Security Corner

Dec 22 2013   1:43AM GMT

Shhhh! Your PC is telling someone its secrets (keys, that is)



Posted by: Ken Harthun
Tags: Encryption, Security, Vulnerabilities
Source: mobyrebuttal.blogspot.com


Your PC or laptop is a disloyal little traitor. She (or he, if you prefer) is happily sitting there chattering away, revealing your RSA keys to anyone who cares to listen. Yes, my friend, even RSA isn’t good enough anymore.

No, it’s not April first, and no, I’m not making this up. Debian Security Advisory DSA-2821-1 (CVE-2013-4576), issued December 18, 2013, gives the scoop:

Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts.

The Shamir is Adi Shamir, the S in RSA.

Those of you who have been around for a while will recall that “listening” to the emissions of CRT screens — known as “Van Eck phreaking” — was once used as a way to eavesdrop. (The link points to a fascinating video. Check it out.) The researchers’ approach is similar, but it works in the acoustic rather than the electromagnetic realm.

I admit my lead is a bit over the top. Pulling off such an attack requires physical access to the equipment and a whole lot of tinkering, as detailed in their report. But it works, and if the obstacles can be overcome, it’s a real threat. I highly recommend you study the paper. You’ll learn why data security isn’t as simple as you think.

For those of you who may be super paranoid about such things, here are some ways to interfere with and, perhaps, thwart such an attack, as presented in the Naked Security blog post:

1. Disabling auto-decryption of received emails.
2. Putting your mobile phone in your pocket or bag before reading encrypted emails.
3. The presence of background noise.
4. “Decoy processes” running on other CPU cores at the same time.

1  Comment on this Post

 
  • FTClark
    Just when you thought it couldn't get any stranger...
