PITA Side-Channel Attack Steals GPG Key from Laptops

Researchers at Tel Aviv University have developed a compact, untethered tool capable of extracting GnuPG crypto keys (RSA and ElGamal) from laptops.

It’s unlikely that anyone envisioned the evolution of cryptographic key thievery to include leavened flatbread, but that’s where we’ve arrived.

Researchers from Tel Aviv University in Israel are expected in September to present a paper at the Workshop on Cryptographic Hardware and Embedded Systems on the latest side-channel attack exposing crypto keys. The scientists—Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer—have developed an inexpensive rig that they say steals GnuPG keys from a laptop at close proximity. The setup, which they’ve called the Portable Instrument for Trace Acquisition (PITA), does indeed fit inside pita bread. While that may not make for the most practical attack scenario, it is compact, operates untethered and can be hidden easily, they said.

The paper, “Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation,” explains how laptops secured by the RSA and ElGamal encryption algorithms are vulnerable, including machines that decrypt using sliding-window and fixed-window exponentiation (the latter is supposed to be immune to side-channel attacks). The researchers’ attack was able to steal keys from laptops running open source GnuPG within seconds, they said.

“The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software,” the researchers wrote. “These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.”

The researchers were able to snag keys using three different setups, they said. The first, they explained, involves the use of a software-defined radio receiver that records signals emanating from a shielded loop antenna to extract RSA and ElGamal keys. The second is a variation on the first, except that it uses the PITA setup, which can connect wirelessly to a monitor and provide a real-time stream of the signals. It can also work in a different mode where it measures the electromagnetic field around a carrier frequency and records the signals to a microSD card.

The third variation on the attack uses a consumer-grade radio receiver to locate the signal—approximately the same as those operating on the AM band—and records it with the microphone on an HTC EVO smartphone.

Overall, the researchers said they were able to differentiate between different CPU operations and home in on the crypto keys by measuring signals from the laptop as it decrypts their ciphertext.

“Different CPU operations have different power requirements. As different computations are performed during the decryption process, different electrical loads are placed on the voltage regulator that provides the processor with power,” the researchers said. “The regulator reacts to these varying loads, inadvertently producing electromagnetic radiation that propagates away from the laptop and can be picked up by a nearby observer. This radiation contains information regarding the CPU operations used in the decryption, which we use in our attack.”

As for building PITA for the respective attacks, the researchers said they used a number of commonly available components, including a FUNcube Dongle Pro+ receiver, and controlled the SDR with the Rikomagic MK802 IV embedded computer, an Android TV dongle.

The researchers disclosed their attack, along with countermeasures, to GnuPG’s maintainers. A fix was released in GnuPG 1.4.19 and Libgcrypt 1.6.3, both of which are immune to these attacks, the researchers said. Other crypto implementations may be vulnerable, however.

“This is an open research question. Our attack requires careful cryptographic analysis of the implementation, which so far has been conducted only for the GnuPG 1.x implementation of RSA and ElGamal,” they said. “Implementations using ciphertext blinding (a common side-channel countermeasure) appear less vulnerable.”
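The ciphertext blinding mentioned in the quote above, sketched as an added example (not code from GnuPG or from the researchers' paper). The toy key, the function names and the `seen` list that records each exponentiation base are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy RSA key (Mersenne primes 2^61-1 and 2^89-1); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def decrypt_unblinded(c, seen):
    """Textbook decryption: the sender-chosen ciphertext is the exponentiation base."""
    seen.append(c % N)                    # value the private-key exponentiation works on
    return pow(c, D, N)


def decrypt_blinded(c, seen):
    """Ciphertext blinding: exponentiate c * r^e for a fresh random r, then unblind."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:           # r must be invertible mod n
            break
    blinded = (c * pow(r, E, N)) % N      # base is no longer chosen by the sender
    seen.append(blinded)
    m_blinded = pow(blinded, D, N)        # equals m * r mod n
    return (m_blinded * pow(r, -1, N)) % N  # strip the blinding factor


def demo():
    """Decrypt the same ciphertext three times each way and return the bases used."""
    message = 0x1234567890ABCDEF          # constructed sample plaintext
    c = pow(message, E, N)
    plain_bases, blind_bases = [], []
    for _ in range(3):
        if decrypt_unblinded(c, plain_bases) != message:
            raise ValueError("unblinded decryption failed")
        if decrypt_blinded(c, blind_bases) != message:
            raise ValueError("blinded decryption failed")
    return c, plain_bases, blind_bases


if __name__ == "__main__":
    c, plain, blind = demo()
    print("unblinded bases identical to ciphertext:", all(b == c for b in plain))
    print("distinct blinded bases:", len(set(blind)))
```

Both paths return the same plaintext, but only the unblinded one exponentiates the exact value the sender supplied. Python's `pow` is not constant-time, so this shows the arithmetic of blinding only, not a hardened implementation.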

Image courtesy Tel Aviv University
