summary of http cs tau ac il tromer acoustic
play

Summary of: http://www.cs.tau.ac.il/~tromer/acoustic/ Credit - PowerPoint PPT Presentation

Aug 22, 2023 •363 likes •831 views

Summary of: http://www.cs.tau.ac.il/~tromer/acoustic/ Credit (including pictures and algorithms) to authors of the paper RSA RSA Key generation: Choose two large primes, p and q , and calculate n = pq Select e relatively prime with ( n ),

  1. Summary of: http://www.cs.tau.ac.il/~tromer/acoustic/ Credit (including pictures and algorithms) to authors of the paper

  3. RSA

  4. RSA ● Key generation: Choose two large primes, p and q , and calculate n = pq Select e relatively prime with ϕ( n ), calculate d as inverese of e PU = ( e , n ) PR = ( d , n ) ● Encryption of message: C = M e mod n ● Decryption of ciphertext: M = C d mod n

  5. RSA 4096-bit ● RSA supports different “key” lengths: 1024, 2048, 4096 bits ● Key generation: – p is 2048 bits, q is 2048 bits – n = pq is 4096 bits – e often 65,537 (16 bits) – d is calculated; about same length as n , ~ 4000 bits ● Decryption/Signing, i.e. using private key, M , C < n : C d mod n (very large number) (very large number) mod n

  6. RSA Implementation ● Split the modular exponentiation of 4096-bit number into two modular exponentiations of 2048-bit numbers – Chinese Remainder Theorem – d p = d (mod p- 1) – d q = d (mod q- 1) – q inv = q -1 (mod p ) Two steps using smaller exponents; ● Decryption/Signing: Increases speed by factor of 4 compared to one step with large – m p = C d p mod p exponent – m q = C d q mod q – h = q inv (m p - m q ) ( mod p) – M = m q + hq

  7. History ● 1978: Ron Rivest, Adi Shamir and Len Adlemen algorithm company ● 1982: Formed company - RSA Security – Sells authentication tokens and BSAFE library of cryptographic operations (alternative to OpenSSL) ● 1995: Employees created digital certificate company (VeriSign) ● 2006: Acquired by EMC ● 2013: Alleged NSA backdoor in random number generator proposed and used by RSA

  8. Side Channel Attacks

  9. Ciphertext Only Attacks Attack intercepts ciphertext, aims to find the plaintext and/or private key

  10. Chosen Plaintext/Ciphertext Attacks Attacker can choose multiple ciphertext (and plaintext) values and convince target to decrypt them Aims to find the private key

  11. Side Channel Attack Side channel Attacker can choose multiple ciphertext (and plaintext) values and convince target to decrypt them Attacker can also observe activities of targets computer Aims to find the private key

  12. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis Daniel Genkin Adi Shamir Eran Tromer Technion and Tel Aviv University Weizmann Institute of Science Tel Aviv University December 18, 2013 http://www.cs.tau.ac.il/~tromer/acoustic/ http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf

  13. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q 3. Repeat with different ciphertexts until all bits of q are determined 4. Calculate p and d 5. Profit!!!

  14. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext Example ● Need recording equipment nearby Target runs an email client that automatically decrypts emails. ● Different values of q require different operations in decryption, Email client decrypts using targets Private key (d). producing different sounds by target Attacker creates the necessary chosen ciphertext and emails ● Identifying the different sounds allows for determining bits of q to target. 3. Repeat with different ciphertexts until all bits of q are Attacker can repeatedly send emails, making them look like determined spam. Target email client automatically decrypts and then 4. Calculate p and d discards. User doesn't notice. 5. Profit!!! POSSIBLE

  15. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q 3. Repeat with different ciphertexts until all bits of q are determined We will look at this in depth next. 4. Calculate p and d POSSIBLE (with some conditions) 5. Profit!!!

