Scientists Extract RSA Key From GnuPG Using Sound of CPU

kthreadd writes "In their research paper titled RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Daniel Genkin, Adi Shamir and Eran Tromer et al. present a method for extracting decryption keys from the GnuPG security suite using an interesting side-channel attack. By analysing the acoustic sound made by the CPU they were able to extract a 4096-bit RSA key in about an hour (PDF). A modern mobile phone placed next to the computer is sufficient to carry out the attack, but up to four meters have been successfully tested using specially designed microphones."

Remember TEMPEST?

[Bruce+Perens]

TEMPEST was a details-secret government requirement meant to defeat means of eavesdropping on classified computer data from its electromagnetic emissions. I guess they need to include audio too.

My impression is that the noise comes from the power supply, not the CPU. I can certainly hear it with some computers, and it is related to work on the video card in my experience. I'm astonished that you can actually pull data from that, and in fact I'd like to see independent confirmation before I believe it.

Re:Remember TEMPEST?

[Hatta]

Seems like GPG could defeat this pretty easily by putting in some random HLTs.

Re:Remember TEMPEST?

[Desler]

In almost all machines, it is possible to distinguish an idle CPU (x86 "HLT") from a busy CPU.

Since they can detect when its idle how would your idea work? Making it "random" doesn't make it undetectable.

Re:Remember TEMPEST?

[K.+S.+Kyosuke]

I don't think you need that. It shouldn't be all that surprising. It's all a matter of the signal/noise ratio of how a "slice" of a program's execution trace maps onto something you can measure from the outside. I'm more wary of the "one hour" requirement. If it's one hour of continuous execution of RSA routines, it's not exactly practical. But it shows how dangerous making assumptions can be ("hardware protection (386 protected mode, HW virtualization etc.) is sufficient for preventing information leaks!"). I can't wait until someone starts breaking TPM modules and such.

Re:Remember TEMPEST?

[Gothmolly]

Or HCF, if you wanted to be really sure.

Re:Remember TEMPEST?

It also needs to include LEDs. In fact, some other security standard already warns against this.

People used to hook LEDs almost directly to serial data buses (or, to be exact, a high-impedance LED driver was hooked directly to the serial data bus) to implement "activity" LEDs, and was quite an effective data leak for a very wide range of frequencies.

Re:Remember TEMPEST?

GPG already defeated this by adding basic anti-DPA measures (random whitening value).

Re:Remember TEMPEST?

[DaveAtWorkAnnoyingly]

I'm not a computer scientist by trade, I'm an engineer (nukes), and this sounds dubious. Perhaps I'm way behind the curve on acoustic engineering, but being able to pull a 4096 bit key from noise that not only is pretty polluted, but also, surely depending on what the PC is doing, could be dependent of lots of other things?

Also, it's Bruce Perens. Hi!

Re:Remember TEMPEST?

[Cid+Highwind]

Right, but all the sound reveals is whether the CPU is busy or idle (or more likely, how much current it's drawing). Adding random-length pauses exactly at the steps where knowing whether the CPU goes idle leaks part of the key would break this sort of listening attack.

With multi-core processors it might even be possible to mask the sound by starting up another thread to do useless work that sounds like encryption but isn't...

Re:Remember TEMPEST?

I remember tempest being specific to displays. More specifically CRT displays because of how they operated.
CRT displays are high voltage electronics that modulate at high frequencies to turn on an off an electron beam (And use electric magnets to move the beam over the screen in a zig-zag pattern) These sorts of things happen to generate a whole lot of radio signals that are easy to pick up from a distance. Really, you just have to find the "song" the electronics that modulate the electron beam sings and it's not hard to extrapolate an image out of that.

You could buy "tempest shielded" displays (and an infamous black tempest shielded compact Macintosh) that were basically housed in Faraday cages.

Re:Remember TEMPEST?

[Desler]

Q12: Won't the attack be foiled by loud fan noise, or by multitasking, or by several computers in the same room?

Usually not. The interesting acoustic signals are mostly above 10KHz, whereas typical computer fan noise and normal room noise are concentrated at lower frequencies and can thus be filtered out. In task-switching systems, different tasks can be distinguished by their different acoustic spectral signatures. Using multiple cores turns out to help the attack (by shifting down the signal frequencies). When several computers are present, they can be told apart by spatial localization, or by their different acoustic signatures (which vary with the hardware, the component temperatures, and other environmental conditions).

Re:Remember TEMPEST?

[chuckugly]

The article says the second to last revision of the crypto did this, and that the change made it more vulnerable. Apparently it's a difficult problem.

Re:Remember TEMPEST?

[ArbitraryName]

I remember tempest being specific to displays.

You remember incorrectly. TEMPEST covers compromising emanations of any types, from teleprinters to LCD displays to blinkenlights to keypress sniffing. The most "famous" demonstration was van Eck and CRTs, which is probably what you remember.

Re:Remember TEMPEST?

[Opportunist]

But with plenty of different compilation and optimization options, not to mention a lot of compilers to choose from, the "sound" of the CPU should definitely change from binary to binary.

Re:Remember TEMPEST?

Since it's open source, your programmer can add a "Send private key to Eve" feature. What's your point?

Re:Remember TEMPEST?

[scottbomb]

I was wondering how far I'd have to scroll down to see someone call BS on this. Wish I had mod points now.

Re:Remember TEMPEST?

[Bruce+Perens]

First, you'd need a GPG port to Commodore 64.

Re:Remember TEMPEST?

Good luck with that on anything approaching modern transmission speeds. Can a consumer grade LED actually switch fast enough to leak 56kbps, much less 50mbps?

Re:Remember TEMPEST?

[Opportunist]

Well, think of it like trying to hear an opera singer in between a lot of traffic noise. Even your ear can do that to some degree, but for software it is fairly trivial to separate the song from the other noises, especially if you know what opera is being sung. The singer might not be singing in the key you know or he might have a bit of variety in the way he interprets the song, but you know in general what it should sound like so you know what to look for, and then you work from there.

Re:Remember TEMPEST?

[Bruce+Perens]

Using multiple cores turns out to help the attack (by shifting down the signal frequencies).

Say what? Through what mechanism would multiple cores shift down the frequency? And what about parallel instruction streams contributing to noise?

Re:Remember TEMPEST?

[Etcetera]

Good luck with that on anything approaching modern transmission speeds. Can a consumer grade LED actually switch fast enough to leak 56kbps, much less 50mbps?

Yep!

As the saying goes.... "You must be new here" ;)
http://slashdot.org/story/02/03/06/1221224/led-lights-friend-or-foe

Re:Remember TEMPEST?

[Bruce+Perens]

The "audio" in question is most likely all below 24 kHz, that being the Nyquist limit for the 48 kHz sampling hardware, unless it happens that some phones can actually sample faster, and have microphones that can respond to higher frequencies.

The instruction rate of the CPUs in question is many times that frequency.

It doesn't sound likely.

Re:Remember TEMPEST?

[zlives]

I am sure it is my shortcoming:
i wonder if a single core processor with a single repeating process in isolation could eventually reveal the process if additional processes are added later, but then again i am flabbergasted as to how it actually reveals the code... to me it has the sense of dousing for encryption keys...

Re:Remember TEMPEST?

[Bruce+Perens]

Hi.

the Nyquist limit of the audio sampling hardware of a cell phone over instruction rate of a modern CPU is a pretty small fraction.

Re:Remember TEMPEST?

[phantomfive]

Thus far, it seems theoretical more than practical. Not only is it a chosen-plaintext attack, it also requires the user repeatedly decipher the text many times before the key can be extracted. I can't think of any practical way of getting people to do that (unless you can somehow get to the key in a Visual Basic Outlook script or something). That's my understanding of the paper, with this relevant quote:

In a nutshell, the key extraction attack relies on crafting chosen ciphertexts that cause numerical cancellations deep inside GnuPG’s modular exponentiation algorithm. This causes the special value zero to appear frequently in the innermost loop of the algorithm, where it affects control flow. A single iteration of that loop is much too fast for direct acoustic observation, but the effect is repeated and amplified over many thousands of iterations, resulting in a gross leakage effect that is discernible in the acoustic spectrum over hundreds of milliseconds

Since microphones can't grab frequencies in the Ghz range (where CPUs operate), they can't directly observe individual instructions. But with multiple passes over the same operation, they can use statistics to determine what the instructions were.

Re:Remember TEMPEST?

It's been too long since I learned signal processing, but the Nyquist limit is for unaliased signals. Higher frequencies would be present in the audio samples, just aliased to lower frequencies. So long as there are no confusing lower frequencies, would it be that hard to pick out details from the aliased higher frequencies?

Re:Remember TEMPEST?

Hi Perens, I could have sworn you were incinerated at grid control.

Re:Remember TEMPEST?

"Boss, we have a new security requirement for protecting our keys. It's called 'music'. We need to have music playing at every workstation."

Re:Remember TEMPEST?

[muridae]

Using multiple cores turns out to help the attack (by shifting down the signal frequencies).

Say what? Through what mechanism would multiple cores shift down the frequency? And what about parallel instruction streams contributing to noise?

Cache misses

Re:Remember TEMPEST?

[jaseuk]

This article reminded me of that one. Nice to see that one again.

Jason.

Re:Remember TEMPEST?

If you really want to be sure, you have to take off and nuke it from orbit.

Re:Remember TEMPEST?

[DigitAl56K]

Particularly relevant high-level from the PDF:

In a nutshell, the key extraction attack relies on crafting chosen ciphertexts that cause numerical
cancellations deep inside GnuPG’s modular exponentiation algorithm. This causes the special value
zero to appear frequently in the innermost loop of the algorithm, where it affects control flow. A single
iteration of that loop is much too fast for direct acoustic observation, but the effect is repeated and
amplified over many thousands of iterations, resulting in a gross leakage effect that is discernible in the
acoustic spectrum over hundreds of milliseconds.

