Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Cellphones GNU is Not Unix Privacy Security Technology

RSA Keys Can Be Harvested With Microphones (theregister.co.uk) 157

Researchers have now demonstrated that even with modern laptop, desktop, and server computers, an inexpensive attack can harvest 4,096-bit encryption keys using a parabolic microphone within 33 feet -- or even from 12 inches away, using a cellphone microphone. An anonymous reader quotes this article from The Register: In both cases it took an hour of listening to get the 4,096-bit RSA key... As a computer's processor churns through the encryption calculations, the machine emits a high-frequency "coil whine" from the changing electrical current flowing through its components... The team recommends encryption software writers build in "blinding" routines that insert dummy calculations into cryptographic operations. After discussions with the team, GNU Privacy Guard now does this.
This discussion has been archived. No new comments can be posted.

RSA Keys Can Be Harvested With Microphones

Comments Filter:
  • I'm safe! (Score:1, Funny)

    by Anonymous Coward
    Even if they have my RSA keys, they don't have my RSA locks!
  • Old news (Score:5, Informative)

    by NotInHere ( 3654617 ) on Sunday June 05, 2016 @08:39AM (#52253209)

    How is this not a reiteration of this old attack from 2014: http://www.tau.ac.il/~tromer/h... [tau.ac.il]

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      It's a different side channel attack, by some of the same people from the same lab.

  • by Anonymous Coward on Sunday June 05, 2016 @08:51AM (#52253275)

    Play an MP3 at the same time so they get a audio download then send them a DCMA takedown notice :)

  • by Anonymous Coward

    I wonder how vulnerable smart cards are. In particular, I've been using an YubiKey for most of my RSA needs.

  • Car analogy please (Score:5, Insightful)

    by wonkey_monkey ( 2592601 ) on Sunday June 05, 2016 @09:13AM (#52253399) Homepage

    Can someone explain, vaguely, possibly with a car analogy, how they go about determining keys with coil whine? Is it because the same calculations are made over and over as it churns through data encrypting/decrypting it, so after listening long enough some kind of clues can be gathered about what bytes are in the key? I mean, I assume it's not as a simple as listening and going "Ooh, 14.5Khz, that's 0xBE."

    • by Opportunist ( 166417 ) on Sunday June 05, 2016 @09:32AM (#52253487)

      What happens in such attacks is that there are different calculation paths for different results, and by "watching" (or in this case, listening to) the CPU perform, you can tell what calculation paths it took and determine from this what input it used.

      A vague analogy would be that the CPU is giving off long and short beeps, and by listening to them and noticing when and how long it beeps you can assemble something akin to a Morse alphabet.

      • So we are supposed to believe that different paths, which incidentally occur at a rate of around 4GHz or so, can be 'heard' in an audio stream that has a resolution of maybe 44KHz or so? In an environment that is not free of noise either - fans, other components doing other things, etc.

        I find the whole thing very hard to believe.

        • So we are supposed to believe that different paths, which incidentally occur at a rate of around 4GHz or so, can be 'heard' in an audio stream that has a resolution of maybe 44KHz or so? In an environment that is not free of noise either - fans, other components doing other things, etc.

          I find the whole thing very hard to believe.

          Indeed, but proof of concept is amazing.

          I recall 25 years ago some guy with "$2000 of Radio Shack hardware" was able to discern key strokes and video signals from the electron gun of the monitor tube. Nobody thought this possible. Now the government has their Faraday cage room for sensitive computers.

          Everything since then has been refinement on this. They could do this already based on EMF, but on audio whine is doubly impressive.

          • by Shinobi ( 19308 )

            25 years ago? Try the late 70's, when multiple groups all over the world independently discovered it, one of those teams being engineers at Ericsson. The first public description of the issue was in 1985, by Wim Van Eck.

            • by q4Fry ( 1322209 )

              Van Eck's exploit was used in a pivotal part of the Cryptonomicon that was honestly kind of silly. (MILD SPOILERS) If an adversary can do screen mirroring while you're in a prison they control, it is probably a given that they are also using statistical analysis on the sound made by your keyboard keys and the voltage fluctuations on the plug you're using to power your computer. Or (here's a thought) they could just film you from every angle.