  16. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q 3. Repeat with different ciphertexts until all bits of q are determined 4. Calculate p and d As described in step 1. 5. Profit!!! POSSIBLE

  17. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q Public values: e, n, C, M 3. Repeat with different ciphertexts until all bits of q are If you also know q : determined n = pq therefore q = n/p ϕ( n ) = ( p -1)( q -1) 4. Calculate p and d Calculate d (same as key generation) 5. Profit!!! EASY

  18. Listening to a computer ● CPUs change their power consumption depending what they need to do – Depends on type and number of operations, e.g. MUL, ADD ● Leads to vibrations of electrical components in power supply circuitry ● Vibrations create sound (acoustic emanations) ● So what? If we can listen to the sound and, if we can distinguish what operations are being performed while decrypting, and if the operations depend on specific private keys, then can learn the private key

  19. A lot of ifs ... If we can listen to the sound and, if we can distinguish what operations are being performed while decrypting, and if the operations depend on specific private keys, then can learn the private key ● Microphones pickup frequencies from up to 20kHz, even up to 100kHz (with lower sensitivity). Sound from CPU activity differs in frequencies than other sources (fan, hard disk etc) ● Different operations produce acoustic signals (sound) with different spectrograms ● Creating chosen ciphertexts trigger different operations in RSA decryption (modular exponentiation) depending on key

  20. How to record sound of target computer?

  21. Experimental Setup: Fixed

  22. Experimental Setup: Portable

  23. Experimental Setup: Mobile

  24. Can different CPU operations be detected by sound?

  25. Frequency Spectrogram of CPU Operations Frequency (0-310 kHz) Time (0-3.7s) “Greener” the value, larger the signal magnitude

  26. mod p and mod q can be distinguished Yellow arrows show where RSA changes from mod p to mod q modular exponentiation m p = c d p mod p m q = c d q mod q

  27. Another laptop, Freq up to 40kHz

  28. Are the CPU operations dependent on the private key? (and if so, can we detect the different operations?)

  29. Approach ● Choose a ciphertext such that the decryption by the target will require different operations depending on the target's key – “Target's key” is q in this attack ● Focus on a single bit in q at a time ● Attacker wants the decryption to sound different depending on that bit of q – Send a chosen ciphertext to target – If attacker can detect the different sounds, then can detect that bit of q ● Repeat by sending different chosen ciphertexts to detect subsequent bits of q – Either repeat for all 2048 bits of q – Or use Coppersmith attack: require about 1024 bits of q

  30. Modular Exponentiation Algorithm m : m q d : d q (2048 bits) q (2048 bits) Reduce ciphertext c if greater than q Loop 2048 times Multiply current m and ciphertext c

  31. q Modular Exponentiation (Simplified) MODULAR_EXPONENTATION (c, d, q) { Reduce ciphertext c c = c mod q m q = 1 for i = 2048 .. 1 { m q = m q2 2048 multiplications of c and m … t = m q * c … } return m q }

  32. Choosing the Ciphertext ● q is 2048 number q 2048 q 2047 q 2046 … q 3 q 2 q 1 ● Assume we know the first ( i - 1) bits of q – E.g. i = 4 , we know: q 2048 q 2047 q 2046 = 110 ● Aim: find the next bit of q – E.g. q 2045 : is it 0 or 1? ● Create ciphertext with first ( i - 1) bits of q , then 0, then all 1's q 2048 q 2047 q 2046 011111...11111 ● Send chosen ciphertext to target for decryption

  33. q Modular Exponentiation of Chosen Ciphertext MODULAR_EXPONENTATION (c, d, q) { c = c mod q m q = 1 c = q 2048 q 2047 q 2046 0 11111...11111 for i = 2048 .. 1 { q = q 2048 q 2047 q 2046 q 2045 q 2044 q 2043 ... m q = m q2 If q 2045 = 1, c < q: … c mod q = c c doesn't change; still 2048 bits with many 1's at right t = m q * c If q 2045 = 0, c ≥ q: … c mod q = ? c changes; smaller, random looking number } return m q }

  34. q Modular Exponentiation of Chosen Ciphertext MODULAR_EXPONENTATION (c, d, q) { c = c mod q m q = 1 for i = 2048 .. 1 { m q = m q2 … t = m q * c If q 2045 = 1, c < q: … c doesn't change; still 2048 bits with many 1's at right 2048 multiplications with structured, 2048 bit c } If q 2045 = 0, c ≥ q: return m q c changes; smaller, random looking number 2048 multiplications with random, shorter c }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images courtesy of J. Hildebrand (L) and http://www.birds.cornell.edu/brp/elephant (R) Why acoustics? A wealth of recorded information Acoustic

496 views • 21 slides
The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer Succint

The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer Succint

The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer Succint Noninteractive Argument of Knowledge Kilian '92 Micali '00 Aiello Bhatt Ostrovsky Rajagopalan '00 Dwork Langberg Naor Nissim Reingold '04 Di Crescenzo

567 views • 14 slides
Results from a Study of Acoustic Ultrahigh- energy Neutrino Detection (SAUND)