Re:Remember TEMPEST?

[loufoque]

In the situation in question, they fully control the load of the computer.

Re:Remember TEMPEST?

Yes.
Pretty much any plain old small LED can do 100MHz decently.

Re:Remember TEMPEST?

[Prune]

>The "audio" in question is most likely all below 24 kHz, that being the Nyquist limit for the 48 kHz sampling hardware, unless it happens that some phones can actually sample faster, and have microphones that can respond to higher frequencies. The instruction rate of the CPUs in question is many times that frequency. It doesn't sound likely.

Your objection was directly addressed in the article:

"Cryptanalytic side-channel attacks typically require measurements with temporal resolution similar to the time scale of the target operation, but here the target cryptographic computation is many orders of magnitude faster....the key extraction attack relies on crafting chosen ciphertexts that cause numerical cancellations deep inside GnuPG's modular exponentiation algorithm. This causes the special value zero to appear frequently in the innermost loop of the algorithm, where it affects control flow. A single iteration of that loop is much too fast for direct acoustic observation, but the effect is repeated and amplified over many thousands of iterations, resulting in a gross leakage effect that is discernible in the acoustic spectrum over hundreds of milliseconds

I dare suggest that sometimes even the experts need to RTFA. :)

Re:Remember TEMPEST?

[Prune]

Their attack is based on spectral analysis, not time series analysis, so this sort of obfuscation would not work well. Please RTFA.

Re:Remember TEMPEST?

[bug1]

you know in general what it should sound like so you know what to look for, and then you work from there

If it was just one opera singer it might be reasonable to "work from there", but keys need to be 100% correct unless they are combinign it with a brute force attack, but then they would still need to know whci hbits they heard correctly.

But i still call bullshit, what if there are more than one opera singers singing, or its some new age music that has elements of opera, but isnt really opera at all.

What if a bug flys into your fan ?

Re:Remember TEMPEST?

[king+neckbeard]

I'm not current on the relevant literature, but I thought that this is something that computers tend to be generally inferior to humans at. Think about voice recognition and how awful almost all of it is.

Re:Remember TEMPEST?

[chuckugly]

Hi.

the Nyquist limit of the audio sampling hardware of a cell phone over instruction rate of a modern CPU is a pretty small fraction.

Also, potatoes are delicious. Both statements have very little to do with the paper in question.

Re:Remember TEMPEST?

Yeah, I was pretty skeptical but their paper makes it seem plausible.

Re:Remember TEMPEST?

[Burz]

Yet the processing for that key nevertheless stretches out quite a while in computing terms; Choose the right time scales at which to analyze the acoustic signal, and perhaps something like an RSA key can be recovered where most other types of info are beyond reach because they are processed only fleetingly.

Re:Remember TEMPEST?

[lister+king+of+smeg]

exsept that would show up when you run a diff of the sourcecode

Re:Remember TEMPEST?

[Algae_94]

I was wondering how far I'd have to scroll down to see someone agree with me. Wish I had mod points now.

FTFY

Re:Remember TEMPEST?

[AHuxley]

Tempest started in for real in the early 1950's by the CIA. The UK discovered the same method via a cypher machine allowing plain text. The early use by the UK was against keyboard using a microphone - e.g. Egyptian Embassy in London under an ~1956 operation called "Engulf".
http://cryptome.org/tempest-time.htm
The US and UK later targeted the French embassy cypher machines in London and Washington until the early 1960's. France finally installed copper shielding in the early 1960's :)
The real trick with tempest was allowing US/UK and NATO allies to have a system safe from Soviet man in the middle attacks along a telco/radio like network but allow plain text to be totally captured as entered/printed by the NSA/GCHQ and others.
The range was a problem- acoustic, electromagnetic fields, type of power supply - a few hundred yards.
The use of microwave or laser beam systems could also be used to get some neat reverberations from a room of interest e.g. as the plain text message was typed on the keyboard.
In the 1960's the UK did their best to ensure that NATO was safe from tempest via Soviet efforts but always held back just enough information to ensure its own efforts where still usable :)
Sell junk kit to NATO allies, neutrals - get all the plain text - just like todays perfect "academic, gov and .com" passed internet junk crypto standards :)
As for the CPU and sound ?? Your US "OS", your US/UK encryption, malware all seems to be waiting for 'free' or on expensive systems :)

Re:Remember TEMPEST?

[EdIII]

the key extraction attack relies on crafting chosen ciphertexts that cause numerical cancellations deep inside GnuPG's modular exponentiation algorithm

So do this mean that they can analyze it only be introducing specific ciphertext into the communication?

That does not seem all that useful when you have no control over the hardware, and no influence on the communication.

Re:Remember TEMPEST?

True but *you* need to change the program used making it harder for a 3rd party to perform the attack. If the sysadmin/programmer has had access to change the binary doing the encryption you're screwed anyway - they could insert code to send it through any number of other channels (Internet, airgap etc).

Re:Remember TEMPEST?

When recovering an under sampled signal through repetition, the ratio of the sampling rate to the frequencies of interest is pretty important to figuring out a lower bound on how long it will take.

Re:Remember TEMPEST?

[Vegemeister]

In practice though, I though GPG was used to encrypt a randomly generated AES key, because symmetric ciphers are much faster than most asymmetric ones. There's no way to conduct a chosen plaintext attack, because the plaintext is a tiny fragment of random data with no particular significance.

Re:Remember TEMPEST?

[dwywit]

Add a few HCF instructions here and there. You might be lucky enough for it to cause some consternation at the listener's end.

Re:Remember TEMPEST?

[viperidaenz]

They're not listening for individual instructions. they're listening for branches in specific loops.

Re:Remember TEMPEST?

if your area is TEMPEST-compliant then one would need a portable device (PED) within the area to do this, outside the secure area would be too far away. then only those who have been cleared and delegated access would have unsupervised access, others would be escorted by authorized personnel.

so TEMPEST protects against visitors and cross-contamination, however like anything else the insider threat risk remains.

Re:Remember TEMPEST?

I'm an engineer (nukes)

Great, I hope your latest designs will be even more efficient and cost-effective to kill and maim people for generations to come.

Re:Remember TEMPEST?

In the situation in question, they fully control the load of the computer.

Are they also in full control of the installation and execution of "copy key somewhere and say we cracked it"-program on said computer?

Re:Remember TEMPEST?

[AmiMoJo]

It's not so bad if they need chosen cyphertexts. I have long wondered why data is not whitened with a random seed before encryption to prevent injection of chosen cyphertexts.

Re:Remember TEMPEST?

Why? When we have people like you quoting relevant parts. Welcome to /.

Re:Remember TEMPEST?

Adaptive filtering and understanding are two different things.

Voice recognition is painfully awful, yet the algorithms used to extract voice from background noise are amazing.

Re:Remember TEMPEST?

[wiredlogic]

That's the thing. They used a specially crafted test case that doesn't reflect real world usage.

Re:Remember TEMPEST?

[Agripa]

Absolutely. Optocouplers are slow because of transistor storage time and not the LED which is why if you have access to the base of the transistor, you can make the optocoupler much faster.

Re:Remember TEMPEST?

[nctritech]

I actually know people who would find this useful. Us CBM die-hards are a strange lot.

Re:Remember TEMPEST?

I think what they did was force decryption of the same known ciphertext patterns thousands of times, which is what allowed them to derive meaningful data from what appeared at lower harmonics.

I'm not surprised at this. My old ears probably only go to about 15Khz, but I can fire up a prime number generator, close my eyes and just listen to my computer and tell whether it's still working on a 1023-bit factor R or whether it's found one and is checking to see if 2QR+1 is prime.

Re:Remember TEMPEST?

in other news, moron software developer bruce perens places head in sand, news at 11

Re:Remember TEMPEST?

I suspect that if it's possible to identify a specific algorithm, it should also be possible to identify when CPU switches tasks, which is no trivial operation. Alternatively, with enough samples, you could filter out the noise (sorry about the terrible pun), since hashing and key operations are fairy repetitive in nature.

Re:Remember TEMPEST?

Back in the day work had a 286 we used for billing, the CPU on it
was pretty noisy in the audible frequencies. Easy to tell when it
was under load. The best way I can describe it is not too far from
transformer squeel.

In the modern day you wouldn't be able to easily listen on GHz freq's,
but perhaps there are overtones/harmonics down into the 100s of kHz that
you could still exploit.

Does it state whether they are listing to EM noise or audible hum?

Re:Remember TEMPEST?

[DarwinSurvivor]

So basically they first need to trick you into decrypting (or signing) a particular piece of data, then make you do it over and over again. Sounds like a lot of other things need to be "just right" for this to work.

Re:Remember TEMPEST?

[YoungManKlaus]

I know a similar behaviour from my old laptop ... when something caused the screen to repaint (eg. scrolling in the browser was a prime candidate), the audio-channel would get an oh-so-slight buzz for that time

Re:Remember TEMPEST?

Using multiple cores turns out to help the attack (by shifting down the signal frequencies).

Say what? Through what mechanism would multiple cores shift down the frequency? And what about parallel instruction streams contributing to noise?

It is not the cores specifically but a mathematical property commonly used in radio communication.
sin(a)*sin(b) = 1/2 * (cos(a-b) - cos(a+b))
A transistor working in the non-linear section will have an exponential function. This will give a function similar to (a+b)^2 = a^2 + 2ab + b^2 (Not really, but close, the important part is that you get the product of the signals. The rest will be high frequency noise.)

