[conspire] [paper] RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Nick Moffitt nick at zork.net
Fri Dec 20 02:37:25 PST 2013


Darlene Wallach:
> http://www.cs.tau.ac.il/~tromer/acoustic/
> http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
> So ya this basically just rendered all encryption virtually useless!

Not exactly.  This technique relied specifically on the way gnupg ran,
and there's a fix already in Debian and Ubuntu (and likely everywhere
else as well).

The mechanism is fascinating, to me.  All they had to detect was
MUL/FMUL (multiplication) instructions, and determine how many were run
and in what patterns.  Since RSA encryption is basically nothing but
factoring numbers into giant primes, they could infer which values were
found as the result.  If you control the ciphertext and when it's
decrypted (as in sending an encrypted mail to a computer running
thunderbird+seahorse), you can generate as many iterations as you have
time for.

I still haven't looked up how gnupg solved this, but I suspect it was
either re-ordering operations or throwing some chaff in to reduce the
accuracy of an attacker's measurements.

This is still definitely the security paper of the decade, so far. ☺

-- 
Though the great song return no more
There's keen delight in what we have:
The rattle of pebbles on the shore
Under the receding wave.  -- W. B. Yeats
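As an added illustration (example code, not part of this thread and not GnuPG's implementation), the toy RSA decryption below records the intermediate accumulator values of square-and-multiply, standing in for what an observer of the multiplication pattern would see. Without a countermeasure the sequence depends only on the attacker-chosen ciphertext, so it is identical on every run; with ciphertext blinding, a standard countermeasure for this class of attack, each decryption operates on a randomized value and the trace changes while the recovered plaintext does not. The primes, exponent and message are constructed toy values, far too small for real use.

```python
import math
import secrets

# Toy RSA parameters, constructed for illustration only (not a real key).
P, Q = 61, 53
N = P * Q                 # 3233
E = 17
PHI = (P - 1) * (Q - 1)   # 3120
D = pow(E, -1, PHI)       # 2753, the private exponent


def modexp_with_trace(base, exp, mod):
    """Square-and-multiply exponentiation.

    Returns (result, trace). The trace lists the accumulator after every
    squaring and every conditional multiply; it models what a side-channel
    observer sees, and it is a deterministic function of (base, exp, mod).
    """
    acc = 1
    trace = []
    for bit in bin(exp)[2:]:
        acc = (acc * acc) % mod
        trace.append(acc)
        if bit == "1":
            acc = (acc * base) % mod
            trace.append(acc)
    return acc, trace


def decrypt_plain(c):
    """Unprotected decryption: the trace is fixed by the ciphertext alone."""
    return modexp_with_trace(c, D, N)


def decrypt_blinded(c, r=None):
    """Decryption with ciphertext blinding.

    A random r coprime to N is chosen (or passed in, for reproducible tests).
    The exponentiation runs on c * r^E mod N, whose D-th power is m * r mod N,
    so the observable intermediates depend on r, not just on the chosen c.
    The factor r is removed afterwards to recover m.
    """
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
    c_blind = (c * pow(r, E, N)) % N
    m_blind, trace = modexp_with_trace(c_blind, D, N)
    m = (m_blind * pow(r, -1, N)) % N
    return m, trace


def traces_repeat(decrypt_fn, c, runs=3):
    """True if every run of decrypt_fn on c produces the same trace."""
    first = decrypt_fn(c)[1]
    return all(decrypt_fn(c)[1] == first for _ in range(runs - 1))


if __name__ == "__main__":
    message = 65
    ciphertext = pow(message, E, N)   # 2790 for these toy parameters
    print("plain   :", decrypt_plain(ciphertext)[0],
          "trace repeats:", traces_repeat(decrypt_plain, ciphertext))
    print("blinded :", decrypt_blinded(ciphertext)[0],
          "trace repeats:", traces_repeat(decrypt_blinded, ciphertext))
```

The point of the trace comparison is that an attacker who can trigger many decryptions of a chosen ciphertext (the mail-client scenario above) gains nothing from repetition when each run is blinded with a fresh r, because the operand sequence no longer correlates across runs.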
