240 likes | 514 Views
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Daniel Genkin , Adi Shamir, Eran Tromer. Mathematical Attacks. Crypto Algorithm. Input. Output. Key. Goal: recover the key given access to the inputs and outputs . Side Channel Attacks. Radiation. Heat. EM. Sound.
E N D
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, EranTromer
Mathematical Attacks Crypto Algorithm Input Output Key Goal: recover the key given access to the inputs and outputs
Side Channel Attacks Radiation Heat EM Sound Crypto Device Crypto Algorithm Key Key Input Output Bad Inputs Errors Key Timing Power Vibration Goal: recover the key given access to the inputs and outputs Goal: recover the key given access to the inputs, outputs and measurements Crypto Algorithm
ENGULF [Peter Wright, pycatcher, p. 84] In 1956, a couple of Post Office engineers fixed a phone at the Egyptian embassy in London.
ENGULF (cont.) “The combined MI5/GCHQ operation enabled us to read the Egyptian ciphers in the London Embassy throughout the Suez Crisis.”
Distinguishing various code lengths loops in different lengths of ADD instructions
RSA decryption long operations that depend on the leakage of either will break security.
RSA key distinguishability and here is the sound of the keys (after signal processing)
Modular exponentiation This is a side channel countermeasure meant to protect
Extracting (simplified) If then , thus . That is, has special structure. If then , thus . That is, is random looking. and we now multiply by causing the bit-dependent leakage. Assume we know and decrypt
Extracting If then , thus . That is, has special structure. If then , thus . That is, is random looking. and we now multiply by causing the bit-dependent leakage. Assume we know and decrypt
Extracting (problem) Multiplication is repeated 2048 times (0.5 sec of data) Single multiplication is way to fast for us to measure Assume we know and decrypt
Results Key extraction is possible up to 4 meters away using a parabolic microphone
Results Key extraction is possible up to 1 meter away without a parabolic microphone
Results Key extraction is possible up to 30cmaway using a smartphone
Karatsuba multiplication Based on the following identity for multiplication and runs in time If then has many 1-valued or 0-valued bits causing the result to have many 0-valued bits. If then is random-looking and so is the result.
The recursion tree Number of 0-valued bits in the second operand is depends on the value of
Basic multiplication If the algorithm does nothing! Repeated for a total of 8 times in this call and for a total of up to ~172,000 times!, allowing for the leakage to be detectable using low bandwidth means (such as sound).
Countermeasures --- bad ideas! • Play loud music while decrypting (or other kind of noise) • Parallel software load
Countermeasures (ciphertext randomization) Given a ciphertext: • Generate a random number and compute • Decrypt and obtain • Output Works since thus:
Thank you!(questions?) http://www.cs.tau.ac.il/~tromer/acoustic