          • Analog signals are captured in analog fashion and can be used to reconstruct the original image. Sure, I buy that. But this... No, sorry. If anything, I'm inclined to believe that this news is simply a smoke screen; some method to point at when a private key has mysteriously been recovered using other ways (like a built-in weakness in the algorithm, for example).

        • The actual multiplications are nowhere near as fast. A multiplication of an RSA-sized number takes thousands of cycles (see here [slashdot.org]), and modular arithmetic of that size is even slower. 44kHz corresponds to a sample per 45k 2GHz cycles, and Montgomery multiplication as in the link above takes up to two adds per bit if you do it quickly and insecurely, with each taking on the order of 100 cycles. An exponentiation of a 1024-bit message will need therefore around 100k (average-case) cycles i.e. 2.5 audio sam

    • Re: (Score:3, Funny)

      by PopeRatzo ( 965947 )

      Can someone explain, vaguely, possibly with a car analogy, how they go about determining keys with coil whine?

      OK, imagine a '63 Bel Air with hydraulic suspension and a horn that plays "La Cucaracha". It is traveling from Modesto to the Reservoir at exactly 48mph. Now imagine a 2006 Mercedes G-Class with extra-large wheels and spinning hubs that is booming some old-school NWA. It is traveling from Oakland to the Reservoir at exactly 52 mph.

      If someone had a listening device installed in both cars, the prob

    • by michelcolman ( 1208008 ) on Sunday June 05, 2016 @10:09AM (#52253677)

      If you listen to a car going round a race track, the tire noise, engine rpms and gear shifts, all of that together could give you a pretty good idea of the length of the straights, the intensity of the curves, and the smoothness of the road surface in various places. Listen to enough cars, and you may be able to reconstruct the entire track.

      The cpu is the race car, the track is the RSA algorithm for that specific key.

    • by AmiMoJo ( 196126 )

      It takes an hour of continuous use it the key before they can reproduce it. The measurements they take on each use of the key are not very accurate, but with millions of them they can narrow the possibilities down to something they can brute force.

      • How likely is it for a computer to be continuously encrypting/decrypting for an hour with the same key?

        • If the people running the attack can access the surface you're protecting with crypto, 100%
      • by Lumpy ( 12016 )

        in otherwords... it's a non exploit and only a proof of concept under very controlled environment and test parameters.

    • Can someone explain, vaguely, possibly with a car analogy,

      Paul Kocher gets in a car, drives to work, gathers data from a sensor near a device performing the same calculation many times, does bayesian statistics on the data to determine what is noise and what is signal, then recovers the key.

    • Follow-up question: can someone explain how I got modded "Insightful" for asking a question and specifically demonstrating my lack of knowledge?

    • by jrumney ( 197329 )
      It's like when your mechanic hears your car drive up and says "ohh, it's going to cost you" before he's even seen your car.
  • These "attacks" are always on carefully selected hardware running custom software. There is no way on a real system this would work.
    • Re:Baloney (Score:5, Insightful)

      by Antique Geekmeister ( 740220 ) on Sunday June 05, 2016 @09:47AM (#52253595)

      There is a great deal of "carefully selected hardware" in the world, especially in secure civilian and military installations, equipment which could present a broad and lucrative attack surface to such tools. And a good security vulnerability report is also much like a good scientific experiment: enough detail is included to allow clear repetition of the attack, without accidental disparities in the testing conditions obscuring the results.

    • There is no way on a real system this would work.

      Especially since that loud knocking my hard drive's been making for the past week would totally drown out the coil whine.

      I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

      • Re:Baloney (Score:5, Funny)

        by EvilSS ( 557649 ) on Sunday June 05, 2016 @10:17AM (#52253707)

        There is no way on a real system this would work.

        Especially since that loud knocking my hard drive's been making for the past week would totally drown out the coil whine.

        I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

        Well the good news is that it's pretty much guaranteed to go away on it's own. Now as for the bad news....

      • Re:Baloney (Score:4, Funny)

        by JustAnotherOldGuy ( 4145623 ) on Sunday June 05, 2016 @10:35AM (#52253785) Journal

        I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

        The knocking sound means that your system is low on hard drive oil.

        Just get a can of WD-40, drill a small (1/8") hole in the drive, and spray a couple of healthy blasts of the WD-40 into the drive. This will almost always cure the knocking sound.

