Researchers demonstrate stealing crypto keys from an offline computer using electromagnetic pulses
For the uninitiated, air-gapped computers are computers and laptops that are deliberately cut off from the Internet to protect them from any kind of remote hacking. Most companies, including defence departments and NASA, use air-gapped computers to store their most confidential data. Researchers from Tel Aviv University have built upon a side-channel attack described by researchers from the Georgia Institute of Technology in January 2015. The method used by the Tel Aviv University researchers is quite similar to earlier research that stole crypto keys by “listening” to a computer, so this is not the first time such an approach has been used by researchers against elliptic curve cryptography running on a computer.
The attack
As said above, the method used by the researchers builds upon a side-channel attack. This kind of attack does not take the encryption implementation head on, as brute force does or as exploiting a weakness in the algorithm would; instead it relies on information leaking from other sources. Here the researchers used the electromagnetic (EM) output of a laptop: the emanations emitted during the decryption process were used to work out the target’s key. The researchers obtained the laptop’s private key while it was running GnuPG, a widely used implementation of OpenPGP. They measured the electromagnetic emanations of the target computer and within seconds had the secret decryption key.

According to the team of researchers, which comprised Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer, the attack is launched using lab equipment that “costs about $3000.” This shows that the attack is unwieldy. They further stated, “the attacks are completely non-intrusive; we did not modify the targets or open their chassis.” However, Tromer told Motherboard that “experience shows that once the physical phenomena are understood in the lab, the attack setup can be miniaturized and simplified.” Tromer further explained that the modifications made to GnuPG make it more “resistant to side-channel attack since the sequence of high-level arithmetic operations does not depend on the secret key.”

The attack’s legitimacy was tested by sending a chosen ciphertext, which is simply an encrypted message, to the target. “During the decryption of the chosen ciphertext, we measure the EM leakage of the target laptop, focusing on a narrow frequency band,” the research paper states.
After processing the signals, “a clean trace is produced which reveals information about the operands used in the elliptic curve cryptography [and in turn] it is used in order to reveal the secret key.” The equipment the team used was quite varied: amplifiers, an antenna and a software-defined radio, along with, obviously, a laptop. According to the research paper, the measurement was carried out through a 15cm thick wall reinforced with metal studs. The secret key was recovered after observing around 66 decryption operations, each lasting 0.05 seconds, for an overall measurement duration of around “3.3 seconds”, the paper established. The research team has published a paper (pdf) describing the attack and will demonstrate it on 3rd March at the forthcoming RSA Conference.
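The key-dependent operation sequence Tromer refers to, and why removing it helps, can be illustrated with a toy scalar multiplication. This is an added example and not code from the paper or from GnuPG; the curve (y^2 = x^3 + 2x + 2 over GF(17), generator (5,1)) is a constructed textbook-size toy, and the Montgomery ladder is shown as one standard constant-sequence construction, not as the specific fix applied to GnuPG.

```python
# Toy model of the leak: a scalar multiplication whose sequence of high-level
# operations depends on the key bits, beside a version whose sequence does not.
# Curve parameters are a constructed toy (19 points), not any real curve.
P, A = 17, 2
G = (5, 1)          # generator of the toy group (order 19)
INF = None          # point at infinity

def ec_add(p1, p2):
    """Affine point addition/doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def naive_double_and_add(k, point):
    """Leaky: 'A' is performed only for 1-bits, so the operation
    sequence (what an EM trace resolves) spells out the key."""
    acc, trace = point, []
    for bit in bin(k)[3:]:                          # bits after the leading 1
        acc = ec_add(acc, acc); trace.append("D")
        if bit == "1":
            acc = ec_add(acc, point); trace.append("A")
    return acc, "".join(trace)

def montgomery_ladder(k, point):
    """Every step does one add and one double regardless of the bit, so the
    operation sequence depends only on the key length (one standard fix)."""
    r0, r1, trace = point, ec_add(point, point), []
    for bit in bin(k)[3:]:
        if bit == "0":
            r1, r0 = ec_add(r0, r1), ec_add(r0, r0)
        else:
            r0, r1 = ec_add(r0, r1), ec_add(r1, r1)
        trace.append("AD")
    return r0, "".join(trace)

def distinct_traces(scalar_mult, keys):
    """How many different operation sequences a set of same-length keys produces."""
    return len({scalar_mult(k, G)[1] for k in keys})
```

Over all 3-bit keys (4 to 7) the naive routine yields four distinct traces while the ladder yields one, even though both return the same point for every key.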