Re: NONSTOP Crypto Query
I believe the main reason Peter Wright wanted unconventional snooping devices was to avoid detection by sweepers who regularly checked for the usual, known devices. Intercepting signals from radiated objects was one of those methods for it avoided having to plant a device within the targeted space. However, such methods eventually became known to sweepers and countermeasures were taken though Wright does not describe them. Wright wrote of one instance when Soviet sweepers of their Egyptian ally's code room discovered a British mike concealed in a phone set. The Brits could hear the sweepers unscrewing the cover, pausing, then screwing the cover back on without removing the disc mike. Wright presumes the Soviets wanted the Brits to hear about the strong opposition the Soviets were planning to British Middle East ventures. Which raises the question of what devices/methods Wright and others used to supplement the ones that have been written about. Seldom was only one method applied. On Steve Bellovin's point to "look for the plaintext," when examing encrypted signal: The NONSTOP document lists that threat as a required testing procedure of encrypted signals, as well as for emissions from nearby cabling and equipment that may not themselves be processing encrypted or RED signals. RED/BLACK requirements for separating classified intelligence bearing data from those carrying unclassified data repeatedly emphasize the threat of seemingly innocuous, unintentional antennas snarfing both plain text and cipher text. Those requirements are described in "NSTISSAM TEMPEST/2-95 RED/BLACK Installation Guide": http://cryptome.org/tempest-2-95.htm It is this doc which states that NONSTOP is the principle TEMPEST vulnerability of "transportables, aircraft and ships." It may be that the many surfaces of these objects is what makes such good emitters of unintentional signals, especially when radiated. The changing environment of each probably also complicates countermeasures. What I've not seen are reports on the emissions of individual warfighters who may be heavily clothed with electronic and antenna-like devices. Unless the term "transportables" covers such mobile, multi-faceted objects. Then, there are the plain voice signals emitted by a vehicle in which an encrypted cellphone user is riding. Say, Potus or Russian bear. And so on. The full electromagnetic spectrum is presumably capable of transmitting more covertly than overtly -- that is, there are far more signals being sent than there are devices to receive and process them. So we are disinformed.
RE: NONSTOP Crypto Query
I've seen an existance proof which indicates that this is possible. Back when I was first getting involved with computers (circa 1972), some digitizer tablets worked by speed-of-sound measurements. The stylus tip contained a small spark gap which was energized when the stylus pressed on the tablet. This created a spark, and the spark a minuscule roll of thunder. Microphones situated along the edges of the tablet recorded the arrival times of the sound, and the location of the stylus calculated within a millimeter or two. This was a peripheral for a DEC PDP-8E. This was calculating a position over about 20 cm to a millimeter, in real time, in 1972. Doing so to a resolution of a centimeter or two, in 2001, ever several meters sounds feasible. Peter Trei > -- > From: Ray Dillinger[SMTP:[EMAIL PROTECTED]] > Sent: Friday, January 12, 2001 4:37 PM > To: John Young > Cc: [EMAIL PROTECTED] > Subject: Re: NONSTOP Crypto Query > > > > On Fri, 12 Jan 2001, John Young wrote: > > >Wright also describes the use of supersensitive microphones > >to pick up the daily setting of rotors on cryptomachines of the > >time, in particular the Hagelins made by CryptoAG. > > Hmmm. That sounds like a trick that could be brought up to > date. If you get two sensitive microphones in a room, you > should be able to do interferometry to get the exact locations > on a keyboard of keystrokes from the sound of someone typing. > I guess three would be better, but with some reasonable > assumptions about keys being coplanar or on a surface of known > curvature, two would do it. Interesting possibilities. > > Bear > > [A quick contemplation of the wavelength of the sounds in question > would put an end to that speculation I suspect. --Perry] >
Re: NONSTOP Crypto Query
> [A quick contemplation of the wavelength of the sounds in question > would put an end to that speculation I suspect. --Perry] I know this has been somewhat done to death, but there's a nice comparison: GPS positioning using carrier phase tracking is equivalent (well, it's reversed - clicks come from the microphones/satellites and the key/receiver calculates its position - but the principle is the same). This can give millimetre accuracy with carrier wavelengths of 19cm (if you're very careful, have lots of time and maybe some luck). The precision comes from cross-correlating wave trains rather than trying to measure a particular point (eg the initial rise of the click) accurately. You wouldn't do as well with keyboard clicks, but then you don't need to. Note that usually GPS positioning is not done using carrier phase tracking - that, together with problems like different atmospheric paths from differnet satellites and, in the past, noise added to civillian signals, gives much lower precision. See, for example, http://www.colorado.edu/geography/gcraft/notes/gps/gps.html Accuracy for keyboards would depend on how many wavelengths can be detected at good signal-to-noise within a single "click" (and having stable recordings with no wow or flutter). Also, it would be useful to know the identity of one key - return for example - to help solve for the position of the keyboard relative to the microphones. Getting an initial solution might be difficult - it would be a big help to know the relative position of keyboard and mcirophones to within a wavelength or two (and have all recordings marked by synchronized clock ticks). If the user moved their keyboard during typing it would cause havoc with any attempt to converge on a solution. Maybe we should all start walking around as we type... Andrew (In a previous job I wrote software to calculate positions from GPS satellites - Paul Crowley may be able to correct me if I have made any errors as he was there too...)
