Encryption Securing Mobile Money Transfers Can Be Broken

An anonymous reader writes: A group of researchers has proved that it is possible to break the encryption used by many mobile payment apps by simply measuring and analyzing the electromagnetic radiation emanating from smartphones. Modern cryptographic software on mobile phones, implementing the ECDSA digital signature algorithm, may inadvertently expose its secret keys through physical side channels: electromagnetic radiation and power consumption which fluctuate in a way that depends on secret information during the cryptographic computation.

Re:Not A Broken Encryption. Learn To Language.

[kav2k]

While true that it doesn't break the encryption algorithm itself - such things are rare.

But one can argue it breaks an implementation of an algorithm. Which, arguably, doesn't "exist physically" either, it's still a bunch of bytes.

However, there are software countermeasures to some side channel attacks (like constant-time calculations), so question is whether such mitigation is possible here. Looking at the article - that's exactly what's lacking with some software.

Notable quote:
> The OpenSSL's developers notified us that "hardware side-channel attacks are not in OpenSSL's threat model"