RSS Feed
 

Rambus shows off how to sniff crypto keys

IDF 2011: Cryptography Research demos side channel attacks

Sep 19, 2011 in Consoles, Desktop, Mobile, Security, Servers, Set Top, Software

by

Rambus LogoAt IDF, Rambus (NASDAQ:RMBS) was demonstrating the technology of their newest acquisition, Cryptography Research. Actually, they were not showing off what the tech could do, they were showing off what it could prevent, without spilling the secret sauce.

Cryptography Research (CR) does something that sounds simple, they guard against side channel attacks on crypto hardware. Side channel attacks are things that don’t go after the numbers themselves, but look at the hardware for related information like power use, emitted EM, and other things that are not often guarded against. The idea is that you don’t read the output of the algorithm, you read the process itself.

At IDF, CR was showing off how to snoop several devices, mostly smartphones running crypto algorithms, in real time. While it was an ideal setting, their demos showed off how effective a side channel attack can be when in the hands of a layman. With someone who knows what they are doing behind the same tools, if you are not protected, your keys can be extracted more easily than a script kiddie looking at a Sony product.

CR was showing off power monitoring, magnetic field, and other EM emissions snooping. The smartphones were grinding away at several crypto programs, and they were put in front of various sensors to show what could be sniffed. The demo was simplified for, well, demo purposes, but the same techniques hold for real world sniffing. In the field, it is just a bit trickier to figure out what to look at, but you do the same things in roughly the same way.

Rambus_CR_Power_sniff

Power monitoring of a smart phone

The CR guys were monitoring the power use while one type of algorithm was used. A 0 in the key has one set of functions used to encode/decode the data, and a 1 in the key uses a much more complex series of calculations. That is the complex way of saying a 0 does a little work, a 1 does a lot of work. A 0 draws little power, a 1 draws a lot. Can you read the key, or at least part of the key?

Rambus_CR_EM_Sniff

EM sniffing of keys works too

In this demo, you can’t actually see much because we held the device up to the antenna for the sake of the picture. You can see a little bit of the peaks, but the signal/noise ratio is so high that everything gets washed out. If you hold the phone back a ways, you can read the keys in a very similar way to the power sniffing above. Think about that for remote sniffing of keys, all you need is a directional antenna and a clear view of someone’s office……

Other types of attacks work the same way, you figure out what the algorithm is doing, and what the differences each bit or sub-section of the key produces. Then you just look for that, and if the devices is not protected, you simply read the keys off. In practice, it is a little harder than that, but if you know what you are doing, most cryptosystems can be shredded quite easily.

That brings us back to CR, and why Rambus bought them. CR provides countermeasures to this type of snooping, something you really need to do if you are in any way serious about security. Exactly how they protect you is kind of a secret sauce, so no answers here, but it does vary with each implementation. Some countermeasures are algorithmic, some are physical, and some are, well, secret.

In any case, as you can see above, if you don’t guard against this type of attack, your keys are vulnerable. Anyone trained in the art of side channel attacks can rip you to shreds in short order, and given how much easier it is than brute forcing keys, it is where I would start hacking. Luckily, there are some very smart people that can help keep your keys private too.S|A

Tags: , , , ,

7 Responses to “Rambus shows off how to sniff crypto keys”

  1. Doug Sep 19, 2011 at 11:44 am #

    The algorithmic attack is blindingly simple to defend against. Rather than doing one code path for a 0 and another for a 1, do both. After you’ve done both you only need to determine which of the results you want to keep based on what the bit actually was, basically an if/then.

    Average power use would nearly double (assuming that on average half the bits are normally lower power 0s) but this isn’t something someone concerned about this type of attack is going to care about.

    Another alternative would be designing a better algorithm where the amount of work for a 0 and a 1 and the code paths followed were similar enough that this type of attack would yield nothing useful.

    Reply
  2. Snidely Whiplash Sep 19, 2011 at 11:17 am #

    Jason, what if you are walking around outside? Going to erect a Faraday shield around yourself?

    Reply
  3. jason Sep 19, 2011 at 8:22 am #

    Kinda old news actually. That’s why the NSA and others have been using shielded buildings for decades now.

    Reply
  4. AlexZ Sep 19, 2011 at 5:29 am #

    Wouldn’t randomly mixing the cryptographic workload with doing something useless but CPU-consuming solve this problem?

    Reply
  5. El MaƱo Sep 19, 2011 at 5:08 am #

    I never heared about this, it’s rather interesting.
    Thanks Charlie!

    Reply
    • Winning Sep 19, 2011 at 6:50 am #

      Seems like a small subset of the original project Tempest? People can ‘sniff’ your entire screen remotely via RF.

      Reply

Leave a Reply

Comments are un-moderated except for automatic spam-reduction services, these services are not related to liposuction or any other dieting method. Hitting the [POST] button here is the legal equivalent to self-publishing. This means that you are liable and therefore RESPONSIBLE for all consequences of what you are writing and publishing. S|A is not and will not be held liable for your publications using our platform. We will happily turn over your IP address to any legal authority with a valid search warrant.

Past Articles