This means that if you have two frequencies that are cos to each other, like 3000000kHz and and 3000001kHz the interaction between them will create a component at 6000001kHz and one a 1kHz.
Pretty much all audio equipment you can find will gladly filter out the higher frequencies and let the 1kHz component through.
The frequency variations in the ~1kHz component will give you information about the runtimes of the instructions.

Re:Remember TEMPEST?

Seems like GPG could defeat this pretty easily by putting in some random HLTs.

HLT is a privileged instruction. If you try to use it in user mode, the process is killed.

Re:Remember TEMPEST?

[sonamchauhan]

Also, it's Bruce Perens. Hi!

Also, while we are still in 'appeal to authority' mode, the coauthor of the paper is Adi Shamir, the 'S' in RSA.

Re:Remember TEMPEST?

[StripedCow]

Your analogy may work if you add that the sound of the singer is at frequencies near 1GHz (a high-frequency coloratura soprano?), and the sound is filtered as usual through a 44kHz lowpass filter before being recorded.

Re:Remember TEMPEST?

[rioki]

Q11: Can you realistically perform the chosen-ciphertext attack on GnuPG?

To apply the attack to GnuPG, we found a way to cause GnuPG to automatically decrypt ciphertexts chosen by the attacker. The idea is to use encrypted e-mail messages following the OpenPGP and PGP/MIME. For example, Enigmail (a popular plugin to the Thunderbird e-mail client) automatically decrypts incoming e-mail (for notification purposes) using GnuPG. An attacker can e-mail suitably-crafted messages to the victims, wait until they reach the target computer, and observe the acoustic signature of their decryption (as shown above), thereby closing the adaptive attack loop.

Re:Remember TEMPEST?

But doesn't a every calculation what CPU does happen in same "noise"?
Meaning, you are in foreign country and you try to listen that opera singer, singing in same foreign language as everyone else, and everyone are talking and yelling in same pitch and volume as the singer but in different timings. You really need to focus to that individual to listen him and see lips moving to "catch" the singing.

Re:Remember TEMPEST?

[fatphil]

They don't pull a 4096 bit key from the noise. They pull one single bit of it from the noise. When they're sure they've got it right, they use that information to help them pull the next bit of the key from the noise.

I'm quite crypto-savvy, and even I was saying "oooh, that's clever" occasionally while reading it. It borrows a lot from previous side-channel attacks, so isn't completely groundbreaking, but still, it's very nice how they've used everything that's available to them.

It's very approachably written, don't be afraid of giving it a read.

Re:Remember TEMPEST?

[u38cg]

Attacks never get worse. They may get better. And the whole point of cryptography is to be robust under the most adverse conditions.

Re:Remember TEMPEST?

[Opportunist]

You really know how to ride an analogy to Absurdistan...

Re:Remember TEMPEST?

[bofkentucky]

In the article they talk about how engineer the target to select the chosen ciphertext via a crafted email that thunderbird auto-decrypts to display the message preview popup.

Re:Remember TEMPEST?

[Joce640k]

It's not the CPU, it's ceramic capacitors that make the noise. You can actually buy special quiet capacitors.

Re:Remember TEMPEST?

[Bob+the+Super+Hamste]

I had similar thoughts and seem to remember a similar story from a few years back about a voltage attack that could be performed against some sun microsystem (I think it was sun) hardware that would cause it to cough up the crypto keys that were being used. I don't remember the details so I don't know how similar it was and can't seem to find the slashdot article on it but for some reason this seemed to strike me as an audio version of that same attack (thus more difficult).

Re:Remember TEMPEST?

[atomicxblue]

They could solve it by having it constantly crunch numbers, but only use a small subset of the data it gets back, so there's no idle time.

Re:Remember TEMPEST?

[InvalidError]

It doesn't?

The attacker sends specially crafted encrypted messages to his target, records the side-channel information from the attacks and uses that information to determine the target's private key. Now the attacker is able to impersonate the target. I would call that a real-world problem since the private key is supposed to remain private.

That is why the paper points at the vulnerability of plugins that automatically decrypt messages for notification purposes or any application where the decryption process is automated: the attacker may get to send hundreds of carefully crafted texts that exercise different parts of the modular exponentiation vulnerability before someone notices something weird is happening.

Re:Remember TEMPEST?

You've never worked with car audio then? You can "see" the sound coming from your speakers by looking at the amp's power lines with a 'scope. I expect an army of engineers with an undisclosed budget could do the same with computer emissions. Considering how sloppy some of the circuits are, though, I'd have to wonder how they'd be able to target a specific bus.

Re:Remember TEMPEST?

Not so sure here. I read a few papers about Simple- and Differential Power Analysis on cryptographic rfids. You can't fool DPA by adding additional noise (or rather, randomly adding operations that don't change the result, but make analysis harder due to nondeterministic timing/power variations). It just makes the analysis a bit harder, vulgo -> you need more samples to do the statistical analysis, but in the end, the power spikes still reveal the key (or in this case, the sound spikes).

Re:Remember TEMPEST?

[DMUTPeregrine]

No, GPG is pure asymmetric crypt. SSL & SSH use generated symmetric keys, but they're not used for the same things as GPG.

Re:Remember TEMPEST?

[bluefoxlucid]

it's compressed.

Re:Remember TEMPEST?

Are you sure it's him or could it be someone else with the same name?

Re:Remember TEMPEST?

[nmr_andrew]

That's what it sounds like, and furthermore, it also seems that they need a microphone near the computer in question - for a cell phone, nearly touching, or within ~4 meters with specialized equipment.

Given the level of social engineering to get the target to execute the code, or at least know they're using an email client/plugin combination that will autoexecute, combined with getting a microphone in the necessary location, it seems to me that it would be easier to just coerce the target into giving up their key. Blackmail, seduction, or the oft-cited xkcd $5 wrench method all seem much easier to pull off.

Re:Remember TEMPEST?

[sjames]

Since it's public key, you can send them any message you like without being too suspicious. Then you'd need to listen in on their PC.

Re:Remember TEMPEST?

[complete+loony]

It's an attack that can reveal one bit of the key per iteration, based on detecting which implementation of large integer multiplication GnuPG is using in its main decryption loop. Since the loop runs for 2048 iterations, the different code paths produce different load on the power regulator, which produces a different audible signal.

Re:Remember TEMPEST?

Even your ear can do that to some degree, but for software it is fairly trivial to separate the song from the other noises

Ouch! If you are an audiophile you'd know that it is actually reverse :-)

Re:Remember TEMPEST?

[marcello_dl]

> I dare suggest that sometimes even the experts need to RTFA.
NEVER!

(or at least, not after you cited the relevant part of the article in your very own comment :) )

Re:Remember TEMPEST?

[GCsoftware]

No, it isn't. GPG / PGP is a hybrid cryptosystem just like SSL and SSH. Not sure where you got this idea from..

Do you realise the sort of processing overheads that encrypting mega/gigabytes in RSA involves?

It would have taken a LONG time to encrypt a single HD floppy image back in 1991 when PGP was first developed.

Re:Remember TEMPEST?

[GCsoftware]

Argh, was replying to the post above claiming PGP is pure asymmetric crypto. No idea which this got placed here.

Wow..

Impressive.

cool

That is seriously cool...

Not a Problem

I will be playing Nirvana at max volume whenever I am decrypting shit from now on

Re:Not a Problem

[Edward+Kmett]

They note that noisy environments don't really help.

Re:Not a Problem

[ArbitraryName]

The should have noted that a sense of humor does help.

Re:Not a Problem

[VortexCortex]

I'll be playing a recording of my system decrypting data with my throw-away RSA key then.

Re:Not a Problem

[Opportunist]

I'd guess flooding with white noise in the right spectrum might.

Re:Not a Problem

[fibonacci8]

So just play John Cage's 4'33" on repeat, and sue them for pirating music.

Re:Not a Problem

yes, but the others are fucked

OTP

The use of one time pads is the only way to be sure you have secured your data, and even then, you must still be vigilant. There is no way I would ever use anything else.

Re:OTP

[wonkey_monkey]

As long as you never need to decrypt your data ever again, you can make it 100% safe from prying eyes.

Re:OTP

Describe the fun time had.

NSA wants to access microphone. Allow/disallow?

[sideslash]

This makes me re-think the push toward quiet, fanless computers. Now I am thinking that I want a white[/some other color] noise generator to add privacy to my personal computing.

Re:NSA wants to access microphone. Allow/disallow?

[Desler]

Did you miss the part about the secondary attack vector?

We demonstrated another low-bandwidth channel: the electric potential of the laptop's chassis. In many computers this "ground" potential fluctuates (even when connected to a grounded power supply) and leaks the requisite signal. This can be measured in several ways, for example:

Re:NSA wants to access microphone. Allow/disallow?

[sideslash]

(What is this article of which you speak? I barely skimmed the summary.)

It seems to me that just about any web page I visit can (given the right software vulnerabilities) snoop on my computer's microphone. So that seems like a much larger vulnerability than the ground potential. Maybe for some people in more public places it might be different.

Re:NSA wants to access microphone. Allow/disallow?

[UnknownSoldier]

Moving back to fan computers won't help so you can keep your ultra quiet fans. Read The Fine Article:

Q12: Won't the attack be foiled by loud fan noise, or by multitasking, or by several computers in the same room?

Usually not. The interesting acoustic signals are mostly above 10KHz, whereas typical computer fan noise and normal room noise are concentrated at lower frequencies and can thus be filtered out. In task-switching systems, different tasks can be distinguished by their different acoustic spectral signatures. Using multiple cores turns out to help the attack (by shifting down the signal frequencies). When several computers are present, they can be told apart by spatial localization, or by their different acoustic signatures (which vary with the hardware, the component temperatures, and other environmental conditions).

