Published in: Journal of Cryptology 2/2017

08.02.2016

Acoustic Cryptanalysis

by: Daniel Genkin, Adi Shamir, Eran Tromer

Abstract

Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. These acoustic emanations are more than a nuisance: They can convey information about the software running on the computer and, in particular, leak sensitive information about security-related computations. In a preliminary presentation (Eurocrypt’04 rump session), we showed that different RSA keys induce different sound patterns, but it was not clear how to extract individual key bits. The main problem was the very low bandwidth of the acoustic side channel (under 20 kHz using common microphones, and a few hundred kHz using ultrasound microphones), several orders of magnitude below the GHz-scale clock rates of the attacked computers. In this paper, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate such attacks, using a plain mobile phone placed next to the computer, or a more sensitive microphone placed 10 meters away.

Footnotes

1. Above a few hundred kHz, sound propagation in the air has a very short range, due to nonlinear attenuation and distortion effects, such as viscosity, relaxation, and diffusion at the molecular level. The exact attenuation rates depend on frequency, air pressure, temperature, and humidity; see [9, 20]. Moreover, the size (and thus sensitivity) of membrane-based microphone transducers is limited by the acoustic wavelength.

2. High-end PC sound cards reach a 192 Ksample/sec rate and can be used instead.

3. Follow-up research [28, 29] observed similar signals from PCs on other channels: ground, power, and electromagnetic. The somewhat higher bandwidth of those channels allows for faster attacks.

4. The temperature change affected the capacitor’s mechanical properties, but also its electrical properties, which in turn change the dynamics of the circuit and affect other components. It is unclear which effect is observed.

5. For characterization of a new target computer, we suggest the following protocol. Run a simple, controlled computation pattern on the target (see Sect. 3.1). Try several sensitive microphones, of different frequency responses (see Sect. 2 and the “Appendix”). Observe a real-time spectrogram while placing the microphone in various positions around the target, focusing on vents and other holes in the chassis, pointing at the hole and in close proximity (e.g., 1 cm). Identify positions and frequency bands exhibiting distinct computation-dependent signals. Then, choose the microphone providing the best signal-to-noise ratio at these frequencies, and maximize the range subject to the constraints of the signal analysis and cryptanalytic processing.

6. For example, observing that an embassy has now decrypted a message using a rarely used key, heard before only in specific diplomatic circumstances, can be valuable.

7. Ironically, the latest GnuPG implementations use the side channel mitigation technique of always multiplying the intermediate results by the input, but this only helps our attack, since it doubles the number of multiplications and replaces their random timing with a repetitive pattern that is easier to record and analyze.

8. In this example, we kept the key fixed, to avoid key-dependent changes in the acoustic signature (see Sect. 4). The two bits shown are both in the most significant limb, and are thus handled similarly by the code and induce similar value-dependent leakage, as shown in Fig. 20.

9. The passphrase caching period is user-configurable. In the latest version (Enigmail 1.6), caching relies on GnuPG’s gpg-agent, which defaults to 10 min. Prior versions (e.g., Enigmail 1.5.2) cached the passphrase internally, by default for 5 min.

10. Recall that the Brüel&Kjær 4190 microphone capsule has a nominal range of up to 20 kHz, while we focus on the 30–40 kHz range.

11. Our heuristic approach sufficed for achieving reliable key extraction. Improvements may be possible using the algorithmic approach of template attacks [14, 18].

12. A simpler approach is to take a single Fourier transform over the recording of the whole decryption period, but this is too sensitive to the transient loud noises in a typical office environment—due to sheer magnitude, they can contribute more to the result than the faint signal of interest. The median, taken across many smaller time windows, rejects temporally local outliers and proved much more robust.

13. Another approach is to use the rdtsc instruction. However, while working correctly in single-core machines, the rdtsc instruction is problematic on some multi-core x86 machines since the instruction counters are not necessarily synchronized between cores, thus introducing noise into the measurement.

14. Brüel&Kjær also offers a 4191 microphone capsule that has a flat frequency response up to 40 kHz. However, while not having a flat frequency response, the 4190 capsule still has better sensitivity than the 4191 at 40 kHz.

15. The Brüel&Kjær 4939 1/4″ capsule can also be connected to the 2670 1/4″ preamplifier, eliminating the need for the UA0035 adapter. However, this preamplifier has a relatively high noise floor compared to the 2669 preamplifier, resulting in a lower signal-to-noise ratio.

16. Brüel&Kjær also offers the Nexus amplifiers, which also combine a built-in power supply. However, these amplifiers have a built-in 100 kHz low-pass filter that prevents the measurement of signals in the 100–350 kHz range (recall that these signals are already particularly weak due to poor performance of the 4939 capsule in these frequencies). Moreover, Nexus amplifiers have a noise density of 13.4 nV/√Hz, which is worse than the ZPUL-30P.
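Footnote 12 contrasts a single Fourier transform over the whole recording with the per-bin median of spectra taken over many short windows. The following script is an added example, not code from the paper or its authors: it builds a constructed recording (a faint steady tone in one DFT bin, weak background noise, and a few windows of loud broadband transients, all synthetic) and compares the two estimators by how prominently the tone's bin stands out over the other bins. The window length, bin indices, burst positions and the prominence metric are assumptions chosen for illustration.

```python
"""Median-of-windows spectrum vs. one long Fourier transform under transient noise.

Added illustration (not the paper's code). All input data is constructed:
a faint steady tone, weak background noise, and a few loud broadband bursts.
"""
import cmath
import math
import random

WINDOW = 64                      # samples per short analysis window (assumed)
N_WINDOWS = 128                  # 128 * 64 = 8192 samples, a power of two for the radix-2 FFT
TONE_BIN = 8                     # the faint steady signal occupies DFT bin 8 of each window
TONE_AMPLITUDE = 0.1             # faint: its per-window DFT magnitude is 0.1 * 64 / 2 = 3.2
NOISE_AMPLITUDE = 0.05           # weak background noise, uniform in [-0.05, 0.05]
BURST_AMPLITUDE = 100.0          # loud transient, uniform in [-100, 100], 1000x the tone
BURST_WINDOWS = {20, 21, 60, 95, 96}   # windows hit by a transient (assumed positions)


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def magnitude_spectrum(samples):
    return [abs(v) for v in fft(samples)]


def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else 0.5 * (s[n // 2 - 1] + s[n // 2])


def make_recording(seed=1):
    """Constructed recording: tone + noise everywhere, plus bursts in a few windows."""
    rng = random.Random(seed)
    samples = []
    for w in range(N_WINDOWS):
        for i in range(WINDOW):
            t = w * WINDOW + i
            v = TONE_AMPLITUDE * math.sin(2 * math.pi * TONE_BIN * t / WINDOW)
            v += rng.uniform(-NOISE_AMPLITUDE, NOISE_AMPLITUDE)
            if w in BURST_WINDOWS:
                v += rng.uniform(-BURST_AMPLITUDE, BURST_AMPLITUDE)
            samples.append(v)
    return samples


def single_transform_spectrum(samples):
    """Naive estimator: one transform over the whole recording."""
    return magnitude_spectrum(samples)


def median_window_spectrum(samples, window=WINDOW):
    """Robust estimator: per-bin median of the magnitude spectra of consecutive windows."""
    spectra = [magnitude_spectrum(samples[i:i + window])
               for i in range(0, len(samples) - window + 1, window)]
    return [median([s[k] for s in spectra]) for k in range(window)]


def peak_prominence(spectrum, signal_bin):
    """Magnitude at signal_bin divided by the median of the other non-DC bins below Nyquist."""
    half = len(spectrum) // 2
    others = [spectrum[k] for k in range(1, half) if k != signal_bin]
    return spectrum[signal_bin] / median(others)


def dominant_bin(spectrum):
    """Index of the largest non-DC bin below Nyquist."""
    half = len(spectrum) // 2
    return max(range(1, half), key=lambda k: spectrum[k])


def compare(seed=1):
    rec = make_recording(seed)
    # bin 8 of a 64-point window is bin 8 * 128 = 1024 of the 8192-point transform
    long_bin = TONE_BIN * (len(rec) // WINDOW)
    robust = median_window_spectrum(rec)
    return {
        "single_transform": peak_prominence(single_transform_spectrum(rec), long_bin),
        "median_of_windows": peak_prominence(robust, TONE_BIN),
        "median_dominant_bin": dominant_bin(robust),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

In the single long transform the five burst windows spread their energy over every bin, so the tone's bin is barely above the median of the rest (a prominence near 1) and is not reliably the largest bin. In the median-of-windows estimate, the bursts are a minority of the windows at every bin and are discarded by the median, leaving the tone's bin more than an order of magnitude above the others. The same per-bin median would also be the natural place to check, when characterising a machine as in footnote 5, whether a spectral line survives a change in the computation or disappears with it.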
 
References
1. D. Asonov, R. Agrawal, Keyboard acoustic emanations, in IEEE Symposium on Security and Privacy 2004 (IEEE Computer Society, 2004), pp. 3–11
2. D. Agrawal, B. Archambeault, J.R. Rao, P. Rohatgi, The EM side-channel(s), in Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2002 (Springer, 2002), pp. 29–45
3. R.J. Anderson, Security Engineering—A Guide to Building Dependable Distributed Systems (2nd ed.) (Wiley, 2008)
4. D. Brumley, D. Boneh, Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005)
5. E. Barker, W. Barker, W. Burr, W. Polk, M. Smid, NIST SP 800-57: Recommendation for Key Management—Part 1: General (2012)
6. M. Backes, M. Dürmuth, S. Gerling, M. Pinkal, C. Sporleder, Acoustic side-channel attacks on printers, in USENIX Security Symposium 2010 (USENIX Association, 2010), pp. 307–322
7. N. Borisov, I. Goldberg, D. Wagner, Intercepting mobile communications: the insecurity of 802.11, in International Conference on Mobile Computing and Networking MOBICOM 2011 (2001), pp. 180–189
8. A. Bittau, M. Handley, J. Lackey, The final nail in WEP’s coffin, in IEEE Symposium on Security and Privacy 2006 (IEEE Computer Society, 2006), pp. 386–400
9. H.E. Bass, R.G. Keeton, Ultrasonic absorption in air at elevated temperatures. J. Acoust. Soc. Am. 58(1), 110–112 (1975)
10. Brüel & Kjær, Technical Documentation—Microphone Handbook, vol. 1 (1996)
11. B.B. Brumley, N. Tuveri, Remote timing attacks are still practical, in ESORICS 2011 (Springer, 2011), pp. 355–371
12. Y. Berger, A. Wool, A. Yeredor, Dictionary attacks using keyboard acoustic emanations, in ACM Conference on Computer and Communications Security (ACM, 2006), pp. 245–254
13. J. Callas, L. Donnerhacke, H. Finney, D. Shaw, R. Thayer, OpenPGP message format. RFC 4880 (November 2007)
14. O. Choudary, M.G. Kuhn, Efficient template attacks, in Smart Card Research and Advanced Applications (CARDIS) 2013 (Springer, 2013), pp. 253–270
15. S.S. Clark, H.A. Mustafa, B. Ransford, J. Sorber, K. Fu, W. Xu, Current events: identifying webpages by tapping the electrical outlet, in ESORICS 2013 (Springer, 2013), pp. 700–717
17. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10(4), 233–260 (1997)
18. S. Chari, J.R. Rao, P. Rohatgi, Template attacks, in Cryptographic Hardware and Embedded Systems (CHES) 2002 (Springer, 2002), pp. 13–28
19. S.S. Clark, B. Ransford, A. Rahmati, S. Guineau, J. Sorber, W. Xu, K. Fu, WattsUpDoc: power side channels to nonintrusively discover untargeted malware on embedded medical devices, in USENIX Workshop on Health Information Technologies (HealthTech) 2013 (USENIX Association, 2013)
20. L.B. Evans, H.E. Bass, Tables of absorption and velocity of sound in still air at 68 °F, in Report WR72-2 (Wyle Laboratories, 1972)
21. T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
25. K. Gandolfi, C. Mourtel, F. Olivier, Electromagnetic analysis: concrete results, in Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2001 (Springer, 2001), pp. 251–261
28. D. Genkin, L. Pachmanov, I. Pipman, E. Tromer, Stealing keys from PCs using a radio: cheap electromagnetic attacks on windowed exponentiation, in Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2015. To appear. Extended version: Cryptology ePrint Archive, Report 2015/170 (2015), pp. 207–228
29. D. Genkin, I. Pipman, E. Tromer, Get your hands off my laptop: physical side-channel key-extraction attacks on PCs, in Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2014. See [30] for an extended version (Springer, 2014), pp. 242–260
30. D. Genkin, I. Pipman, E. Tromer, Get your hands off my laptop: physical side-channel key-extraction attacks on PCs (extended version). J. Cryptogr. Eng. 5(2), 95–112 (2015). Extended version of [29]
31. D. Genkin, A. Shamir, E. Tromer, RSA key extraction via low-bandwidth acoustic cryptanalysis, in CRYPTO 2014, vol. 1 (Springer, 2014), pp. 444–461
32. T. Halevi, N. Saxena, On pairing constrained wireless devices based on secrecy of auxiliary channels: the case of acoustic eavesdropping, in ACM Conference on Computer and Communications Security CCS 2010 (ACM, 2010), pp. 97–108
33. P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in CRYPTO 1999 (Springer, 1999), pp. 388–397
34. P. Kocher, J. Jaffe, B. Jun, P. Rohatgi, Introduction to differential power analysis. J. Cryptogr. Eng. 1(1), 5–27 (2011)
35. A. Karatsuba, Y. Ofman, Multiplication of many-digital numbers by automatic computers. Proc. USSR Acad. Sci. 145, 293–294 (1962)
36. P.C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, in CRYPTO 1996 (Springer, 1996), pp. 104–113
37. M. LeMay, J. Tan, Acoustic surveillance of physically unmodified PCs, in Security and Management 2006 (CSREA Press, 2006), pp. 328–334
38. X. Lurton, An Introduction to Underwater Acoustics: Principles and Applications. Geophysical Sciences Series (Springer, 2002)
40. P.L. Montgomery, Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)
41. S. Mangard, E. Oswald, T. Popp, Power Analysis Attacks—Revealing the Secrets of Smart Cards (Springer, 2007)
43. National Institute of Standards and Technology, FIPS 140-3: Draft Security Requirements for Cryptographic Modules (Revised Draft) (2009)
45. J.-J. Quisquater, D. Samyde, Electromagnetic analysis (EMA): measures and counter-measures for smart cards, in E-smart 2001 (2001), pp. 200–210
46. R.L. Rivest, A. Shamir, Efficient factoring based on partial information, in Eurocrypt 1985 (Springer, 1985), pp. 31–34
47. R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
49. D.X. Song, D. Wagner, X. Tian, Timing analysis of keystrokes and timing attacks on SSH, in USENIX Security Symposium 2001 (USENIX Association, 2001)
50. P. Wright, Spycatcher (Viking Penguin, 1987)
51. Y. Yarom, K. Falkner, FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack, in USENIX Security Symposium 2014 (USENIX Association, 2014), pp. 719–732
52. L. Zhuang, F. Zhou, J.D. Tygar, Keyboard acoustic emanations revisited, in ACM Conference on Computer and Communications Security (ACM, 2005), pp. 373–382
Metadata
Title: Acoustic Cryptanalysis
Authors: Daniel Genkin, Adi Shamir, Eran Tromer
Publication date: 08.02.2016
Publisher: Springer US
Published in: Journal of Cryptology, Issue 2/2017
Print ISSN: 0933-2790
Electronic ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-015-9224-2