A blog covering security and security technology.
« Tor User Identified by FBI | Main
December 19, 2013
This is neat:
Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.
Posted on December 19, 2013 at 6:29 AM• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
In other words, you can always find a covert channel with enough bandwidth to transmit an arbitrary number of keys, assuming you can get some sort of keylogger/keyfinder on the target. Scary.
Somehow I don't think there is any size key that would be immune to such attacks (and especially not less safe from other attacks).
Call me skeptical, but I think that this research paper is an April 1st joke ahead of its time - regradless of the big names who authored it.
I bet that nobody would be able to independently corroborate on the reported findings.
I don't know much about crypto stuff, but I do know a bit about passive electronic components and acoustic vibrations.
To correlate vibrations induces in ceramic capacitors and chip inductors by current pulses due to crypto operations in a power supply is science fiction:
1. There are fairly big electrolytic / polymer capacitors which provide current to spiked demand from the CPU et al. The ceramics / inductors demands are not that synchronized to CPU demands.
2. There are so many background operations in a PC due to OS operations , making it extremely difficult to discern CPU specific crypto ops.
3. The hard disk, graphic card and other parasitic will mask CPU-only current demands. The decoupling of the PDN (Power distribution Network) assigned to the CPU is not totally decoupled from the rest of the sub-systems.
4. A smartphone mic pickup? give me a break. You need very expensive audio pic-up to sense anything from a component vibration, and I even doubt that the parabolic contraption with the expensive mike there would pick anything from 2-4 mteres away.
I simply don'y buy this.
@ Jacog: I agree. This is just more FUD for influence, intimidation, and control. Someone wants to make you afraid so you will pay them for something to allay your fears (and be grateful).
To further my skepticism:
From an Engineering Note by Nippon Chemi-Con , one of the big names in capacitors:
----------------
When large high frequency ripple current acrosses multilayer ceramic capacitor , the capacitor can vibrate.The phenomenon occurs as the capacitor has natural vibration frequency due to the mechanical dimensions, resonates to the large high frequency ripple current.
To prevent the resonance, please select the capacitor or change the ripple current frequency.
For your information, we indicate the following resonance frequency to each chip size:
0805 : 900/1500/1800 KHz
1206: 600/1200/1600 KHz
----------------
Smaller chips, like 0603 and 0402 which are also commonly used in PS, have much higher resonance frequency.
Nobody will sense those ultrasound waves at the megahertz range with a smartphone. Just can't be done.
@Jacob:
If you had read the FAQ page, you would have learned that the authors did not measure Sound in the MHz-Range, but around 10 kHz, which is perfectly reasonable with a cell phone.
And if you google "laptop high pitch noise" you will find that a lot of laptops generate audible component vibrations.
Shamir -- of RSA repute is on the paper. If he says it's so, I believe it.
Like most side channel attacks, this requires that Alice persuade the target to decrypt a significant number of specially selected plaintexts.
Still, a neat bit of research.
The paper was also dated 2004, but never released due to the time it took for GnuPG to find a solution that worked. 9 years...
@Jacob @kashmarek
Funny how a lot of people often voice a knee-jerk "skeptical" reaction without actually reading the publication :)
That's not "skeptical", that's "believer" with a negative sign!
If one would care to read the paper, one would find that this is a timing attack, with a clever side channel (acoustic) to access the timing data. Rest assured, they don't magically "hear the bits flying along the bus". Read the paper, it's an interesting read.
Ubuntu Linux just put out a security patch to GNU Privacy Guard to address this attack. So I don't think it is FUD or an April Fool's joke.
Nine years.
Why so long? I find it hard to believe the developers of GnuPG would not be motivated to find a solution to this. Is there anyway to find out when they were notified? Is this a case where responsible disclosure succeeded after 9 years? Thats still a fail imo.
@John
According to Q16 in their FAQ, there's also a lot of improvements in the attack itself since 2004 (including full key extraction).
@arno
Ceramic caps, which is what the paper claims to sense (in addition ro inductors) vibrates at their natural frequency, which is in the MHz range. If they sense vibes at audible range, it is not from these components.
I don't doubt that there is a "laptop high pitch noise" - I myself was annoyed many times in the far past from the 15-18KHz noise emanating from CRT based equipment - but I doubt that this noise comes from the small SMD comps - maybe from some other large components, e.g connectors/sockets/ toroids or support structure like PCB etc.
@q - I never implied that they listen to the bits. However, for side-channel timing attack based on sound emanating from small caps/ inductors in the CPU PDN - I have my serious doubts.
By the way, this is very easy to test: take a ssd/flash based based computer, no fan operating for the duration of the test, stick a good mike inside, and see if you can hear at all any of the various OS operations. Run a heavy math routine - can you tell from the mike output when it stops? I bet you would not hear a thing.
Er.... 'Preliminary results were announced in the Eurocrypt 2004 rump session presentation titled "Acoustic cryptanalysis: on nosy people and noisy machines"'
@John "never released... nine years" does not sound accurate.