Re:NSA wants to access microphone. Allow/disallow?

[sideslash]

Moving back to fan computers won't help so you can keep your ultra quiet fans. Read The Fine Article:

*sigh* ... yes, I was aware of that. That was why in the next sentence I suggested adding a random/colored noise generator.

Acoustic sound?

Traveling through gaseous air?
On a more serious note, they're doing power analysis using DC/DC coil whine as a proxy.

Re:Acoustic sound?

Traveling through gaseous air?
On a more serious note, they're doing power analysis using DC/DC coil whine as a proxy.

I suspect they meant "acoustic noise," noted to differentiate it from noise in signal processing.

But who knows, maybe somebody would confuse "sound" between acoustics, water, and medical probes.

Daisy, Daisy...

[jtara]

In High School, we had a program we would run on the IBM 1620 (this was in ancient history...) that would play a song on a transistor radio placed on the console. Somebody figured out what instructions to run to create different frequencies.

We used to just leave the radio there even when not running that program.

"That's a loop!"

"Whoa! A "FORMAT" statement!"

One can easily see how A leads to B.

Re:Daisy, Daisy...

[Spiridios]

In High School, we had a program we would run on the IBM 1620 (this was in ancient history...) that would play a song on a transistor radio placed on the console. Somebody figured out what instructions to run to create different frequencies.

We used to just leave the radio there even when not running that program.

"That's a loop!"

"Whoa! A "FORMAT" statement!"

One can easily see how A leads to B.

Back when the 486dx4 was out, I'd tune my FM radio to ~100mHz and listen to the weird whirs and buzzes that occurred during disk access or mouse movement. Many years later, during a security class of all things, when I suggested using this as a method to leak information out of a secure room, the speaker said using radio transmission to leak information was much too sophisticated to be a viable attack for anything but the government and military.

Re:Daisy, Daisy...

One can easily see how A leads to B.

I agree that sure, but that time CPU-clock was considerably slower few MHz range. Now we are in GHz range instructions executed 1000 times faster and still there are detectable harmonic side channels that can be picked up by a microphone. Didn't have time yet to read full paper, but a apparently condenser which are very sensitive, but still a device made picking up kHz range is quite neat feat to pull.

Re:Daisy, Daisy...

[Obfuscant]

Back when the 486dx4 was out, I'd tune my FM radio to ~100mHz

Wow. You have a radio that tunes that low? What signals did you hear? Nyquist tells us that the highest frequency you could modulate on that would be 50 mHz, well below the range of human hearing.

Re:Daisy, Daisy...

[bobbied]

I think he means Megahertz as in 100 Mhz, which is in the FM broadcast band.

Re:Daisy, Daisy...

MEGAhertz, not kilohertz.

100mhz is near the center of the North American FM broadcast radio band.

Re: Daisy, Daisy...

You're a dinosaur, too? We played the Star Spangled Banner on a chain drive IBM 1403 printer.

Re:Daisy, Daisy...

[Cimexus]

You're missing the point. He typed mHz (millihertz) instead of MHz (megahertz).

Re:Daisy, Daisy...

No, 100mhz is 1/10 of 1Hz.

100MHz is near the center of the ITU Worldwide* FM broadcast radio band.

*With a few exceptions, like Japan.

Re:Daisy, Daisy...

That was 20 years ago. There's all sorts of things that were only accessible to the military and governments back then that most people can afford. Just take a look at the average cell phone now, the technology would have been impossible even for the government back during the days of the 486.

Re:Daisy, Daisy...

[Obfuscant]

You're missing the point. Only a dumb chat bot would take his typo literally

Who took it literally? I think I was being very kind in pointing out the typo by using gentle sarcasm. Perhaps my saying that 50 mHz is "well below" human hearing instead of "practically fucking DC" confused you?

This is "news for nerds." Any self-respecting nerd that doesn't know the SI system of prefixes should just turn the computer off and go back to bed. Trying to insult the messenger for a failure to preview a posting and being NINE ORDERS OF MAGNITUDE WRONG is just pathetic.

Re:Daisy, Daisy...

[viperidaenz]

Perhaps they're listen for the CPU throwing away the pipeline due to a branch in the gnuPG code and waiting for the pipeline to fill up again after waiting for the next instruction to be fetched from the cache.

Re:Daisy, Daisy...

[AmiMoJo]

Actually the CPU does things on both edges of the clock, so internally 100mhz switching is possible. However, the GP was probably picking up EM from the drive motor, not the CPU.

Re:Daisy, Daisy...

[Elbart]

Absolutely! milli, Mega, kilo, Kelvin, Giga, gram, what's the difference, right?

Re:Daisy, Daisy...

[Neil+Boekend]

The GGP probably tuned his radio to 100 MHz instead of 100 mHz.
This leads me to a funny cable label. A cable was marked "20 MA". It was about half a mm^2 (approx 16 AWG) and the price made me quite sure it wasn't superconducting. Someone had decided to put EVERYTHING IN CAPS. Someone who needs a stern talking to.

Re:Daisy, Daisy...

[geminidomino]

That's nothing! I did that trick, too, and while I installed Lotus Notes, a deep, otherworldly voice started chanting in Latin!

Re:Daisy, Daisy...

[MrNiceguy_KS]

Uh, that's standard for any Lotus Notes install. You must not have read appendix 666 in the install docs.

Re:Daisy, Daisy...

Back in the 1970's my father was in the military (not US) in communications. In a not very large town that the base he was posted in (10,000ish people) they were able to tap into the power lines on the other side of the town from the base and produce reports of what people where typing on their computers.

I would expect we now have more filtering on our power lines then we did in the past so this may not work. But there is a reason why when they need a certain level of security computers are placed in areas with generators and have no connections to the outside.

Re:Daisy, Daisy...

[Spiridios]

Back when the 486dx4 was out, I'd tune my FM radio to ~100mHz

Wow. You have a radio that tunes that low? What signals did you hear? Nyquist tells us that the highest frequency you could modulate on that would be 50 mHz, well below the range of human hearing.

Who said I was human?

Re:Daisy, Daisy...

Look up superheterodyne radios. You only need to have a Nyquist value inside your intermediate frequency range.

Adi Shamer

[SeanDS]

Adi Shamir of RSA fame.

All right, that's it!

[93+Escort+Wagon]

I'm turning off the web server right now!

What about what else the pc is doing...

Was this a single core?

Or a dual+ core doing nothing else at the time?

Re:What about what else the pc is doing...

[Desler]

They address that. It ms a very short "article" so you really should read.

In before "you must be new here".

Re:What about what else the pc is doing...

Was this a single core?

Or a dual+ core doing nothing else at the time?

It's a dual-core Windows PC running an anti-virus program on the 2d core.

It's not the fan or mechanical components

[LNO]

It's more awesome than that. The white noise generated by the fan doesn't matter at all.

"The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to maintain a constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations. The relevant signal is not caused by mechanical components such as the fan or hard disk, nor by the laptop's internal speaker."

The attack scenarios are even more fantastical. I have no idea how plausible they are, but wow, regardless:

"We discuss some prospective attacks in our paper. In a nutshell:
Install an attack app on your phone. Set up a meeting with your victim, and during the meeting, place your phone on the desk next to the the victim's laptop (see Q2).
Break into your victim's phone, install your attack app, and wait until the victim inadvertently places his phone next to the target laptop.
Have a web page use the microphone of the the computer running the browser (using Flash or HTML Media Capture). Use that to steal the user's GnuPG key.
Put your stash of eavesdropping bugs and laser microphones to a new use.
Send your server to a colocation facility, with a good microphone inside the box. Then acoustically extract keys from all nearby servers.
Get near a TEMPEST/1-92 protected machine, such as the one pictured to the right. Put your microphone next to its ventilation holes and extract its supposedly-protected secrets."

Re:It's not the fan or mechanical components

[sideslash]

It's more awesome than that. The white noise generated by the fan doesn't matter at all.

Right, I mentioned the fan as one source of noise to act as a countermeasure (not a good one, of course, since you want something random).

Re:It's not the fan or mechanical components

[LNO]

Even that gets filtered out:

"Q12: Won't the attack be foiled by loud fan noise, or by multitasking, or by several computers in the same room?

Usually not. The interesting acoustic signals are mostly above 10KHz, whereas typical computer fan noise and normal room noise are concentrated at lower frequencies and can thus be filtered out. In task-switching systems, different tasks can be distinguished by their different acoustic spectral signatures. Using multiple cores turns out to help the attack (by shifting down the signal frequencies). When several computers are present, they can be told apart by spatial localization, or by their different acoustic signatures (which vary with the hardware, the component temperatures, and other environmental conditions)."

Re:It's not the fan or mechanical components

Want it to be *really* worrisome? Some HSMs are certain to be vulnerable to this. In fact, anything that is not very well *primarily* hardened against power-measurement attacks (i.e. which doesn't depend on external shielding for the hardening -- since that shield is unlikely to have been designed to twart acoustic profiling, as evidenced by the attack on a TEMPEST-shielded box) will be.

Re:It's not the fan or mechanical components

On the other hand, playing AC/DC songs at high volume through the speakers will probably cause harmonic resonance in the much weaker structures of the target computer housing, at higher frequencies...

Re:It's not the fan or mechanical components

[elmer+at+web-axis]

They forgot to include: 'Take a lead pipe and break bones of the victim until he gives you access to his encrypted data'

Re:It's not the fan or mechanical components

So we need to use differential logic on the cpu die with a constant (although unfortunately very high, presumably) current consumption, then. Away with the noisy single-ended CMOS logic!

