Acoustic cryptanalysis: using a stethoscope to decode an encrypted message

I decided to publish an old post from 2006. Better late than never.

Recently (I don’t remember how) I came across a 2004 article [1] by Adi Shamir (one of the inventors of the RSA algorithm) and Eran Tromer about an original attack on encrypted messages based on the study of the sound produced by the CPU.
When I was a student, I had several courses on cryptography. I was amazed by the kind of underlying information in a message that could be used against it: after being encrypted n times by a function, some information (e.g. entropy) still remained and could be used to attack it. But such an approach was the “traditional way” to attack, i.e. the use of theoretical weaknesses in the encryption algorithm.

But what Adi Shamir did is called a side-channel attack. As Wikipedia explains, a side-channel attack (SCA) [2] is “any attack based on information gained from the physical implementation of a cryptosystem”. In this case the attack focuses not directly on the code but on physical effects (called “information emanations”) caused by the operation of a cryptosystem (on the side) that can provide useful extra information.

If you are attentive, you will certainly note that a CPU of several GHz should not make audible noise (human perception is around 20 Hz to 20 kHz). So where does this noise come from? It comes from the flow of electricity in the CPU that loses heat, producing continuous heating and cooling effects and leading to mechanical stress. Such mechanical stress seems to be the main source of noise (about 10 kHz) from CPUs. In the article Adi Shamir demonstrated that some basic CPU operations could be recognized only by listening to the CPU and be used in further attacks.
On top of that he also studied thermal imaging attacks and concluded that if the surface of the CPU chip can be observed, infrared images can also provide information about the code being executed on the CPU.
Maybe such an approach is not directly operational and really useful, but I found it original enough and that’s the point.

References
