RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
description
Transcript of RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
![Page 1: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/1.jpg)
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
Daniel Genkin, Adi Shamir, Eran Tromer
![Page 2: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/2.jpg)
Mathematical Attacks
Input OutputCrypto Algorithm
Key
Goal: recover the key given access to the inputs and outputs
![Page 3: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/3.jpg)
Side Channel Attacks
PowerVibrati
onTiming
SoundHeatEM
Input Output
Radiation
Crypto Algorithm
KeyBad Inputs Errors
Goal: recover the key given access to the inputs, outputs and measurementsGoal: recover the key given access to the inputs and outputs
Crypto Device
Key
![Page 4: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/4.jpg)
ENGULF [Peter Wright, pycatcher, p. 84]
In 1956, a couple of Post Office engineers fixed a phone at the Egyptian embassy in London.
![Page 5: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/5.jpg)
ENGULF (cont.)
“The combined MI5/GCHQ operation enabled us to read the Egyptian ciphers in the London Embassy throughout the Suez Crisis.”
![Page 6: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/6.jpg)
Acoustic cryptanalysis on modern CPUs
![Page 7: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/7.jpg)
Distinguishing various CPU operations
![Page 8: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/8.jpg)
Distinguishing various code lengths
loops in different lengths of ADD instructions
![Page 9: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/9.jpg)
RSA decryption
long operations that depend on the leakage of either will break security.
![Page 10: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/10.jpg)
RSA key distinguishability
and here is the sound of the keys (after signal processing)
![Page 11: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/11.jpg)
Modular exponentiation
m=𝑐𝑑𝑛⋯𝑑𝑖𝑚𝑜𝑑𝑞m=𝑐𝑑𝑛⋯𝑑𝑖0𝑚𝑜𝑑𝑞
𝑡=𝑐𝑑𝑛⋯𝑑𝑖1𝑚𝑜𝑑𝑞m=𝑐𝑑𝑛⋯𝑑𝑖− 1𝑚𝑜𝑑𝑞
This is a side channel countermeasure meant to protect
![Page 12: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/12.jpg)
Extracting (simplified)
𝑐 𝑖= 𝑞2048⋯𝑞𝑖+101⋯ 1
If then , thus . That is, has special structure.
If then , thus .That is, is random looking.
and we now multiply by causing the bit-dependent leakage.
Assume we know and decrypt
![Page 13: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/13.jpg)
Extracting
𝑐 𝑖= 𝑞2048⋯𝑞𝑖+101⋯ 1+𝑛
If then , thus . That is, has special structure.
If then, thus .That is, is random looking.
and we now multiply by causing the bit-dependent leakage.
Assume we know and decrypt
![Page 14: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/14.jpg)
Extracting (problem)
Single multiplication is way to fast for us to measure
Assume we know and decrypt
Multiplication is repeated 2048 times (0.5 sec of data)
![Page 15: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/15.jpg)
Acoustic leakage of key bits
![Page 16: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/16.jpg)
ResultsKey extraction is possible up to 4 meters away using
a parabolic microphone
![Page 17: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/17.jpg)
ResultsKey extraction is possible up to 1 meter away without
a parabolic microphone
![Page 18: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/18.jpg)
ResultsKey extraction is possible up to 30cm away using a
smartphone
![Page 19: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/19.jpg)
Karatsuba multiplicationBased on the following identity for multiplication and runs in time
If then has many 1-valued or 0-valued bits causing the result to have many 0-valued bits.
If then is random-looking and so is the result.
![Page 20: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/20.jpg)
The recursion tree
Number of 0-valued bits in the second operand is depends on the value of
![Page 21: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/21.jpg)
Basic multiplication
If the algorithm does nothing!
Repeated for a total of 8 times in this call and for a total of up to ~172,000 times!, allowing for the leakage to be detectable using low bandwidth means (such as sound).
![Page 22: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/22.jpg)
1. Play loud music while decrypting (or other kind of noise)
2. Parallel software load
Countermeasures --- bad ideas!
![Page 23: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/23.jpg)
Given a ciphertext :1. Generate a random number and compute 2. Decrypt and obtain 3. Output
Works since thus:
Countermeasures (ciphertext randomization)
![Page 24: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader035.fdocuments.in/reader035/viewer/2022062410/56815f4a550346895dce2850/html5/thumbnails/24.jpg)
Thank you!(questions?)
:// . . . . /~http www cs tau ac il/tromer acoustic