Re:It's not the fan or mechanical components

[Neil+Boekend]

Oblig. XKCD.
It does have a major difference: this hack can be done without the victim noticing. The $5 wrench attack vector is a bit more conspicuous.

A legit reason to have the radio on all the time!

[sandytaru]

I'm totally going to use this if I'm ever asked to turn my music down in the office. "But sir, this is increasing my encryption security!"

Since 90% of the people in my office are not tech people, that just might work.

Easy fix

Just run in the background a "Random Noise Generator"

Re:Easy fix

[bobbied]

Just run in the background a "Random Noise Generator"

And what program do you propose to use that generates Random Noise?

Re:Easy fix

[lisaparratt]

Read Slashdot at -1.

Re:Easy fix

[bn557]

a twitter reader?

Re:Yeah right?

[Mister+Transistor]

This is obviously nonsense to you and me, but now the NSA thinks this is a viable vector! Imagine all the billions of tax $$ they will now waste researching and trying to crack it!

This is what we need - more crackpot theories of infection/subterfuge vectors to keep 'em busy.

Re:Yeah right?

[Desler]

You could have spent 5 minutes to skim the page where they address your questions.

Good thing im exempt

[nurb432]

I run a quantum computer. Good luck getting noise from that.

Re:Good thing im exempt

[chuckugly]

I'll just use my box full of cat next to it instead of a microphone.

Re:Good thing im exempt

[ls671]

Lucky you, I am still eavesdropping on dial tones and deciphering by matching to digits. I am also faking dial tones and making long distance calls by whistling.

https://en.wikipedia.org/wiki/Phreaking

 

Re:Good thing im exempt

[VortexCortex]

So long, and thanks for all the fjords.

Re:Good thing im exempt

[Valdrax]

I run a quantum computer. Good luck getting noise from that.

Haha. Mine is entangled with yours. Gives a whole new meaning to spooky action at a distance.

Re:Good thing im exempt

[nurb432]

So THAT is where that porn came from...

Re:Good thing im exempt

[dudpixel]

It's no use, I looked in your box there and your cat is dead...

Re:Good thing im exempt

I already know your computers state, I just can't observe it.

Re:Yeah right?

[Desler]

How is it "obviously nonsense"? Pardon the appeal to authority but do you know who, for example, who Adi Shamir is? He isn't some random quack.

New?

Wait, this is a new paper? Neat, they updated it since 2004. Um, this is a pretty old technique, I've seen it demonstrated, on GnuPG, no less, before. RSA squares and multiply have different loops. This one, I know, GCHQ did first.

It's one of the reasons we like Ed25519 and the other safecurves - constant time loops, no key-dependent branches, massively reduces side-channel attack potential.

Re:New?

[Grizzley9]

Exactly, this is not new. Even game designers know about this as it was even highlighted in Batman:Arkham Origins or whatever game. Batman would use some type of audio/sonic based device to pick secure locks and get their codes even though they couldn't be hacked via normal means.

As a trustworthy friend that retired from the FBI also told me, they can find out what's on your hard drive by listening from across the street as well. (I'm assuming they could only get the data you were accessing at the time though)

NSA to Scientist: "Welcome to 1998"

[JoeyRox]

I'm sure the NSA has been doing this for some time. Not to mention listening in on keyboard sounds and emissions from computer displays to get the same information.

Re:Yeah right?

[cold+fjord]

This is what we need - more crackpot theories of infection/subterfuge vectors to keep 'em busy.

If so, this is definitely the right place to get them.

Unfortunately there are way more crackpot theories about what NSA are up to than there are about new attack vectors. Someone needs to step up production of the crackpot attack vectors. Any takers?

Re:Yeah right?

[bob_super]

You forgot to mention deep pipelines, out-of-order execution, cache hits and misses, interrupts, multitasking...

Yeah, I don't believe that one on regular PCs (and I don't think they'll bother to come break my keys to prove me wrong), and I'd like to see the amount of testing required for it to work on single-threaded single-core in-order non-cached micros, if they can find one.

How do you test a meter?

[wonkey_monkey]

but up to four meters have been successfully tested

Were they all the same size?

Re:How do you test a meter?

[kthreadd]

=)

Re:How do you test a meter?

How do you test a meter?

With another meter of the opposite polarity. Obviously, a meter touching itself would be wrong because it would go blind.

Re:How do you test a meter?

[Nivag064]

Perhaps they should have said four metres (using the correct spelling)!

Re:How do you test a meter?

ha! i know what you did there!! :-)

Re:How do you test a meter?

One was 2m wide.

Oh, I got an idea -- The Bat detector!

I need to borrow one from biology lab tomorrow and see those sounds could be heard with that :)

Re:Yeah right?

[Desler]

They address both multitasking and multiple cores. They say multiple cores makes the attack easier.

Re:Yeah right?

[AnotherAnonymousUser]

It stands to reason that it makes a sound that no knows... Perhaps Joff-tchoff-tchoff-tchoffo-tchoffo-tchoff?

Easy to guard against this

[OuchIAteMyself]

It seems like 'random' interference would be easy to produce by mimicking the behavior of these components in intervals in order to obscure the collected data. Even though the interference wouldn't be truly 'random', it would certainly increase the amount of data that needs to be collected in order to effectively remove it from the sound recording.

Requires continuous decryption of known texts

This only works if the computer is decrypting known files for an hour. It would be very difficult to exploit in practice.

Re:Requires continuous decryption of known texts

[chuckugly]

Yes, because no one could come into a conference room and set a cell phone next to the target notebook while sending ciphertext to the notebook at the same time. For an hour long meeting. Ever.

Re:Requires continuous decryption of known texts

[gl4ss]

but the ciphertext would need to be encrypted on the notebook to be attacked. with known compilation. assuming no other semi-random power draw. just extract the key already if you have local access.

it still sounds a bit whimsical.

Re:Requires continuous decryption of known texts

[chuckugly]

No. The cipher text is encrypted with a public key (which is public) and then sent to the target machine to be decrypted with the private key, which is what is being attacked.

More "Don't Bother" FUD from the NSA

We KNOW that the NSA has commissioned multiple academic papers - peer reviewed and widely published - pushing the absolute lie that properly erased data on a HDD can be recovered. Indeed, the owners of Slashdot, on multiple occasions, have ensured that such FUD about the safety of erased files has gained maximum promotion on this site.

A significant part of the NSA budget is set aside for media propaganda campaigns, in both the general and specialist 'press', that actively discourages people from deploying the best security protocols. This is a STATISTICAL game, where the active intent of the NSA is to ensure a significantly lower proportion of the systems they encounter through ALL their surveillance projects have good security.

"The NSA can hack it all anyway, so why bother with ANY inconvenient security measures- the commercial security packages are just as 'safe' as things like Truecrypt, Tor, etc."

Sounds like the thoughts of a moron, but the NSA know this is actually the thinking of most of you, after exposure to FUD campaigns on Slashdot and elsewhere.

CPUs don't make 'sounds', and modern processors handle encryption/decryption with such a tiny fraction of their computing power, 'reading' the 'algorithm' and 'data' use of the processor using analysis of power usage or EM radiation would be impossible, UNLESS the software had been specifically engineered (ie., anything from Microsoft or the like) to allow such attacks.

But here's a more recent example of technical FUD from NSA sources. Modern processors have instructions specifically created to improve the 'flow' of encrypted data- instructions that 'accelerate' parts of common encryption/decryption algorithms. While a naive person might think such instructions were a likely vector for an NSA sponsored hardware attack, they are in reality merely simply simple maths/data operations that happen to help the algorithm.

On the other hand, Intel, AMD and ARM licensees are all implementing NSA/GCHQ perverted FAKE random number generators that morons are encouraged to use as seeds etc for their encryption algorithms. ***NO*** valid security software will ever use these hardware random number units. Google, Microsoft and the usual suspects, however, mandate the use of these subverted units in the hackable, back-door riddled 'security' products they produce.

But my intended point is that technical sites are DELIBERATELY confusing their readers about the 'safety' of using the accelerating instructions as if they carry an identical risk to using the inbuilt FAKE random number generator. This is the common "all or nothing" FUD propaganda method in different clothes.

To put it simply, if it's promoted on Slashdot now, it's pro-NSA FUD. Once Slashdot bothered to hide its true colours. Today, they don't even see the need to do that. A bit like how Obama, in the midst of the full surveillance NSA scandal, launched a spy platform for his massively expanding war machine, decorated with a giant octopus swallowing the world, and a logo that effectively stated "F**k you sheeple". Needless to say, the blatant use of this obscene 'middle finger' to Humanity was not deemed worthy of 'promotion' on Slashdot.

Re:More "Don't Bother" FUD from the NSA

"The NSA can hack it all anyway, so why bother with ANY inconvenient security measures- the commercial security packages are just as 'safe' as things like Truecrypt, Tor, etc."

Yet, funny enough the NSA and others recommend you use as strong security measures as possible. Even if we assume the NSA could break any security system, they are not the only threat. The only person that would give up after such an assumption is some conspiracy theorist with a one track mind. For the rest of us, we continue to use the best we can, without needing to assume what the NSA can and can't break, and many continue to fix the problems these papers highlight.

Re:Yeah right?

[r2kordmaa]

CPU does not make a sound. Its current consumption does however swing wildly depending on what program its currently running. Variable current, all these chokes and coils in the way - you will get vibration and thus acoustics. Look up power analysis attack vectors on cryptography. These are old news and they work. Now the novel bit here is how you get the data for power analysis, instead of direct current measurement you measure acoustics. I guess thats plenty of data.

Re:Yeah right?

Seriously. RTFA...

White Noise Generators As Countermeasure?

[teambpsi]

EOL.

