You are not logged in.

#1 2014-01-03 12:20:04

Peterle
Member
Registered: 2013-03-10
Posts: 13

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Daniel Genkin - Technion and Tel Aviv University - danielg3@cs.technion.ac.il
Adi Shamir - Weizmann Institute of Science - adi.shamir@weizmann.ac.il
Eran Tromer - Tel Aviv University - tromer@cs.tau.ac.il
assisted by Lev Pachmanov and numerous others


December 18, 2013 

Abstract

Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.

In a preliminary presentation (Eurocrypt’04 rump session), we have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was that the acoustic side channel has a very low bandwidth (under 20kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers.

In this paper we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.

We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. 

Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables. 

source:
http://www.cs.tau.ac.il/~tromer/acoustic/
http://lists.gnupg.org/pipermail/gnupg- … 00337.html

Offline

#2 2014-01-03 13:17:18

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449
Website

Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Very interesting.  But why is this posted here?  Is there a question, or are you trying to use the forums as a blog?

edit: tone is lost in text and I'm worried my comment might sound sarcastic - it is not.  This is very interesting, but I'm just not sure it's appropriately placed here.

Last edited by Trilby (2014-01-03 13:19:37)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2014-01-03 13:26:50

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

This is a 10 year old experiment that for some reason have resurfaced, and half the press world is reposting as if it was something new and exiting. If you want something really new and exiting, then watch defcon 21 and 30c3 videos.


Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest

Offline

#4 2014-01-03 13:34:20

Peterle
Member
Registered: 2013-03-10
Posts: 13

Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

This section is called -Networking, Server, and Protection-  and this information is coherent with this field of interest, IMHO.

The news is that this affected one branch of the gnupg package, so they released a new version:

[Announce] [security fix] GnuPG 1.4.16 released
Werner Koch wk at gnupg.org
Wed Dec 18 15:05:38 CET 2013


Q9: How vulnerable is GnuPG now?
We have disclosed our attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resistant to our current key-extraction attack, were released concurrently with the first public posting of these results. Some of the effects we found (including RSA key distinguishability) remain present.

Last edited by Peterle (2014-01-03 13:43:11)

Offline

#5 2014-01-03 14:02:28

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Probably worth mentioning here that Arch uses gnupg 2.x, and is therefore not affected by any of this.

Offline

#6 2014-01-03 15:39:45

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,740

Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Moving to GNU/Linux discussion


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#7 2014-01-03 15:47:09

Peterle
Member
Registered: 2013-03-10
Posts: 13

Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Please correct me if I'm wrong, but I've understood that the sentence ' Some of the effects we found (including RSA key distinguishability) remain present.' , was referred  to the entire previous sentence, which include the gnupg2:

"New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resistant to our current key-extraction attack , were released concurrently with the first public posting of these results. Some of the effects we found (including RSA key  distinguishability) remain present."

So, they didn't mention the first attack as solved,  the 'RSA key distinguishability' part, but only the 'key-extraction' part.




Those effects are related to the 'first attack':


Impact of the security problem
==============================

CVE-2013-4576 has been assigned to this security bug.

The paper describes two attacks.  The first attack allows to distinguish
keys: An attacker is able to notice which key is currently used for
decryption.  This is in general not a problem but may be used to reveal
the information that a message, encrypted to a commonly not used key,
has been received by the targeted machine.  We do not have a software
solution to mitigate this attack.

The second attack is more serious.


In conclusion:
even if this part might be quite annoying or too forensic-centric  (sorry), I haven't properly understood whether the gnupg2 is actually affected or not by the first attack (RSA key distinguishability).

Eventually,  they said: 
'we do not have a software solution to mitigate this attack' (and 'this' refears to the first attack),
not 'for this version we do not have a solution to mitigate this attack'.

Offline

Board footer

Powered by FluxBB