Re: NONSTOP Crypto Query
One interesting question is exactly how strong radio frequency illumination could cause compromise of information being processed by electronic equipment. I have an idea for a mechanism whereby such illumination could induce generation of harmonic and beat frequencies that are modulated by internal data signals. This mechanism is based on an effect that is familiar to ham radio operators, who are often bedeviled by neighbors complaining of television interference. Here is a quote from the chapter on interference in an old (1974) edition of the ARRL Radio Amateur's Handbook: "Harmonics by Rectification" "Even though the transmitter is completely free from harmonic output it is still possible for interference to occur because of harmonics generated outside the transmitter. These result from rectification of fundamental-frequency currents induced in conductors in the vicinity of the transmitting antenna. Rectification can take place at any point where two conductors are in poor electrical contact, a condition that frequently exists in plumbing, downspouting, BX cables crossing each other, ...It can also occur ... in power supplies, speech equipment, etc. that may not be enclosed in the shielding about the RF circuits." In the case of computer equipment, the conductor could be a wire, external cable or even a trace on a printed circuit board. Now imagine that the source of rectification is not a poor connection, but a transistor junction in a logic gate or line driver. As that device is switched on and off, RF rectification may be switched on and off as well, modulating the generated harmonic with the input signal. If that signal carries sensitive information, all the information would be broadcast on the harmonic output. Keyboard interfaces, video output circuits and serial line drivers come to mind as excellent candidates for this effect, since they often carry sensitive information and are usually connected to long wires that can absorb the incident RF energy and radiate the harmonics. All an attacker has to do is monitor a site transmitting at frequency f and analyze any signals at 2*f, 3*f, etc. If the site has more than one transmitter, say a command hut, or a naval ship, there are also beat frequencies to consider f1+f2, f1-f2, 2*f1+f2, 2*f1-f2, etc. Note that harmonics and beats radiated from the equipment under attack are vastly easier to detect that any re-radiation at the fundamental frequency, which would be swamped by the primary transmitter's signal. There is also a potential active attack where an adversary frequency-sweeps your equipment with RF hoping to find a parasitic harmonic generator. This might be the "resonance" technology Peter Wright referred to. If the source illumination causes a resonance by, say, operating at 1/4 the electrical wavelength of the video output cable, any effect might be magnified greatly. (The even harmonics would be suppressed, but odd harmonics would not be.) Illumination could be done directly or over telephone, cable TV or power lines. This might also explain "NONSTOP testing and protection being especially needed on vehicles, planes and ships." since they often carry multiple radio transmitters and are more easily exposed to monitoring and external illumination than a fixed site inside a secure perimeter. The two code names (NONSTOP and HIJACK) might possibly refer to the passive and active modes. Or NONSTOP may refer to radiated signals and HIJACK to signals over hardwire lines. Or one could cover all the effects I am proposing and the other something completely different. Whatever. FWIW, Arnold Reinhold At 2:23 AM + 1/13/2001, David Wagner wrote: >In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, >Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK: > > [...] > It is our belief that most operational cryptanalysis makes use of > side-channel information. [...] And Peter Wright discussed data > leaking onto a transmission line as a side channel used to break a > French cryptographic device [Wri87]. > > The (unclassified) military literature provides many examples of > real-world side channels. [...] Peter Wright's crosstalk anecdote > is probably what the HIJACK codeword refers to [USAF98]. Along > similar lines, [USAF98] alludes to the possibility that crosstalk from > sensitive hardware near a tape player might modulate the signal on the > tape; [USAF98] recommends that tapes played in a classified facility be > degaussed before they are removed, presumably to prevent side channels > from leaking. Finally, one last example from the military literature > is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading > of unclassified sources, we believe this refers to the side channel > that results when cryptographic hardware is illuminated by a nearby > radio transmitter (e.g. a cellphone)
Re: NONSTOP Crypto Query