Redundant summary is redundant

[henryteighth]

I'm so glad to know they examined the *acoustic* sound (or the acoustic *sound*, even) instead of any sort.

Reminiscent of other attacks

[cold+fjord]

There have been other attacks previous discussed here as I recall, such as using power fluctuations or timing attacks, and so on, as cribs to retrieve a key. It appears this sort of attack that exploits the characteristics of the system performing the encryption will continue to be an attack vector of growing importance.

Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

Abstract. By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.

Breaking DES with side-channel attacks

This lab will demonstrate how power analysis of cryptographic hardware can reveal the key. We will be using basic electronic measurement tools such as oscilloscopes to demonstrate this side-channel attack.

You will be using a small hardware board (fig. 1) with a generic microprocessor programmed to perform DES encryption and decryption. The scenario is that you are the attacker and want to find out the secret key stored inside the board. There is no way of getting to the key directly, so you will need to perform a side-channel attack by measuring the power consumption of the board while the algorithm is running. The hardware board also allows the user to load a custom key in order to compare the power consumption.

And to think that there were people poopooing NSA for pulling cables and servers that Snowden had access to. More attack vectors for everybody!

The technology inside Apple’s $50 Thunderbolt cable

A source within the telecom industry explained to Ars that active cables are commonly used at data rates above 5Gbps. These cables contain tiny chips at either end that are calibrated to the attenuation and dispersion properties of the wire between them. Compensating for these properties "greatly improves the signal-to-noise ratio" for high-bandwidth data transmission.

Re:Reminiscent of other attacks

[AmiMoJo]

I'm skeptical of the Apple cable. It is low bandwidth, can't support uncompressed HDMI and there isn't any USB 3.0 support yet. The active part is probably just DRM.

Re:Reminiscent of other attacks

[cold+fjord]

In other words, you didn't bother to read it, didn't understand it, or you're trolling.

Re:Reminiscent of other attacks

unprecedented speed of the new Thunderbolt technology

Active copper QDR IB cables happily did 10Gb/s per lane over 10m distance in 2009.

Re:Reminiscent of other attacks

[etnoy]

Breaking DES with side-channel attacks

This lab will demonstrate how power analysis of cryptographic hardware can reveal the key. We will be using basic electronic measurement tools such as oscilloscopes to demonstrate this side-channel attack.

You will be using a small hardware board (fig. 1) with a generic microprocessor programmed to perform DES encryption and decryption. The scenario is that you are the attacker and want to find out the secret key stored inside the board. There is no way of getting to the key directly, so you will need to perform a side-channel attack by measuring the power consumption of the board while the algorithm is running. The hardware board also allows the user to load a custom key in order to compare the power consumption.

Hey, I'm the author of that lab instruction. How on earth did you find this humble little document? :)

Re:Reminiscent of other attacks

I guess you are thinking of the lightning cable, which has nothing to do with this. But why bother reading a post before responding anyway?

Mind

[koan]

Blown.

This is probably not a big deal

[DrJimbo]

What they are exploiting is that in naive implementations of RSA the amount of computer power needed during en/decryption varies with each binary digit in the key. If the digit is zero then no computation is done and if it is one that a tight loop is executed.

There have been other side channel attacks that exploit this weakness in naive implementations. The obvious fix is to slightly change the algorithm so the same computation is done whether the digit is a zero or a one. This reduces the efficiency by a factor of two but it makes these side channel attacks much more difficult.

In fact, the authors contacted GPG before publicly releasing this exploit and the fix is in place:

Q9 How vulnerable is GnuPG now?

We have disclosed our attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resisting our current key-extraction attack, were released concurrently with the first public posting of these results. Some of the effects we found (including RSA key distinguishability) remain present.

...

Q13: What countermeasures are available?

One obvious countermeasure is to use sound dampening equipment, [...]

Alternatively, one can employ algorithmic techniques to reduce the usefulness of the emanations to attacker. These techniques ensure the rough-scale behavior of the algorithm is independent of the inputs it receives; they usually carry some performance penalty, but are often already used to thwart other side-channel attacks. This is what we helped implement in GnuPG (see Q9).

TRS-80

[CohibaVancouver]

Back when I had my TRS-80 Model 1 you could 'listen' to the 1.77 MHz Z80 processor do its thing on any AM radio nearby. Now get off my lawn.

Re:Yeah right?

[amicusNYCL]

What sounds does a cpu make?

They describe that in the paper's summary.

Or better yet how does a CPU make sound?

They describe that in the first line of the paper's summary, and also in question 2 of the Q&A.

The clock speeds are in the GHZ range so it is so far outside of the sound range of any microphone it just is not funny.

They address that at the end of the first paragraph of the paper's summary, and also in question 8.

Throw in that all cpus today have more than one core you will have a more than one code stream executing at one time.

They address that in question 12.

Throw in the sound of the fans running to make picking up the sound just seem very unlikely.

Also in question 12.

Until it is duplicated I would really doubt it.

OK, thanks for the valuable feedback.

random comments

Despite all the random comments, this paper appears to have very solid grounding.

The attack they propose is a chosen-ciphertext attack where the computer is requested to decrypt a message encrypted by a public key which is sent by the attacker to the computer which is decrypting it with a private key using a known software library (GnuPG).

They note that it is possible to control the message so that two known paths are taken through the software depending on a specific intermediate computation and they were able to characterize different audible electromechanical oscillations in the power regulation circuitry of the CPU of when taking these two branches despite some safeguards in the library designed to prevent other side-channel attacks (e.g., timing and instruction cache occupancy).

Sorry, I can't believe this

This is one of those things I won't believe until I witness it with my own eyes. Even then I'll be skeptical.
My intuition tells me there's no way this can be true. I don't care who wrote this paper.
If it is true it's the most incredible thing I've ever read, and either proves or disproves there really is a God, I'm not sure which.

Re:Sorry, I can't believe this

[u38cg]

And this, boys and girls, is why we have SCIENCE.

Re:Yeah right?

It has been duplicated. This is not the first time sound has been used to crack crypto operations running. It's been done for decades to crack crypto machines and specialized chips, although I think this is the first time it's been published on as commonly used software as GnuPG.

It's in the class of side-channel timing attacks. Other published exploits in this class are leaks via network latency--where the attacker will systematically negotiate a ton of SSL connections and analyze timing--and via pre-emptive multitasking--where you can crack a key running on another process, or even another VM instance.

These attacks are so well known that most modern AES implementations, in both software and hardware, have been tweaked so they don't leak key material via timing vectors. Doing this for public-key cryptography is more difficult because of the extensive use of multiplication and division, and because you'd need to refactor the bignum libraries being used, which is pretty intrusive and might lead to other bugs.

Layman interpretation (generally)

[avoisin]

Ok, I'm impressed.

For those that didn't want to RTFA, this works by letting the target computer spin on a carefully chosen piece of text. That text is chosen such that the CPU will do some predictable math (such as big equations that == 0). Then, those places where the CPU hits 0 can be heard through a sensitive microphone.

The neat part is that you're not looking for a 4096-bit key. Computers don't actually handle things with that large of a size, they have to break it down into 32-bit/64-bit chunks to be able to do the math. That's the real vulnerability - despite the key length itself being massive, because the number gets broken down into small chunks, you can start to handle it. The paper goes through a very complicated way of sensing each section of a large key, and then piecing it all together. This is not a case of hearing a specific noise, and looking it up in a table. It's not even a case of looking up 32-bit chunks in a table.

So, it is a real attack, that is mostly dependent on the breakdown of the 4096bit key into bitesize chunks, that go through known math routines. If you can get the target to nicely decrypt several well-crafted messages for you, and you can get a good microphone near their CPU while they do it, and you can let this process go on long enough (so the attack program can listen to the CPU for a while to build up a profile, etc.), it really can work.

I'll say that it needs kind of an ideal scenario to get all those things lined up, but it's not impossible.

Preventing it fully is really only possible with two ways. Either switch your CPU to not use those bite-size chunks, and have the decryption take place all in one massive math operation (not realistic), or change the math that occurs on the bite-size chunks to be irregular in terms of any recognizable patterns (very realistic).

Re:Layman interpretation (generally)

[oldhack]

Yours is the most useful comment on this fascinating story. Since you RTFA (sucka), what is the source of the CPU noise? What are its characteristics (frequency range, dynamic range) such that it can cut through other noises to register onto an at-distance audio mic?

BTW, I would have thought it bunk but for the name Adi Shamir in the author list, you know, the S of RSA.

Re:Layman interpretation (generally)

[knapper_tech]

I was skeptical until I recalled how the encryption will pass through a loop or not at some order of magnitude frequency that can be picked up by the Mic. For any busy server with requests popping in and out at various intervals, there would be more noise from the multiple processes that might be doing encryption work or just varying workload (db's, web apps etc). This is noise on the same order as the encryption work in some cases. The web server or ssh server (using GPG but not encrypting communication?) will also be doing encryption with a different key and creating more noise. Of course both keys can be gotten in the case of key-key noise, but in a server room full of the things, it's just one more layer of variables.

What I don't get is that GPG's implementation is doing more or less work based the encryption routines being executed. Optimization always leads to saturation unless memory traffic is the culprit (can't optimize memory reads infinitely). Would read the paper, but oh look at the time.

Re:Layman interpretation (generally)

[slew]

Yours is the most useful comment on this fascinating story. Since you RTFA (sucka), what is the source of the CPU noise? What are its characteristics (frequency range, dynamic range) such that it can cut through other noises to register onto an at-distance audio mic?

BTW, I would have thought it bunk but for the name Adi Shamir in the author list, you know, the S of RSA.

