On Thu, Aug 23, 2018 at 11:25:53AM -0500, Joel C. Ewing wrote: > On 08/22/2018 05:09 PM, Rob Schramm wrote: > > While the keys that are processed in the Crypto Express cards should be > > safe.. I am less sure about anything else. > > > > https://www.bleepingcomputer.com/news/security/new-attack-recovers-rsa-encryption-keys-from-em-waves-within-seconds/ > > > > Rob Schramm > > It actually sounds like a fairly restrictive attack. Requires close > physical proximity (lack of physical security), but more importantly the
The "bank" they want to rob is a cellphone in one's pocket. No physical security for this, I am afraid. The phone could be (a) stolen, then miraculuously "found" and (b) returned to the proper owner. Between (a) and (b) anything can happen to the said phone, including most diabolical cloning schemes imaginable. Or the phone could happen to be placed close to the listening device without the owner realising it, like example given in the article - publicly available charger. > speed of decryption is apparently dependent on knowledge of the specific > code used by the OpenSSL Project (since a code mitigation was suggested > to OpenSSL) and the knowledge that the emanated EM signals from the > device occur "during a single decryption operation". How on earth does > an EM observer know a time interval that a single decryption is > occurring on the device unless they already have near total control over > the device? As far as I understand they do not have to know anything like this. The attack had been demonstrated against one method from well known open source library. The only thing that stopped researchers from demonstrating it for all of the library was their lack of time, but this is not going to stop a thief. As of "knowing when", I suppose one just has to record everything. Then matching consecutive portions of the recording against the algorithm, if no break get next portion, loop. At some level this is as trivial as finding people talking about security on this list - grab the archive, look for matching phrases, no need to know when the said talk took place - if it is there, it will be found, if not, then searching next mailing list can deliver. -- Regards, Tomasz Rola -- ** A C programmer asked whether computer had Buddha's nature. ** ** As the answer, master did "rm -rif" on the programmer's home ** ** directory. And then the C programmer became enlightened... ** ** ** ** Tomasz Rola mailto:[email protected] ** ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
