One interesting question is exactly how strong radio frequency 
illumination could cause compromise of information being processed by 
electronic equipment. I have an idea for a mechanism whereby such 
illumination could induce generation of harmonic and beat frequencies 
that are modulated by internal data signals.

This mechanism is based  on an effect that is familiar to ham radio 
operators, who are often bedeviled by neighbors complaining of 
television interference. Here is a quote from the chapter on 
interference in an old (1974) edition of the ARRL Radio Amateur's 

"Harmonics by  Rectification"

"Even though the transmitter is completely free from harmonic output 
it is still possible for interference to occur because of harmonics 
generated outside the transmitter. These result from rectification of 
fundamental-frequency currents induced in conductors in the vicinity 
of the transmitting antenna. Rectification can take place at any 
point where two conductors are in  poor electrical contact, a 
condition that frequently exists in plumbing, downspouting, BX cables 
crossing each other, ...    It can also occur ... in power supplies, 
speech equipment, etc. that may not be enclosed in the shielding 
about the RF circuits."

In the case of computer equipment, the conductor could be a wire, 
external cable or even a trace on a printed circuit board. Now 
imagine that the source of rectification is not a poor connection, 
but a transistor junction in a logic gate or line driver. As that 
device is switched on and off, RF rectification may be switched on 
and off as well, modulating the generated harmonic with the input 
signal. If that signal carries sensitive information, all the 
information would be broadcast on the harmonic output. Keyboard 
interfaces, video output circuits and serial line drivers come to 
mind as excellent candidates for this effect, since they often carry 
sensitive information and are usually connected to long wires that 
can absorb the incident RF energy and radiate the harmonics.

All an attacker has to do is monitor a site transmitting at frequency 
f and analyze any signals at 2*f, 3*f, etc. If the site has more than 
one transmitter, say a command hut, or a naval ship,  there are also 
beat frequencies to consider f1+f2, f1-f2, 2*f1+f2, 2*f1-f2,  etc. 
Note that harmonics and beats radiated from the equipment under 
attack are vastly easier to detect that any re-radiation at the 
fundamental frequency, which would be swamped by the primary 
transmitter's signal.

There is also a potential active attack where an adversary 
frequency-sweeps your equipment with RF hoping to find a parasitic 
harmonic generator. This might be the "resonance" technology Peter 
Wright referred to.  If the source illumination causes a resonance 
by, say, operating at 1/4 the electrical wavelength of the video 
output cable, any effect might be magnified greatly. (The even 
harmonics would be suppressed, but odd harmonics would not be.) 
Illumination could be done directly or over telephone, cable TV or 
power lines.

This might also explain "NONSTOP testing and protection being 
especially needed on vehicles, planes and ships." since they often 
carry multiple radio transmitters and are more easily exposed to 
monitoring and external illumination than a fixed site inside a 
secure perimeter.

The two code names (NONSTOP and HIJACK) might possibly refer to the 
passive and active modes.  Or NONSTOP may refer to radiated signals 
and HIJACK to signals over hardwire lines. Or one could cover all the 
effects I am proposing and the other something completely different. 


Arnold Reinhold

At 2:23 AM +0000 1/13/2001, David Wagner wrote:
>In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier,
>Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK:
>   [...]
>   It is our belief that most operational cryptanalysis makes use of
>   side-channel information.  [...]  And Peter Wright discussed data
>   leaking onto a transmission line as a side channel used to break a
>   French cryptographic device [Wri87].
>   The (unclassified) military literature provides many examples of
>   real-world side channels.  [...]  Peter Wright's crosstalk anecdote
>   is probably what the HIJACK codeword refers to [USAF98]. Along
>   similar lines, [USAF98] alludes to the possibility that crosstalk from
>   sensitive hardware near a tape player might modulate the signal on the
>   tape; [USAF98] recommends that tapes played in a classified facility be
>   degaussed before they are removed, presumably to prevent side channels
>   from leaking. Finally, one last example from the military literature
>   is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading
>   of unclassified sources, we believe this refers to the side channel
>   that results when cryptographic hardware is illuminated by a nearby
>   radio transmitter (e.g. a cellphone), thereby modulating the return
>   signal with information about what the crypto gear is doing [AK98].
>   [...]
>   [AK98] R. Anderson and M. Kuhn, "Soft Tempest: Hidden Data Transmission
>          Using Electromagnetic Emanations," Proc. 2nd Workshop on
>          Information Hiding, Springer, 1998.
>   [USAF98] US Air Force, Air Force Systems Security Memorandum 7011--
>          Emission Security Countermeasures Review, 1 May 1998.
>   [Wri87] P. Wright, Spycatcher, Viking Penguin Inc., 1987.
>The above is excerpted from the conclusions of
>   J. Kelsey, B. Schneier, D. Wagner, C. Hall,
>   "Side channel cryptanalysis of product ciphers",
>   Journal of Computer Security, vol. 8, pp. 141--158, 2000.
>Do remember, please, that these are just guesses.
>Also, credit is due to Ross Anderson and Markus Kuhn for informative
>discussions on this topic.

Reply via email to