RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Here is a fascinating use of acoustic analysis to extract the security key used to decrypt secured communications.

The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

The exploit makes use of the fact that the voltage regulation systems for the CPU in typical laptops emit high-pitched noises as the CPU carries out various operations. Individual CPU operations, which occur at GHz rates, are far too high in frequency to be captured by acoustic methods, but loops of operations that are iterated over and over again have specific signatures within the acoustic range. It is easy enough, for example, to look at the captured spectrum and tell that a given model of laptop is performing a floating point multiplication (FMUL) or a CPU SLEEP operation. The exploit feeds the target carefully chosen ciphertexts to decrypt; these take advantage of certain optimizations in the algorithm so that the acoustic signature reveals whether the specific key bit is a 1 or a 0.

In a nutshell, the key extraction attack relies on crafting chosen ciphertexts that cause numerical cancellations deep inside GnuPG’s modular exponentiation algorithm. This causes the special value zero to appear frequently in the innermost loop of the algorithm, where it affects control flow. A single iteration of that loop is much too fast for direct acoustic observation, but the effect is repeated and amplified over many thousands of iterations, resulting in a gross leakage effect that is discernible in the acoustic spectrum over hundreds of milliseconds.

The attack steps through the key iteratively, determining one bit at a time. A 4096-bit key can be determined in under an hour using the scenarios outlined in the paper. The paper also outlines some mitigation strategies. Ideally these are applied within the decryption algorithm itself, such as cipher randomization or cipher normalization, which would limit the attacker's ability to craft the ciphertext required to deliberately trigger a specific branch of the algorithm and so determine the value of the current bit, rather than trying to limit the acoustic capture of the noise signatures. Since the signatures are in the >10 kHz range, simply being in a noisy environment is not sufficient to mask out the noise needed to carry out the attack.
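The randomization mitigation mentioned above, sketched as an added example (not code from the paper, GnuPG or this post): it takes "cipher randomization" to mean standard RSA blinding, which is an assumption, and uses constructed toy primes and hypothetical function names. The `seen` lists record the value that actually enters the private-key exponentiation, which is what a chosen ciphertext needs to control.

```python
import math
import secrets

# Constructed toy key (far too small for real use): two Mersenne primes.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def decrypt_plain(c, seen=None):
    """Textbook decryption: the private-key exponentiation runs directly
    on the sender-supplied value c."""
    if seen is not None:
        seen.append(c % N)
    return pow(c, D, N)


def decrypt_blinded(c, seen=None):
    """Decryption with a fresh random blinding factor per call."""
    while True:
        r = secrets.randbelow(N - 2) + 2      # r in [2, N-1]
        if math.gcd(r, N) == 1:               # r must be invertible mod N
            break
    c_blind = (c * pow(r, E, N)) % N          # c' = c * r^e mod N
    if seen is not None:
        seen.append(c_blind)                  # only c' reaches the exponentiation
    m_blind = pow(c_blind, D, N)              # (c * r^e)^d = m * r mod N
    return (m_blind * pow(r, -1, N)) % N      # multiply by r^-1 to recover m


def demo():
    m = 0x5EC2E7                              # constructed sample message
    c = pow(m, E, N)
    plain_seen, blind_seen = [], []
    plain_result = decrypt_plain(c, plain_seen)
    blind_results = [decrypt_blinded(c, blind_seen) for _ in range(3)]
    return m, c, plain_result, blind_results, plain_seen, blind_seen


if __name__ == "__main__":
    m, c, plain_result, blind_results, plain_seen, blind_seen = demo()
    print("plain exponentiation input equals c:", plain_seen == [c])
    print("blinded inputs equal c:", [x == c for x in blind_seen])
    print("all decryptions correct:", all(x == m for x in [plain_result] + blind_results))
```

Both paths return the same plaintext, but in the blinded path the sender no longer decides which value the exponentiation loop operates on.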

The details of the cryptography algorithms used are beyond my understanding but it’s a fascinating use of acoustic analysis.

(via Metafilter)
