Slashdot Mirror

← Back to Stories (view on slashdot.org)

Breaking RSA Keys by Listening to Your Computer

Posted by Hemos on from the sssh-i'm-hunting-for-wabbits dept.

An anonymous reader writes "Adi Shamir and crew gave a talk on preliminary results in extracting a private RSA key just by listening to the computer!. Similar to power analysis and LED leakage, this is a non-invasive, side channel attack that may have applications to tamper-resistant systems. It appears to be related to noisy capacitors on the motherboard, an effect which has been observed when CPU power saving is enabled on laptops."

8 of 186 comments (clear)

  1. If you have phsysical access by foidulus · · Score: 3, Insightful

    Wouldn't it just be easier to use money/women/men/donkeys to bribe the person to cough up a password?
    I guess you could always "bug" a place, but if you were significantly paranoid about security(to the point where someone would try to listen your key away from you) wouldn't you have a copper cage around your building?

  2. Extracting the Actual Numbers? by artlu · · Score: 5, Insightful

    The article does not deal with actually computing the encoding (Pe) and decoding functions (Pd) for q,n,d. Where q,n are unique primes. The only thing their interference spotted is the markings between computing each function for the signature, and this drastically varies based on the machine. They do have a Proof of Conept, but no quantifiable data.
    My $0.02.

    artlu

    --
    -------
    artlu.net
  3. not so lucky by hatchetman82 · · Score: 4, Insightful

    "...For example, a high-quality analog equalizer can be used to attenuate strong low-frequency fan hums and background noise..."
    taken from the article.
    you'd need background noise in the same frequency area (dummy CPU ?)

  4. no disrespect to Adi Shamir, but... by Gadi+Evron · · Score: 2, Insightful

    As much as this technology is a risk and therefore a potential threat, unless you are of the reaslly paranoid (which would mean this interests you considerably) there are far easier ways of attacking a computer.

    This attack came to show how to attack the key, which is why it interests these folks, I suppose, but it would be much easier to use TEMPEST if you get access to actually install some tool to hear && (record || trasmit) the audio.

    I would suggest TEMPEST would also be more reliable, but some testing is in order, as well as a lot of research for every CPU you intend to attack.

    Cost vs. benfit? I can't really see it.

    This is pretty cool though!! :)

    (adding another mark on my paranoia list).

  5. Re:RSA sucks anyway by kasperd · · Score: 5, Insightful

    Nope, for it's DSA/DSS all the way, and all the noisy capacitors in the world won't help you break it.
    That wouldn't change anything. RSA as well as DSS is based on modulus exponentiation with a secret exponent. If you can get the exponent you have broken the system, it is as simple as that.

    Why do I trust it? Because it was developed by the NSA, not a bunch left leaning MIT eggheads.
    That kind of logic is useless in the security business. Basing your trust upon who designed the algorithm is stupid. How many (and who) tried to break the algorithm and failed at that is a better meassure on the security. A good rationale behind the design is another good meassure on the security. And finally mathematical proofs.

    --

    Do you care about the security of your wireless mouse?
  6. Encryption is part of checks and balances. by Roman_(ajvvs) · · Score: 4, Insightful
    By encrypting your data, you are bringing unnecessary suspicion upon yourself

    Encryption inhibits surveillance by ANYONE. That the government falls under the category of anyone is secondary to most encryption desires and uses.

    If someone was attempting avoidence/prevention of potential government investigation, then the act of encrypting wouldn't make it more or less likely. They make use of encryption because they have some information they don't want the government to know. It's not because they use encryption but due to any relevant knowledge they have, that a person should ellicit investigation by their government. And then knowledge pertaining only to those things that governments should worry about (murder, fraud, and other criminal acts).

    So by encrypting the code on my laptop as a security precaution, you're saying I bring unnecessary suspicion upon myself? Noone but my company and its business competitors has an interest in the trade secrets I manage and create during the course of my business. Therefore I use encryption as a means of self-defense. I inhibit investigation by those not authorized by me or my company. The act of investigation could very well be illegal. I would not give my government blanket access to my trade secrets, when I have no control over what they do with them. They should have no interest in them. in fact, by wanting to enhance surveillance of those things which they declare to not have an interest in and would normally have no involvement in is suspicious in itself. Encryption is a tool and is about as dangerous as a screwdriver.

    --
    click-clack, front and back. I'm not moving this car otherwise.
  7. Re:Is this actually possible? by Insount · · Score: 4, Insightful

    > How could one hope to extract a certain few bits from a recording when
    > the CPU's instruction throughput is many times that?

    The few bits you're trying to extract may have an observable influence on global statistics, especially when you can affect the value of some other bits. See for example Boneh and Brumley's timing attack on OpenSSL.

  8. Re:Some guy was investigated for excercising the F by Jane_Dozey · · Score: 2, Insightful

    Steganography anyone?
    I odn't think any government who has reason to believe you to be hiding something would fail to check if it was in plain view or not.
    Otherwise criminals would all be using those ghost markers kids use :)

    --
    Silly rabbit