Get your hands off my laptop: physical side-channel key-extraction attacks on PCs

We demonstrate physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels, based on the observation that the “ground” electric potential, in many computers, fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer’s chassis with a plain wire, or even with a bare hand. The signal can also be measured on the ground shield at the remote end of Ethernet, USB and display cables. Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency (MF) signals (around 2 MHz), or one hour using Low Frequency (LF) signals (up to 40  kHz).

[1]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[2]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[3]  Raphael C.-W. Phan Review of Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition by Ross J. Anderson , 2009, Cryptologia.

[4]  JaeCheol Ha,et al.  Power Analysis by Exploiting Chosen Message and Internal Collisions - Vulnerability of Checking Mechanism for RSA-Decryption , 2005, Mycrypt.

[5]  Raph Levien,et al.  MIME Security with OpenPGP , 2001, RFC.

[6]  Wenyuan Xu,et al.  Current Events: Identifying Webpages by Tapping the Electrical Outlet , 2013, ESORICS.

[7]  Billy Bob Brumley,et al.  Remote Timing Attacks Are Still Practical , 2011, ESORICS.

[8]  Pankaj Rohatgi,et al.  Introduction to differential power analysis , 2011, Journal of Cryptographic Engineering.

[9]  Dakshi Agrawal,et al.  The EM Side-Channel(s) , 2002, CHES.

[10]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[11]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[12]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[13]  Robert H. Sloan,et al.  Power Analysis Attacks of Modular Exponentiation in Smartcards , 1999, CHES.

[14]  David Samyde,et al.  Data dependent power use in multipliers , 2005, 17th IEEE Symposium on Computer Arithmetic (ARITH'05).

[15]  Wei-Ming Hu,et al.  Lattice scheduling and covert channels , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[16]  Don Coppersmith,et al.  Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities , 1997, Journal of Cryptology.

[17]  Roman Novak,et al.  SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation , 2002, Public Key Cryptography.

[18]  Frédéric Valette,et al.  The Doubling Attack - Why Upwards Is Better than Downwards , 2003, CHES.

[19]  Adi Shamir,et al.  RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis , 2014, CRYPTO.

[20]  Adi Shamir,et al.  Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs , 2008, CHES.

[21]  Michael Hutter,et al.  Side-Channel Leakage across Borders , 2010, CARDIS.

[22]  Markus G. Kuhn,et al.  Compromising Emanations , 2002, Encyclopedia of Cryptography and Security.

[23]  David Blaauw,et al.  Securing Encryption Systems With a Switched Capacitor Current Equalizer , 2010, IEEE Journal of Solid-State Circuits.

[24]  Benoit Feix,et al.  Simple Power Analysis on Exponentiation Revisited , 2010, CARDIS.

[25]  Daniel Genkin,et al.  Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation , 2015, CHES.

[26]  Jon Callas,et al.  OpenPGP Message Format , 1998, RFC.

[27]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[28]  Yuval Yarom,et al.  FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack , 2014, USENIX Security Symposium.

[29]  C. D. Walter,et al.  Distinguishing Exponent Digits by Observing Modular Subtractions , 2001, CT-RSA.

[30]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[31]  Jean-Jacques Quisquater,et al.  ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards , 2001, E-smart.

[32]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[33]  Milos Prvulovic,et al.  Experimental Demonstration of Electromagnetic Information Leakage From Modern Processor-Memory Systems , 2014, IEEE Transactions on Electromagnetic Compatibility.

[34]  Stefan Mangard,et al.  Power analysis attacks - revealing the secrets of smart cards , 2007 .

[35]  Francis Olivier,et al.  Electromagnetic Analysis: Concrete Results , 2001, CHES.