Encryption Securing Mobile Money Transfers Can Be Broken

An anonymous reader writes: A group of researchers has proved that it is possible to break the encryption used by many mobile payment apps by simply measuring and analyzing the electromagnetic radiation emanating from smartphones. Modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation.

Not A Broken Encryption. Learn To Language.

This is *not* a broken encryption (which the idiotic title suggests). Encryption is an algorithm. It doesn't exist physically.
What is measured are side effects of the hardware at work. The hardware is broken then, but only if we assume it should be secure enough not to allow such measurements and analysis.

>by simply measuring and analyzing the electromagnetic radiation emanating from smartphones
This is not simple.
That way you can 'simply' crack passwords by 'simply' looking at the keyboard when it is typed in.

-- Ed

Re:Not A Broken Encryption. Learn To Language.

[kav2k]

While true that it doesn't break the encryption algorithm itself - such things are rare.

But one can argue it breaks an implementation of an algorithm. Which, arguably, doesn't "exist physically" either, it's still a bunch of bytes.

However, there are software countermeasures to some side channel attacks (like constant-time calculations), so question is whether such mitigation is possible here. Looking at the article - that's exactly what's lacking with some software.

Notable quote:
> The OpenSSL's developers notified us that "hardware side-channel attacks are not in OpenSSL's threat model"