        • this trick can also save your cars blinker lights when they get low on blinker fluid. but wd-40 can't be used to save rear muffler bearings, you need something more viscous like jello

        • The knocking sound means that your system is low on hard drive oil.

          The guy from Geek Squad told me it was because I was using an unleaded power strip. He said they're better for the environment, but really mess up computer performance.

        • I'm hoping that knocking sound goes away. Sometimes these things fix themselves, you know?

          The knocking sound means that your system is low on hard drive oil.

          Just get a can of WD-40, drill a small (1/8") hole in the drive, and spray a couple of healthy blasts of the WD-40 into the drive. This will almost always cure the knocking sound.

          People never seem to get this straight: WD-40 is a water displacer. While it may help keep your hard drive from corroding, it won't properly lubricate the moving parts.

          You need to squirt a generous amount of a suitable machine oil into your hard drive to properly address the noise. And don't forget to tape the hole when you're done: the oil can attract dirt that would mess up the delicate drive heads.

        • You're crazy!

          There's no way you need a 1/8" hole to put the WD-40 through, 1/16" is fine. In true Slashdot form, your idea sucks.

        • Now I can't access the drive at ALL!! I'm really hoping it comes back I have a lot of photos and music that aren't backed up. Also, the knocking is still there.
          • Now I can't access the drive at ALL!! I'm really hoping it comes back I have a lot of photos and music that aren't backed up. Also, the knocking is still there.

            Just use more WD-40, a few more blasts ought to do it. Keep spraying until the knocking goes away.

    • There is no way on a real system this would work.

      Famous last words.

      • Re:Baloney (Score:5, Funny)

        by JustAnotherOldGuy ( 4145623 ) on Sunday June 05, 2016 @10:41AM (#52253831) Journal

        There is no way on a real system this would work.

        Famous last words.

        Along with:

        "He'll stop, we have the right of way!"
        "I'm sure it's unloaded."
        "Of course I'm sure that the other guy shut the power off."
        "If taking one of these pills is good, taking three means it'll work really fast."
        "Oh yeah, it's strong enough to hold us."
        "Watch this!"

        • by Anonymous Coward

          What? No "Hold my beer"?

        • Along with:

          "He'll stop, we have the right of way!" "I'm sure it's unloaded." "Of course I'm sure that the other guy shut the power off." "If taking one of these pills is good, taking three means it'll work really fast." "Oh yeah, it's strong enough to hold us." "Watch this!"

          *Pulls finger*

    • These "attacks" are always on carefully selected hardware running custom software. There is no way on a real system this would work.

      Yes. However these attacks show an attack works in principle and helps you understand what the bounds of the problem are and how to defend against it. The end result is that real products get made with all sort of mitigations against impractical attacks that might become practical given enough time or money.

    • Probably.

      I suspect that the exact signature of the coil whine is extremely system-dependent. Given that manufacturers often change parts even within a given model (especially of parts like capacitors) even "identical" models might have different coil whines. Coil whine is probably also very temperature sensitive, both to ambient temperature and how hard your PC is working.

      One other thought is that TFA says that RSA keys can be extracted "within one hour". Does that mean you need to listen to coil whine f

    • The initial research has to be done that way. Just like any other kind of research and development, you need to eliminate variables to determine what can work and what won't.

      Once you validate the concept, then you can start looking at implementing real-world, cost-controlled, mass-produced refinements.

      I suspect it will be far more difficult in a real-world scenario because the real world is always more complex than the lab, but the underlying vulnerability is definitely there.

      Fortunately or unfortunately, w

  • Whilst I am prepared to accept the findings of this research and happy to accept that in principle it is possible to infer the calculations being performed by a computer system using nothing more than the "background noise", they produce, I have to believe that there are a myriad of easier ways that the same information could be obtained:-

    https://xkcd.com/538/ [xkcd.com]

    It is likely that these attacks may be attempted by government agencies looking to crack encryption operated by foreign powers. However, in the
    • by epine ( 68316 )

      After only the thousandth trip down the rubber hose, $5 wrench, and single-ended extension cord & lavage basin aisle (special today-only if purchased together) I finally figured out that the core of this joke is actually narcissism.

