Journal of Cryptographic Engineering, Volume 5, Issue 2, pp 95–112

Get your hands off my laptop: physical side-channel key-extraction attacks on PCs

Extended version
CHES 2014

Abstract

We demonstrate physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels, based on the observation that the “ground” electric potential, in many computers, fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer’s chassis with a plain wire, or even with a bare hand. The signal can also be measured on the ground shield at the remote end of Ethernet, USB and display cables. Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency (MF) signals (around 2 MHz), or one hour using Low Frequency (LF) signals (up to 40 kHz).

Keywords

Side channel attack; Power analysis; RSA; ElGamal


Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. Technion, Haifa, Israel
  2. Tel Aviv University, Tel Aviv, Israel
