rsa key extraction via low-bandwidth acoustic cryptanalysis
DESCRIPTION
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Daniel Genkin , Adi Shamir, Eran Tromer. Mathematical Attacks. Crypto Algorithm. Input. Output. Key. Goal: recover the key given access to the inputs and outputs . Side Channel Attacks. Radiation. Heat. EM. Sound. - PowerPoint PPT PresentationTRANSCRIPT
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
Daniel Genkin, Adi Shamir, Eran Tromer
Mathematical Attacks
Input OutputCrypto Algorithm
Key
Goal: recover the key given access to the inputs and outputs
Side Channel Attacks
PowerVibrati
onTiming
SoundHeatEM
Input Output
Radiation
Crypto Algorithm
KeyBad Inputs Errors
Goal: recover the key given access to the inputs, outputs and measurementsGoal: recover the key given access to the inputs and outputs
Crypto Device
Key
ENGULF [Peter Wright, pycatcher, p. 84]
In 1956, a couple of Post Office engineers fixed a phone at the Egyptian embassy in London.
ENGULF (cont.)
“The combined MI5/GCHQ operation enabled us to read the Egyptian ciphers in the London Embassy throughout the Suez Crisis.”
Acoustic cryptanalysis on modern CPUs
Distinguishing various CPU operations
Distinguishing various code lengths
loops in different lengths of ADD instructions
RSA decryption
long operations that depend on the leakage of either will break security.
RSA key distinguishability
and here is the sound of the keys (after signal processing)
Modular exponentiation
m=𝑐𝑑𝑛⋯𝑑𝑖𝑚𝑜𝑑𝑞m=𝑐𝑑𝑛⋯𝑑𝑖0𝑚𝑜𝑑𝑞
𝑡=𝑐𝑑𝑛⋯𝑑𝑖1𝑚𝑜𝑑𝑞m=𝑐𝑑𝑛⋯𝑑𝑖− 1𝑚𝑜𝑑𝑞
This is a side channel countermeasure meant to protect
Extracting (simplified)
𝑐 𝑖= 𝑞2048⋯𝑞𝑖+101⋯ 1
If then , thus . That is, has special structure.
If then , thus .That is, is random looking.
and we now multiply by causing the bit-dependent leakage.
Assume we know and decrypt
Extracting
𝑐 𝑖= 𝑞2048⋯𝑞𝑖+101⋯ 1+𝑛
If then , thus . That is, has special structure.
If then, thus .That is, is random looking.
and we now multiply by causing the bit-dependent leakage.
Assume we know and decrypt
Extracting (problem)
Single multiplication is way to fast for us to measure
Assume we know and decrypt
Multiplication is repeated 2048 times (0.5 sec of data)
Acoustic leakage of key bits
ResultsKey extraction is possible up to 4 meters away using
a parabolic microphone
ResultsKey extraction is possible up to 1 meter away without
a parabolic microphone
ResultsKey extraction is possible up to 30cm away using a
smartphone
Karatsuba multiplicationBased on the following identity for multiplication and runs in time
If then has many 1-valued or 0-valued bits causing the result to have many 0-valued bits.
If then is random-looking and so is the result.
The recursion tree
Number of 0-valued bits in the second operand is depends on the value of
Basic multiplication
If the algorithm does nothing!
Repeated for a total of 8 times in this call and for a total of up to ~172,000 times!, allowing for the leakage to be detectable using low bandwidth means (such as sound).
1. Play loud music while decrypting (or other kind of noise)
2. Parallel software load
Countermeasures --- bad ideas!
Given a ciphertext :1. Generate a random number and compute 2. Decrypt and obtain 3. Output
Works since thus:
Countermeasures (ciphertext randomization)
Thank you!(questions?)
:// . . . . /~http www cs tau ac il/tromer acoustic