Acoustic and power side channels are old news, so I didn't mean to debate the very existence of them.

What was surprising about this attack was its efficiency despite its low-frequency nature, and that they did it at the *remote* end of the Ethernet cable that plugs into the chassis! WiFi is more secure in that department :) Anyway, looking closer, it's highly dependent on the implementation of the ciphers. Symmetric ciphers are 'too fast' for this low-frequency power attack, but RSA's slow exponentiation routines are vulnerable when implemented in a certain classical way (it seems at least the Chinese remainder theorem is vulnerable). As I understand, OpenSSL's implementation isn't vulnerable but GnuPG's is. So I meant to ask this question on this list from the perspective of BC's own implementation and its own vulnerability. It seems that RSA's partially homomorphic nature in the exponentiation department leads to some interesting tricks. The researchers will be presenting details soon; current info is at http://www.tau.ac.il/~tromer/handsoff/

Very clever work!

Cheers
Sid

From: Paul Cunningham [mailto:pcunning...@wombatsecurity.com]
Sent: Thursday, August 28, 2014 11:28 AM
To: Edward Ned Harvey (bouncycastle)
Cc: John Anderjaska; Sid Shetye; dev-crypto-csharp@bouncycastle.org
Subject: Re: [dev-crypto-csharp] Side channel vulnerabilities: Power consumption and ground potential attacks?

I can't comment on specific responses to this thread, but hacking via monitoring power consumption (SPA and DPA) is a proven technique in the world of smartcards. Most smartcard manufacturers have progressed beyond this type of vulnerability, but the technique is still valid.

Here's a paper I found that talks about it in more detail: http://www.cryptography.com/public/pdf/DPATechInfo.pdf

-pc

On Thu, Aug 28, 2014 at 2:02 PM, Edward Ned Harvey (bouncycastle) <bouncycas...@nedharvey.com> wrote:

> From: John Anderjaska [mailto:john.anderja...@dsainc.com]
> Sent: Thursday, August 28, 2014 1:24 PM
>
> In summary I'd say it is a glaring hole in most contemporary
> security solutions.

But the type of information that could be introduced to that medium is what? Take it as given that certain CPU instructions are prone to consume more power than other instructions, just because they activate larger areas of the chip, with a larger number of bit flips and gate propagations occurring internally. So yes, the power consumed "fluctuates according to the computation that is being performed by its processor," but it does not reveal specifics of the data that is being processed.

This is like watching the power consumption of a house painter painting a house with his spray gun, and based on the power fluctuations, determining what color paint he has loaded in the spray gun. Yes, you can probably tell when he's painting, but no, you can't determine *what* he's painting.

Yes, I believe an observer of the ground signal could determine "I saw a power spike between X ms and Y ms, which probably means you did something cryptographic or were doing some kind of compression or decompression, or graphics rendering," but no, I don't believe even remotely that they are extracting private keys out of that signal, nor what jpg you viewed, nor what file you zip'd up, or what video you converted from H.264 to MPEG-4. All of these would be the *content* of what you were processing at the time.
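Sid's point above that the leak depends on how the exponentiation is implemented, shown as an added Python model that is not from this thread or from Bouncy Castle: the textbook square-and-multiply loop multiplies only on 1 bits, so its operation sequence mirrors the exponent, while a fixed-pattern ladder performs the same operations for every bit. The operation "trace" is a constructed stand-in for what a power measurement would observe, and the toy modulus and exponents are constructed values.

```python
from typing import List, Tuple

Trace = List[str]  # sequence of modular operations: "S" = square, "M" = multiply


def square_and_multiply(base: int, exponent: int, modulus: int) -> Tuple[int, Trace]:
    """Textbook left-to-right exponentiation: a multiply happens only for 1 bits,
    so the sequence of operations (and thus the power/timing profile) follows the
    exponent bits. This is the 'classical' pattern that leaks."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")
    return result, trace


def montgomery_ladder(base: int, exponent: int, modulus: int) -> Tuple[int, Trace]:
    """Fixed-pattern exponentiation: every bit costs exactly one multiply and one
    square regardless of its value, so the operation sequence depends only on the
    bit length. (Production constant-time code also removes the secret-dependent
    branch kept here for readability, e.g. with conditional swaps.)"""
    r0, r1, trace = 1, base % modulus, []
    for bit in bin(exponent)[2:]:
        if bit == "0":
            r0, r1 = (r0 * r0) % modulus, (r0 * r1) % modulus
        else:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        trace.extend(["M", "S"])
    return r0, trace


def trace_depends_on_exponent(exp_fn, base: int, e1: int, e2: int, modulus: int) -> bool:
    """True if two exponents of equal bit length yield different operation traces,
    i.e. the implementation's observable profile carries information about the key."""
    assert e1.bit_length() == e2.bit_length()
    return exp_fn(base, e1, modulus)[1] != exp_fn(base, e2, modulus)[1]


if __name__ == "__main__":
    # Constructed toy values: modulus 61*53 and two 4-bit exponents. A real RSA
    # exponent is ~2048 bits and the trace thousands of operations long, but the
    # pattern is identical.
    m, g, d1, d2 = 3233, 7, 0b1011, 0b1000
    for name, fn in (("square-and-multiply", square_and_multiply), ("ladder", montgomery_ladder)):
        print(f"{name}: trace depends on exponent bits -> {trace_depends_on_exponent(fn, g, d1, d2, m)}")
```

Both routines compute the same result; only the ladder's trace is the same for every exponent of a given length.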