The authors speculate that this is electro/magnetic-mechanical noise coming from the voltage regulators near the CPU (e.g., inductor "hum"). They note that it is hard to localize because the whole motherboard assembly is of course mechanically coupled together. The audio spectrum was characterized in a small range (35-39kHz) which is something that you can pick up with a standard microphone pickup. The dynamic range varied on different platforms, but in one case 0.5Hz separated the '0' and the '1' case.

Re:Layman interpretation (generally)

[Impy+the+Impiuos+Imp]

The data could be in there, and people are getting better and better at complex signal waveform analysis. Every month now we're seeing a new story about someone doing something along these lines with audio or radio or light.

I am convinced this is just the beginning. In a few years I expect to see a cell phone app that turns it into the audio quasi-radar in aliens.

Gentlemen, you have your mission.

Re:Layman interpretation (generally)

[avoisin]

Just to help expand on the noise source, it's coming from the change in current associated with the transistors, I'm not sure why the paper didn't mention that as clearly. For example, a transistor is going to be either on (value = 1) or off (value = 0). As you might guess, it takes more current to have a transistor in the on position! When there's billions of transistors, the amount of current for each transistor is pretty small. But if you get a bunch of them to line up all at once (lots of 1's or lots of 0's, as they mention), you start to get a measurable current change.

That's what's being heard. In points of the math algorithm, the current drawn by those 1's and 0's is changing, and it's changing in a repeatable way because of the math loops. That change in current draw is seen by the power supply, and pieces of the power supply end up making noise as a result, because the change in current draw is large enough for a long enough period of time.

An easy example you might recognize is a fluorescent light that's running on the 60Hz signal. If the light starts to die, you're starting to see varying amounts of current being drawn, which translate to a noise being heard. The CPU is doing exactly the same thing.

As far as the signal specs itself, the paper was looking up to ~300kHz, iirc. I don't remember the dynamic range, but because they were examining the frequency content and not just the overall signal power, it gets a lot easier to pick up on the tones.

in other words

[rewindustry]

rsa works by doing the same little set of manipulations over and over, masked downstream by a counter and/or how compressed your data is. this set of manipulations manifests as a (probably not very) musical note which repeats itself over and over in the cacophony every machine radiates, and unfortunately it is the constant repetition which gives the game away.

unfortunately it is the blindly repetitive nature of the operation which makes rsa even vagely feasible given the vast amounts of data we expect it to cover, and i would guess that any attempt to counter this kind of attack would only make the situation worse.

as far as i can guess this kind of attack should be feasible on any block cipher.

did we not know this was coming?

block cipher in counter mode DOES NOT EQUAL csprng.

quod, as has been, demonstrandum.

Re:in other words

[slew]

Actually, no.

This attack was made possible because of a specific optimization made in the GnuPG implementation. Because modular exponentiation of big numbers is time consuming, a general purpose optimization in question isn't always the fastest (specifically karatsuba multiplication technique) and branch is taken when the library heuristically thinks a naïve algorithm with some special case partial operand code would be faster. The branch is attacked by using a carefully chosen sequence of chosen ciphertexts to attack the branch that tickles the special-case code.

In contrast, most block ciphers do not have interior branches, but are repetitive data operations of substitution and permutation that would not exhibit this type of vulnerability (even more so with AES as there are specific CPU instructions that implement the inner loops of the algorithm making them highly resistant to side channel attacks like this).

And of course counter mode is not a csprng, but this has nothing to do with this. DRBGs, however can be based on block ciphers and they appear to be state of the art (unlike the well known backdoor-ed Dual-EC-DRBG).

Re:Yeah right?

[LWATCDR]

I did and it just doesn't make any sense.
Where does the sound come from? Their answer is this.
"The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to maintain a constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations. "
The variable power load would very based on the instructions but we are not really interested in the instructions we are interested in the data. Doing an instruction on any data should cause the same power draw so how do they extract the data?

Then you have answer 8
"Individual CPU operations are too fast for a microphone to pick up, but long operations (e.g., modular exponentiation in RSA) can create a characteristic acoustic spectral signature over many milliseconds, and these can be detected. In the chosen-ciphertext key extraction attack, we carefully craft the inputs to RSA decryption in order to maximize the dependence of the spectral signature on the secret key bits."
So it can only work with some keys?

For the multi core issue CPUs have a single VCC so you have no idea what core is doing want if it is even possible to extract the pattern since the claim it is the power draw on the voltage regulators that cause the sound.

The summary really does not answer the questions. The idea that the sound can extract the data violates the Nyquist–Shannon sampling theorem. There should be no way a multi khz audio signal can carry the data of the exection of data at over 1 Ghz. Even the statement that they extract the key over half an hour is just illogical. How much data can a modern PC encrypt with half an hour execution time?

Re:Daisy, Daisy..., and AC97

[Chemisor]

On every motherboard I've owned the onboard audio always picked up noise from unrelated CPU, or maybe GPU, activity. Moving the mouse, opening a menu, and just typing would create random clicks and buzzes from the speakers. And, naturally, there was the white noise, no doubt from the poor quality hardware. The only way I could get sound to work well is with a discrete sound card.

wrong

[rewindustry]

rsa is usually run on a simple counter, and this output is only then xor'ed with your data.

Solution:

[Tablizer]

Put toddlers around the office to drown out the CPU sound.

Re:Yeah right?

[amicusNYCL]

The variable power load would very based on the instructions but we are not really interested in the instructions we are interested in the data. Doing an instruction on any data should cause the same power draw so how do they extract the data?

There's an 8MB PDF linked from the summary that has your name all over it. Instead of asking questions like that and waiting for the answer and ignoring all of the work that they did in producing the paper, just read the paper and get the answers.

So it can only work with some keys?

It is a chosen-ciphertext attack, not a chosen-key attack.

The summary really does not answer the questions.

Yeah, no shit. The summary is not supposed to answer all of the question. You know what is supposed to answer the questions? The paper.

The idea that the sound can extract the data violates the Nyquist–Shannon sampling theorem.

Don't tell me, tell them. Review their paper, find the flaws in it, and tell them. That's what peer review is about.

I used to carry a transistor radio for debugging.

[Ungrounded+Lightning]

Back when I had my TRS-80 Model 1 you could 'listen' to the 1.77 MHz Z80 processor do its thing on any AM radio nearby. Now get off my lawn.

In those days I carried a transistor radio and used it for debugging - (on stuff substantially larger than a TRS-80). It gave subtle insights into how much time the machine was spending in different parts of algorithms. (The ear and its post-processing in the brain is really good at picking this stuff out.)

The rise of multitasking, with fine-grained time slices, ruined this approach by cutting up the signal of interest and mixing it with bits from other programs running "simultaneously". Then the march of Moore's Law and its variants nailed up the coffin by cutting the run time of most stuff of interest down to such short periods that even a bat couldn't get anything useful from their radio-to-accoustic signatures.

But modern cryptography involves deliberately long computations, on machines that are otherwise so fast that other tasks are mostly idle,. So the technique rises from the grave...

Good luck getting any usable information from me

My machines are far too loud. it would be almost completely white noise from fans/pumps/ and hdd's. This concept seems a bit far fetched and would need multiple sources of confirmation to even start considering it's possible to extract any useful crypto information this way.

Re:Yeah right?

The idea that the sound can extract the data violates the Nyquist–Shannon sampling theorem.

Only if you apply the theorem like that to a one shot recording of some signal. if you have a repeating signal, you can get much more data out of it even if under-sampled. This is regularly used by ADCs to measure signals orders of magnitude faster than their sampling rate, by having a repeating signal that is recorded many times.

there was an old lady

[rewindustry]

who swallowed a fly...

rsa is already busting it's square little heart trying to scramble your data, now you want another cipher to generate random noise to mask the regular patterns your initial cipher is making. what masks the patterns your new cipher produces - yet another cipher?

Re:there was an old lady

[Neil+Boekend]

Oh my god! It's cyphers all the way down!

Grid Computing?

[godel_56]

I run grid computing using the BOINC and World Community Grid, so my four cores are running flat out all the time.

Would this be enough to blind any software that was trying to listen to the noise your CPU makes? Sort of a CPU white noise generator?

Re:Grid Computing?

[Areyoukiddingme]

Only if you're willing to run BOINC etc. at the same priority level as GPG while it's working, and maybe not even then. In any case, the latest version of libcrypt has been patched to mitigate the vulnerability to the extent you don't really have to worry about it.

Not that you have to worry about it at all, since it only works while decrypting known data sent to you while listening to it with a nearby microphone. Avoid opening random encrypted emails from sources you don't recognize and don't let random strangers leave their cell phones next to your computer, and you're fine.

If you start getting a series of ostensibly junk files that have been encrypted with your public key, somebody is attacking you.

(Authors of Claws Email reader and other email readers that feature tight integration with GPG should probably blacklist the attack files and raise a warning if one or more of them appears.)

Re:Grid Computing?

[u38cg]

The point is not so much that this is a practical attack that oen should implement countermeasures against. The point is that an ideal cryptography system should be robust against such attacks (known plaintext, timing, etc) even in circumstances unlikely to arise in practice. Furthermore, other attacks may build on top of this.

Re:Yeah right?

>What sounds does a cpu make?

Obligatory (you knew it was comming): If a cpu falls in a forest, and no one hears it, does it make a sound?

OK, second try: If a cpu is decrypting in a forest ...

third try: If a cpu is decrypting in a forest and the NSA isn't listening ...

clock speed changes with the # of cores in use

[SuperBanana]

Well, if they're Intel turbo-boost processors, running more threads (and activating more cores) drops the frequency of all the cores. Fewer cores in use = higher core frequency.