Results from a Study of Acoustic Ultrahigh- energy Neutrino Detection (SAUND)

Results from a Study of Acoustic Ultrahigh- energy Neutrino Detection (SAUND) http://hep.stanford.edu/neutrino/SAUND/ Justin Vandenbroucke justinav@socrates.berkeley.edu September 13, 2003 Stanford University Workshop on Acoustic Cosmic Ray

370 views • 33 slides
VARIFLEX operable walls Introduction Acoustic overview Acoustic selection table Types of VX

VARIFLEX operable walls Introduction Acoustic overview Acoustic selection table Types of VX

mobile acoustic partitions / VARIFLEX operable walls Introduction Acoustic overview Acoustic selection table Types of VX &amp; selection table Types of elements Layout example Hardware &amp; components Types of tracks Suspension details

745 views • 37 slides
Cryptologic Applications of the PlayStation 3: Cell SPEED Dag Arne Osvik EPFL Eran Tromer MIT

Cryptologic Applications of the PlayStation 3: Cell SPEED Dag Arne Osvik EPFL Eran Tromer MIT

Cryptologic Applications of the PlayStation 3: Cell SPEED Dag Arne Osvik EPFL Eran Tromer MIT Cell Broadband Engine 1 PowerPC core Based on the PowerPC 970 128-bit AltiVec/VMX SIMD unit Currently up to 8 synergistic

449 views • 26 slides
The Center for Acoustic Neuroma Translabyrinthine Resection of Acoustic Neuroma Indications 1 -

The Center for Acoustic Neuroma Translabyrinthine Resection of Acoustic Neuroma Indications 1 -

Translabyrinthine Resection of Acoustic Neuroma The Center for Acoustic Neuroma Translabyrinthine Resection of Acoustic Neuroma Indications 1 - Any tumors with non-serviceable hearing Servicable hearing 50/50 rule Speech discrimination

551 views • 42 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Acoustic Modeling: Tied-state HMMs &amp; DNN-based models Lecture 7 CS 753 Instructor: Preethi

Acoustic Modeling: Tied-state HMMs &amp; DNN-based models Lecture 7 CS 753 Instructor: Preethi

Acoustic Modeling: Tied-state HMMs &amp; DNN-based models Lecture 7 CS 753 Instructor: Preethi Jyothi Recall: Acoustic Model Acoustic Context Pronunciation Language Models Transducer Model Model Acoustic Word

604 views • 37 slides
Measurement of acoustic noise in Lake Baikal Report submitted to the Mini-Workshop on Acoustic

Measurement of acoustic noise in Lake Baikal Report submitted to the Mini-Workshop on Acoustic

Measurement of acoustic noise in Lake Baikal Report submitted to the Mini-Workshop on Acoustic Neutrino and Highest Energy Shower Detection, Stanford Sept. 13-14. N.Budnev, A.Chensky, R.Mirgazov, G.Pankov, L.Pankov Irkutsk State

354 views • 16 slides
Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer

Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer

Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer Transportation CybserSecurity 1 18 Feb 2014 The first vehicle computer D-17B Minuteman I guidance system 2 The first vehicle computer D-17B

554 views • 10 slides
Welcome to the Welcome to the First MiniWorkshop MiniWorkshop on on First Acoustic

Welcome to the Welcome to the First MiniWorkshop MiniWorkshop on on First Acoustic

Welcome to the Welcome to the First MiniWorkshop MiniWorkshop on on First Acoustic Cosmic Ray Detection Acoustic Cosmic Ray Detection A few facts: G.Gratta, Welcome 1st Acoustic MiniWorkshop, Stanford, Sept 13-14, 03 2

136 views • 10 slides
CT CTC-CRF CRF CRF-based sin ingle-stage acoustic ic modeli ling wit ith CT CTC topology

CT CTC-CRF CRF CRF-based sin ingle-stage acoustic ic modeli ling wit ith CT CTC topology

CT CTC-CRF CRF CRF-based sin ingle-stage acoustic ic modeli ling wit ith CT CTC topology Hongyu Xiang, Zhijian Ou Speech Processing and Machine Intelligence (SPMI) Lab Tsinghua University http://oa.ee.tsinghua.edu.cn/ouzhijian/ 1

339 views • 21 slides
Numerical approximation of acoustic scattering by fractal screens Andrea Moiola

