The researchers from the Israeli Institute of Technology published their findings in the June journal of the Association for Computing Machinery. They noted that the physical method of cracking a cryptographic algorithm, commonly known as a “side-channel attack,” works even against even sophisticated 4,096-bit encryption keys.
Stay abreast of the latest developments from nation’s capital and beyond with curated News Alerts from the Washington Examiner news desk and delivered to your inbox.
The only downside for a hacker is the need to work in the proximity of the target. “We experimentally demonstrated this attack from as far as 10 meters away using a parabolic microphone,” researchers said, “or from 30 cm. away through a plain mobile phone placed next to the computer.”
The authors note that the method threatens to upend traditional notions about security.
“For attackers, ramming the gates of cryptography is not the only option,” the authors write. “They can instead undermine the fortification by violating basic assumptions made by the cryptographic software. One such assumption is software can control its outputs. Our programming courses explain that programs produce their outputs through designated interfaces. So, to keep a secret, the software just needs to never output it or anything that may reveal it.
“Yet programs’ control over their own outputs is a convenient fiction, for a deeper reason. The hardware running the program is a physical object and, as such, interacts with its environment in complex ways,” they add. “Extraction of secret cryptographic keys from PCs using physical side channels is feasible, despite their complexity and execution speed.”
The challenges involved with using physical clues to bypass encryption are generally insurmountable to the average hacker, according to Mark Nunnikhoven, a vice president for cloud research at cybersecurity firm TrendMicro.
“Even though these types of attacks are well known, they are still difficult to pull off,” said Nunnikhoven, who was not involved with the study. “Usually only nation-state actors have sufficient resources and motivation to attempt them. These types of attacks are typically only used on very specific targets because they require a lot of planning and deep technical knowledge.”
“The complexity of the attacks means that they do not scale well. This keeps cybercriminals and ‘regular’ hackers from using them since they are simply not worth the investment for these attackers,” he added. “Thankfully, most users can safely ignore the threat. For government agencies, the threat is real but well understood.”
The paper’s authors said that other physical emissions capable of exposing an encryption key include light, electrical currents and electromagnetic fields. A safeguard to ward off these attacks, they suggest, could include the creation of sound-absorbent enclosures for hardware, or software that will make more random noises through the use of “dummy values.”
“Such countermeasures require careful design and adaptation for every cryptographic scheme and leakage channel,” they said. “They often involve significant cost in performance. There are emerging generic protection methods at the algorithmic level, [but] their overhead is currently so great as to render them impractical.”
END
Be the first to comment