Abstract
We demonstrate physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels, based on the observation that the “ground” electric potential, in many computers, fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer’s chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables.
Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).
Keywords
- Side Channel
- Modular Exponentiation
- Probe Wire
- Decryption Operation
- Simple Power Analysis
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Genkin, D., Pipman, I., Tromer, E. (2014). Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks on PCs. In: Batina, L., Robshaw, M. (eds) Cryptographic Hardware and Embedded Systems – CHES 2014. CHES 2014. Lecture Notes in Computer Science, vol 8731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44709-3_14
DOI: https://doi.org/10.1007/978-3-662-44709-3_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44708-6
Online ISBN: 978-3-662-44709-3
eBook Packages: Computer Science (R0)