Seems to me that if this works, it should be easy to prevent by a multitasking processor running some heavy random calculations to compromise the pure calculation noise signals they claim they're receiving. There would be no way to separate the signal from the noise.
Reminds me of this 2011 newsbite:
http://www.theregister.co.uk/Print/2011/03/10/...
Glad my old solution I borrowed from govt still works. Should still work, anyway.
https://www.schneier.com/blog/archives/2010/10/predator_softwa.html#c470617
And for anyone interested in SCIF's, I just found this brand new paper about them with nice pictures and illustration.
@Jacob
I can hear my fanless SSD nettop making intermittent sounds in the quiet of the night, so much that I began to avoid leaving it on as it annoys me. Admittedly, I didn't think to try discerning what it's doing by its noise, but my built-in natural frequency analyzer is quite poor :)
@Keith
According to the paper, multitasking actually *helps* the capture by lowering the frequencies of the interesting signal, and they are able to distinguish spectral fingerprints of GPG vs. other apps.
Of course currently it's a "lab only" attack, but they get better...
First, peer review. I don't get too worked up when papers like this come I. I take it seriously but I don't get excited. How does Bruce put it? Be professionally paranoid.
Use crypto. Without it you're completely defenseless.
A big problem is system security. Know your hardware. Strip it down if you have to. Know your software. Open source is the only way to go.
Mobile phones are a complete wreck as far as security. I'm would love to get rid of mine. I'm actually happier without a mobile phone. That being said, these phones need to be locked down considerably.
What about the chips in the mobile phone that supposedly is doing the detecting and recording (or live analysis)? They make noise too. Doesn't that phone mic get confused by that also? And, where one has a computer, there are disk drives (internal & external), routers, sound cards & speaker systems, cable/DSL modems, printers, network switches, plus interruptable power supplies along with other phones (cell & otherwise) etc. That would be one hell of a cell phone with high quality mic to pick up and filter out all of that stray noise and still achieve the intended objective.
Doubtful...and probably worrisome only in select areas. FUD for all practical purposes.
The whole point IMO is simply that a usable side channel exists given chosen, iterative ciphertext. RSA blinding eliminates the side channel. GPG2 uses a library that implements RSA blinding. There are probably zero production installations of GPG1 that operate in the manner required by this paper to exploit the side channel. The vulnerability is academic. With nobody at risk, the term "FUD" doesn't exactly apply.
Belt, meet suspenders.
Having spent a lot of my life listening to computers, I'd say this is a plausible attack vector, though I am surprised that it proved computationally feasible.
Note that there are a lot of moving parts to using it successfully, including being able to get the victim to decrypt a suitable known plaintext while their system is being monitored.
The concept of using accoustic characteristics as a side channel attack is nothing new... What is intresting to me is the implementation and the work details...
There appears to be a bit of confusion of physical objects as transducers...
All physical solid physical objects will "vibrate in sympathy" with an applied stimulus either at the stimulus frequency or a harmonic or subharmonic or a combination there of.
Most objects also have self resonant modes where if subject to a step input they will vibrate at one or more of the objects natural frequencies (or harmonic, subharmonics or combinations there of).
If you analyse the actual vibration of an object you will often find a complex waveform which has components of both the stimulus wave form and the natural frequencies of the object.
Thus whilst the SRF of a chip cap may well be in the high KHz or MHz it will still produce a wave form representative of the stimulus, which may well amplitude modulate the SRF or other near resonant frequency.
Further large value surface mount capacitors have issues to do with series resistance and inductance. Most RF engineers with a few years under their belt have horror stories of capacitors looking like inductors and inductors looking like capacitors even at quite low frequencies (LF/HF) and it is quite normal to use two or three capacitors such as 10uF 100nF and 100pF in parellel on powers supply lines hard up against active components to try to resolve the Series inductor/resistance issues and the resonnce problems they cause.
But I've said all this befor when talking about the bidirectional behaviour of transducers and the well know "microphonics" effect of components that are not properly physicaly "damped" with wax / hot melt / other absorbers.
So, as I understand it, this is another attack where the power dissipation of the computer is taken as a side channel for computational effort. Power dissipation is now estimated from acoustic emissions from electronics that heats up when used.
The solution would be to level out power use over keys "complexity". Which seems to be the received wisdom.
I do not see why this is controversial?
@Clive Robinson,
You are talking about the "Natural Resonance Ferequency" and resonance. It's sufficient to realize that capacitors and inductors eminate harmonics in the accoustic range that can be analysed. I'd go further than that! Its not just descrete components that exhibit this effect. Tracelines on boards (multilayered boards) also show this phenomena. Traces and spaces also act as distributed capacitors, inductors, and radiating antennas... Perhaps its also more effective to analyze the whole spectrum in the attack scenario (and not just the accoustic one).Most objects also have self resonant modes...
@Craig: You have to keep in mind that the flip-side of "trust the math" is "DON'T trust the implementation". Mathematically the algorithms are still sound. The implementation, however, inadvertently leaks information. It's a weakness in the physical system that's being exploited here, not a weakness in the mathematics.