On Sat, Jan 13, 2001 at 12:11:13PM -0800, Ray Dillinger wrote: > > > We hear low-frequency sounds when we type. But have we ever checked > for high-frequency sounds outside of human hearing range? I'd bet > a keyboard has a number of squeaks and ticks and twangs up there. > I'd also bet that most of the keys, after a keyboard's broken in, > don't sound exactly alike -- wear and tear, typing patterns, etc. > You might be able to resolve ambiguities of interferometry by using > the sounds of the keys themselves. > > Bear For what very little it is worth, I have been told that this was done quite sucessfully many many years ago with the old model 28 Teletype machines (anyone old enough to remember those ?) that made quite characteristic noises as the typebox was positioned to print a character (on a X, Y grid). One can be sure that reading traffic from the clatter of TTY machines was easier than a keyboard by interferometry or key click sound signatures, but then the DSP required to do it was a lot less readily available back then too... Model 28s were widely deployed by the US government by the way, and often used to print crypto traffic. > > > -- Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass. PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
Re: NONSTOP Crypto Query
>Ray Dillinger wrote: >> >> If you get two sensitive microphones in a room, you >> should be able to do interferometry to get the exact locations >> on a keyboard of keystrokes from the sound of someone typing. >> I guess three would be better, but with some reasonable >> assumptions about keys being coplanar or on a surface of known >> curvature, two would do it. Interesting possibilities. >> >> Bear >> >> [A quick contemplation of the wavelength of the sounds in question >> would put an end to that speculation I suspect. --Perry] We hear low-frequency sounds when we type. But have we ever checked for high-frequency sounds outside of human hearing range? I'd bet a keyboard has a number of squeaks and ticks and twangs up there. I'd also bet that most of the keys, after a keyboard's broken in, don't sound exactly alike -- wear and tear, typing patterns, etc. You might be able to resolve ambiguities of interferometry by using the sounds of the keys themselves. Bear
Re: NONSTOP Crypto Query
At 01:30 AM 1/13/2001 +, Ben Laurie wrote: >Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get >resolution to 1/10 of a wavelength under ideal conditions. Which is .5 >cm, which is half the size of a key, more or less. You don't have to locate the exact key to save a lot of complexity. A standard PC keyboard has 47 keys on the main section. Ignoring shifts, control, alt, combinations, etc. you have to deal with 47^N easy options per secret key of length N. Lets assume you don't get the key as a fact from the sound inference, but rather you get a probability density function that is weighted heavily arround a single key, and then arround the keys "one key away" and with decreasing probability for "two keys away" and so on until you get to the maximum of 14 or so keys away. If Ben's estimate is close to accurate, you should see a two standard deviation circle of only 9 or so keys. Since 47^6 is 229,345,008 and 9^6 is only531,441 this technique can whack out a factor of 500 in the "likely" exhaustive search of a six character passphrase. Obviously it saves more on longer passphrases. It also saves more if the user enters control/alt/shift combinations. Interesting. Pat Pat Farrell voice: (703 587-9898) Alchemistemail: [EMAIL PROTECTED] OneBigCD, yourtext pager: [EMAIL PROTECTED] Internet CD Jukebox
Re: NONSTOP Crypto Query
In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK: [...] It is our belief that most operational cryptanalysis makes use of side-channel information. [...] And Peter Wright discussed data leaking onto a transmission line as a side channel used to break a French cryptographic device [Wri87]. The (unclassified) military literature provides many examples of real-world side channels. [...] Peter Wright's crosstalk anecdote is probably what the HIJACK codeword refers to [USAF98]. Along similar lines, [USAF98] alludes to the possibility that crosstalk from sensitive hardware near a tape player might modulate the signal on the tape; [USAF98] recommends that tapes played in a classified facility be degaussed before they are removed, presumably to prevent side channels from leaking. Finally, one last example from the military literature is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading of unclassified sources, we believe this refers to the side channel that results when cryptographic hardware is illuminated by a nearby radio transmitter (e.g. a cellphone), thereby modulating the return signal with information about what the crypto gear is doing [AK98]. [...] [AK98] R. Anderson and M. Kuhn, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations," Proc. 2nd Workshop on Information Hiding, Springer, 1998. [USAF98] US Air Force, Air Force Systems Security Memorandum 7011-- Emission Security Countermeasures Review, 1 May 1998. [Wri87] P. Wright, Spycatcher, Viking Penguin Inc., 1987. The above is excerpted from the conclusions of J. Kelsey, B. Schneier, D. Wagner, C. Hall, "Side channel cryptanalysis of product ciphers", Journal of Computer Security, vol. 8, pp. 141--158, 2000. http://www.cs.berkeley.edu/~daw/papers/sidechan-final.ps Do remember, please, that these are just guesses. Also, credit is due to Ross Anderson and Markus Kuhn for informative discussions on this topic.
