Wednesday, June 5, 2019
Acoustic Cryptanalysis of RSA and Its Counter Measure
Acoustic Crypt psychoanalysis of RSA and Its Counter MeasureProf. J P Agrawal Saurabh Sharma Siddharth GuptaABSTRACTAcoustics has go up as a new vulnerability in the field of reading security. The RSA encryption algorithm, although h very sullen to break mathematically, has been broken of late by using acoustics and power analysis of emanations. Acoustic Cryptanalysis is the side-channel antiaircraft which targets implementations of cryptographic algorithms. The cryptographic algorithms atomic number 18 quite secure at the mathematical level, besides inadvertently leak secret information through signatures in power consumption, electromagnetic emanations, timing variations, and acoustical emanations. This paper presents a software base countermeasure which is base on application of specific mitigation techniques to ensure that even if there is escape valve of information it would bear minimal utilizeful information.INTRODUCTIONAcoustic cryptology is a form of side channel attack that aims at deriving the private key in a public key cryptography body using acoustical vibrations of a laptop. A side channel attack is basically an attack that gives assailant an additional channel of information about the system, the hitch generated by computers is one such potential channel other channels include keystroke acoustic emanations, acoustic emanations from printers, power analysis via the USB port and timing attacks. facial expression channel attacks can only be performed on public key cryptography system because the encrypted school text i.e. ciphers text depends upon the text that is encrypted. So while decoding the cipher text produces a unique acoustic spectrum which helps the attacker to extract the key.In this study we put our emphasis on a different arising of computer noise i.e. vibration of electronic components like capacitors and transistors in the circuit of the CPU. These acoustic vibrations are related to the system activity since the amo unt of power wasted from the CPU depends upon the operation which is performed.As a study case, we will focus on the GnuPG (GNU Privacy Guard), a cross-platform, open-source implementation of the OpenPGP Standard. We will demonstrate a key extraction attack that can extract 4096- rubbish RSA secret keys when used by GnuPG running on a laptop computer by analyzing the vibrations generated by the computer during decryption of chosen cipher texts.RELATED WORKAnalysis of acoustical vibrations is relatively a newer practice commonly used in forces context such as identification of vehicles through the sound signature of their engine. Similarly computer programmers monitor the functioning of their systems by listening to sound generated by mechanistic components. Some of the successfully implemented experiments involving side channel attacks include Electromechanical ciphers. Keyboard acoustic emanations. Acoustic emanations from printers. Power analysis. Power analysis via the USB po rt. Timing attacks.THE experimental SETUP(A) laptop on which the decryption is being performed(B) BrelKjr 4190 microphone capsule mounted on a BrelKjr 2669 preamplifier held by a flexible arm.(C) BrelKjr 5935 microphone power supply and amplifier,(D) National Instruments MyDAQ device with a 10 kHz RC low-pass filter cascaded with a one hundred fifty kHz RC high-pass filter on its A2D input(E) laptop computer performing the attack.Here, the microphone power, amplification and some filtering are done by an integrated, battery operated BrelKjr 5935 microphone power supply. after a self-built 10 kHz RC low-pass filter cascaded with a 150 kHz RC high-pass using capacitors and resistors, A2D conversion is done by the compact, USB-operated National Instruments MyDAQ device. The MyDAQ device captures at 200 K sample/sec. The BrelKjr 5935 amplifier is limited to a frequency of 100 kHz.OBSERVING THE ACOUSTIC natural spring 1. Distinguishing various CPU operationsWe can distinguish between various operations performed by CPU by analyzing the low bandwidth leakage of acoustical emanations. Our analysis begins by taking into account simple operations like HLT (CPU sleep), MUL (integer multiplication), FMUL (floating-point multiplication), main memory access (forcing L1 and L2 cache misses), and REP NOP (short-term idle). We concluded that these operations exhi firearm a unique frequency spectrum on execution.2. Distinguishing various code lengthsThese acoustical emanations can also determine the length of loop being executed. For deterrent example the leakage produced by a code executing 10000 ADD instructions in an infinite loop will have a different acoustic spectrum than a program executing 20000 ADD instructions in an infinite loop.3. Leakage sourceThe observed acoustical emanations are not caused by the rotation of the fan, hard seeks or audio speakers as it is verified by disabling these components. Rather it is caused by the capacitors and resistors in the power regulation circuit of the CPU. The precise source of the emanations is elusive to characterize, since it is different in every machine and it is typically located in hard to reach places. Acoustic localization is also difficult due to mechanical coupling of capacitors and resistors and because of acoustic reflections due to other components.PERFORMING THE ATTACKThe attacker sends an encrypted email to the target machine. This email when received by the target machine undergoes the solve of decryption so as to extract the data that has been sent. The email which is sent involves sending a chosen ciphertext, it cannot have any random data in it. The data which is sent via the email has to be a specially crafted ciphertext. Through this attack we try to get the q i.e. one of the prime factor of the key n.Enigmail provides an integrated graphical user interface and handles electronic mail encoding and user interaction the actual cryptography is done by an external GnuPG executable. Received e-mail depicted objects are decrypted upon the users request. In addition and by default, Enigmail automatically decrypts incoming e-mail messages. Thus, an attacker can send a suitably-crafted e-mail message to the victim, containing a chosen ciphertext. When this e-mail message is fetched by the target computer, the attacker observes the acoustic emanations during decryption, and obtains a bit of the secret key. The attacker then sends additional e-mail messages, until