Removing 4096-bit RSA keys with a microphone

The famous cryptographer Adi Shamir (the letter “S” in the abbreviation RSA) and colleagues yesterday published a scientific paper entitled “Removing the RSA key by acoustic cryptanalysis with a low sampling rate” (RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis). The complex name hides an exceptionally accessible method for retrieving RSA keys (in the GnuPG implementation) using a regular mobile phone or microphone. Just put the phone 30 cm from the victim’s computer. If you use high-quality microphones, then you can remove the keys from a distance of up to 4 meters.

This is hard to believe, but several successful experiments have been carried out on extracting keys from different computer models, and software has been written that can be used by independent researchers to verify the results.

The work is a continuation of Adi Shamir’s famous 2004 presentation. Then he showed the theoretical ability to extract keys and demonstrated the difference in the sound picture when deciphering text with different RSA keys.
')
Now we managed to reach a fundamentally new level, for which we need to thank first of all the developer Lev Pakhmanov (Lev Pachmanov), who wrote a unique software for signal processing.

“Many computers make high-frequency sound during operation, due to vibrations in some electronic components,” explains Adi Shamir. “These acoustic emanations are more than an annoying squeak: they contain information about running software, including security-related calculations.” In 2004, Shamir proved that different RSA keys cause different sound patterns, but then it was not clear how to extract individual bits of keys. The main problem was that sound equipment is not capable of recording sound with a sufficiently high sampling rate: only 20 kHz for conventional microphones and no more than a few hundred kilohertz for ultrasonic microphones. This is many orders of magnitude less than the frequency of several gigahertz, on which modern computers operate.

Now, thanks to the aforementioned Pakhmanov, software has been created that extracts the full 4096-bit GnuPG keys from computers of various models after an hour of listening if the computer is decrypting. A successful demonstration of such an attack using a smartphone, which lay 30 cm from the computer, as well as an attack using directional microphones from a distance of up to 4 meters. Background noise, as well as the sounds of the fan, hard drive and other components usually do not interfere with the analysis, because they are emitted at low frequencies below 10 kHz and can be filtered, while the peaks of electronic components of interest are at higher frequencies. The use of multi-core processors facilitates attack. The sounds of computers with the same hardware configuration also do not interfere with each other, because computers differ in distance from the microphone, in temperature and other parameters.



Among the attack scenarios:

• Installing a special application in your smartphone and organizing a meeting with the victim, during a meeting placing the phone near his laptop.
• Hacking the victim's phone, installing a special program there and waiting until the phone is near the computer.
• Using a web page that can turn on the microphone through a browser (Flash or HTML Media Capture).
• Use of traditional bugs and laser microphones for a new work area.
• Sending your server to a hosting with a good microphone inside. Acoustic key extraction from all surrounding servers.
• Installing bugs in the vents of servers and workstations.

Reaching out readers who have not yet dropped their jaws, Adi Shamir adds: “In addition to acoustics, a similar attack can be carried out by measuring the electrical potential of a computer case. To do this, a suitably equipped attacker simply touch the conductive parts of the case with his bare hand or connect to the grounding contacts on the other end of the VGA, USB or Ethernet cable. " First you need to measure the potential of your own body relative to the ground potential in the room, touching a well-grounded object.

Six months ago, the developers of GnuPG received information about the vulnerability, as well as recommendations from Shamir for alleged protection against this kind of analysis. The versions of GnuPG 1.x and libgcrypt released today contain the necessary algorithmic modifications that make analysis difficult, but some effects still exist, in particular, various RSA keys still acoustically differ, says Shamir.

PS Maybe this is a coincidence, but two months ago, Adi Shamir was not given an entry visa to the United States when he was going to the History of Cryptology cryptographic conference, although Shamir was one of the founders of this conference and delivered an opening speech at its opening in 1981 Since then, all 32 years, tried not to miss a single meeting. Now the organization is sponsored by the NSA.