Slashdot Mirror
Breaking RSA Keys by Listening to Your Computer
An anonymous reader writes "Adi Shamir and crew gave a talk on preliminary results in extracting a private RSA key
just by listening to the computer!. Similar to power analysis and LED leakage, this is a non-invasive, side channel attack that may have applications to tamper-resistant systems. It appears to be related to noisy capacitors on the motherboard, an effect which has been observed when CPU power saving is enabled on laptops."
No power saving for me! My encrypted porn is far too important.
I've got so many fans running in my computer that you can't even hold a conversation in the same room, much less listen for capacitors
The article does not deal with actually computing the encoding (Pe) and decoding functions (Pd) for q,n,d. Where q,n are unique primes. The only thing their interference spotted is the markings between computing each function for the signature, and this drastically varies based on the machine. They do have a Proof of Conept, but no quantifiable data.
My $0.02.
artlu
-------
artlu.net
Does anyone know the range of how far you can be away from the computer to hear the sounds? The proof-of-concept website just seemed to be "look, here are pictures of computer operations... in sound! Yay!" without enlightening us on any details.
Twenty years ago at Bell Labs one of the speech machines (an SEL with homebrew audio i/o) had output to loudspeakers that went through unshielded speaker wires that ran past the CPU, so if you weren't playing anything back the speakers played back CPU noise. We could tell what stage a compilation was at by the noise that came over the speakers.
Now I have an excuse to play loud music at work: security!
"...For example, a high-quality analog equalizer can be used to attenuate strong low-frequency fan hums and background noise..."
taken from the article.
you'd need background noise in the same frequency area (dummy CPU ?)
at best, they have shown that they can detect differences in the types of instructions the processor is executing by listening to the sounds of the capacitors. It is a long way from there to the point where they can extract the key itself from the information. In fact, I would venture that the data is far too noisy (haha) for any significant part of the key to ever be extracted, reagardless of the amount of computational power thrown at the problem. What they might be able to do however is use the information gleaned to eliminate large swaths of the set of possible keys. This could make cracking the key by conventional means a computationally easier task.
So, in all, this paper is not insignificant, but it's also not a reason to completely give up on security or to install a cone of silence around your computer.
lysergically yours
This sounds kinda like that crack that the college student found in 1995 dealing with the speed of the CPU determining what random numbers the host would pick. A good reason not to keep your CPU info in the HINFO line of a DNS zone file.
Nope, for it's DSA/DSS all the way, and all the noisy capacitors in the world won't help you break it.
That wouldn't change anything. RSA as well as DSS is based on modulus exponentiation with a secret exponent. If you can get the exponent you have broken the system, it is as simple as that.
Why do I trust it? Because it was developed by the NSA, not a bunch left leaning MIT eggheads.
That kind of logic is useless in the security business. Basing your trust upon who designed the algorithm is stupid. How many (and who) tried to break the algorithm and failed at that is a better meassure on the security. A good rationale behind the design is another good meassure on the security. And finally mathematical proofs.
Do you care about the security of your wireless mouse?
Even at a 96 kHz sampling rate, the maximum frequency that can be sampled is 44 kHz. How could one hope to extract a certain few bits from a recording when the CPU's instruction throughput is many times that? Most of the information that would need to be examined wouldn't make it onto the recording. Correct me if I'm wrong, but it seems Nyquist leaves this idea dead in the water.
...but all I heard was "Dave, what are you doing Dave?"
Hmm, maybe I should put away the screwdriver.
Encryption inhibits surveillance by ANYONE. That the government falls under the category of anyone is secondary to most encryption desires and uses.
If someone was attempting avoidence/prevention of potential government investigation, then the act of encrypting wouldn't make it more or less likely. They make use of encryption because they have some information they don't want the government to know. It's not because they use encryption but due to any relevant knowledge they have, that a person should ellicit investigation by their government. And then knowledge pertaining only to those things that governments should worry about (murder, fraud, and other criminal acts).
So by encrypting the code on my laptop as a security precaution, you're saying I bring unnecessary suspicion upon myself? Noone but my company and its business competitors has an interest in the trade secrets I manage and create during the course of my business. Therefore I use encryption as a means of self-defense. I inhibit investigation by those not authorized by me or my company. The act of investigation could very well be illegal. I would not give my government blanket access to my trade secrets, when I have no control over what they do with them. They should have no interest in them. in fact, by wanting to enhance surveillance of those things which they declare to not have an interest in and would normally have no involvement in is suspicious in itself. Encryption is a tool and is about as dangerous as a screwdriver.
click-clack, front and back. I'm not moving this car otherwise.
use money/women/men/donkeys
Btw, if you meet a woman with a donkey, don't forget that great opening line:
"Hey babe, nice ass!"
Sorry.
Shamir, once again pointing out something absolutely brilliant and (in retrospect) totally obvious, did forget to include something rather important in his announcement:
The particular pattern of CPU operations executed while an RSA private key is executed varies depending on that RSA private key. Given a rough estimate of the pattern of CPU operations executed, the set of possible RSA private keys is greatly reduced. So it becomes much, much easier -- possibly trivial, particularly if you have a chosen plaintext scenario -- to extract a private key from an otherwise secure system. Consider an e-voting machine with an audio system for handicapped access -- with nothing but a very sensitive microphone in the booth, you might be able to determine the private key used to sign votes (and thus gain the capability to spoof votes elsewhere).
And of course, this would be a very, very successful attack against an RSA private key embedded within a trusted computing environment. Processors -- even those encased in epoxy -- still need power, and variable amounts depending on what they're doing. The brilliance here is that rather than needing some very expensive analog energy drain measurement equipment, you just need a sound card. It's a side channel attack for the masses.
Very very cool work. Wow.
--Dan
If you really want to do some acoustic evesdropping, listen to the keyboard. It's got a much larger signal to begin with (from across the room, instead of having to paste your ear to the computer case.) Since there are always slight mechanical differences between keys on any given keyboard, I would think that the sound spectrum would also be slightly different. Being able to always listen in on the same user would also help, since most people are somewhat consistent regarding which finger they use on which key. (Evesdropping on people who were smart enough to take a touch-typing class in high school is also a big plus.)
Assuming you could discern between the acoustic fingerprint of 100 different keys, then it's just a matter of figuring out which sound goes with which key. It's a simple substitution cypher, which are almost trivial to break.
Sneak your cell phone into your boss's office, set it to silent mode and plug in a headset so that you can set it to auto-answer when a call comes in. Then, while your boss is busy typing dirty notes to his mistress, you call your cell phone, start recording it, and presto, you've got a keylogger without ever having touch his computer or the software on it. Then, at your next performance review, you convince him to give you a hefty raise.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
R = Ron Rivest
S = Adi Shamir
A = Len Adleman
Uh, no. Your analysis runs contrary to cryptanalytic principles and the history of these sorts of attacks.
If you spot me 1 bit of key information, you have by definition halved the work for an attack. In this specific analysis, I need only consider those settings of key bits (in this case, bits of p and q) that correspond to observed behavior for an interval of the spectogram. This means that I can potentially crack the key in time almost linear in the size of the key, rather than completely exponential.
The work on timing attacks and power attacks uses very similar sorts of information, and the anlysis used here will likely be similar also. This is why Shamir, who is certainly qualified to evaluate the work at this point, describes it as "proof of concept": it would be surprising if the observed information fails to extend to a practical attack. It's just that in science, you publish when you have anything interesting to report, so that folks know you got there first.
(I'm a co-author of the presentation.)
The web page was extended to include a FAQ discussing the issues brought up here.