RE: NONSTOP Crypto Query
I've seen an existence proof which indicates that this is possible.

Back when I was first getting involved with computers (circa 1972), some digitizer tablets worked by speed-of-sound measurements. The stylus tip contained a small spark gap which was energized when the stylus pressed on the tablet. This created a spark, and the spark a minuscule roll of thunder. Microphones situated along the edges of the tablet recorded the arrival times of the sound, and the location of the stylus calculated within a millimeter or two. This was a peripheral for a DEC PDP-8E.

This was calculating a position over about 20 cm to a millimeter, in real time, in 1972. Doing so to a resolution of a centimeter or two, in 2001, over several meters sounds feasible.

Peter Trei

--
From: Ray Dillinger[SMTP:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 4:37 PM
To: John Young
Cc: [EMAIL PROTECTED]
Subject: Re: NONSTOP Crypto Query

On Fri, 12 Jan 2001, John Young wrote:

> Wright also describes the use of supersensitive microphones to pick up the daily setting of rotors on cryptomachines of the time, in particular the Hagelins made by CryptoAG.

Hmmm. That sounds like a trick that could be brought up to date. If you get two sensitive microphones in a room, you should be able to do interferometry to get the exact locations on a keyboard of keystrokes from the sound of someone typing. I guess three would be better, but with some reasonable assumptions about keys being coplanar or on a surface of known curvature, two would do it. Interesting possibilities.

Bear

[A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]
Re: NONSTOP Crypto Query
One interesting question is exactly how strong radio frequency illumination could cause compromise of information being processed by electronic equipment. I have an idea for a mechanism whereby such illumination could induce generation of harmonic and beat frequencies that are modulated by internal data signals.

This mechanism is based on an effect that is familiar to ham radio operators, who are often bedeviled by neighbors complaining of television interference. Here is a quote from the chapter on interference in an old (1974) edition of the ARRL Radio Amateur's Handbook:

"Harmonics by Rectification"

"Even though the transmitter is completely free from harmonic output it is still possible for interference to occur because of harmonics generated outside the transmitter. These result from rectification of fundamental-frequency currents induced in conductors in the vicinity of the transmitting antenna. Rectification can take place at any point where two conductors are in poor electrical contact, a condition that frequently exists in plumbing, downspouting, BX cables crossing each other, ...It can also occur ... in power supplies, speech equipment, etc. that may not be enclosed in the shielding about the RF circuits."

In the case of computer equipment, the conductor could be a wire, external cable or even a trace on a printed circuit board. Now imagine that the source of rectification is not a poor connection, but a transistor junction in a logic gate or line driver. As that device is switched on and off, RF rectification may be switched on and off as well, modulating the generated harmonic with the input signal. If that signal carries sensitive information, all the information would be broadcast on the harmonic output.
Keyboard interfaces, video output circuits and serial line drivers come to mind as excellent candidates for this effect, since they often carry sensitive information and are usually connected to long wires that can absorb the incident RF energy and radiate the harmonics.

All an attacker has to do is monitor a site transmitting at frequency f and analyze any signals at 2*f, 3*f, etc. If the site has more than one transmitter, say a command hut, or a naval ship, there are also beat frequencies to consider: f1+f2, f1-f2, 2*f1+f2, 2*f1-f2, etc. Note that harmonics and beats radiated from the equipment under attack are vastly easier to detect than any re-radiation at the fundamental frequency, which would be swamped by the primary transmitter's signal.

There is also a potential active attack where an adversary frequency-sweeps your equipment with RF hoping to find a parasitic harmonic generator. This might be the "resonance" technology Peter Wright referred to. If the source illumination causes a resonance by, say, operating at 1/4 the electrical wavelength of the video output cable, any effect might be magnified greatly. (The even harmonics would be suppressed, but odd harmonics would not be.) Illumination could be done directly or over telephone, cable TV or power lines.

This might also explain "NONSTOP testing and protection being especially needed on vehicles, planes and ships." since they often carry multiple radio transmitters and are more easily exposed to monitoring and external illumination than a fixed site inside a secure perimeter.

The two code names (NONSTOP and HIJACK) might possibly refer to the passive and active modes. Or NONSTOP may refer to radiated signals and HIJACK to signals over hardwire lines. Or one could cover all the effects I am proposing and the other something completely different. Whatever.
FWIW,

Arnold Reinhold

At 2:23 AM + 1/13/2001, David Wagner wrote:

> In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK:
>
> [...] It is our belief that most operational cryptanalysis makes use of side-channel information. [...] And Peter Wright discussed data leaking onto a transmission line as a side channel used to break a French cryptographic device [Wri87].
>
> The (unclassified) military literature provides many examples of real-world side channels. [...] Peter Wright's crosstalk anecdote is probably what the HIJACK codeword refers to [USAF98]. Along similar lines, [USAF98] alludes to the possibility that crosstalk from sensitive hardware near a tape player might modulate the signal on the tape; [USAF98] recommends that tapes played in a classified facility be degaussed before they are removed, presumably to prevent side channels from leaking. Finally, one last example from the military literature is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading of unclassified sources, we believe this refers to the side channel that results when cryptographic hardware is illuminated by a nearby radio transmitter (e.g. a cellphone), thereby modulating
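The frequencies an emissions survey would have to cover under the harmonic-and-beat hypothesis in the message above, as an added example that is not part of the original thread. The transmitter frequencies, the order limit and the guard band around each fundamental (where the transmitter is assumed to mask any product) are constructed assumptions.

```python
from itertools import product

def label(coeffs):
    """Render coefficients such as (2, -1) as '2*f1-f2'."""
    parts = []
    for i, c in enumerate(coeffs, start=1):
        if c:
            mag = "" if abs(c) == 1 else f"{abs(c)}*"
            parts.append(("-" if c < 0 else "+") + f"{mag}f{i}")
    return "".join(parts).lstrip("+")

def mixing_products(freqs_mhz, max_order=3):
    """Map each positive product frequency (MHz) to the terms producing it.

    Covers harmonics (2*f, 3*f, ...) and beats (f1+f2, 2*f1-f2, ...) whose
    order, the sum of absolute coefficients, is between 2 and max_order.
    """
    found = {}
    span = range(-max_order, max_order + 1)
    for coeffs in product(span, repeat=len(freqs_mhz)):
        order = sum(abs(c) for c in coeffs)
        if not 2 <= order <= max_order:
            continue
        f = round(sum(c * x for c, x in zip(coeffs, freqs_mhz)), 6)
        if f > 0:  # a negative result mirrors a positive one; zero is DC
            found.setdefault(f, []).append(label(coeffs))
    return found

def survey_plan(freqs_mhz, max_order=3, guard_mhz=1.0):
    """Split products into (clear, masked). 'Masked' products fall within
    guard_mhz of a fundamental, where the transmitter itself dominates
    (the guard width is an assumption, not a figure from the thread)."""
    clear, masked = {}, {}
    for f, terms in sorted(mixing_products(freqs_mhz, max_order).items()):
        near = any(abs(f - x) <= guard_mhz for x in freqs_mhz)
        (masked if near else clear)[f] = terms
    return clear, masked

# Constructed sample values: two co-located transmitters, in MHz.
SAMPLE = [27.0, 146.0]

if __name__ == "__main__":
    clear, masked = survey_plan(SAMPLE)
    for f, terms in clear.items():
        print(f"{f:8.3f} MHz  {', '.join(terms)}")
```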
Re: NONSTOP Crypto Query
> [A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]

I know this has been somewhat done to death, but there's a nice comparison: GPS positioning using carrier phase tracking is equivalent (well, it's reversed - clicks come from the microphones/satellites and the key/receiver calculates its position - but the principle is the same). This can give millimetre accuracy with carrier wavelengths of 19cm (if you're very careful, have lots of time and maybe some luck).

The precision comes from cross-correlating wave trains rather than trying to measure a particular point (eg the initial rise of the click) accurately. You wouldn't do as well with keyboard clicks, but then you don't need to.

Note that usually GPS positioning is not done using carrier phase tracking - that, together with problems like different atmospheric paths from different satellites and, in the past, noise added to civilian signals, gives much lower precision. See, for example, http://www.colorado.edu/geography/gcraft/notes/gps/gps.html

Accuracy for keyboards would depend on how many wavelengths can be detected at good signal-to-noise within a single "click" (and having stable recordings with no wow or flutter). Also, it would be useful to know the identity of one key - return for example - to help solve for the position of the keyboard relative to the microphones.

Getting an initial solution might be difficult - it would be a big help to know the relative position of keyboard and microphones to within a wavelength or two (and have all recordings marked by synchronized clock ticks).

If the user moved their keyboard during typing it would cause havoc with any attempt to converge on a solution. Maybe we should all start walking around as we type...

Andrew

(In a previous job I wrote software to calculate positions from GPS satellites - Paul Crowley may be able to correct me if I have made any errors as he was there too...)
Re: NONSTOP Crypto Query
Joel McNamara first told me about NONSTOP and its commonly associated classified codeword, HIJACK, both somehow related to Tempest. When you do a search on either of them you get hundreds (or 1000s) of hits for the generic terms "non-stop" and "hi-jack" but few entries for the codewords, and then as standards in military security documents. It's as if the codewords were picked to be camouflaged by the generics. And, because codewords are usually set to have no relation to the protected material, they probably are not descriptive -- but could be, just to outfox the smarties.

The NONSTOP doc released to us was first issued in 1975 and has gone through 4 reprintings, the latest in 1987. And it continues to be cited as still in effect, though usually such standards are updated at least every 5 years. So there may be a later one which would account for its partial release after first denial.

It's intriguing to read Spycatcher (1987) while reading the Tempest docs. I had not read Wright's most informative book, and regret not having done so. (The Story of Hut 6, too, by Gordon Welchman -- luckily found both in a military used-bookstore.)

For those who have not read Spycatcher, Peter Wright was MI5's first scientist, and entered the service after WW2. He specialized in the technology of counterintelligence and with a few others cooked up a host of ingenious means to spy on spies and suspects. A specialty was the extraordinary use of electromagnetic science -- radio, telephone, acoustic, resonance, and more -- applying scientific abilities well in advance of technicians and engineers. Some of his ideas were so advanced his bosses said impossible, until he proved effectiveness. Then Wright quickly became the savior of officers who could not understand why Britain's enemies kept outsmarting them -- usually with advanced technological means. Wright changed that, but often got at odds with non-scientific personnel whose faith was HUMINT.
Among others, he worked closely with GCHQ on occasion to provide technical attacks on cryptosystems which could not be broken by cryptanalysis. Thus his research on the cryptosecrets revealed by compromising emanations from devices, cabling, furniture, construction materials, and a host of ordinary physical objects in and near cipher rooms -- all of which emitted signals that could be acquired and interpreted by careful tuning for comprehension.

He writes of amazing methods of acquiring signals, and it is no wonder HMG fought to prevent publication of Spycatcher. What he did not write about must be even more wondrous, and it makes you think he could pick up your brain waves if you were part of a particular triangulated antenna.

Maybe NONSTOP and HIJACK have nothing to do with the stuff Wright excelled at. Still, reading Spycatcher along with the Tempest docs -- and now Stephen Budiansky's "Battle of Wits: The Complete Story of Codebreaking in World War II," (2000) -- certainly demonstrates how much of codebreaking has been done by covert technical and physical means, even as we are told misleading cover stories.

Are these latest crypto-revelations disinformation? Historically nearly all have been. Ha. Ha. Ha.
Re: NONSTOP Crypto Query
At 01:37 PM 1/12/01 -0800, Ray Dillinger wrote:

> Hmmm. That sounds like a trick that could be brought up to date. If you get two sensitive microphones in a room, you
>
> [A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]

Maybe not, because you can use the click--- you look only at intensity envelope, summing all frequencies essentially.

[Remember your basic science: you can't resolve something smaller than half a wavelength. (Well, you can, with certain techniques, but things get seriously hairy at that point, and in general the limit is half a wavelength.) Given this, it is unlikely that you're going to figure out whether the g or the h key was struck. If I'm wrong here, I'd like to hear a detailed counterargument or evidence. --Perry]
Re: NONSTOP Crypto Query
Ray Dillinger wrote:

> If you get two sensitive microphones in a room, you should be able to do interferometry to get the exact locations on a keyboard of keystrokes from the sound of someone typing.

Interesting. Probably not the easiest way to snoop, but you might be driven to it.

> I guess three would be better, but with some reasonable assumptions about keys being coplanar or on a surface of known curvature, two would do it. Interesting possibilities.

Interferometry like measuring the time delay between the two microphones? Defines a hyperboloid, which when intersected with the keyboard still isn't specific enough, so I think you need three mics.

> [A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]

You can localize to better than the shortest wavelength present, so the spectrum isn't obviously a problem. Consider it under ideal conditions -- anechoic, no transmission losses, omnidirectional emission. Then the mics get the same signal (at different times), and you can just find peak correlations between them. The required accuracy is roughly a centimeter, or 30 usec of sound travel, over one sample at audio rates; adjust that trigonometrically for mics placed other than 60 degrees apart. Keystrokes are noisy and should make decent correlation codes. Less-than-ideal conditions might make the scheme impossible, but I don't know how to conclude that without a lot more work.

I don't know the state of the art, but a little web searching appears to say that people can localize speech in a videoconferencing room to within one 44-kHz sample. http://www.ie.ncsu.edu/kay/msf/sound.htm

--
Eli Brandt | [EMAIL PROTECTED] | http://www.cs.cmu.edu/~eli/
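The "find peak correlations" step under the ideal conditions named in the message above, as an added example that is not part of the original thread: the same noisy burst reaches two channels at different times and the cross-correlation peak gives the delay to within one sample. The burst shape, noise level, 44.1 kHz rate and 343 m/s speed of sound are constructed assumptions, and echoes or reverberation are not modelled.

```python
import random

SPEED_OF_SOUND = 343.0  # m/s, assumed value for room-temperature air

def make_click(n, rng):
    """Constructed test signal: an exponentially decaying noise burst."""
    return [rng.gauss(0, 1) * (0.99 ** i) for i in range(n)]

def record(click, delay, length, noise, rng):
    """One microphone channel: the click starting at sample `delay`,
    added to independent sensor noise of standard deviation `noise`."""
    channel = [rng.gauss(0, noise) for _ in range(length)]
    for i, s in enumerate(click):
        channel[delay + i] += s
    return channel

def best_lag(a, b, max_lag):
    """Lag of b relative to a (in samples) that maximizes cross-correlation."""
    def corr(lag):
        return sum(a[i] * b[i + lag]
                   for i in range(len(a)) if 0 <= i + lag < len(b))
    return max(range(-max_lag, max_lag + 1), key=corr)

def path_difference_cm(lag, fs):
    """Difference in source-to-microphone distance implied by a lag."""
    return 100.0 * SPEED_OF_SOUND * lag / fs

def demo(true_lag=7, fs=44100, seed=1):
    """Simulate two channels and return (estimated lag, path difference cm)."""
    rng = random.Random(seed)
    click = make_click(400, rng)
    mic_a = record(click, 100, 600, 0.2, rng)
    mic_b = record(click, 100 + true_lag, 600, 0.2, rng)
    lag = best_lag(mic_a, mic_b, 40)
    return lag, path_difference_cm(lag, fs)

if __name__ == "__main__":
    lag, cm = demo()
    print(f"estimated lag: {lag} samples, path difference: {cm:.2f} cm")
    print(f"one sample at 44.1 kHz: {path_difference_cm(1, 44100):.3f} cm")
```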
Re: NONSTOP Crypto Query
Ray Dillinger wrote:

> On Fri, 12 Jan 2001, John Young wrote:
>
> > Wright also describes the use of supersensitive microphones to pick up the daily setting of rotors on cryptomachines of the time, in particular the Hagelins made by CryptoAG.
>
> Hmmm. That sounds like a trick that could be brought up to date. If you get two sensitive microphones in a room, you should be able to do interferometry to get the exact locations on a keyboard of keystrokes from the sound of someone typing. I guess three would be better, but with some reasonable assumptions about keys being coplanar or on a surface of known curvature, two would do it. Interesting possibilities.
>
> Bear
>
> [A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]

Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get resolution to 1/10 of a wavelength under ideal conditions. Which is .5 cm, which is half the size of a key, more or less. Sounds pretty feasible to me.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: NONSTOP Crypto Query
At 01:30 AM 1/13/2001 +, Ben Laurie wrote:

> Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get resolution to 1/10 of a wavelength under ideal conditions. Which is .5 cm, which is half the size of a key, more or less.

You don't have to locate the exact key to save a lot of complexity. A standard PC keyboard has 47 keys on the main section. Ignoring shifts, control, alt, combinations, etc. you have to deal with 47^N easy options per secret key of length N.

Let's assume you don't get the key as a fact from the sound inference, but rather you get a probability density function that is weighted heavily around a single key, and then around the keys "one key away" and with decreasing probability for "two keys away" and so on until you get to the maximum of 14 or so keys away.

If Ben's estimate is close to accurate, you should see a two standard deviation circle of only 9 or so keys. Since 47^6 is 229,345,008 and 9^6 is only 531,441 this technique can whack out a factor of 500 in the "likely" exhaustive search of a six character passphrase. Obviously it saves more on longer passphrases. It also saves more if the user enters control/alt/shift combinations.

Interesting.

Pat

Pat Farrell            voice: (703 587-9898)
Alchemist              email: [EMAIL PROTECTED]
OneBigCD, your         text pager: [EMAIL PROTECTED]
Internet CD Jukebox
Re: NONSTOP Crypto Query
In message [EMAIL PROTECTED], John Young writes:

> This loops back to NONSTOP and the question of what may be the signatures and compromising emanations of today's cryptosystems which reveal information in ways that go beyond known sniffers -- indeed, that known sniffers may divertingly camouflage.

Again going back to "Spycatcher", Wright described a number of other emissions. For example, voices in a room could modulate the current flow through a telephone's ringer. (This was, of course, back in the days of electromagnet-actuated ringers...) One can also find signals corresponding to the plaintext superimposed on the output waveform of the ciphertext, and possibly see coupling to the power supply. (One of the rules I've read: "Step 1: Look for the plaintext".) I've seen brochures for high-grade encryptors that speak of "red-black separation" and separate power supplies for the two halves.

--Steve Bellovin, http:/www.research.att.com/~smb
Re: NONSTOP Crypto Query
On Fri, 12 Jan 2001, John Young wrote:

> Wright also describes the use of supersensitive microphones to pick up the daily setting of rotors on cryptomachines of the time, in particular the Hagelins made by CryptoAG.

Hmmm. That sounds like a trick that could be brought up to date. If you get two sensitive microphones in a room, you should be able to do interferometry to get the exact locations on a keyboard of keystrokes from the sound of someone typing. I guess three would be better, but with some reasonable assumptions about keys being coplanar or on a surface of known curvature, two would do it. Interesting possibilities.

Bear

[A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]