1 / 24

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Daniel Genkin , Adi Shamir, Eran Tromer. Mathematical Attacks. Crypto Algorithm. Input. Output. Key. Goal: recover the key given access to the inputs and outputs . Side Channel Attacks. Radiation. Heat. EM. Sound.

phyre
Télécharger la présentation

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, EranTromer

  2. Mathematical Attacks Crypto Algorithm Input Output Key Goal: recover the key given access to the inputs and outputs

  3. Side Channel Attacks Radiation Heat EM Sound Crypto Device Crypto Algorithm Key Key Input Output Bad Inputs Errors Key Timing Power Vibration Goal: recover the key given access to the inputs and outputs Goal: recover the key given access to the inputs, outputs and measurements Crypto Algorithm

  4. ENGULF [Peter Wright, pycatcher, p. 84] In 1956, a couple of Post Office engineers fixed a phone at the Egyptian embassy in London.

  5. ENGULF (cont.) “The combined MI5/GCHQ operation enabled us to read the Egyptian ciphers in the London Embassy throughout the Suez Crisis.”

  6. Acoustic cryptanalysis on modern CPUs

  7. Distinguishing various CPU operations

  8. Distinguishing various code lengths loops in different lengths of ADD instructions

  9. RSA decryption long operations that depend on the leakage of either will break security.

  10. RSA key distinguishability and here is the sound of the keys (after signal processing)

  11. Modular exponentiation This is a side channel countermeasure meant to protect

  12. Extracting (simplified) If then , thus . That is, has special structure. If then , thus . That is, is random looking. and we now multiply by causing the bit-dependent leakage. Assume we know and decrypt

  13. Extracting If then , thus . That is, has special structure. If then , thus . That is, is random looking. and we now multiply by causing the bit-dependent leakage. Assume we know and decrypt

  14. Extracting (problem) Multiplication is repeated 2048 times (0.5 sec of data) Single multiplication is way to fast for us to measure Assume we know and decrypt

  15. Acoustic leakage of key bits

  16. Results Key extraction is possible up to 4 meters away using a parabolic microphone

  17. Results Key extraction is possible up to 1 meter away without a parabolic microphone

  18. Results Key extraction is possible up to 30cmaway using a smartphone

  19. Karatsuba multiplication Based on the following identity for multiplication and runs in time If then has many 1-valued or 0-valued bits causing the result to have many 0-valued bits. If then is random-looking and so is the result.

  20. The recursion tree Number of 0-valued bits in the second operand is depends on the value of

  21. Basic multiplication If the algorithm does nothing! Repeated for a total of 8 times in this call and for a total of up to ~172,000 times!, allowing for the leakage to be detectable using low bandwidth means (such as sound).

  22. Countermeasures --- bad ideas! • Play loud music while decrypting (or other kind of noise) • Parallel software load

  23. Countermeasures (ciphertext randomization) Given a ciphertext: • Generate a random number and compute • Decrypt and obtain • Output Works since thus:

  24. Thank you!(questions?) http://www.cs.tau.ac.il/~tromer/acoustic

More Related