all key bits are recovered. If the messages are backdated or made to look like spam messages, they may even go unnoticed. But this doesnt affects our attack as it will still be decrypted by the email client.Choosing the ciphertextq is a 2048 bit numberq2048 q2047 q2046 q2045 q2 q1GnuPG always generates RSA keys in which the most meaning(a) bit of q is set, i.e., q2048 = 1. Considering we spot the first i-1 bits of qe.g. i=4 , we know q2048 q2047 q2046 =110Now we need to find the next bit of q , which can be 0 or 1So , we create a ciphertext with first i-1 bits equal to that of first i-1 bits of q, the next bit 0 and the remaining bits to be 1q2048 q2047 q2046 0 111111.11111Recording the emmisions We use our experimental setup to record the acoustic emissions that are created during the decryption. Placing the microphone with respect to the laptop body has a large influence on the obtained signal. Laptops have chilling system for heat dissipation. It has a fan that requires large intake of air and some exhaust holes. Also, there are other holes and gaps for ports such as USB, press Card slot, SD card reader, and Ethernet port. Any of these ports can be used as a position for the microphone. Typically, the best microphone placement is near the Ethernet port or the fan exhaust vent.We record the sound using the LABVIEW software. We compute the sliding-window Fourier transform of the trace, yielding a sequence of spectra, and then aggregate these spectra by taking the average value of each bin. (The use of median effectively rejects temporally-local outliers, such as transient spikes.) The spectrum is truncate to the frequency range of interest (determined manually).Extracting the keyThe most significant bit of a prime number is always 1. exploitation this fact we create a desired ciphertext and obtain the power frequency templates for 0 and 1. Thus, if the attacker were to have two spectrum templates describing the leakage of zero and one bits, he could classify an unknown signal by checking the similarity between it and the templates he has. Concretely, in our case a template is a vector of real numbers describing the signal power at each frequency bin. The classification is based on calculate the correlation of the Fourier spectrum of the leakage with the two templates.Recall that q is chosen to be a prime such that its most significant bit is always set to one. Moreover, this information is known to an attacker. Thus, obtaining an example of a leakage o f a one bit can be done by measuring the leakage resulting from the decryption of g20481. Obtaining an example of a leakage of a zero bit is more tricky. This is because the attacker does not know in advance the location of the first zero bit in q. However, this problem can be easily avoided. Consider any number l such that q 2048 1). Notice that the reduction of l modulo q is equivalent to computation l q and will cause the bits of the result to be random thus achieving a similar spectrum as the sound of zero bits of q at the beginning of the attack.After this we compare the data acquired with the templates of 0 and 1 and the output of the comparison gives one bit of the q. Then this attack has to repeated 2048 times to get all the bits of q.These templates are updated dynamically in the matter of 20 bits. After receiving the acoustic spectrum of every attack bit we try to match the frequencies with the ones in the predefined templates. Whenever we get a duplicate frequency we c heck its corresponding value for power if this value is in range according the given threshold of the template we classify the bit as 0 or 1. By repeating this same procedure to attack every bit we obtain all the 2048 bits of prime q and in sour find the key.COUNTER MEASURECipher text randomization One countermeasure that is effective in stopping our attack ciphertext randomization. If we have a cipher text c, instead of decrypting c immediately what we can generate a 4096 bit random value r, compute re and then decrypt re* c and multiply the result by r-1. Since ed = 1 mod (n)It does not stop the attacker from extracting the key but it masks the original key so that even if the attacker is able to extract the key he doesnt has the correct key.In implementation we have used the random library of python. Using this library random.randint(range) generates a random integer which can be multiplied to the value of cipher text and it changes the acoustic spectrum of the ciphertext which masquerades the original key.Why software based countermeasures are better than hardware based countermeasures?Enforce a proper layering can seem to be an effective countermeasure. Unfortunately, such low-level physical leakage prevention, is most of the times, impractical due to the significantly bad cost vs. security tradeoff because of the following reasons (1) Suitable manipulation at the higher levels can pad any leakage remnants, similar to what we do in our chosen-ciphertext attack(2) Low-level mechanisms try to protect all computation, even though most of it is insensitive or does not induce easily-exploitable leakage(3) Essential performance-enhancing mechanisms produce leakage as an inevitable side effect.REFRENCES1 M. Hanspach and J. Keller, In guards we trust Security and privacy in operational systems revisited,- in Proc. 5th ASE/IEEE International Conference on Information Privacy, Security, Risk and Trust, Washington D.C., USA IEEE, Sept 2013.2 M. Hanspach and M.Go etz, On Covert acoustical mesh profit in air, revisited,- in Journal of Communications Vol. 8, No. 11, November 2013.3 R. Otnes, A. Asterjadhi, P. Casari, M. Goetz, T. Husy, I. Nissen, et al., Underwater Acoustic Networking Techniques, ser. Springer Briefs in Electrical and Computer Engineering, Springer, 2012.4 R. Frankland, Side channels, compromising emanations and care Current and future technologies,- Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, England, Tech. Rep., Mar. 2011.5 Daniel Genkin, Adi Shamir, Eran Tromer, RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis December 18, 2013.6Nikita Borisov, Ian Goldberg, and David Wagner. Intercepting mobile communications the insecurity of 802.117 H. E. Bass and Roy G. Keeton. Ultrasonic soaking up in air at elevated temperatures. The Journal of the Acoustical Society of America.8Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms.IEEE Transactions on Information Theory, 31(4)469472, 1985.1
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.