bit-tech.net

Security keys leaked via touch, claim researchers

Security keys leaked via touch, claim researchers

Eran Tromer's team has demonstrated that it is possible to snag the private cryptographic keys from a computer simply by touching it with a damp hand - providing your body is connected to a signal analyser, of course.

Security researchers have discovered a novel method for obtaining the private keys used in cryptographic applications: simply touching a computer with their bare hand.

A team of researchers at Tel Aviv University, led by Eran Tromer, demonstrated the attacker earlier this week at a security conference in California ahead of their paper's formal presentation. According to MIT's Technology Review, the technique works through measuring fluctuations in the ground potential of a targeted computer to recreate the private cryptographic key used for decryption operations. The best way to measure the ground signal isn't exactly subtle: placing a wire against a metal part of the computer's chassis. More suitable for spy-craft is the discovery that a bare hand, preferably slightly clammy, can act as a go-between for the wire - allowing an attacker to casually lean against a system and potentially capture keys. It's also possible to use the ground connection on the far end of a USB, VGA or Ethernet cable, while Tromer even claims that wireless monitoring is possible, using sensitive signal analysers.

'Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing,' Tromer writes on his university webpage. 'Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).'

Tromer's team also addressed the use of electromagnetic field (EMF) emanations, a variant on the US military's classic TEMPEST technique, and extracting the cryptographic secrets by measuring the fluctuating power draw of a target system - a technique that works, he claims, 'even though PCs use complex switching power supplies, which partially decouple the power source from the CPU load, and moreover employ large capacitors, chokes, and shields for electromagnetic compatibility (EMC) compliance — all of which attenuate and disrupt the signals sought in traditional power analysis.'

For those concerned about their security, the fact that each of Tromer's attacks requires that the attacker is within a very short range of a target system - or the end-point of a connected cable - should be reassuring. Those wanting more details can read the extended paper (PDF warning.)

5 Comments

Discuss in the forums Reply
Cerberus90 21st August 2014, 13:02 Quote
I really don't understand how this works or how it could possibly work.

How does measuring a ground connection tell you what's going on, other than, "It's On" or "It's Off", or "Heavy usage" or "Light usage"?
Bungletron 21st August 2014, 13:35 Quote
Quote:
Originally Posted by Cerberus90
I really don't understand how this works or how it could possibly work.

How does measuring a ground connection tell you what's going on, other than, "It's On" or "It's Off", or "Heavy usage" or "Light usage"?

Kind of makes sense, the ground (in fact all terminals) will be noisy, that noise is caused by background interference. So it looks like interference emitted by the the logic part of the computer is interfering with the power circuitry then being leaked into the ground and contains useful information. While this interference is minuscule and negligible to power function it appears to be significant enough to be picked up and separated, an unfortunate side effect when you consider the two systems are isolated because conventionally one thinks isolation is most important so that the power circuitry does not interfere with the logic side since it is several orders of magnitude more powerful, this lot have looked at it the other way round, its ingenious really.

Thats why it would work on wireless frequencies emitted too. If you have the expertise and you know what you are looking for, you get a a very sensitive spectrograph and can filter off all the other noise, you reconstruct the useful data from any emission then apply cryptography to decrypt the information you need.
mi1ez 21st August 2014, 23:01 Quote
Quote:
Originally Posted by Bungletron
can filter off all the other noise

And here's where I see the downfall. If the PC was only processing crypto keys and wasn't running (for example) an OS, outputting any video/sound, listening for interrupts, and generally being a computer; this could be feasible.

IMHO
edzieba 22nd August 2014, 08:54 Quote
This is what's known as a Side Channel attack, specifically via power analysis. The novel part here is the connection via a squishy meatbag electrode rather than a metal clamp or probe.
Gareth Halfacree 22nd August 2014, 09:47 Quote
Quote:
Originally Posted by mi1ez
And here's where I see the downfall. If the PC was only processing crypto keys and wasn't running (for example) an OS, outputting any video/sound, listening for interrupts, and generally being a computer; this could be feasible.
Not sure what you mean by "this could be feasible:" the researchers have already done it.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums