So, RSA's been around for a long time, we'll talk about history. Maybe last week, December 18, this paper was published or released and there were many news articles about it, and you see the title of the paper, "RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis". So the acoustic part, it's using some sounds, and it's attacking RSA, a public key cipher. So what we want to do is just talk a little bit about RSA, how it works, and then see how this attack works. And released last week, actually the guys who did it, they've done similar attacks maybe ten years ago. So it's not new, they've just only recently been able to make the attack practical. So they've done acoustic analysis, many people have done acoustic analysis, they've just made it practical at this stage. And the slides I have, I just quickly extracted from the paper a number of pictures and comments. So everything's from the authors of the paper. If there's mistakes, they're my mistakes. We'll come back to the authors in a moment. So you may have seen tech news that mentions that a new attack steals email decryption using the sound. Okay, so many news articles last week and over the weekend saying that RSA may be broken. Let's see how broken it is.
So some of you have done computer science and you do CSS 322, so you know a little bit about RSA. Some haven't seen the algorithm. You don't need to understand RSA in detail to understand some key parts of the attack, but let's just look at it. Three parts in RSA, the algorithm: you generate keys, and it's a public key cipher. So you have a pair of keys, a public key and a private key. So I think every user has a pair of keys and you usually encrypt with one key pair, one key from the pair, and decrypt using the other, and you only successfully decrypt using the other. That's the concept with public key ciphers. For it to work, you need to generate the keys correctly. You can't just choose random keys.
So there's a step of key generation in RSA and we don't care too much about it. We just need to accept the fact that it works. The steps are: you choose two large prime numbers, P and Q, large, let's say 2,000 bits. So the example we'll use is 2,048 bits in length. That's a large number. Two prime numbers, multiply them together. You get some larger number which is 4,096 bits in length, very large. Then select some other parameters, this E which is related to N, and calculate some D, and your public key becomes this N and E and the private key N and D. So really the private value that you must keep secret is D. E and N you can tell anyone. So I generate my values. I've got my E, D, N as well as P and Q. I tell you all my values of E and N. I keep D secret and I also must keep P and Q secret. We'll see that they are important as well. We generate keys.
Encryption is mathematically or conceptually easy. Your messages are integers. So you have a file. You need to somehow map that to a number. So you convert it to binary, treat it as an integer. Your message M, you raise to the power of E, mod by N, and you get your ciphertext. To decrypt, you do the same operation but using D instead of E. So C to the power of D, mod N, equals the original plaintext. And some of you know that it works. That is, you can prove that if you do choose the keys this way, you'll always be able to decrypt. If you don't know that, then accept the fact that we need a private D, E and N and we encrypt like this. Now you have to ask questions as we go. I'm going to go through quite quickly. There's a lot to go through but stop as we go.
So as an example, the values of N are usually the thing thought of as the key length for RSA. How long is N? And there are different values supported. Typically nowadays 2048 bits is considered recommended. 4096 is more secure. 1024 is less secure. So think of it as a key length: the larger the value, the more secure against attacks.
So let's say as an example, we use the more secure one, 4096 bits. Then to generate keys, you choose two primes, 2048 bits each in length. Multiply them together and you get a 4096 bit value. E is usually fixed. Everyone uses the same E value. In decimal it says 65,537, 16 bits. It's very small, E. D is calculated based on E and the other values and it's usually about the same length as N. So D, the secret value, is very long. It's 4000 bits, 4096 bits. It's about the same length as N. We'll care about the lengths when we look at the attack. And it's considered secure. The algorithm, the mathematics are considered secure. But breaking it requires solving some problems which are considered too hard to solve with large enough values.
Now there's a problem though. If you take your ciphertext, some value which is quite long, it has to be less than N. So it may be up to 4096 bits in length. And you raise it to the power of D which is also 4000 bits. Take a large number, a very, very large number. Raise it to the power of another very, very large number and what do you get? Extremely large number. You cannot imagine how large. You mod by N. The problem is that implementations that do this, one large number raised to the power of another large number, are very slow. It works, but to implement RSA, people don't do that. They try and optimise the performance by doing some different operations. So this is the concept. But because this can be slow to calculate, the implementations of RSA are slightly different. There's some algorithm to implement it such that you don't have to take this C to the power of D. What you do is you do it in two steps with smaller values, okay? Doing a large number to the power of a large number is slow. So what the implementations do is they raise a smaller value to the power of a smaller value, which is faster. And they do it twice with some different values. Now this slide tries to show how that's done.
We don't care too much about the theory and why it works. But basically they split, so modular exponentiation is this step. Exponentiation is raise to the power, mod N, we call it modular exponentiation. This is slow when we use large numbers. So we split it into two steps, into two modular exponentiations. Instead of doing one large one, we do two small ones. And it still gets the same answer. And the way that they do it, the implementations calculate some intermediate values, this dp and dq. It's a variation of our original d, but it's modded by p-1 and q-1. And some other steps in here. And the important point is that to encrypt, instead of doing c to the power of d, they first do c to the power of this dp and mod by p. And then another modular exponentiation, c to the power of dq mod by q. So we do two modular exponentiations, but using much smaller numbers, half the size in fact, half the length in bits. And it turns out that you get the same results, but it speeds up by a factor of four. So using this approach, maybe it takes one second to encrypt, or decrypt. Using this approach, it takes a quarter of a second, so that's much better. And that's what implementations do. They do two smaller modular exponentiations. We don't care about how they do that at the moment, it's not going to be relevant. But note that we do two exponentiations and we refer to them later as mod p and mod q. We usually do them in order, mod p and then do mod q. So that's what RSA implementations do. Nothing wrong yet.
History of RSA, where does it come from? Three guys, the name, Rivest, Shamir and Adleman, that's the RSA. 1978, they developed the algorithm. They formed a company a few years later called RSA Security. I don't think they're much involved with the company anymore, they've gone onto their own things, they're probably getting money from it.
This company sells authentication tokens, I think some of you have a token, I know Uri has a token for generating keys, and they sell a library of cryptographic operations. You're all, some of you, experts in OpenSSL. That's an open source library. BSAFE is the one that RSA, the company, sells. So it's just a library that implements different operations. So that's the company. People from the company actually formed what became VeriSign and create digital certificates, because RSA is connected to digital certificates. It was acquired by a larger company a few years ago. Another topic, there's some problems that people think that there are some backdoors, some holes in the algorithms that they use, may be paid for by NSA, but that's not this topic.
Now let's go to the attack, first generally, and explain that this is a side channel attack. A normal attack, we think in a very simple form: you encrypt plaintext using, say, a public key. You send the ciphertext, your friend decrypts using their private key. That's the normal operation. An attacker intercepts the ciphertext, so they know your public key, it's public, they know the algorithm, E and N; their aim is to find M and, more importantly, find the private key. That's a normal attack. The attacker can intercept the ciphertext and we assume they know that. With RSA, we can do what's called a chosen plaintext or a chosen ciphertext attack, where the attacker, the red one here, they choose some plaintext and they can encrypt it with the public key of the destination, because they have it, and send ciphertext chosen, or the plaintext chosen, to try and support their attack, and in that case their aim is to find the private key. They know the message, there's no need to find that, they need to find the private key. So that's a different type of attack where the attacker chooses the plaintext. Another one is the attacker forgets about the plaintext, they just create a ciphertext.
They don't encrypt anything but create a ciphertext and send it to the recipient, who will try and decrypt, and that's a chosen ciphertext attack. They can choose the value of the ciphertext however they want. Why? Because they use that in this attack, they can create the structure of the ciphertext such that it will lead to some flaws in how the algorithm operates. So we'll see that this is a chosen ciphertext attack. We don't encrypt anything as the attacker, we just choose a value that will help us in the attack and send it. The recipient decrypts it, it won't successfully decrypt but that doesn't matter, they've still done the decryption using their private key, and the next step is the side channel attack.
The attacker sends some ciphertext; while the normal user is decrypting, the attacker measures what their computer is doing, that's what we call a side channel. They're not just observing what happens across the network, they're also observing what's happening at the computer that decrypts, and in this attack we'll cover, they listen to the sound of the computer as it's decrypting. So this is the side channel: the attacker sends some ciphertext to you, the target, you decrypt that ciphertext using your private key, the attacker listens to your computer as you decrypt, and from listening to the computer, if the ciphertext was structured correctly, they can start to make observations about what your private key is, and that's the basics of the attack. So you choose a ciphertext, send it to someone, listen to their computer as the CPU is working, and using some smarts of this attack start to guess or work out the private key.
Questions? Anyone hungry? Keep eating? Yeah. That's the easy part so far, so yeah, ask some questions while you're on the break. Then the side channel is listening to the computer, the CPU. Yes, you're right, if the owner of the private key does not decrypt what they receive then we cannot attack.
But someone, and we'll see later, that someone sends you an email that's encrypted, so you want to check what the email is, so you decrypt it. Now it doesn't matter whether it's successful decryption or not, it's still doing the decryption. So in fact two parts here: choose a ciphertext, and we'll see how they choose that, and measure what the computer is doing, listen to what the computer is doing. So they combine the sound, the acoustics, with the chosen ciphertext and they get the right combination such that they wanted to discover the private key.
Note the authors, and I don't know much about cryptography, I teach it but I don't do any research in the area, but note the second author, Shamir, he's the S in RSA. So it's not by unknowns, it's by people who know the algorithm, one of them built, designed the algorithm. So in cryptography a lot of people, they design an algorithm and then go and find attacks against that to try and show that it's strong, and so this is hopefully quite a successful attack. Let's see, you can find the paper, everything I've got here is just grabbed from the paper. And it's about 60 pages, it's not really a paper, it's like a report, and it's quite easy to read. I mean it's one of the easiest papers I've ever read, it's well explained, and even I think most of you will be able to read that, at least the introductory parts, quite easily.
So what's the attack? So I'm the attacker, I need to send a specially created ciphertext to the target. You're the target, your computer. I create a ciphertext, I need to create it specially, we'll see how. I send it to you, and while you're decrypting it, you receive a ciphertext, your computer starts to decrypt it using your private key, I record the audio generated by your computer while you're decrypting it. So we're going to see how that's done. I record the audio, that is, I record the sounds from your computer.
Of course, to record the sounds of your computer I need some recording equipment nearby. I can't do it across the internet, well, maybe. I need something nearby, but I may be remote. What's this, different values of Q? Q, all right, remember P and Q are the two primes that we choose at the start. Turns out if we can find the value of one of those primes, go back quickly, if we can find Q, we know N as the attacker. If I can find Q then I can calculate P, because P is just N divided by Q, that's easy. So if I know Q I can find P. If I know the two primes it's very easy to calculate D. So if you find Q you've broken and found their private key. So in fact this attack will focus on finding the value of Q. Sorry, yes, P or Q, correct, I mean the two primes. Yes, so if you find one of them you can find D.
Okay, and the attack: once we record some sounds, it turns out that different values of Q will require different operations by the CPU, and when your CPU does different things it produces different sounds. So as the attacker, by recording the sounds of your computer I can identify those different sounds, and that will allow me to determine bits of Q. Okay, and we actually do it one bit at a time. Q is, say, 2048 bits long. I listen to the sounds of the computer and it can help me determine what one of the bits of Q was. Then I just repeat: I send you another ciphertext, listen to your computer while you decrypt, and I get the next bit of Q. And I just keep sending you ciphertexts, you keep decrypting them with your private key, including Q, and eventually I'll learn all your bits of Q and then I can find your private key D. So that's the basics. Then I can calculate P and D. Yep, in fact, yeah, so we do not send the same ciphertext over and over. We send ciphertexts but different ones, they'll be structured, we'll see how we can make that practical. Come in, whoever's there. So we'll come back to your question then. If I can find Q we can easily calculate P and D and we're done as the
attacker was successful, and then we profit, because many systems use RSA; if we can break it then we can do what we like as the attacker. Sounds easy. How do we do it? Go through the steps.
How do we send a specially crafted ciphertext to a target? The authors of the paper give some examples of how to do that in practice. Let's say you, as the target, you run an email client that decrypts emails that your friends send you. Okay, so you want to keep your emails secure, you don't send them in plaintext, you send them encrypted, so your client, when it receives emails, it decrypts them for you, and it automatically does it because it's more convenient for the user if your email is received and automatically decrypted for you. So what the attacker does is they create some chosen ciphertext values and email them to the target, they send them as emails. The emails are received by the target, the software, the email client, automatically decrypts, and the attacker can repeatedly do that, maybe making them look like spam. So why would someone send you thousands of emails? Come in, come in. Why would someone send you thousands of emails? Well, they probably don't over a short period, but maybe your email client classifies them as spam and just puts them into the trash automatically. So what the attacker does is they create emails that contain the ciphertext, it looks like spam, so when your email client receives those, classifies them as spam, it decrypts them to check that they are spam and then puts them in trash, but it's still got your computer to decrypt those emails, to decrypt those ciphertexts. So there are practical ways, and the authors give some other ways to make someone decrypt many ciphertexts. Okay, emails, one way. So what you need as the attacker is to make the target decrypt many ciphertexts that they receive, and it's possible. So let's say we can do that. The next thing, if we can send emails to the target and get them to decrypt them, the next thing we need to be
able to do is record the audio, or record the sound of their computer. How do we do that? We will look at that in depth, how they go about recording the sound, so we'll come back to that one. If we can record the sound, all right, this was step one in fact, just keep sending emails to them with the chosen ciphertext until you get the bits of q. Calculate p and d, easy, okay, takes the computer less than a second to do that. Once you have q you're done as an attacker. So send many emails with your chosen ciphertext to the target, they decrypt them, while they're decrypting them you record the sound that their computer is making. And how does that help? That's what we're going to spend the time looking at.
Listening to a computer. What's my computer, can anyone hear it? You can hear the air. What if we turned off the air conditioning, could you hear my computer? Well, maybe you hear the fan, you hear some things. If you sit near your computer you'll hear, what do you hear? Hard drive, the fan, yeah, they're the main things. Music? We'll look at how music can stop this attack. It doesn't, okay. So we can hear some things, but let's say we have better ears, like we have a microphone that is very sensitive. What can that hear? Well, turns out that, I think you would know that, CPUs, they change their power consumption when they do different operations. Often CPUs are idle, they do nothing, and they don't consume much power when they're idle, and then they need to do a calculation and they consume more power. Okay, so that's the normal mode of CPUs. The circuitry that provides the power from the power supply to the CPU, as the CPU is drawing more power, that circuitry effectively vibrates. Okay, so the power supply unit provides power to the CPU; as the CPU does more operations there's some vibrations in the electrical components that supply the power. Have I gone ahead? Yeah, that's here. So CPUs change the power, it depends upon the operations they do; if a CPU is multiplying versus adding it consumes
a different amount of power, and changing the power to the CPU leads to vibrations of the components in the power supply circuitry. Okay, so something vibrates, and you know when things vibrate they make a sound, a very faint sound, nothing I can hear, but in fact you can hear sometimes. So when things vibrate they make some sound, acoustic emanations, they emanate some acoustic noise.
So how do we do that, how do we take advantage of that? Given that, if you believe that, and it's true, they show why that's true, as an attacker, if we can listen to the sound with a microphone, and if we can distinguish what operations are being performed while decrypting, so if we know what operations the CPU is doing while it's decrypting, and if those operations depend upon a specific private key, that means if we use one private key, one d, and it leads to some operations and some sound, and then use a different private key and it leads to different operations and a different sound, then the attacker can start to learn the private key, because if we know the sound we can work backwards and know that these operations led to this sound, what led to these operations, or this type of key. So if we can distinguish, and if we can listen to the sound, we can get our key, and that's the attack. But there are a lot of ifs here.
How do we do that, how do we listen to the sound of your computer? You can hear the hard disk and the fan, can you hear the CPU? And the paper gives some setup of a real experiment where they do listen to the sound of the computer. They have some microphones, some good quality microphones but nothing too expensive, that pick up different frequencies. So they have some that pick up about 20 kilohertz up to 100 kilohertz with different sensitivities, so different qualities, and with those microphones nearby the computer, a laptop they test it with, they can distinguish the sound of the CPU activity. Okay, not the fan, not the hard disk, but they can distinguish different things that the CPU is doing, because the
CPU activity leads to vibrations and sounds, sounds at different frequencies than the hard disk activity. So you think the hard disk makes sounds at one range of frequencies, the fan makes sounds at a different range of frequencies, the CPU makes sounds at a different range of frequencies again, so you can distinguish what the CPU is doing separate from the fan and the hard disk and separate from MP3s, music. Okay, so if someone's playing music they can distinguish, yes. And one of the preventions of this attack is to create noise that is at the same frequency as the operations from the CPU, so you need a very special purpose noise generator, and music is not, that's the problem with music. We'll see the frequencies in some examples. So first you need some microphones, I'll show you some pictures of what they set up, okay, we'll get to that in the next few slides. How far away is the microphone? All right, we'll soon... All right, if we can record the sound nearby, still that doesn't help. We need to be able to distinguish what the CPU is doing, we need to know that this sound corresponds to these operations and this other sound corresponds to different operations. It turns out they can do that as well. They've done analysis and they see that different CPU operations, especially in their decryption, produce different sounds, and they looked at the spectrogram, which is the frequencies of the signal, the frequency components over time, we'll see some plots.
Once they do that, what they do is they create ciphertexts that trigger the different operations. Okay, so send a ciphertext that causes the decryptor to do one particular set of operations, record the sound; because you record the sound you know what operations were performed, and it turns out that you can make the operations dependent upon the key, upon the value of d. So the attacker sends a ciphertext, the CPU does some operations based upon that ciphertext, and those operations reveal some information about the key, and by recording the sound
we can learn that information about the key. Send another ciphertext to reveal other information about the key. We'll see some details, but we'll see how far we get with time.
How to record the sound. Here's a picture of one test. They have three different setups: an expensive one, a cheap one, or an expensive one, a not so expensive one and an easy one. The expensive one is a fixed one where they have a good antenna, a parabolic dish you can just see here, not too big. They have a microphone and some equipment to convert it to digital. Here's the target laptop, in this case it's about four meters away, so it works at about four meters in this case, no further. So if the target's there and you're four meters away with a clear view with this dish, it works. Then they have a portable one where they have a smaller antenna, no dish, portable in that they think you can carry it in a suitcase, the laptop, all this put in a suitcase, maybe have the antenna or the microphone pointing out, and not as obvious as having a dish sitting around within four meters. Okay, you can put the suitcase down and still record, so they do it and it works. In this case, the target computers, they all use laptops, and they use several different laptops, and some are better than others for doing the attack. This one worked at a distance of one meter, okay, so you need the suitcase one meter from the target laptop. And then mobile phone, they use a Galaxy Note II, 30 centimeters away from the target computer, and they do some measurements as to where to put it. Near the fan outlet, you know most laptops have a space for the fan, the hot air, to go out, put it near there, turns out to be good, and some other locations are better than others. So 30 centimeters with a mobile phone. Mobile phones have terrible microphones compared to the other equipment, still it works. Okay, so you leave your phone near the target computer and it automatically does the attack, or maybe you hack their phone, install some software on there so it will do the attack for you.
So that's the setup. So they can record the sound, but can they distinguish the sound? Here's a spectrogram that they produce. What does it show? Some of you will know that we can think of a signal in the time domain, you see a plot and you see the things going up and down over time, the time axis. We can convert it to the frequency domain, where we see the peaks indicating the main frequency components. This combines them, and here we have frequency from zero up to 300 kilohertz, and here, what they do, think of a line here: when the dot is green it means we have a peak in the frequency magnitude, so at the frequency of whatever it is here, whatever it is, 20 kilohertz, there's a strong signal at this point. And then time increases as we go down, so across about four seconds they do a measurement and they see the peak in this case is always about the same. But note at this frequency, it's hard to see, but at this frequency the signal is strong for this period, but then during this period the signal is weak, it's not as green. The green is the signal magnitude, so there's something changing here, and then it's strong again but maybe not as strong. So the greenness means the strength of the signal; the variations in the greenness is what we want to detect.
And what they do in this experiment, they get their CPU to do different operations: a halt operation, two different multipliers, so think of the assembly operations on the CPU, two different multipliers, an add, access memory and a no-op, and you can distinguish the operations. It may not look much different, but some are obvious: the halt, the sounds emanating from the CPU or the equipment leading to the CPU are different from here. Okay, so you can see that the greens are different, and in fact they can determine that there is a difference there. So this is just showing that by listening to the sound of the CPU, this was using their good equipment, I think one or four meters, by listening to the sounds
you can identify what operations the computer is doing, what CPU operations.
All right, now come to our cipher. Remember RSA, we originally had c to the power of d mod n, but we split that into two steps, c to the power of d-something mod p and then c to the power of dq mod q. So we talk about the two modular exponentiations, one is mod p, one is mod q. So what your software does is it does the mod p first, decrypts, and then it does the mod q, sequentially. So they listen to the CPU when it's doing the decryption, and here the blue ones is doing the mod p and the red ones doing a mod q. There's a difference, look here, the magnitude is stronger at this point when they're doing the mod q than doing the mod p. So at this point they know whether the person is decrypting using mod p or mod q. It doesn't give us anything about the key yet, but the attacker knows what parts of the algorithm are being used at this point in time, that's all.
Questions so far? Yeah. So running other software, that is, you get the CPU to be doing other things at the same time, that's a potential way to prevent the attack. It doesn't work in most, well, at least in the cases that they tested it doesn't work, again because the operations that they tested you could still distinguish. Okay, so yes, they tested what if you get some extra load, some background task to try and hide here, and they tested it, and in some cases it even helps the attack because it shifts the spectrum in some cases. Yeah. Who's following so far? Any questions? How much time have we got? Who's leaving at one o'clock? Okay, leave whenever. Okay, we'll just go at whatever rate we can, trying to go fast but still no chance to cover it all.
So so far the attacker, by listening, can distinguish when you are doing the mod p and when you're doing the mod q, but still it doesn't tell us anything about the private key, not yet. This is just from a different laptop, a different target laptop with different frequencies. Again they can identify that, it's hard to
see, but the changes between mod p, mod q, so they can work out what step the algorithm's in. It's maybe a little bit more obvious. Well, yeah, you can see the differences, it looks like very small differences, but you can calculate that it is an abrupt change from an audio signal using one range of frequencies to an audio signal with a different range of frequencies. So if we know the differences we can detect the operations.
Yeah, question. Different results? So what they've done, so yes, different equipment, different hardware produces different sounds. Okay, so your attack would need to be targeted to a particular piece of hardware, but they've done tests with several different laptops, only laptops, and some are better than others for distinguishing the sounds, but most of them they could. So the attack's not going to work in general on every computer in the world, but if you want to attack someone's specific computer, you know that I'm presenting in this room every Tuesday at 1 p.m. and you know my laptop, you put some listening device maybe hidden in the cable here, you know I'm here, I always plug my laptop in, maybe I'm receiving emails, and then you as the attacker listen in. So it has to be targeted usually, okay, not general.
So the main challenge is, the things that the CPU is doing, do they depend upon the key, the private key? If they do, can we detect the different operations? So the goal from the attacker is find the private key. If with one private key we use one set of operations on the CPU and produce one set of sounds, and then use a different private key and produce a different set of operations and different sounds, then the attacker can use that to take the sounds and work back to get the key. Turns out yes, and this is the complicated part, everything so far is easy. The approach: you choose a ciphertext as the attacker such that the decryption will require different operations depending upon the key. Okay, so I choose a ciphertext to send
to you, and it's chosen in such a way that when you decrypt that ciphertext, the sounds your computer will make will differ depending on the key that you have, and in this case the target's key is in fact the value of q, we're trying to determine q. So we saw there was mod p, mod q; we focus on the mod q part, and there are reasons why mod q is easier to attack than mod p, but we don't care about that.
What it does is it looks at a single bit of q at a time. q is 2048 bits in length. The first bit is always one, because if it was zero then q is effectively one bit shorter, it would be 2040, what did I say, 47 bits. Okay, 2048. So q, the most significant bit is always one, so we know that as the attacker, the most significant bit is one. We send a ciphertext, we listen, and we try and find the next most significant bit, the next bit. If we determine it then we move on to the next bit and the next bit and so on, so we do it repeatedly. What the attacker does, they send a ciphertext, try and make the CPU make sounds that it can recognize. They want the decryption to sound different depending upon that bit of q. So if you think of that one bit of q, it's either zero or one. Okay, so if we target one bit, if it's zero we want the CPU to make some sounds, if q was one we want it to make different sounds. Then if we can measure the sounds we can determine what bit q was, was it zero or was it one. Let's say bit q zero produces a loud sound, q one produces a quiet sound from the CPU; then what I do is measure: if it's loud I assume it's bit zero as q, if it's quiet then I assume it's bit one. That's the concept there. So they choose a ciphertext such that different operations will be performed, and then try and determine whether that one bit of q is zero or one, and then once you've found that bit of q you send another ciphertext to find the next bit of q, using the same approach, and you repeatedly do it, and you keep going until you've found all 2048 bits of q. Okay, so you need to send 2048 ciphertexts
at least. Sometimes it may not work. There are actually attacks too: once you have half the bits of Q, you can actually find them other ways quite simply. Let's move on to the results. Okay, because I have a few slides I'm not going to go through now: how do they do that, how do they create a ciphertext that produces the value? We'll go through that later if people ask questions, but for those who have to leave, let's skip that and assume that they can magically do it. And where can we go? To their idea, and it works: they hope that if one particular bit of Q is some value, let's say one, if the 2045th bit of Q for example is one, then they hope the CPU has to do some set of operations, like loop through many times on some value, whereas if it was a bit zero, the CPU has to do a different set of operations, loop through but operating on a different value. If it does this, and it turns out it does, then what you do is, let's explain this. The decryption does a loop, 2048 multiplications, so each loop multiplies some value. If Q is bit one, then it may multiply a long value with the ciphertext; if it's a bit zero, it multiplies a short value with the ciphertext. Multiplying a large value with a smaller value takes different CPU effort. So their idea is that when you're doing a lot of operations, a large multiplication, the CPU makes one set of sounds, and when you're doing a different set of operations, and it's actually on a different value, it produces a different set of sounds. So what you do: if you can distinguish those sounds, you know, was it doing this or this? And if you know which one, then you know, was that bit zero or one? And now you've discovered the bit of Q. And how that works is the slides I just skipped, so we can come back if you have questions. And it does work. Okay, and these results show an example. The way to read it: this is the mod, this is decrypting, and they're looking at a single bit of Q. Remember Q is 2048 bits, but this is the results of decrypting using just a
single bit, focusing on a single bit. This is the mod P operation, and then mod Q, which we care about. If the bit was zero, the audio makes this sound; if it was one, it makes this sound. Can you see the difference? Where's the difference? Look here, the green parts. It's hard to see. If the bit was zero of Q, the mod Q operation, the main signal strength is at this frequency here, but when the bit is one it's at a different frequency. It's hard to see, but this greenish line here. So depending upon the bit, different sounds are made by the computer, and that's captured here. The green plot is when it was a bit zero: the peak frequency component is around 35 kilohertz. But when it was a bit one, the peak is around 38 kilohertz. So you have an audio signal where a peak, depending upon the bit, is at a different frequency. So what you do: you measure the sound. If the frequency is around 35 kilohertz, the peak, you assume it was a bit zero that was used in Q; if it was around 38 kilohertz, you assume it was a bit one. And then you do it again, but try and get the next bit, and the next bit, and so on. And we're done, because what we can do is just repeatedly do that and we get the bits of Q. Once we have the bits of Q, we can calculate P. Once we have P and Q, the two primes, we can calculate D easily, and once we have D, we have your private key. That's as fast as I can go, or as slow as I can go, through that. It's still fast. Questions, before we look at some of the practical things? Yep. So it's the way that the, so how do you know it's working on, say, bit two thousand and four, two thousand and forty-five? It's the way the ciphertext that you choose is structured. Basically the ciphertext, maybe there's a slide, is like this. The chosen ciphertext: let's say you know some of the bits of Q already. The first three bits, you know the values of Q, whatever it was, one one zero. What you do: the bit you're targeting, you set the ciphertext bit to be zero, and the rest all ones. You send that ciphertext to the
target, they decrypt, and this structure causes the decrypting code to take different paths in a loop. So there's an if statement, or there's an operation, that if the Q bit is zero, some operations are done by the decryptor; if it was one, a different set of operations are done. So how do you know which bit you're targeting? You create a ciphertext to focus on a particular bit, and then once you know the next bit, then you send a ciphertext that targets the 2044, learn that, 2043, and you keep doing it until you discover all bits. All right, we can go back to that later for those that are interested. Is it realistic? Well, the conditions that they experimented with: the target computer, it uses GnuPG, GNU Privacy Guard, for the software to decrypt. Okay, so that's a common open source implementation of RSA in there, different than OpenSSL. Okay, you've used OpenSSL; this is a different implementation. And they use a recent version, and it worked for older versions. And they used a plugin in Thunderbird, the email client, called Enigmail, that does automatic decryption of emails you receive. So the target person had to be using this plugin. You send them emails, and this plugin automatically decrypts those emails. And they did it for different laptops, a few specific ones, okay, to test. They expect it could be tailored to other hardware and other software. Okay, and they've done a few tests on some other algorithms; even there the attack works, but maybe just a little bit harder. So it's realistic. Some scenarios, they say: how do you get someone, how do you listen to someone on their computer? You install some app, and they wrote an app that works on Android, and you put it on your phone and you just leave your phone on your target's desk, near their computer. They don't notice it, and the phone has an app that does the attack and maybe sends you the results of the attack, their key. Or you somehow compromise their phone, and when they leave their phone on their desk
the phone automatically does the attack: it records the audio, does the attack and sends you the results. Or you compromise their computer: you somehow get to their laptop and install some device that can record the audio. You use bugs like in the movies, small devices you put near the computer. So you can get laptop locks, cables that lock your laptop, a Kensington lock, and if you can include some recording equipment inside that, so the user, the target, uses that. Or a presentation: you have a podium at a conference. You as the attacker install something in the podium that will record the audio when the presenter puts their laptop on there. Within a few centimeters, it records and does the attack. So some practical ways to get the audio. It's realistic. Prevent: shield, so that the noise doesn't come out of the laptop. Okay, then it's harder to hear. It works, but it makes the laptop harder to manufacture, you need special devices, and how do you shield the fan vent on your laptop? If you cover up your fan vent, you'll probably burn your laptop, that is, you'll cause problems. And in fact their attack can record the audio from the fan vent quite well. Background load, turns out, doesn't work, at least in the tests they use. That is, get the CPU to do other things at the same time. What does this show? It shifts the spectrum, but we still get a peak even if the CPU is doing other things. So we can still distinguish if there's a background load on the CPU. Yeah, if you're decrypting. But know that the frequencies change. Okay, that is, it's not always exactly here; it depends upon the hardware and what's happening. The point is the two different bits produce different peaks at different frequencies. So if you decrypted at the same time something else, maybe you'll get another peak here, okay, maybe at a different frequency. So now you need to guess just between two. So yes, it makes it a little bit harder, but you could trial and error those two. Listen to music. Again,
music has the wrong range of frequencies to overwrite the frequencies produced by the CPU, around 35 kilohertz, whereas music is less than 20 in most cases. You need a special device that generates noise at that particular frequency. That will work. Okay, that's a way to stop it, but you need a device. Then the way that's being incorporated, and it works, into the upgraded software is that before you decrypt the ciphertext, you do some operation that effectively, not random, randomizes that ciphertext. So someone sends you ciphertext, chosen ciphertext. If you decrypt it, it reveals things about your computer. When you receive that ciphertext, you actually do an operation on it and then decrypt that result, and once you get the result of the decryption, you do another inverse operation to get the real plaintext back. There are ways to do that, and that solves the problem; it defeats the attack effectively. So because the attack depends upon a chosen ciphertext being decrypted, if we cannot allow that chosen ciphertext, we can defeat the attack. And if you can implement this in software, you don't need special hardware to stop this attack, and that's the recommended approach. So you can defeat it, and that's it. Okay, on the website they have a nice set of pictures and some answers to some common questions, and they have the actual paper, which is not too bad to read, so you can have a look and ask any questions now if you want about the details. So it works, the attack's practical. So they gave real ways to do it, they showed that it worked, but like many timing attacks it's very specific. It's a side channel attack where we require some measurements of audio. I can't do it over the internet. It's not like I'm intercepting your traffic across the internet to do an attack; I need access to your computer to do it. So that's the limitation, and like many such attacks, there are relatively quick ways to defeat it. So RSA is still considered secure.
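The software fix described above (apply an operation to the received ciphertext, decrypt the result, then apply the inverse operation) is commonly known as ciphertext blinding. The following is an added example, not part of the lecture, the paper or GnuPG's code; the toy key built from two Mersenne primes, the function names and the `trace` parameter are assumptions for illustration.

```python
import math
import secrets

# Constructed toy key for illustration only: two known Mersenne primes.
# Real RSA keys use randomly generated primes of 1024 bits or more.
P = 2**89 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def crt_decrypt(c):
    """Plain RSA-CRT decryption: the mod P and mod Q exponentiations
    operate directly on whatever ciphertext the sender chose."""
    mp = pow(c % P, D % (P - 1), P)
    mq = pow(c % Q, D % (Q - 1), Q)
    h = (pow(Q, -1, P) * (mp - mq)) % P  # Garner recombination
    return mq + h * Q


def blinded_decrypt(c, trace=None):
    """Decrypt c after multiplying it by r^E for a fresh random r.

    The exponentiation then runs on a value the sender cannot predict,
    and multiplying by r^-1 afterwards recovers the real plaintext.
    `trace` (hypothetical, for the demonstration) records the value
    that was actually fed to the exponentiation.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:  # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N      # (c * r^E)^D = c^D * r  (mod N)
    if trace is not None:
        trace.append(blinded)
    return (crt_decrypt(blinded) * pow(r, -1, N)) % N


if __name__ == "__main__":
    message = 123456789                   # constructed sample plaintext
    c = pow(message, E, N)                # stands in for a sender-chosen ciphertext
    seen = []
    print(blinded_decrypt(c, seen) == crt_decrypt(c) == message)
    print("value exponentiated equals sender's ciphertext:", seen[0] == c)
```

The extra cost is one modular exponentiation by the small public exponent, one modular inverse and two multiplications per decryption, which is the "extra processing" the fix requires.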
But with specific implementations, specific targets, it may be possible, using this attack, to find their key if they haven't set it up correctly. Okay, so if you want to target a particular person, maybe you could still use this attack. If you want to target people in general, then it's not going to work. Enough. Questions? Very quick, but maybe even if you don't understand at all, it may motivate some of you to have a look into it and find out and understand some of the approaches that they use. Okay, that's the main point. Because of the process that you have to the pair of the data in the center. You mean a block cipher? You mean decrypting a large, a large plaintext? Yes, in theory, though you're still using the same key, the same D. Okay, and all right, when you say in parallel, only in several operations. So in theory, and they only did the attack on one particular set of hardware, but in theory it would still make noise when you decrypt, and as long as you can distinguish the set of operations being performed. Now it may be harder when you're using a different hardware, but in theory, as long as you can distinguish the sounds, and as recording equipment gets better and people get more knowledge of how to create the chosen ciphertext, it may get better. So in theory maybe it still could work on different hardware systems, GPU for example. Okay, let's, I'll be hanging around. Yeah, the fix. So what does the fix do? The fix, yeah, means that the decryptor will not decrypt the chosen ciphertext, and yes, that prevents the attack. It will not work, because you'll not get two different audio signatures depending upon the bit of Q. So yes, it does, but this operation requires extra processing. Okay, so yes, it defeats the attack. So yeah, maybe the attack will not be used in practice against new systems, but who's upgraded to the latest version of this? It's released a few days ago. Many people don't upgrade for a year, and so, I mean, in office environments, in companies, they have an upgrade policy to stick with
the same software, or they just don't know to upgrade. So yes, it defeats it, but still avenues for attack. The method of using time, to use the audio, is not theirs. It's been around for many years; people have known about it for a long time. It's really a matter of finding a practical way to implement it. So let's say they didn't release this attack, they didn't publish it, but I've known about it for a year. So they've been finding the keys of people for a year already. So yes, this specific attack can be stopped now, but imagine a government organization worked out this attack 10 years ago and they've been doing it for 10 years. So that's the significance of this, that maybe someone knows about this already. But yeah, that's with most attacks: people come up with an attack, then people come up with a smart way to defeat it. That's what a lot of cryptography research is. The interrupts' effect? I don't think so. I don't know. I didn't read anything about having different, maybe you can have different devices to cause the CPU to do different things, but I don't think so, because what it measures in terms of the audio, this is really a long loop, a loop with 2048 iterations. So this is time, I don't know how many milliseconds it is, but the decryptor is doing the same operation 2048 times for a reasonable period of time, so milliseconds, tens of milliseconds maybe. As long as it exhibits a different audio signal than when we use a different value, then even if there's some interference from other operations during that, we can still distinguish. So I didn't read anything about interrupts in the paper, but I think it would still apply. All right, you stop the CPU, but then it continues again later, doesn't it? I think what you would see, and I don't know if it would interrupt the CPU here, but if you did, then would you not, maybe it would shift the frequency. Okay, you'd see this part, then it will stop, and then a little bit later, then maybe at a different frequency. Turns out when they
do things at different times, the frequency component changes, because, I think, of the CPU: as it gets hotter, it produces different power draws and produces different audio. So when you do things at different times, you don't always get the same frequency, but as long as there are different frequencies depending upon the bit, that's sufficient. So interrupting the CPU may not help. Okay, for those who want to stick around