All you people who claim it's impossible for computers to emit any audible noise need to go try it... I've got one right here that emits such a loud noise it sounds like an ancient hard drive, and it has no hard drive... it's significantly louder than the fan... holding a straw up to your ear and moving the other end over the components helps you locate where it's all coming from too...
@herman: "Of course Bruce Schneier can read the key just by touching the computer. No equipment needed."
I sense a new T-shirt coming...
For quite a few years, I've been able to notice quite distinctive (and not very subtle) sounds associated with particular computations on notebook PCs. Roughly speaking, these are bursts of noise not altogether unlike white noise, or the modulation in high-speed telephone modems.
I don't notice these much recently, probably a combination of age-related hearing loss and using notebooks whose fans run constantly :/ So I don't remember exactly which actions were associated with the obnoxious sounds, but I recall that I inferred that is was likely related to the graphics processor.
Apart from finding the sounds a bit annoying -- partly because they reminded me of stupid TV programs and movies in which computers make a noise while they are "thinking" -- I didn't give them much thought.
First-class work on the part of these security researchers, and a caution to us all.
________________________________________
To those crying "FUD": it has happened over and over, that a laboratory attack has been refined to develop completely practical field attacks that work under typical conditions.
Discussing mechanical self-resonant frequencies of electronic components is not very helpful to understanding the problem.
Suppose that a capacitor or inductor undergoes a dimensional change -- however tiny! -- in response to changes in voltage or current. If the electrical stimulus is modulated at 1000 Hz, the surface of the component will also move at 1000 Hz, even if its self-resonant frequency many times greater than that.
The component is acting as an acoustic transducer, just like the cone or diaphragm of an audio loudspeaker. Of course, it's a very inefficient transducer ... but today's CPUs (even those intended for battery-powered operation) commonly sink 20+ amperes of supply current!
So it is to be expected that audio-frequency acoustic signals will be emitted, which are dependent on computation. The acoustic efficiency of the tiny transducers will increase with increasing frequency (because of "piston size," not self-resonant frequency), so with an ordinary microphone the best signals will be found in the highest octave (roughly 10 to 20 kHz).
Everyone remember reflecting lasers off windows? The beam was modulated by acoustics and, incredibly, could return with enough information to discern conversations taking place on the other side. Of course, there are limitations.
What next? I half expect to learn of someone reflecting lasers off windows to pick up keystrokes, whew...
How about a little jammer for your crypto sniffer? How big would an FSA have to be not to look like a decoy?
BTW, how does the smartphone screen out its own noises?
Or, put another way, how quiet does an observer have to be, in order not to over-contaminate the signal?
Easy fix -- run folding @ Home or other distributed computing app. With today's multi-core processors, they're not going to be able to tell the difference between the distributed computing and PGP.
This is no different than the old days (and still practiced today) of leaving a radio playing or white noise generator playing to keep eavesdroppers from listening in.
"Everyone remember reflecting lasers off windows? The beam was modulated by acoustics and, incredibly, could return with enough information to discern conversations taking place on the other side. Of course, there are limitations."
Limitations, which include some companies on the web who sell an item which when attached to a window, causes its own vibrations to nullify laser microphone attacks. I've seen them selling on at least one site, which can be found via Google, but I'm not posting the company name/site here for promotion.
@ Jacob
I smirked when I saw that. I figured it was either a typo (2014 instead of 2013) or the presentation was a draft scheduled for 2014. Ive seen many academic papers dated in the future for the latter reason. Knowing govt, more likely a typo than foresight. ;)
Impressive. Not that it is any real surprise. Some smart and competent people were bound to do this sooner or later. And yes, ceramic capacitors and non-encapsulated coils radiate AC signals pretty strongly. For ceramics, this is simply the Piezo-effect. For coils it is the individual loops acting as electro-magnets.
These effects are one reason why all well-designed switching regulators switch above the the human hearing range. The other is smaller components.
Looks like we need to think about power-neutral RSA implementations...
Bruce,
I happened to click the "side-channel attacks" tag on your blog and found that the key icon next to the URL (I'm using Firefox) turned into a warning sign. This doesn't happen for other tags (e.g. "RSA"). Can you look into it?
https://www.schneier.com/cgi-bin/mt/mt-search.cgi?tag=side-channel%20attacks
It looks like the warning is because there are images (of a pair of door keypads) on the page linked by http and not https.
@Alex:
"With today's multi-core processors, they're not going to be able to tell the difference between the distributed computing and PGP."
According to the linked web page, "Using multiple cores turns out to help the attack"
This story is nevertheless orders of magnitude more credible than that recent craziness with Dragos Ruiu and "BadBIOS," which also involves sound/audio/acoustics/etc.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
 |
| Subscribe |
    Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page Archives by Date2013JFMAMJJASOND Tags  |
| Latest Book |
 more books by Bruce Schneier |
Therefore, never use GnuPG on a networked machine, make sure you physically secure your device and as always, if you really care, you'll take the battery out your phone.