At 9:35 PM -0500 3/8/03, Dave Emery wrote:
> On Fri, Mar 07, 2003 at 10:46:06PM -0800, Bill Frantz wrote:
>> The next more complex version sends the same random screen over and over in
>> sync with the monitor. Even more complex versions change the random screen
>> every-so-often to try to frustrate recovering the differences between
>> screens of data on the monitor.
>
> Five or six years ago I floated the suggestion that one could do
> worse than phase lock all the video dot clock oscillators in a computer
> room or office to the same master timing source. This would make it
> significantly harder to recover one specific monitor's image by
> averaging techniques as the interference from nearby monitors would have
> exactly the same timing and would not average out as it does in the more
> typical case where each monitor is driven from a video board with a
> slightly different frequency dot clock (due to aging and manufacturing
> tolerances).

The dot clock on a megapixel display is around 70 MHz, or 14
nanoseconds per pixel. Syncing that over some distance is not
trivial. Remember the speed of light is 1 nanosecond/foot. On the
other hand, I think syncing the sweep signals would be enough to
implement your idea and that should not be hard to do, possibly even
in software since they are created on the video card.

Effectiveness is another matter. The attacker could use a directional
antenna to separate out monitors. Even if his equipment was outside
the building, the windows would act like an antenna whose radiation
pattern would be different for the different monitors in the room.
The attacker might be able to discriminate between different monitors
just by driving his van around outside.

Even if he can't distinguish between different monitors, he still
gets a signal that is the sum of the content on each monitor. That
is analogous to a book code and likely just as secure, i.e. not very.

> Modifying existing video boards to support such master timing
> references is possible, but not completely trivial - but would cost
> manufacturers very little if it was designed in in the first place.

Modifying existing monitors to shield the video signal wouldn't cost
that much either. As I understand it the big expense in Tempest rated
equipment is the testing and the tight manufacturing control needed
to insure that the monitors produced are the same as the ones tested.

> And of course one could "improve" the shielding on the monitor
> with the dummy unimportant data so it radiated 10 or 20 db more energy
> than the sensitive information monitor next to it. In many cases this
> might involve little more than scraping off some conductive paint or
> removing the ground on a cable shield.

Simply buying some class A monitors for the dummy data might do what
you want, but I'm not sure 10-20 db of reduced signal to background
buys you much. I've heard numbers of 100 db or more required for
effective Tempest shielding, with Class B shielding (the higher grade
FCC requirement) buying you 40-50 db. See for example
http://www.cabrac.com/RFI_EMI_Tempest.html

> I am sure that it would take little effort with a spectrum
> analyzer and some hand tools to defeat most of the EMI suppression
> in many monitors and whilst this would not be entirely legal under
> FCC rules (at least for a manufacturer or dealer) it probably would
> be closer to legal than deliberately creating rf interference
> with an intentionally radiating jammer.
>
> I imagine, however, that the usefulness of the RF radiated by a
> modern TFT flat panel display fed with DVI digital video is already much
> less as there is no serial stream of analog pixel by pixel video energy
> at any point in such an environment. Most TFTs do one entire row or
> column of the display at a time in parallel which does not yield an
> easily separated stream of individual pixel energy. Thus extracting
> anything resembling an image would seem very difficult.

The signal is still serialized in digital form at some point on a
pixel by pixel basis. Because flat panels do not have the high-power
sweep signals of CRT monitors, the overall shielding needed to meet
Class B may be less. That might make life easier for attackers.

This does suggest one simple approach that might be useful for flat
panels displaying sensitive text: choose foreground and background
colors that have the same number of on and off bits in each color
byte pair, e.g. foreground red and background red each have three
bits on, both blues have four bits on, both greens have five bits on.
That might make background and foreground more difficult to
distinguish via RF radiation in an all digital system.

> So perhaps the era of the simplest to exploit TEMPEST threats
> is ending as both optical and rf TEMPEST is much easier with raster
> scan pixel at a time CRT displays than it is with modern more parallel
> flat panel display designs.

On the other hand, remember that the earliest Tempest systems were
built using vacuum tubes. An attacker today can carry vast amounts of
signal processing power in a briefcase.

All in all I would not put much faith in ad hoc Tempest protection.
Without access to the secret specifications and test procedures, I
would prefer to see highly critical operations done using battery
powered laptops operating in a Faraday cage, with no wires crossing
the boundary (no power, no phone, no Ethernet, nada). In that
situation, one can calculate shielding effectiveness from first
principles.
http://www.cs.nps.navy.mil/curricula/tracks/security/AISGuide/navch16.txt
suggests US government requirements for a shielded enclosure are 60
db minimum.

Arnold Reinhold
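
The equal-bit-count color choice suggested in the message above for flat panels, as an added example that is not part of the original post: it audits a foreground/background pair for matching per-channel bit counts and builds the highest-contrast pair for a given set of counts. The function names and the use of the WCAG contrast ratio as a readability measure are assumptions of this example.

```python
# Added example: per-channel bit-count (Hamming weight) matching for text colors.

def popcount(byte):
    return bin(byte).count("1")

def weight_gap(fg, bg):
    """Per-channel difference in the number of on bits between two RGB colors."""
    return tuple(abs(popcount(f) - popcount(b)) for f, b in zip(fg, bg))

def balanced(fg, bg):
    """True when every channel pair has the same number of on (and off) bits."""
    return weight_gap(fg, bg) == (0, 0, 0)

def _linear(c):
    # sRGB channel value to linear light, as in the WCAG luminance definition.
    c /= 255
    return c / 12.92 if c <= 0.04045 else ((c + 0.055) / 1.055) ** 2.4

def luminance(rgb):
    r, g, b = (_linear(c) for c in rgb)
    return 0.2126 * r + 0.7152 * g + 0.0722 * b

def contrast(a, b):
    hi, lo = sorted((luminance(a), luminance(b)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

def best_pair(weights):
    """Highest-contrast (light, dark) pair for the given (R, G, B) bit counts.

    Luminance rises with each channel value, so the extremes are the largest
    and smallest bytes having the required number of on bits.
    """
    light = tuple(((1 << w) - 1) << (8 - w) for w in weights)  # on bits at the top
    dark = tuple((1 << w) - 1 for w in weights)                # on bits at the bottom
    return light, dark

if __name__ == "__main__":
    # Bit counts from the post: red 3 bits on, green 5, blue 4.
    light, dark = best_pair((3, 5, 4))
    print(light, dark, balanced(light, dark), round(contrast(light, dark), 1))
    # A conventional black-on-white theme differs by 8 bits in every channel.
    print(weight_gap((0, 0, 0), (255, 255, 255)))
```

Matching bit counts leaves the two colors readable on screen here because the on bits sit at opposite ends of each byte; whether it reduces what can be recovered from emissions is the post's conjecture, not something this code measures.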