Stealing Keys From a Laptop In Another Room — and Offline
Motherboard carries a report that with equipment valued at about $3,000, a group of Israeli researchers have been able to extract cryptographic keys from a laptop that is not only separated by a physical wall, but protected by an air gap. This, they say, "is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC." From the article:
The method is a so-called side-channel attack: an attack that doesn't tackle an encryption implementation head on, such as through brute force or by exploiting a weakness in the underlying algorithm, but through some other means. In this case, the attack relies on the electromagnetic outputs of the laptop that are emitted during the decryption process, which can then be used to work out the target's key.
Specifically, the researchers obtained the private key from a laptop running GnuPG, a popular implementation of OpenPGP. (The developers of GnuPG have since released countermeasures to the method. Tromer said that the changes make GnuPG "more resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.")
Re: (Score:2)
Freezer is better. Put it next to your car keys.
TEMPEST in a teacup..... (Score:2)
Heh, time for TEMPEST. But isn't this what the spread-spectrum bus modes are supposed to help reduce?
Re: (Score:1)
No, they aren't "bus modes", they are just a way to spread out RF energy so the motherboard can pass EMC tests.
Re: (Score:2)
Note that I'm not just talking about PCs.
Re: (Score:1)
This was proposed fairly clearly in the "Leveraging the Analog Domain for Security (LADS) Program, DARPABAA1561" published September 25, 2015, as well as a bunch of other really interesting analog attacks.
Van Eck Phreaking (Score:1, Interesting)
Part of the plot in the 1999 novel Cryptonomicon by Neal Stephenson, so this isn't new.
Re:Van Eck Phreaking (Score:5, Funny)
Absolutely. Someone thinking about the possibility of something happening and someone implementing it are equivalent.
Re:Van Eck Phreaking (Score:5, Funny)
This is why I'll just let out a big yawn when we finally discover faster-than-light travel.
It's more than just cases; you have to "clean" every cable connected to the machine as well. If the laptop had been connected to power, the researchers' job would have been much easier.
Re: (Score:2)
Not if a $0.29 ferrite bead was put around it.
Re: (Score:2)
I'm not sure whether the bead will help, but I know that noise suppression that's required by usual regulations (CE label in the EU) doesn't prevent information leakage.
Tinfoil (Score:1)
Are there any computer or laptop cases which can help to shield or contain information leakage like this from getting out?
Tinfoil would seem an obvious solution. :-)
Re: (Score:3, Insightful)
In the case of laptops, it would add so much weight to do it right, that it would render them unfit for purpose. The problem is that shielding doesn't completely nix the EM emissions, but it removes a percentage. The trouble with that is that if someone has a sufficiently good antenna and low-noise amplifier, even a tiny fraction of the original EM emission could give you away, so standard anti-EM foil isn't going to cut it. For now, it's better to try to design our software in such a way that it emits the
Tempest protocol (Score:5, Informative)
This is why our government uses the "Tempest" [wikipedia.org] certification on buildings, categorizing whether information can be stolen from electromagnetic emanations within neighboring wall, room, just outside the building, etc.
It's called Van Eck phreaking [wikipedia.org], and it's one of the many modern day forms of wizardry. Essentially different components of your computer communicate via high frequency electric currents. These currents broadcast corresponding EM waves somewhere in the radio spectrum, and you decode the corresponding frequency components into your own information, which if you know what monitor they're using, for instance, you can catch the signal from their wires and reproduce their monitor image on your screen.
Re:Tempest protocol (Score:5, Informative)
One of the key concepts to realize with 'van Eck phreaking' is that no shielding provides infinite attenuation at all frequencies. Even solid copper shielding has a finite, if very large, attenuation. With a cryogenic-cooled HEMT or similar front-end and a high gain antenna, the requirements for shielding could be as high as an attenuation of 100dB or more (copper screen is good for 30dB or so typically).
A cryo HEMT front-end isn't that far out of reach, even on pennies, as dry ice can get the temps low enough to foil thin shielding, and thicker shielding can be defeated with liquid nitrogen temps. Specialized near-field antennas that work on magnetic induction principles foil even the thickest pure copper, tin, or aluminum shielding; you need a ferromagnetic shield (mu metal is good) in addition to the copper to shield then.
Vent holes are the hardest, as you then want copper honeycomb material to act as 'waveguide beyond cutoff' attenuators. Slots and gaps of any kind can act as antennas; the Parkes radio telescope, for instance, has a webcam that required a very special enclosure where even the screw spacing had to be controlled. (see http://www.atnf.csiro.au/outre... [csiro.au] for details).
Re: (Score:1)
One of the key concepts to realize with 'van Eck phreaking' is that no shielding provides infinite attenuation at all frequencies.
Much to my surprise, I was able to get WiFi inside a TEMPEST-approved room soon after it was built (but before it was placed in service). This was in an old office building, so that particular room is no longer in use (which might be a good thing).
Re: (Score:1)
So you're saying that Julian Assange, holed up in the Ecuadorian embassy and using varying forms of encryption and probably decent attempts at shielding EM leaks, is probably pwned?
If so, why did the UK authorities waste $18m [slashdot.org] monitoring him in person? Or was $17m spent on setting up Van Eck phreaking, while $1m was spent on humans, donuts and coffee?
Better summary (Score:5, Informative)
When performing different operations, computers emit different EM signals. EM antennae and post-processing software have become sufficiently fast and accurate that if you know the source code of an encryption algorithm, you can trace through the code non-intrusively, simply by watching for patterns in the emitted EM radiation. As it happens, GnuPG's ECC implementation performed different operations depending on the private key, so you can reconstruct the private key. GnuPG's developers addressed this by changing the implementation to try to ensure that the same sequence of operations will always get executed, regardless of the key. This is similar to how cryptographic string comparisons always compare all characters in a string and don't stop when they encounter the first difference, as normal string comparisons do.
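A worked illustration of the "same sequence of operations regardless of the key" idea, added here and not GnuPG's or the researchers' code: a toy scalar multiplication over the additive group mod P (standing in for the curve) is traced two ways. The naive double-and-add performs an addition only for set key bits, so its operation trace spells out the key; a Montgomery ladder issues the same add/double sequence for every key.

```c
#include <stdint.h>
#include <string.h>

/* Toy stand-in for an elliptic-curve group: integers mod P under addition.
 * "Doubling" is 2x mod P, "adding" is x+y mod P, so k*G is simply k*G mod P.
 * The group is deliberately trivial; what matters is the D/A operation trace. */
#define P 1000003u
#define NBITS 32

typedef struct { char ops[2 * NBITS + 1]; int n; } trace_t;

static uint32_t grp_dbl(uint32_t x, trace_t *t) {
    t->ops[t->n++] = 'D';
    return (uint32_t)((2ull * x) % P);
}
static uint32_t grp_add(uint32_t x, uint32_t y, trace_t *t) {
    t->ops[t->n++] = 'A';
    return (uint32_t)(((uint64_t)x + y) % P);
}

/* Key-dependent schedule: classic double-and-add. An 'A' appears only for
 * set key bits, so the emitted D/A pattern reveals the secret scalar. */
uint32_t scalar_mul_naive(uint32_t k, uint32_t g, trace_t *t) {
    uint32_t r = 0;
    t->n = 0;
    for (int i = NBITS - 1; i >= 0; i--) {
        r = grp_dbl(r, t);
        if ((k >> i) & 1) r = grp_add(r, g, t);
    }
    t->ops[t->n] = '\0';
    return r;
}

/* Montgomery ladder: exactly one add then one double per bit, in the same
 * order for every key. The bit only selects which register receives each
 * result, via a branch-free conditional swap. */
uint32_t scalar_mul_ladder(uint32_t k, uint32_t g, trace_t *t) {
    uint32_t r0 = 0, r1 = g;                 /* invariant: r1 == r0 + g */
    t->n = 0;
    for (int i = NBITS - 1; i >= 0; i--) {
        uint32_t mask = 0u - ((k >> i) & 1); /* 0 or 0xFFFFFFFF */
        uint32_t d = (r0 ^ r1) & mask;       /* swap registers if bit set */
        r0 ^= d; r1 ^= d;
        r1 = grp_add(r0, r1, t);
        r0 = grp_dbl(r0, t);
        d = (r0 ^ r1) & mask;                /* swap back */
        r0 ^= d; r1 ^= d;
    }
    t->ops[t->n] = '\0';
    return r0;
}
```

Both routines compute the same value; only the ladder's trace is the same 64-character string for every 32-bit key.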
Re: (Score:3)
This technique is fascinating. GnuPG came under a similar attack a year or two ago for its implementation of RSA. (By the R, I believe)
That they patched that instance, but did not fix their other implementations is a bit disturbing to me.
Re: (Score:2, Interesting)
These things are notoriously easy to overlook. For example, there have been versions of cryptographic string comparisons that were vulnerable to a compiler optimisation which caused them to bail out at the first difference, which was really hard to see because at first glance the loop looked like it would iterate over all characters.
Here's an article by the authors with nice graphs [tau.ac.il] (why wasn't that in the summary) and here's what a fix looks like [gnupg.org]. I'll let you judge for yourself whether you'd have realised
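An added example (not the GnuPG fix linked above) of the comparison pattern the comment describes, with a byte counter as demonstration-only instrumentation: the memcmp-style loop exits at the first mismatch, while the constant-sequence version reads every byte into a volatile accumulator so the optimiser cannot reintroduce the early exit.

```c
#include <stddef.h>

/* Comparing a 16-byte authentication tag two ways. "visited" counts how many
 * bytes each routine actually touched; it exists only to make the behaviour
 * observable in a test and would not be in production code. */
#define TAG_LEN 16

/* Early-exit comparison, memcmp style: stops at the first mismatch, so the
 * running time (and the EM/power trace) reveals where the first wrong byte is. */
int tag_eq_early_exit(const unsigned char *a, const unsigned char *b, size_t *visited) {
    *visited = 0;
    for (size_t i = 0; i < TAG_LEN; i++) {
        (*visited)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-sequence comparison: every byte is read and folded into one
 * accumulator; the verdict is derived only after the loop finishes.
 * Keeping the accumulator volatile is one common way to stop the compiler
 * from noticing that "diff can never return to zero" and quietly turning
 * this back into an early exit, the optimisation the comment above describes. */
int tag_eq_const_time(const unsigned char *a, const unsigned char *b, size_t *visited) {
    volatile unsigned char diff = 0;
    *visited = 0;
    for (size_t i = 0; i < TAG_LEN; i++) {
        (*visited)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    /* map diff==0 -> 1 and diff in 1..255 -> 0 without a data-dependent branch */
    return (int)((((unsigned)diff - 1u) >> 8) & 1u);
}
```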
Re: (Score:2)
Seeing the bugfix, I would have assumed it was fixing an off-by-one error or similar. But yeah, I totally don't even understand why that fixes the problem with it staring me in the face.
I grant spying the problem is hard. It just seems like this is now a class of problems, like null pointer dereferencing or writing off the end of the array, that comes up frequently (and exclusively) in cryptography. In much the same way that we expect realtime high-performance programmers to be very concerned with cache
Oh you mean offline not offline. (Score:2)
Offline as in not connected not offline as in off.
Re: (Score:2)
This isn't the 1970s, so yes.
300 processes (Score:5, Interesting)
Guess: Yes, because .. (Score:5, Interesting)
Because even if you have 300 processes running, the 299 could be ignored because of their "cpu fingerprint".
They do not occupy one CPU to the max; most processes running on a computer do just a bit more than nothing.
I have the uncanny feeling that GnuPG is not parallelized at all.
A crypto application, however, runs (if it's not parallelized) on one CPU core at 100% for a certain amount of time, depending on the processing power of the machine.
(Crypto does not like timing side-channel attacks)
I guess, without having read the article, this specific burst of activity is what a crypto "broadcast" can be identified by.
If I were to attack a web server's private key using this tactic, I would just initiate an HTTPS connection, send certain data and then see what the spectrum says; I would then repeat it, recognize patterns, and do it again and again and again, till I had gathered enough data.
However, I think your point hints at a possible countermeasure: having similar fingerprints, also similarly timed, would interfere with the "broadcast".
Re: (Score:2)
However, I think your point hints at a possible countermeasure: having similar fingerprints, also similarly timed, would interfere with the "broadcast".
Yeah, when you are about to do a decryption, spawn a bunch of other processes tasked at decrypting bullshit at the same time.
Re: (Score:1)
It's just a matter of sensitivity, repetition, and brain power. If your friend says something in a crowded room and you can't quite make out what they're saying, you ask them to repeat themselves. After several repetitions you can piece together what's being said. How many repetitions you require is a function of sensitivity (& noise) and your predictive power.
Same situation here. The attack took several dozen runs of the victim using his key. That didn't net them the entire key, just enough bits to be abl
Re: (Score:2)
Regardless of the number of processes or threads in total, only X can run at any given timeslice, where X equals the number of CPUs/cores (virtual cores for HT) that you have. Finding the RF signature for a context switch would not be hard, since it is so repetitious.
Wow ... Cryptonomicon? (Score:2)
That's kind of amazing. We've all heard about it being theoretically true, and assumed it was totally implausible.
Scary, and a little too sci-fi turned real.
*sigh* (Score:4, Insightful)
Tromer said that the changes make GnuPG Ãoemore resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.Ã
Hey, speaking of character encoding on Slashdot...
- or -
Hey, use the "Preview" button!
Bonus funny: that changed from a lowercase 'a' with a '^' to an uppercase 'A' with a '~' while posting.
Re: (Score:2)
> Hey, speaking of character encoding on Slashdot...
You must be new here.
Limit with external hard drives (Score:2)
While you can still do some side surfing on them, the minute power of the battery makes using Van Eck phreaking much harder. Of course, you still have the problem of the monitor, but at least you have kept the keys secret.
Not only but also (Score:3)
not only separated by a physical wall, but protected by an air gap
Normally you put the most surprising thing second. In this context a physical wall is an "air gap."
Re: (Score:2)
The wall implies there was a way between the two computers, but the air gap implies that the target, or attacker, computer was not on a network.