[148513] in cryptography@c2.net mail archive
Re: [Cryptography] RSA Key Extraction via Low-Bandwidth Acoustic
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Wed Dec 18 21:07:48 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAHE9jN20aeUZ22wMt9Vspo19mOH4+HDY4hi61WtLXoX5utJwBg@mail.gmail.com>
Date: Wed, 18 Dec 2013 19:50:11 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Alexandre Anzala-Yamajako <anzalaya@gmail.com>
Cc: Tamzen Cannoy <tamzen@cannoy.org>, Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Wed, Dec 18, 2013 at 7:19 PM, Alexandre Anzala-Yamajako <anzalaya@gmail.com> wrote:
> As a student I was fortunate enough to attend one of Adi Shamir's lectures
> at the University of Waterloo where he talked specifically about this
> problem. It stuck with me and I'm glad to see that an actual key recovery
> attack came out of it.
> Have you tried this out against OpenSSL? How successful do you think it
> would be?
>
I would expect it to work against any crypto code that has not been
designed to avoid power or RF analysis.
Although the vector is acoustic here, the acoustic signal is effectively
parasitic to the electrical signals going through the wires. So any code
that does not have code-level protection against power analysis etc. is
going to be vulnerable to this attack (and vice versa).
Randomizing the process so that there is no correlation between each run
seems to be the best available defense right now. But check the Kocher
patents, RAMBUS paid a fair bit for them so they are probably keen on
getting a return on their investment.
Some high-end crypto devices have had acoustic shielding for quite a while.
It is not unusual to find that they are potted in some sort of epoxy gunk
inside. Nico Van Sommeren at n-Cipher was excited about acoustic as a side
channel at one point. I remember acoustic being raised as a possible vector
when Kocher published his power analysis paper in 1998 (possibly even by
Adi Shamir who was at MIT frequently while I was there).
What has changed here is that someone has found a way to exploit this
channel. We definitely need to check with the vendors to see if their
current products are vulnerable. But they should not have needed someone to
demonstrate the exploit before taking action.
--
Website: http://hallambaker.com/
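
Added example, not part of the original message: the reply recommends randomizing each run but names no specific technique, so RSA base blinding is assumed here as one common instance. The toy key, `private_op` and the trace lists are constructed for illustration; the trace records the operand that the secret-exponent computation sees, which is what an attacker correlates across runs.

```python
import math
import secrets

# Constructed toy key (two Mersenne primes); real keys are 2048+ bits.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def private_op(c, trace):
    """Secret-exponent computation. Its operand drives the data-dependent
    leakage, so we record it to compare what repeats across runs."""
    trace.append(c)
    return pow(c, D, N)


def decrypt_plain(c, trace):
    # Same ciphertext -> same operand every run: measurements can be averaged.
    return private_op(c, trace)


def decrypt_blinded(c, trace):
    # Pick a fresh random r invertible mod N for every call.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (c * pow(r, E, N)) % N        # c * r^e mod N
    m_blinded = private_op(blinded, trace)  # (c * r^e)^d = m * r mod N
    return (m_blinded * pow(r, -1, N)) % N  # strip r to recover m


def demo(runs=4):
    m = 0x48656C6C6F  # constructed sample plaintext
    c = pow(m, E, N)
    plain_trace, blind_trace = [], []
    for _ in range(runs):
        assert decrypt_plain(c, plain_trace) == m
        assert decrypt_blinded(c, blind_trace) == m
    return m, plain_trace, blind_trace


if __name__ == "__main__":
    _, plain, blind = demo()
    print("distinct operands, unblinded:", len(set(plain)))
    print("distinct operands, blinded:  ", len(set(blind)))
```

Blinding only decorrelates the operand between runs; leakage that depends on the exponent bits themselves still needs constant-time exponentiation or exponent randomization.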
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography