Re: Active Countermeasures Against Tempest Attacks

2003-03-09 Thread Arnold G. Reinhold
At 10:46 PM -0800 3/7/03, Bill Frantz wrote:
> It has occurred to me that the cheapest form of protection from tempest
> attacks might be an active transmitter that swamps the signal from the
> computer.  Such a transmitter would still be legal if its power output is
> kept within the FCC part 15 rules.
>
> Take, for example, the signal from a CRT monitor.  The monitor signal
> consists of large signals which are the vertical and horizontal sync
> pulses, and smaller signals which are the levels of each of the phosphor
> guns.
>
> The simplest countermeasure would be random RF noise which is many orders
> of magnitude stronger than the signal from the monitor.  However, with this
> system, the attacker can average many fields from the monitor and perhaps
> still recover the signal because any given pixel is the same, while the
> noise is random.  (Or at least the pixels change slowly compared with the
> fields, giving lots of data to average.)
>
> The next more complex version sends the same random screen over and over in
> sync with the monitor.  Even more complex versions change the random screen
> every-so-often to try to frustrate recovering the differences between
> screens of data on the monitor.
>
> Can such a device be built and still stay within the Part 15 rules?
>
> Cheers - Bill

Part 15 is pretty complex, but reading a summary at 
http://www.arrl.org/tis/info/part15.html suggests a number of 
problems. First there are dozens of bands where intentional radiators 
are not permitted to operate (15.205). Designing a noise source that 
avoided all these bands might be difficult.

Second, the permitted signal levels associated with intentional 
radiators (15.209) are very similar to those permitted for 
unintentional radiators (15.109), including most consumer grade CRT 
monitors (Class B). Commercial monitors (Class A) are permitted 
higher levels of radiation, but I suspect most monitors made today 
are Class B.

Now the radiation from a monitor is mostly sweep signals and the 
like, which carry no information. The signals that drive the CRT guns 
are much weaker. But I suspect you will need the noise to be much 
more powerful to obliterate the signal carrying data. The situation 
is even worse if the attacker suspects what the data may contain. He 
can then use correlation techniques to find the data well below the 
noise level.

I'd also point out that the noise source has to be co-located with 
the data signal. Otherwise, the attacker can use a directional 
antenna to capture the noise signal without the data signal, allowing 
it to be subtracted from the data+noise signal.  Similarly, it will 
be vital to change the noise pattern whenever the content of the CRT 
changes, otherwise the attacker who had reason to suspect when the 
screen changed can subtract data1+noise from data2+noise to get 
data2-data1, which is likely to leak a lot of information.

I suspect it would be cheaper to shield the CRT or operate in a Faraday cage.

Arnold Reinhold

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
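
Added illustration, not part of either post: a small Python simulation of the three weaknesses discussed in the message above (fresh random noise averaged away over many fields, a fixed random screen repeated in sync, and a mask left unchanged across a screen change). The scan-line data, the noise amplitude `SIGMA` and the field count are constructed assumptions, not measurements of any real monitor.

```python
import random

SIGMA = 5.0      # noise amplitude relative to a pixel signal of 1.0 (assumed)
PIXELS = 200     # length of one constructed scan line
FIELDS = 1000    # repeated fields captured by the eavesdropper (assumed)

def scan_line(rng):
    """Constructed sample data: a random black/white scan line."""
    return [rng.randint(0, 1) for _ in range(PIXELS)]

def capture(data, noise):
    """What the antenna sees: data signal plus masking noise, per pixel."""
    return [d + n for d, n in zip(data, noise)]

def average(fields):
    return [sum(col) / len(fields) for col in zip(*fields)]

def accuracy(estimate, data):
    """Fraction of pixels recovered by thresholding at mid-level."""
    return sum((e > 0.5) == bool(d) for e, d in zip(estimate, data)) / len(data)

def fresh_noise_case(rng, data):
    """Independent noise per field: averaging shrinks it by sqrt(FIELDS)."""
    fields = [capture(data, [rng.gauss(0, SIGMA) for _ in data]) for _ in range(FIELDS)]
    return accuracy(fields[0], data), accuracy(average(fields), data)

def fixed_mask_case(rng, data):
    """Same random 'screen' sent in sync every field: averaging gains nothing."""
    mask = [rng.gauss(0, SIGMA) for _ in data]
    fields = [capture(data, mask) for _ in range(FIELDS)]
    return accuracy(average(fields), data)

def unchanged_mask_leak(rng, data1, data2):
    """Mask not changed when the screen changes: subtraction cancels it."""
    mask = [rng.gauss(0, SIGMA) for _ in data1]
    a, b = capture(data1, mask), capture(data2, mask)
    return [y - x for x, y in zip(a, b)]

def run(seed=1):
    rng = random.Random(seed)
    d1, d2 = scan_line(rng), scan_line(rng)
    single, averaged = fresh_noise_case(rng, d1)
    fixed = fixed_mask_case(rng, d1)
    diff = unchanged_mask_leak(rng, d1, d2)
    leak_exact = all(abs(v - (y - x)) < 1e-9 for v, x, y in zip(diff, d1, d2))
    return single, averaged, fixed, leak_exact

if __name__ == "__main__":
    print(run())
```

`run()` returns the single-field and averaged recovery rates under fresh noise, the averaged recovery rate under a fixed mask, and whether the subtracted frames equal data2-data1 exactly.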


Re: Comments/summary on unicity discussion

2003-03-09 Thread Joseph Ashwood
- Original Message -
From: Joshua Hill [EMAIL PROTECTED]
Subject: Re: Comments/summary on unicity discussion


> It doesn't deal with plaintext, just ciphertext.  In fact, unicity
> distance is only valid for a ciphertext only attack.  Once you get a
> known plaintext/ciphertext pair, a high unicity distance works against
> you (more on this later). In addition, it isn't certain that after
> observing the requisite unicity distance number of ciphertext units that
> you can uniquely determine the key, it is merely very likely.

There appears to be an error in there. The Unicity Distance has a very
strong correlation with the uncertainty of the plaintext (entropy per
message). By having access to the plaintext/ciphertext pair (often it takes
multiple pairs), this removes all uncertainty as to the plaintext, this
changes the unicity distance calculation by making the unicity distance as
short as possible, which would make "Once you get a known
plaintext/ciphertext pair, a high unicity distance works against you"
seem more than a little odd as a statement.

On K complexity, while K complexity offers a convenient, if somewhat
inaccurate, upper bound of the entropy, that is basically where the
relationship ends. Permit me to give the basic example. Which of these
strings has higher entropy:
kevsnblawtrlnbatkb
kevsnblawtrlnbatkb
One was created by slapping my hands on the keyboard, and so contains some
entropy, the other was created through copy and paste, and so contains none.
However the K complexity of the two is identical. The portion of the
equation you are forgetting is that the key to the pRNG may itself be
compressible. This leads to somewhat of a logic loop, but at the end of it
is the absolute smallest representation, as a compression of a given
language (the only sense in which this makes sense).
Joseph Ashwood


Trust Laboratories
http://www.trustlaboratories.com




ADMIN: acm.org subscribers in danger

2003-03-09 Thread Perry E. Metzger

Hi there.

A large fraction of the messages being sent to acm.org are being
tagged as spam, by some sort of highly over-aggressive anti-spam
filter acm.org has put in.

I've attempted to contact the postmaster there, but so far I've
failed as my attempts to get in touch get tagged as spam, too.

If I keep getting torrents of bounces, all the folks using acm.org
mail redirectors (and there are dozens of you) will get removed from
the list in a few days. Very sorry, but I just don't know what else to
do.

-- 
Perry E. Metzger    [EMAIL PROTECTED]
