A trio of scientists have verified that results they first presented nearly 10 years ago are in fact valid, proving that they can extract a 4096-bit RSA key from a laptop using an acoustic side-channel attack that enables them to record the noise coming from the laptop during decryption, using a smartphone placed nearby. The attack, laid out in a new paper, can be used to reveal a large RSA key in less than an hour.
In one of the cleverer bits of research seen in recent years, three scientists from Israel improved on some preliminary results they presented in 2004 that revealed the different sound patterns that different RSA keys generate. Back then, they couldn’t figure out a method for extracting the keys from a machine, but that has now changed. The research, which involves Adi Shamir, one of the inventors of the RSA algorithm and a professor at Weizmann Institute of Science, and two other academic researchers from Tel Aviv University, lays out a method through which an attacker can use a smartphone placed near a laptop to record the sounds generated by the machine during a decryption process using the GnuPG software.
“In this paper we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG’s current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away,” the researchers said in the paper, “RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis”, published Wednesday.
The attack relies on a number of factors, including proximity to the machine performing the decryption operation and being able to develop chosen ciphertexts that incite certain observable numerical cancellations in the GnuPG algorithm. Over several thousand repetitions of the algorithm’s operation, the researchers discovered that there was sound leakage they could record over the course of fractions of a second and interpret, resulting in the discovery of the RSA key in use.
“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption. We devise and demonstrate a key extraction attack that can reveal 4096-bit RSA secret keys when used by GnuPG running on a laptop computer, within an hour, by analyzing the sound generated by the computer during decryption of chosen ciphertexts. We demonstrate the attack on various targets and by various methods, including the internal microphone of a plain mobile phone placed next to the computer, and using a sensitive microphone from a distance of 4 meters,” the paper says.
To test their attack, the researchers performed it against GnuPG using OpenPGP messages containing their chosen ciphertext. OpenPGP will, in some cases, automatically decrypt incoming email messages.
“In this case, an attacker can e-mail suitably-crafted messages to the victims, wait until they reach the target computer, and observe the acoustic signature of their decryption, thereby closing the adaptive attack loop,” the researchers said.
Their attack works against a number of laptop models and they said that there are a number of ways that they could implement it, including through a malicious smartphone app running on a device near a target machine. They could also implement it through software on a compromised mobile device or through the kind of eavesdropping bugs used by intelligence agencies and private investigators.
The developers of GnuPG have developed a patch for the vulnerability that the Israeli researchers used, implementing a technique known as blinding. The patch is included in version 1.4.16 of GnuPG. Shamir and his co-authors, Daniel Genkin and Eran Tromer, said that they could also perform their attack from a greater distance using a parabolic microphone, and that it may also work with a laser microphone or vibrometer.
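The blinding countermeasure mentioned above, sketched as an added example: this is textbook RSA base blinding with a constructed toy key, not GnuPG's code, and the function names are hypothetical. It shows that the private-key operation no longer runs on the value the sender chose, while the decrypted result stays the same.

```python
import math
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def decrypt_plain(c):
    """Unblinded: the secret exponentiation runs directly on the sender's value.

    Returns (plaintext, value_fed_to_private_key_operation).
    """
    return pow(c, D, N), c


def decrypt_blinded(c):
    """Blinded: exponentiate c * r^e mod n for a fresh random r, then strip r.

    Returns (plaintext, value_fed_to_private_key_operation).
    """
    while True:
        r = secrets.randbelow(N - 2) + 2        # 2 <= r < N
        if math.gcd(r, N) == 1:                 # r must be invertible mod n
            break
    blinded = (c * pow(r, E, N)) % N            # what the secret exponentiation sees
    m_times_r = pow(blinded, D, N)              # (c * r^e)^d = m * r  (mod n)
    m = (m_times_r * pow(r, -1, N)) % N         # remove the blinding factor
    return m, blinded


if __name__ == "__main__":
    message = 123456789                         # constructed sample plaintext
    chosen_c = pow(message, E, N)               # stands in for a sender-chosen ciphertext
    print("plain   :", decrypt_plain(chosen_c))
    print("blinded :", decrypt_blinded(chosen_c))
    print("blinded :", decrypt_blinded(chosen_c))   # different internal value each run
```

Because the value exponentiated with the secret key is randomized on every call, a sender can no longer steer the intermediate numbers that the decryption works on, which is what the chosen-ciphertext step of the attack depends on.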