Slashdot Mirror

← Back to Stories (view on slashdot.org)

Breaking RSA Keys by Listening to Your Computer

Posted by Hemos on from the sssh-i'm-hunting-for-wabbits dept.

An anonymous reader writes "Adi Shamir and crew gave a talk on preliminary results in extracting a private RSA key just by listening to the computer!. Similar to power analysis and LED leakage, this is a non-invasive, side channel attack that may have applications to tamper-resistant systems. It appears to be related to noisy capacitors on the motherboard, an effect which has been observed when CPU power saving is enabled on laptops."

6 of 186 comments (clear)

  1. No by Transient0 · · Score: 5, Informative

    at best, they have shown that they can detect differences in the types of instructions the processor is executing by listening to the sounds of the capacitors. It is a long way from there to the point where they can extract the key itself from the information. In fact, I would venture that the data is far too noisy (haha) for any significant part of the key to ever be extracted, reagardless of the amount of computational power thrown at the problem. What they might be able to do however is use the information gleaned to eliminate large swaths of the set of possible keys. This could make cracking the key by conventional means a computationally easier task.

    So, in all, this paper is not insignificant, but it's also not a reason to completely give up on security or to install a cone of silence around your computer.

    --
    lysergically yours
  2. Kinda like that CPU speed crack by suso · · Score: 4, Informative

    This sounds kinda like that crack that the college student found in 1995 dealing with the speed of the CPU determining what random numbers the host would pick. A good reason not to keep your CPU info in the HINFO line of a DNS zone file.

  3. The other shoe dropping by Effugas · · Score: 4, Informative

    Shamir, once again pointing out something absolutely brilliant and (in retrospect) totally obvious, did forget to include something rather important in his announcement:

    The particular pattern of CPU operations executed while an RSA private key is executed varies depending on that RSA private key. Given a rough estimate of the pattern of CPU operations executed, the set of possible RSA private keys is greatly reduced. So it becomes much, much easier -- possibly trivial, particularly if you have a chosen plaintext scenario -- to extract a private key from an otherwise secure system. Consider an e-voting machine with an audio system for handicapped access -- with nothing but a very sensitive microphone in the booth, you might be able to determine the private key used to sign votes (and thus gain the capability to spoof votes elsewhere).

    And of course, this would be a very, very successful attack against an RSA private key embedded within a trusted computing environment. Processors -- even those encased in epoxy -- still need power, and variable amounts depending on what they're doing. The brilliance here is that rather than needing some very expensive analog energy drain measurement equipment, you just need a sound card. It's a side channel attack for the masses.

    Very very cool work. Wow.

    --Dan

  4. Re:Is this actually possible? by Doctor+Wonky · · Score: 5, Informative

    What they did was, create tight loops performing the same operation over and over. And found that different operations tend to result in different sorts of noise on the power supply, resulting in different sounds from the capacitors.

    Remember though with their 96,000 Hz sampling rate, a 1 Ghz CPU performs over 10,000 instructions per sample.

    Air does not vibrate fast enough, and there are no microphones with frequency response high enough to let you look at individual operations.

    So I guess, if you knew the characteristics well enough, you could record the sound of the capacitors and say 'Hey, this guy is running GnuPG' on it. I don't see a concievable way to figure out the keys and this article doesn't suggest one.

  5. No no (Re:No) by po8 · · Score: 4, Informative

    Uh, no. Your analysis runs contrary to cryptanalytic principles and the history of these sorts of attacks.

    If you spot me 1 bit of key information, you have by definition halved the work for an attack. In this specific analysis, I need only consider those settings of key bits (in this case, bits of p and q) that correspond to observed behavior for an interval of the spectogram. This means that I can potentially crack the key in time almost linear in the size of the key, rather than completely exponential.

    The work on timing attacks and power attacks uses very similar sorts of information, and the anlysis used here will likely be similar also. This is why Shamir, who is certainly qualified to evaluate the work at this point, describes it as "proof of concept": it would be surprising if the observed information fails to extend to a practical attack. It's just that in science, you publish when you have anything interesting to report, so that folks know you got there first.

  6. FAQ by Insount · · Score: 4, Informative

    (I'm a co-author of the presentation.)

    The web page was extended to include a FAQ discussing the issues brought up here.