a similar attack a year or two ago for its implementation of RSA. (By the R, I believe)

      That they patched that instance, but did not fix their other implementations is a bit disturbing to me.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        These things are notoriously easy to overlook. For example, there have been versions of cryptographic string comparisons that were vulnerable to a compiler optimisation which caused them to bail out at the first difference, which was really hard to see because at first glance the loop looked like it would iterate over all characters.
        Here's an article by the authors with nice graphs [tau.ac.il] (why wasn't that in the summary) and here's what a fix looks like [gnupg.org]. I'll let you judge for yourself whether you'd have realised

        • Seeing the bugfix, I would have assumed it was fixing an off-by-one error or similar. But yeah, I totally don't even understand why that fixes the problem with it staring me in the face.

          I grant spying the problem is hard. It just seems like this is now a class of problems, like null pointer dereferencing or writing off the end of the array, that comes up frequently (and exclusively) in cryptography. In much the same way that we expect realtime high-performance programmers to be very concerned with cache

  • Offline as in not connected not offline as in off.

  • 300 processes (Score:5, Interesting)

    by dargaud ( 518470 ) <slashdot2@nOSpaM.gdargaud.net> on Thursday February 18, 2016 @12:36PM (#51535671) Homepage

    I currently have 300 processes running on my laptop, more on my server. I really wonder how they can filter out the noise of 299 of them to find out the electromagnetic noise of the PGP process (which lasts for only a split second) and THEN exploit that. It's one thing to get the Van Eck of an analog signal of a monitor (two very regular frequencies), another one entirely to get this of an 8 core CPU which uses variable frequencies depending on load.

    • by burni2 ( 1643061 ) on Thursday February 18, 2016 @12:53PM (#51535801)

      Because even if you have 300 processes running, the 299 could be ignored because of their "cpu fingerprint".

      They do not occupy one CPU to the max, most processes running on a computer do just a bit more than nothing.

      I have the uncanny feeling that GnuPG is not parallelized at all.

      A crypto application however runs - if it's not parallelized - on one CPU-Core 100% for a depending on the processing power of the machine certain amount of time.

      (In crypto does not like timing sidechannel attacks)

      I guess, without having read the article, this specific burst of activity is where a crypto "broadcast" can be identified by.

      When I would attack a webserver's private key using this tactic, I would just initiate an https connection and send certain data and then would see what the spectrum says, I would then repeat it .. and I recognize patterns, and again and again and again, till I have gathered enough data.

      However I think your point hints at a possible counter measure, having similar fingerprints also similarly timed it would interfere with the "broadcast".

      • by dargaud ( 518470 )

        However I think your point hints at a possible counter measure, having similar fingerprints also similarly timed it would interfere with the "broadcast".

        Yeah, when you are about to do a decryption, spawn a bunch of other processes tasked at decrypting bullshit at the same time.

    • by Anonymous Coward

      It's just a matter of sensitivity, repetition, and brain power. If your friend says something in a crowded room and you can't quite make out what they're saying, you ask them to repeat themselves. After several repetitions you can piece together what's being said. How many repetitions you require is a function of sensitivity (& noise) and your predictive power.

      Same situation here. The attack took several dozen runs of the victim using his key. That didn't net them the entire key, just enough bits to be abl

    • by lowen ( 10529 )

      Regardless of number of processes or threads total only X can run at any given timeslice, where X equals the number of CPU's/cores (virtual cores for HT) that you have. Finding the RF signature for a context switch would not be hard, since it is so repetitious.

  • That's kind of amazing. We've all heard about it being theoretically true, and assumed it was totally implausible.

    Scary, and a little too sci-fi turned real.

  • *sigh* (Score:4, Insightful)

    by sootman ( 158191 ) on Thursday February 18, 2016 @01:13PM (#51535925) Homepage Journal

    Tromer said that the changes make GnuPG Ãoemore resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.Ã

    Hey, speaking of character encoding on Slashdot...
    - or -
    Hey, use the "Preview" button!

    Bonus funny: that changed from a lowercase 'a' with a '^' to an uppercase 'A' with a '~' while posting.

  • You can limit but not eliminate some of this risk by using high end low powered physical key pad based flash drives. They come with an internal security, all powered by a tiny watch battery.

    While you can still do some side surfing on them, the minute power of the battery makes using Van Eck phreaking much harder. Of course, you still have the problem of the monitor, but at least you have kept the keys secret.

  • by wonkey_monkey ( 2592601 ) on Thursday February 18, 2016 @01:40PM (#51536109) Homepage

    not only separated by a physical wall, but protected by an air gap

    Normally you put the most surprising thing second. In this context a physical wall is an "air gap."

    • Not sure in the article but I would say not.
      The wall implies there was a way between the two computers but the air gap implies that the target, or attacker, computer were not on a network.
    • In this case, given the context, it is the less surprising thing: The researchers do not have physical access to the target. Then follows the more surprising in that they don't have remote access either, just proximity alone.
