Slashdot Mirror
Stealing Keys From a Laptop In Another Room — and Offline
Motherboard carries a report that with equipment valued at about $3,000, a group of Israeli researchers have been able to extract cryptographic keys from a laptop that is not only separated by a physical wall, but protected by an air gap. This, they say, "is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC." From the article:
The method is a so-called side-channel attack: an attack that doesn't tackle an encryption implementation head on, such as through brute force or by exploiting a weakness in the underlying algorithm, but through some other means. In this case, the attack relies on the electromagnetic outputs of the laptop that are emitted during the decryption process, which can then be used to work out the target's key.
Specifically, the researchers obtained the private key from a laptop running GnuPG, a popular implementation of OpenPGP. (The developers of GnuPG have since released countermeasures to the method. Tromer said that the changes make GnuPG âoemore resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.â)
This is why our government uses the "Tempest" certification on buildings, categorizing whether information can be stolen from electromagnetic emanations within neighboring wall, room, just outside the building, etc.
It's called Van Eck phreaking, and it's one of the many modern day forms of wizardry. Essentially different components of your computer communicate via high frequency electric currents. These currents broadcast corresponding EM waves somewhere in the radio spectrum, and you decode the corresponding frequency components into your own information, which if you know what monitor they're using, for instance, you can catch the signal from their wires and reproduce their monitor image on your screen.
When performing different operations, computers emit different EM signals. EM antennae and post-processing software have become sufficiently fast and accurate that if you know the source code of an encryption algorithm, you can trace through the code non-intrusively, simply by watching for patterns in the emitted EM radiation. As it happens, GnuPG's EEC implementation performed different operations depending on the private key, so you can reconstruct the private key. GnuPG's developers addressed this by changing the implementation to try to ensure that the same sequence of operations will always get executed, regardless of the key. This is similar to how cryptographic string comparisons always compare all characters in a string and don't stop when they encounter the first difference, as normal string comparisons do.
Its more than just cases, you have to "clean" every cable connected to the machine as well. If the laptop had been connected to power, the researcher's job would have been much easier.
I currently have 300 processes running on my laptop, more on my server. I really wonder how they can filter out the noise of 299 of them to find out the electromagnetic noise of the PGP process (which lasts for only a split second) and THEN exploit that. It's one thing to get the Van Eck of an analog signal of a monitor (two very regular frequencies), another one entirely to get this of an 8 core CPU which uses variable frequencies depending on load.
Non-Linux Penguins ?
Absolutely. Someone thinking about the possibility of something happening and someone implementing it are equivalent.
Because even if you have 300 processes running, the 299 could be ignored because of their "cpu fingerprint".
They do not occupy one CPU to the max, most processes running on a computer do just a bit more than nothing.
I have the uncanny feeling that GnuPG is not parallalized at all.
A crypto application however runs - if it's not parallelized - on one CPU-Core 100% for a depending on the processing power of the machine certain amount of time.
(In crypto does not like timing sidechannel attacks)
I guess, without having read the article, this specific burst of activity is where a crypto "broadcast" can be identified by.
When I would attack a webservers private key using this tactic, I would just initiate a https connection and send certain data and than would see the what the spectrum says, I would then repeat it .. and I recognize patterns, and a again and again and again, till I have gathered enough data.
However I think your point hints at a possible counter measure, having similar fingerprints also similarly timed it would interfere with the "broadcast".
Tromer said that the changes make GnuPG Ãoemore resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.Ã
Hey, speaking of character encoding on Slashdot...
- or -
Hey, use the "Preview" button!
Bonus funny: that changed from a lowercase 'a' with a '^' to an uppercase 'A' with a '~' while posting.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
This is why I'll jest let out a big yawn when we finally discover faster-than-light travel.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
In the case of laptops, it would add so much weight to do it right, that it would render them unfit for purpose. The problem is that shielding doesn't completely nix the EM emissions, but it removes a percentage. The trouble with that is that if someone has a sufficiently good antenna and low-noise amplifier, even a tiny fraction of the original EM emission could give you away, so standard anti-EM foil isn't going to cut it. For now, it's better to try to design our software in such a way that it emits the same EM signature regardless of the cryptographic key used.
not only separated by a physical wall, but protected by an air gap
Normally you put the most surprising thing second. In this context a physical wall is an "air gap."
systemd is Roko's Basilisk.