
Emission Security



  1. Emission Security Kay Jr-Hui Jeng

  2. Emission Security (Emsec) • Refers to preventing a system from being attacked using compromising emanations

  3. How important is it • Military Organizations • Spent as much on it as on cryptography • Commercial World • The uptake of smartcards was materially set back in the last few years

  4. History of Emsec • “Crosstalk” between telephone wires (1914) • Field telephone wires using single-core insulated cable • Earth Leakage caused crosstalk including messages from enemy side. • The tempest attacks were not just feasible, but could be mounted with simple equipment (1985)

  5. History of Emsec (cont’d) • Smart cards • Broken by inserting transients, or glitches, in power or clock lines (1996). • Crypto keys used in smart cards could be recovered by appropriate processing of precise measurements of the current drawn by the card (1998).

  6. Common Emsec attacks • Most attacks are not those that exploit some unintended design feature of innocuous equipment, but those in which a custom-designed device is introduced by the attacker. • If information can be captured by a device, then no subsequent protective measures are likely to help very much.

  7. Emsec attack devices • Simple radio microphone • Radio transmitter & TV camera • Exotic device • A wooden replica of the Great Seal of the U.S. was presented to the U.S. ambassador in Moscow in 1946 • In 1952, it was discovered to contain a resonant cavity that acted as a microphone when illuminated by microwaves from outside the building, and retransmitted the conversations in the office.

  8. Emsec attack devices (cont’d) • Laser microphones • Work by shining a laser beam at a reflective surface in the room where the target conversation is taking place. • The sound waves modulate the reflected light, which can be picked up and decoded at a distance. • High-end devices • Used today by governments • Low-probability-of-intercept radio techniques

  9. Types of Emsec attack • Passive attacks • the opponent makes use of whatever electromagnetic signals are presented to him without any effort. • Electromagnetic eavesdropping • Active attacks • Disruptive electromagnetic attacks

  10. Passive attacks • Leakage through power and signal cables • Exploited for military purposes since 1914. • Conducted leakage of information can be largely suppressed by careful design of power supplies and signal cables.

  11. Passive attacks (cont’d) • Leakage through RF signals • An early IBM machine had a 1.5 MHz clock, and a radio tuned to this frequency emitted a loud whistle • Video display units emit a weak TV signal • A VHF/UHF radio signal, modulated with a distorted version of the image currently being displayed • LCD displays are also easy for the eavesdropper

  12. Active attacks • Tempest viruses • Nonstop • Glitching • Differential fault analysis • Combination attacks • Commercial exploitation

  13. Active attacks (cont’d) • Tempest viruses • Infect a target computer and transmit the secret data to a radio receiver hidden nearby. • Nonstop • Nonstop is the exploitation of RF emanations that are accidentally induced by nearby radio transmitters and other RF sources.

  14. Active attacks (cont’d) • Glitching • By changing power & clock signals attacker can step over jump instructions & force resets

  15. Active attacks (cont’d) • Differential fault analysis • $S = M^d \pmod{pq}$ • If the card returns a defective signature $S_p$ which is correct modulo $p$ but incorrect modulo $q$, then we have: • $p = \gcd(pq,\ S_p^e - M)$ → breaks the system

  16. Active attacks (cont’d) • Combination attacks • Use a combination of active and passive methods. • If the PIN was incorrect, the card would decrement a retry counter by writing to EEPROM. • The current consumed by the card rose as the circuitry charged up for the write. • The attacker could simply reset the card and try the next candidate PIN. • Commercial exploitation • SFX Entertainment monitors what customers are playing on their car radios by picking up the stray RF from the radio’s local oscillator.

  17. Emsec protection devices • Nonlinear junction detector • A device that can find hidden electronic equipment at close range. • Surveillance receiver • The better ones sweep the radio spectrum from 10 kHz to 3 GHz every few tens of seconds, and look for signals that can’t be explained as broadcast, police, air traffic control and so on.

  18. Emsec protection devices (cont’d) • Electromagnetic shielding • Double-pane windows to prevent laser microphones • Some facilities at military organizations are placed in completely shielded buildings or underground.

  19. Conclusion • Although originally a concern in the national intelligence community, Emsec is now a real issue for companies that build security products such as smart cards and cash machines.

  20. References • Ross Anderson, “Security Engineering”, pp. 305-320 • http://www.tpub.com/content/USMC/mcr3403b/css/mcr3403b_79.htm • http://isis.poly.edu/courses/cs996-management/Lectures/Transec-Emsec-Tempest.ppt
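
The differential fault analysis formula on slide 15, carried through as an added worked example (not part of the original presentation). The toy primes, the simulated fault and all function names are constructed for illustration; the block shows why a signature that is correct modulo p but wrong modulo q gives away p, and how verifying the signature before release withholds it.

```python
from math import gcd

# Constructed toy parameters, far too small for real use.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def sign_crt(m, fault_in_q=False):
    """RSA signature S = M^d mod p*q, computed in two halves (CRT).

    fault_in_q simulates a transient fault that corrupts only the
    mod-q half, so the result stays correct modulo p.
    """
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault_in_q:
        sq ^= 1                       # simulated single-bit fault
    # Garner recombination: result is sp mod P and sq mod Q.
    h = (pow(Q, -1, P) * (sp - sq)) % P
    return (sq + h * Q) % N


def exposed_factor(m, s):
    """Slide formula gcd(p*q, S^e - M).

    A valid signature gives gcd(N, 0) = N (nothing learned);
    a signature wrong only modulo q gives p.
    """
    return gcd(N, (pow(s, E, N) - m) % N)


def sign_checked(m, fault_in_q=False):
    """Countermeasure: verify with the public key before release."""
    s = sign_crt(m, fault_in_q)
    if pow(s, E, N) != m % N:
        raise RuntimeError("fault detected; signature withheld")
    return s


if __name__ == "__main__":
    m = 42
    print("valid signature :", exposed_factor(m, sign_crt(m)))
    print("faulty signature:", exposed_factor(m, sign_crt(m, True)))
```

The public-key check costs one extra exponentiation with the small exponent e, which is why it is a common guard on CRT signers.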