      ***

      Two agents dressed in black are confronted with a hapless chump, yanked out of bed at 04:00, now seated securely in front of them in a creaky wooden chair (missing most of its seat bottom) in his Dr No. vs Dr Evil footie pyjamas, refusing to give up his password at least u

    • Its probably easier to gain someone's password by listening to their keyboard presses.

    • by Qzukk ( 229616 )

      The wrench is unbeatable when you have a specific person in mind. Sure, there's probably less violent and, shall we say... satisfying ways of getting the information, but application of the wrench doesn't require any fancy analysis or much know-how at all.

      However, what if we wish to apply the wrench to every single person? That takes a lot of time and manpower. Even without the wrench, having someone take a look at the computer to see what is exploitable on it is a bit on the time consuming side, even if

  • by jones_supa ( 887896 ) on Sunday June 05, 2016 @10:22AM (#52253727)

    This possibly can't be real or, these guys are geniuses. Certainly the coil whine will change depending on the load of the machine. However, there's so much stuff happening in a CPU and the system bus that I find it extremely hard to believe that you could listen to any specific numbers. There's also all sorts of power filtering going on and there's decoupling capacitors on the chips.

    However, if this is real, then I assume that listening to network traffic would be doable as well.

    • Seems a hoax; CPU processes using electrons; sound travel is mechanical. air-molecules vibrating can never carry the bandwidth of the coil-whine (whatever that is, I assume a disturbance in air surrounding the electro-magnetic changes inside the CPU). Is it april 1?
    • That's the first thing I thought myself. Actually, I looked for a April 1 timestamp.

    • by swalve ( 1980968 )
      It belongs in the bin with the "you can spy on someone's internet by recording the LEDs!" Nonsense.
    • Someone obviously didn't read the article.

      The microphone listened while the system processed chosen ciphertext.

      It is necessary to interact with the server somehow while recording, as it must be decrypting specific data.

      This limits the scope of the attack significantly, but extremely resourceful organizations could probably manage it somehow.

  • A good covert attack (Score:4, Interesting)

    by Anonymous Coward on Sunday June 05, 2016 @10:41AM (#52253829)

    Reminds me of a differential power analysis attack but that requires physical access to the machine. With this microphone attack you just need to know which type of machine it is and proceed in a completely covert manner.

    It always amazes me how inventive a determined attacker can be. On a defense project back in the 90's we had to keep our analog phones six feet away from CRTs to prevent monitor EMI from entering the phone line. That EMI could be analyzed by a third party to recreate the monitor's image.

    • The scanning frequency of a CRT monitor is much higher than what a phone captures. There's no realistic way in which the other end could've recreated the picture.
      • by Shinobi ( 19308 )

        He's not talking about audio, he's talking about EM, which could indeed be snooped upon via induction in cables etc, even when you couldn't snoop in on the monitor directly.

  • How the hell do they isolate the key from all that is going on around it?

    • by avoisin ( 105703 )

      Looking for a pattern, that's why it takes an hour. You're looking for a pattern in the noise that repeats, then looking for subtle variations in the pattern to pick out the specific bits. There's a lot of other noise from other sources, but if you listen long enough, you know the length and frequency of the pattern you're looking for, you'll still be able to pick it out.

      This won't work as something that happens in a one off, and you still need the target machine to be compromised to be repeatably getting

  • In order to obtain the laboratory effect of single threaded decryption of 4,096 approximately 1Mbit files in sequence you would have to be root and generally have all "messy" asynchronous processing such as interrupts from the network card disabled. This is a lab-only non-realistic attack. If you had that much control over the CPU you might as well just read the key out of the registers as it is used.
    • Not true. See https://youtu.be/DU-HruI7Q30 [youtu.be] as posted by someone else. If the machine was really busy doing other stuff, you'd have trouble, but if the machine is MOSTLY idle, apart from running GPG on your chosen cyphertexts, then occasional network interrupts and short-lived cronjobs and stuff won't be too much of a distraction. He even demonstrates that his machine is running something really short every second, doesn't matter, you can trick GPG into making your machine emit the tell-tale squeals for a de
  • Video (Score:5, Informative)

    by nsaspook ( 20301 ) on Sunday June 05, 2016 @01:37PM (#52254703) Homepage
  • How do they come up with this stuff? Seriously?

FORTUNE'S FUN FACTS TO KNOW AND TELL: A guinea pig is not from Guinea but a rodent from South America.

Working...