[148514] in cryptography@c2.net mail archive
Re: [Cryptography] RSA Key Extraction via Low-Bandwidth Acoustic
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Wed Dec 18 21:26:10 2013
X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CAMm+Lwh5ZSS2ZqeFZEQyvYtNCUS=9wd7=5Ov3cRseRikqhScLQ@mail.gmail.com>
Date: Wed, 18 Dec 2013 21:24:04 -0500
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Alexandre Anzala-Yamajako <anzalaya@gmail.com>,
Tamzen Cannoy <tamzen@cannoy.org>, Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Dec 18, 2013, at 7:50 PM, Phillip Hallam-Baker wrote:
> As a student I was fortunate enough to attend one of Adi Shamir's lectures at the University of Waterloo where he talked specifically about this problem. It stuck with me and I'm glad to see that an actual key recovery attack came out of it.
> Have you tried this out against openssl? How successful do you think it would be?
>
> I would expect it to work against any crypto code that has not been designed to avoid power or RF analysis....
I've only read a very small part of the paper, but ... this isn't true. In fact, the paper comments that the techniques used to block traditional RF and power attacks make the acoustic attacks *easier*. (The acoustic attacks, by their nature, operate in a very much lower frequency band than traditional attacks. A side-effect of the traditional defenses is to tamp down the irrelevant low-frequency stuff while not stopping the low-frequency information they actually need.)

They specifically attack a version of PGP which has counter-measures to the traditional attacks in place. Based on their results, later versions of PGP are immune.

The attack is a chosen-ciphertext attack against RSA that causes the multiplications to hit some repetitive patterns. It's likely to work, with perhaps some modifications, against any implementation that isn't hardened in specific ways to protect itself.

The paper is 50+ pages long and will take some time to absorb. But Adi Shamir has come through again. Where would we be without him?

-- Jerry
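The message above says only that the attack is a chosen-ciphertext attack that drives the RSA multiplications into repetitive patterns, and that implementations survive it only if they are "hardened in specific ways". The following is an added illustration, not code from the paper, from Jerry, or from any PGP/GnuPG release: a toy RSA-CRT decryption that records every operand pair handed to the modular multiplier, first with the ciphertext fed straight into the exponentiation and then with base blinding (multiply the ciphertext by r^e for a fresh random r, exponentiate, strip r), which is the hardening assumed here as one standard countermeasure. The key parameters and the message are constructed and far too small for real use. With no blinding, the operand sequence is a deterministic function of the ciphertext, so a ciphertext congruent to -1 modulo both primes collapses every intermediate value to 1 or p-1 (q-1 on the other side); with blinding, the same ciphertext produces a different, unpredictable operand sequence on every call while the recovered plaintext is unchanged.

```python
import math
import random

# Constructed toy RSA parameters: deliberately tiny so the arithmetic is
# easy to inspect. Real keys are 2048 bits or more.
P = 1000003
Q = 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+ pow)
DP, DQ = D % (P - 1), D % (Q - 1)     # CRT exponents
QINV = pow(Q, -1, P)                  # Garner recombination constant


def modexp_traced(base, exp, mod, trace):
    """Left-to-right square-and-multiply. Every operand pair handed to the
    modular multiplier is appended to `trace`: it is these operand values,
    not the key bits alone, that a data-dependent side channel can expose."""
    result = 1
    for bit in bin(exp)[2:]:
        trace.append((result, result))       # squaring step
        result = result * result % mod
        if bit == "1":
            trace.append((result, base))     # multiply step
            result = result * base % mod
    return result


def encrypt(m):
    return pow(m, E, N)


def crt_decrypt(c, trace):
    """Textbook RSA-CRT: exponentiate modulo each prime, then recombine."""
    mp = modexp_traced(c % P, DP, P, trace)
    mq = modexp_traced(c % Q, DQ, Q, trace)
    h = QINV * (mp - mq) % P
    return mq + h * Q


def decrypt_unblinded(c):
    """Operands depend only on c, so whoever chooses c steers them directly."""
    trace = []
    return crt_decrypt(c, trace), trace


def decrypt_blinded(c, seed=None):
    """Base blinding: exponentiate r^e * c for a fresh random r, then remove r.
    The operands now depend on r, which is neither chosen nor observed by
    the party supplying c. `seed` exists only to make the example repeatable;
    production code must use the system CSPRNG (seed=None)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    trace = []
    m_blind = crt_decrypt(pow(r, E, N) * c % N, trace)
    return m_blind * pow(r, -1, N) % N, trace


def distinct_operand_values(trace):
    """How many different values the multiplier actually saw in one run."""
    return len({v for pair in trace for v in pair})


if __name__ == "__main__":
    m = 123456789                                   # constructed message
    c = encrypt(m)
    _, t_plain = decrypt_unblinded(c)
    _, t_blind = decrypt_blinded(c, seed=1)
    print("unblinded, chosen c = N-1 ->",
          distinct_operand_values(decrypt_unblinded(N - 1)[1]), "distinct operands")
    print("blinded,   chosen c = N-1 ->",
          distinct_operand_values(decrypt_blinded(N - 1, seed=1)[1]), "distinct operands")
```

The `trace` list stands in for whatever physical quantity leaks (acoustic, power or RF): the point is that without blinding the sequence is identical on every decryption of the same ciphertext, so repeated chosen queries give the observer a stable signal to average, whereas with blinding each decryption of the same ciphertext walks through different operand values.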
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography