Story 5BPA Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation

Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation

by
Anonymous Coward
in security on (#5BPA)
http://www.cs.tau.ac.il/~tromer/radioexp/

"Overview

We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact and can operate untethered; it can be easily concealed, e.g., inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.

We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis."

#########################################

Cryptology ePrint Archive: Report 2015/170

http://eprint.iacr.org/2015/170

"Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation

Daniel Genkin and Lev Pachmanov and Itamar Pipman and Eran Tromer
Abstract: We present new side-channel attacks on RSA and ElGamal implementations that use the popular sliding-window or fixed-window (m-ary) modular exponentiation algorithms. The attacks can extract decryption keys using a very low measurement bandwidth (a frequency band of less than 100 kHz around a carrier under 2 MHz) even when attacking multi-GHz CPUs.

We demonstrate the attacks' feasibility by extracting keys from GnuPG, in a few seconds, using a nonintrusive measurement of electromagnetic emanations from laptop computers. The measurement equipment is cheap and compact, uses readily-available components (a Software Defined Radio USB dongle or a consumer-grade radio receiver), and can operate untethered while concealed, e.g., inside pita bread.

The attacks use a few non-adaptive chosen ciphertexts, crafted so that whenever the decryption routine encounters particular bit patterns in the secret key, intermediate values occur with a special structure that causes observable fluctuations in the electromagnetic field. Through suitable signal processing and cryptanalysis, the bit patterns and eventually the whole secret key are recovered.

Category / Keywords: side channel, electromagnetic analysis, RSA, ElGamal

Date: received 27 Feb 2015, last revised 3 Mar 2015

Contact author: tromer at cs tau ac il"

#########################################
EOF
Reply 6 comments

Fixed for GnuPG (Score: 1)

by seriously@pipedot.org on 2015-03-20 21:20 (#5BTV)

From the paper (page 5):
Current Status. Following the practice of responsible disclosure, we worked with the authors
of GnuPG to suggest several countermeasures and verify their effectiveness against our attacks
(see CVE-2014-3591 [MIT14]). GnuPG 1.4.19 and Libgcrypt 1.6.3, resilient to these attacks, were
released concurrently with the public announcement of the results presented in this paper.

Illumination will be found here (Score: 1)

by fnj@pipedot.org on 2015-03-21 12:06 (#5CXW)

Look here [Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation].

I am fully updated on arch and have the fix.

What makes this news? TEMPEST ANYONE (Score: 1)

by bsdguy@pipedot.org on 2015-03-23 02:31 (#5FZK)

I learned about doing this back in the Navy in the late 1970s. This is exactly why there are protocols over what electronics can be used when on a warship. Back in the 1980s it was possible to pick up random radiation to discover the position of a ship fairly far away, and if one had the right equipment even in those days keystrokes could be decoded based on the radiation from the keyboards and terminals.

So I have to say that those who do not read history are doomed to learn the lesson again.

bsdguy

Re: What makes this news? TEMPEST ANYONE (Score: 2, Informative)

by evilviper@pipedot.org on 2015-03-23 04:33 (#5G4F)

To tell you the truth "what makes this news" is the fact that it was in the queue, there hadn't been a story for a couple days, and I'm very busy at the moment...

Re: What makes this news? TEMPEST ANYONE (Score: 0)

by Anonymous Coward on 2015-03-23 16:02 (#5HZX)

It may be an old attack vector but it's certainly news to me that in this day and age this can still be done with such low-grade hardware.
Also that new versions of the affected libraries are available.

Re: What makes this news? TEMPEST ANYONE (Score: 1)

by seriously@pipedot.org on 2015-03-24 10:20 (#5KYS)

In this case, the attacker doesn't necessarily need you to touch the keyboard or anything. Their attack scenario is the following:

1. they send you an email with specific content and encrypted using your public key.
2. your email client fetches the email
3. the moment the client decrypts it (e.g. using Enigmail in Thunderbird), they can infer your private key just from the CPU's EM radiations.
4. Profit !!

Besides, their hardware is very small (as in "fits in a pocket") and quite cheap (as in less than 300$) compared to what (they claim) existed before.