Re:clock speed changes with the # of cores in use

[gl4ss]

but that doesn't really answer the question... ..how are the distinguishing between the "noises" from the core1 vs. core2 vs. core3.

all and all it sounds so whimsical some proof of concept actual practical doing of it would be nice(and what else could they get from the sounds of the cpu then...). .. and just with an android phone?? wtf? how are they hitting high enough sampling frequencies for it to be doable in the first place??

NSA Tempest fun fact

[RogueWarrior65]

Back in the 80s when personal computers began to appear on every desk, the NSA was spending a ton of money to shield every PC they had. So when they built their new main offices at Fort Meade, they decided it was cheaper to shield the entire building.

Easily beaten by applying mutations?

Sounds like this method relies on the encryption algorithm being known, possibly to the point of the exact instructions used in the encryption loop. If that's the case, then it can be easily beaten by generating a slightly mutated/modified version of the encryption algorithm (by adding superflous operations to it, that do not change the results and/or randomly replacing complex operations, like multiplications, by different number of additions, etc) periodically, at random intervals, and using that to encrypt the data streams. This would an additional variable - besides the encryption key itself - to the process, which in turn would prevent the encryption key itself being deduced by statistical means.

Solution

[ChrisMaple]

TFA did not mention the particular fix to the problem, so I'll speculate. They mentioned that zeros would cause a recognizable branch, so choices are: make the code non-branching, or make the timing of the branch for zero the same as not branching. Other possibilities include inserting pseudo-random delays in the code, processing sections of the message out of order (randomly), and interspersing decoding of bogus messages with the decoding of the real message.

Re:Solution

Yeah, because that will be efficient.

Re:Yeah right?

[viperidaenz]

Who cares what sound a CPU makes, what does the fox say?

Re:Yeah right?

Neither was Linus Pauling.

You can be a genius and a quack at the same time, as despite what you might think, they are not mutually exclusive.

Re:Yeah right?

[viperidaenz]

They're interested specifically in the instructions.
They inject crafted data in to GnuPG designed to hit various branches in the code. Listening for which branches get hit and which ones don't give them clues to figure out the encryption key.

TLDR description of the attack;

[complete+loony]

There's an if test in GnuPG's modulus implementation that is based on the size of the cypher text verses the size of the private key. So if you control the cypher text, you can cause one of two different outcomes from this comparison based on the next unknown bit of the private key.

In a loop with 2048 iterations, a decision is made from this intermediate value. Causing one of two different multiplication methods to be used for every iteration of this loop.

From listening to (probably) the noise of a capacitor in the CPU's power regulator you can hear the difference between these two code paths and extract one bit of the private key.

Meanwhile, in the archives...

http://it.slashdot.org/story/09/07/12/0259246/stealing-data-via-electrical-outlet
http://it.slashdot.org/story/09/03/26/1947246/laser-sniffing-captures-typed-keystrokes-from-50-100-feet
http://it.slashdot.org/story/09/03/12/2038213/researchers-sniff-keystrokes-from-thin-air-wires
http://hardware.slashdot.org/story/08/10/20/1248234/compromising-wired-keyboards
http://it.slashdot.org/story/08/05/01/0354211/nsa-releases-historical-documents-on-tempest
http://politics.slashdot.org/story/07/01/18/152205/deathblow-to-a-voting-machine
http://politics.slashdot.org/comments.pl?sid=217546&cid=17664882
http://it.slashdot.org/story/02/03/09/199242/crt-eavesdropping-optical-tempest
http://news.slashdot.org/story/01/11/26/2353252/generate-am-radio-broadcasts-with-your-monitor
http://yro.slashdot.org/story/01/01/16/139244/nsa-reveals-some-tempest-information
http://yro.slashdot.org/story/01/01/01/2310241/cryptome-posts-just-released-tempest-documents
http://yro.slashdot.org/story/99/11/08/093250/coming-to-a-desktop-near-you-tempest-capabilities
http://hardware.slashdot.org/story/99/08/21/1736251/making-music-with-cpu-activity
http://tech.slashdot.org/story/99/07/19/1324207/super-shielded-pc-cases

A non-Slashdotted link to the PDF.

[Ostracus]

http://www.slideshare.net/daniel_bilar/acoustic-20131218

A link that's not Slashdotted (yet).

Shazam

[Jack+Griffin]

Shazam does this to a certain extent. I can use Shazam in s busy store with lots of background noise, or in my car driving on the freeway with a lot of engine and road noise and it still easily picks up and recognises a song through the noise. If a home brew phone app can do that, It's not beyond the realms of imagination that the clever people can build something similar with a lot more smarts.

Re:Shazam

[gl4ss]

but it's more like deducting the brain activity of a fly based on the sound of the wingflaps.

Re:Yeah right?

[Rhyas]

I'm not sure I'd qualify that guy as a "peer" to review...

Re:Yeah right?

You, sir, are a moron.

anonymous

The first piece of music played on a computer was done that way on an Apple ][. The song it playes was _Daisy_.

Supposedly, HAL sings that song as he dies as a sort of racial memory.

Inappropriate use of RSA?

[Figj]

It would appear that this attack is only relevant to “dumb” systems that use RSA for bulk encryption/decryption. Properly designed systems (e.g. S/MIME) would always use a much more efficient symmetric (wrapping) key for “user-data” crypto and then RSA just to protect that tiny wrapping key. Similarly, RSA only needs to protect the small hash of a digital signature. In these systems, there is *no* bulk RSA decryption to listen in on!

Not practical in real life, but already fixed

[Cley+Faye]

From what I muster, it's far from exploitable in real-life scenario. Still impressive though, and this might broaden the way peoples see side-channel attacks on general computers, and not only on specific hardware.
Still, http://www.debian.org/security/2013/dsa-2821

HSM FTW?

For code signing at work, we got some Yubikeys. I imagine they are less vulnerable to this type of attack...

Sounds like an April fools BS story

...only we're not in April.

Cheap Obvious Joke

If a CPU hums in a forest and no one is around to hear it, does it make a sound?

Ubuntu Patched This Today!

[randallman]

Changelog:

Changes for the versions:
Installed version: 1.4.11-3ubuntu2.4
Available version: 1.4.11-3ubuntu2.5

Version 1.4.11-3ubuntu2.5:

    * SECURITY UPDATE: RSA Key Extraction via Low-Bandwidth Acoustic
        Cryptanalysis attack
        - debian/patches/CVE-2013-4576.dpatch: Use blinding for the RSA secret
            operation in cipher/random.*, cipher/rsa.c, g10/gpgv.c. Normalize the
            MPIs used as input to secret key functions in cipher/dsa.c,
            cipher/elgamal.c, cipher/rsa.c.
        - CVE-2013-4576

Just wow.

Re:Ubuntu Patched This Today!

So did Debian, but yesterday.

Re:Daisy, Daisy..., and AC97

[omnichad]

This is why you should always have your computer's volume set to 100% and to adjust speaker volume at the amplified speaker. And/or use a digital output.

A simple solution?

[Uncle+Warthog]

Since they're attacking using high frequency sound, maybe have the machine emit some random noise in the same spectrum using its sound hardware while encrypting or decrypting or performing key generation. Wouldn't something like that jam such an attack (at least from a distance; if someone got microphones into your hardware that might be a different story)?

Re:Yeah right?

[omnichad]

I wish I hadn't already commented, as I'd love to mod this a little higher.

Re:Yeah right?

[LWATCDR]

I get that and the length of time to extract the data all would seem to make this a very improbable method for a practical exploit.

Re:Yeah right?

[LWATCDR]

I did read the entire paper. Using the methods they used it does not seem to be a practical attack vector at all. In fact I would say that you would have to have detailed specific information of the computer being exploited. Not even just the model but the actual computer since things like the age of the caps will make a difference.
On a danger scale of 1 to 100 this is about a 1. I should have made it more clear that I was more suggesting that this is wildly impractical verses theoretically impossible. Frankly it might even work one week and not the next.

Re:Daisy, Daisy..., and AC97

I recall the first gen sound cards would play a lot of bus-noise until they worked out how to properly isolate the dirty power from the amplifier.

Too sophisticated

[phorm]

the speaker said using radio transmission to leak information was much too sophisticated to be a viable attack for anything but the government and military

Using most generally-available consumer equipment, it probably was. We've come a long way in terms of consumer tech though, especially in terms of miniaturization.

Re:Yeah right?

You assume there's just one Adi Shamir in the whole world? And even if that's true... there would not be any chance someone else would wrongly call themselves the name of a celebrity to get attention, right?

re

Its relevant to the ability of something taking audio sample at 8000 Hz being able to extract information that is being produced at rates that are order of magnitude greater.

Re:Yeah right?

[bob_super]

Right, because most people use all their other cores to run a nice convenient infinite loop of ADD instructions.
It doesn't make the attack easier, it "could" make the attack easier, under a particular and highly unrealistic scenario.

EIther a joke or disinformation ...

Lots of things in this article made me suspicious or sometimes laugh out loud. Here are just a few:
The article has not been published in a journal.
It uses up valuable article real-estate to include a content-free picture of a tree with 64, then 32, then 16, ...
Listing the parts numbers of the setup like it came from a Radio Shack catalog
Elaborate description of how to place said Austin Powers style Radio Shack microphone.
Then saying that equipment barely matters and that we can crack all your codes using a cell phone or laser microphone
Power analysis of the AC outlet also reveals this signal!
Hypothesizing that the attack could be carried out with an agent's "bare hands"
You must harden your systems using cork.
Vague details of how the algo reveals the key one bit at a time. I'm not an expert but I know enough to know that you can't verify that you have found the high order bits of the key without the low-order bits.

thank you

[rewindustry]

what you say makes sense, is much appreciated.