Daniel Genkin - Technion and Tel Aviv University - firstname.lastname@example.org
Adi Shamir - Weizmann Institute of Science - email@example.com
Eran Tromer - Tel Aviv University - firstname.lastname@example.org
assisted by Lev Pachmanov and numerous others
December 18, 2013
Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: they can convey information about the software running on the computer, and in particular leak sensitive information about security-related computations.
In a preliminary presentation (Eurocrypt’04 rump session), we have shown that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was that the acoustic side channel has a very low bandwidth (under 20kHz using common microphones, and a few hundred kHz using ultrasound microphones), many orders of magnitude below the GHz-scale clock rates of the attacked computers.
In this paper we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts.
We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.
Very interesting. But why is this posted here? Is there a question, or are you trying to use the forums as a blog?
edit: tone is lost in text and I'm worried my comment might sound sarcastic - it is not. This is very interesting, but I'm just not sure it's appropriately placed here.
Last edited by Trilby (2014-01-03 13:19:37)
This is a 10 year old experiment that for some reason have resurfaced, and half the press world is reposting as if it was something new and exiting. If you want something really new and exiting, then watch defcon 21 and 30c3 videos.
This section is called -Networking, Server, and Protection- and this information is coherent with this field of interest, IMHO.
The news is that this affected one branch of the gnupg package, so they released a new version:
[Announce] [security fix] GnuPG 1.4.16 released
Werner Koch wk at gnupg.org
Wed Dec 18 15:05:38 CET 2013
Q9: How vulnerable is GnuPG now?
We have disclosed our attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resistant to our current key-extraction attack, were released concurrently with the first public posting of these results. Some of the effects we found (including RSA key distinguishability) remain present.
Last edited by Peterle (2014-01-03 13:43:11)
Probably worth mentioning here that Arch uses gnupg 2.x, and is therefore not affected by any of this.
Moving to GNU/Linux discussion
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
You assume people are rational and influenced by evidence. You must not work with the public much. -- Trilby
How to Ask Questions the Smart Way
Please correct me if I'm wrong, but I've understood that the sentence ' Some of the effects we found (including RSA key distinguishability) remain present.' , was referred to the entire previous sentence, which include the gnupg2:
"New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resistant to our current key-extraction attack , were released concurrently with the first public posting of these results. Some of the effects we found (including RSA key distinguishability) remain present."
So, they didn't mention the first attack as solved, the 'RSA key distinguishability' part, but only the 'key-extraction' part.
Those effects are related to the 'first attack':
Impact of the security problem
CVE-2013-4576 has been assigned to this security bug.
The paper describes two attacks. The first attack allows to distinguish
keys: An attacker is able to notice which key is currently used for
decryption. This is in general not a problem but may be used to reveal
the information that a message, encrypted to a commonly not used key,
has been received by the targeted machine. We do not have a software
solution to mitigate this attack.
The second attack is more serious.
even if this part might be quite annoying or too forensic-centric (sorry), I haven't properly understood whether the gnupg2 is actually affected or not by the first attack (RSA key distinguishability).
Eventually, they said:
'we do not have a software solution to mitigate this attack' (and 'this' refears to the first attack),
not 'for this version we do not have a solution to mitigate this attack'.