Numerical approximation of acoustic scattering by fractal screens Andrea Moiola

UMI, P AVIA , 27 S EPTEMBER 2019 Numerical approximation of acoustic scattering by fractal screens Andrea Moiola http://matematica.unipv.it/moiola/ Joint work with S.N. Chandler-Wilde (Reading), D.P . Hewett (UCL) A. Caetano (Aveiro)

854 views • 57 slides
Acoustic Liquid- -Level Determination of Level Determination of Acoustic Liquid Gradients and

Acoustic Liquid- -Level Determination of Level Determination of Acoustic Liquid Gradients and

Gas Well De-Liquification Workshop Adams Mark Hotel, Denver, Colorado March 5 - 7, 2007 Acoustic Liquid- -Level Determination of Level Determination of Acoustic Liquid Gradients and BHP in Flowing Gas Wells Gradients and BHP in Flowing Gas

522 views • 28 slides
Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen,

Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen,

Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen, 21-Sept-2016 Outline Introduction: acoustic neutrino detection The first generation of acoustic neutrino test setups Lessons learned

686 views • 37 slides
The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L.

The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L.

The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L. Chahine D YNAFLOW , I NC . Jessup, MD www.dynaflow-inc.com Email: glchahine@dynaflow-inc.com www.dynaflow-inc.com Background Background Bubbles

238 views • 21 slides
Just a little of that human touch Daniel Genkin Itamar Pipman Technion and Tel Aviv University

Just a little of that human touch Daniel Genkin Itamar Pipman Technion and Tel Aviv University

Just a little of that human touch Daniel Genkin Itamar Pipman Technion and Tel Aviv University Tel Aviv University Eran Tromer Tel Aviv University Laboratory for Experimental Information Security CRYPTO 2014 rump session 19 August 2014 1

466 views • 8 slides
Paper downloading method: All papers exclude S&amp;P 2018 can be found by Google Scholar. For

Paper downloading method: All papers exclude S&amp;P 2018 can be found by Google Scholar. For

Paper downloading method: All papers exclude S&amp;P 2018 can be found by Google Scholar. For those papers accepted by S&amp;P 2018, you can download them from this website: https://www.computer.org/csdl/proceedings/sp/2018/4353/00/index.html

321 views • 4 slides
A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE

A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE

A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE A STRUCTURED L IFE by Kirk Gittings Note: Kirk Gittings has been photographing the prehistor- coast, but m aking a real living as an art photographer ic,

1.16k views • 8 slides
Persistent Security for RFID Mike Burmester and Breno de Medeiros Computer Science Department

Persistent Security for RFID Mike Burmester and Breno de Medeiros Computer Science Department

Persistent Security for RFID Mike Burmester and Breno de Medeiros Computer Science Department Florida State University Tallahassee, FL 32306 { burmeste,breno } cs.fsu.edu Abstract. Low-cost RFID tags are being deployed to support smart

513 views • 12 slides
Low-weight correlation-immune Boolean functions for counter-measures to side channel attacks

Low-weight correlation-immune Boolean functions for counter-measures to side channel attacks

Low-weight correlation-immune Boolean functions for counter-measures to side channel attacks Claude Carlet LAGA, Universities of Paris 8 and Paris 13, CNRS, France and University of Bergen, Norway Work in common with Xi Chen Outline

498 views • 45 slides
Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high

Side-Channel Analysis (SCA) A comparative approach on smart cards, embedded systems, and high security solutions Rohde &amp; Schwarz SIT GmbH Stuttgart/Germany Dr. Torsten Schtze Workshop on Applied Cryptography Lightweight

595 views • 15 slides
Learn with Enfocus How to Handle Fonts in PitStop 10 November 22, 2011 Bert van Rooijen,

Learn with Enfocus How to Handle Fonts in PitStop 10 November 22, 2011 Bert van Rooijen,

Learn with Enfocus How to Handle Fonts in PitStop 10 November 22, 2011 Bert van Rooijen, Solution Architect EnfocusSW @EnfocusSW Enfocus, an EskoArtwork Company Session topics Technical details A closer look at the features

643 views • 18 slides
1. For others that inspire 2 We give thanks to God always for all of you, constantly mentioning you

1. For others that inspire 2 We give thanks to God always for all of you, constantly mentioning you

1. For others that inspire 2 We give thanks to God always for all of you, constantly mentioning you in our prayers, 3 remembering before our God and Father your work of faith and labor of love and steadfastness of hope in our Lord Jesus Christ. 1

488 views • 11 slides

More recommend