Re: NONSTOP Crypto Query
Ray Dillinger wrote: > > On Fri, 12 Jan 2001, John Young wrote: > > >Wright also describes the use of supersensitive microphones > >to pick up the daily setting of rotors on cryptomachines of the > >time, in particular the Hagelins made by CryptoAG. > > Hmmm. That sounds like a trick that could be brought up to > date. If you get two sensitive microphones in a room, you > should be able to do interferometry to get the exact locations > on a keyboard of keystrokes from the sound of someone typing. > I guess three would be better, but with some reasonable > assumptions about keys being coplanar or on a surface of known > curvature, two would do it. Interesting possibilities. > > Bear > > [A quick contemplation of the wavelength of the sounds in question > would put an end to that speculation I suspect. --Perry] Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get resolution to 1/10 of a wavelength under ideal conditions. Which is .5 cm, which is half the size of a key, more or less. Sounds pretty feasible to me. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: NONSTOP Crypto Query
Ray Dillinger wrote: > If you get two sensitive microphones in a room, you > should be able to do interferometry to get the exact locations > on a keyboard of keystrokes from the sound of someone typing. Interesting. Probably not the easiest way to snoop, but you might be driven to it. > I guess three would be better, but with some reasonable > assumptions about keys being coplanar or on a surface of known > curvature, two would do it. Interesting possibilities. Interferometry like measuring the time delay between the two microphones? Defines a hyperboloid, which when intersected with the keyboard still isn't specific enough, so I think you need three mics. > [A quick contemplation of the wavelength of the sounds in question > would put an end to that speculation I suspect. --Perry] You can localize to better than the shortest wavelength present, so the spectrum isn't obviously a problem. Consider it under ideal conditions -- anechoic, no transmission losses, omnidirectional emission. Then the mics get the same signal (at different times), and you can just find peak correlations between them. The required accuracy is roughly a centimeter, or 30 usec of sound travel, over one sample at audio rates; adjust that trigonometrically for mics placed other than 60 degrees apart. Keystrokes are noisy and should make decent correlation codes. Less-than-ideal conditions might make the scheme impossible, but I don't know how to conclude that without a lot more work. I don't know the state of the art, but a little web searching appears to say that people can localize speech in a videoconferencing room to within one 44-kHz sample. http://www.ie.ncsu.edu/kay/msf/sound.htm -- Eli Brandt | [EMAIL PROTECTED] | http://www.cs.cmu.edu/~eli/
Re: NONSTOP Crypto Query
At 01:37 PM 1/12/01 -0800, Ray Dillinger wrote: >Hmmm. That sounds like a trick that could be brought up to >date. If you get two sensitive microphones in a room, you >[A quick contemplation of the wavelength of the sounds in question >would put an end to that speculation I suspect. --Perry] Maybe not, because you can use the click--- you look only at intensity envelope, summing all frequencies essentially. [Remember your basic science: you can't resolve something smaller than half a wavelength. (Well, you can, with certain techniques, but things get seriously hairy at that point, and in general the limit is half a wavelength.) Given this, it is unlikely that you're going to figure out whether the g or the h key was struck. If I'm wrong here, I'd like to hear a detailed counterargument or evidence. --Perry]
Re: NONSTOP Crypto Query
Joel McNamara first told me about NONSTOP and its commonly associated classified codeword, HIJACK, both somehow related to Tempest. When you do a search on either of them you get hundreds (or 1000s) of hits for the generic terms "non-stop" and "hi-jack" but few entries for the codewords, and then as standards in military security documents. It's as if the codewords were picked to be camouflaged by the generics. And, because codewords are usually set to have no relation to the protected material, they probably are not descriptive -- but could be, just to outfox the smarties. The NONSTOP doc released to us was first issued in 1975 and has gone through 4 reprintings, the latest in 1987. And it continues to be cited as still in effect, though usually such standards are updated at least every 5 years. So there may be a later one which would account for its partial release after first denial. It's intriguing to read Spycatcher (1987) while reading the Tempest docs. I had not read Wright's most informative book, and regret not having done so. (The Story of Hut 6, too, by Gordon Welchman -- luckily found both in a military used-bookstore.) For those who have not read Spycatcher, Peter Wright was MI5's first scientist, and entered the service after WW2. He specialized in the technology of counterintelligence and with a few others cooked up a host of ingenious means to spy on spies and suspects. A specialty was the extraordinary use of electromagnetic science -- radio, telephone, acoustic, resonance, and more -- applying scientific abilities well in advance of technicians and engineers. Some of his ideas were so advanced his bosses said impossible, until he proved effectiveness. Then Wright quickly became the savior of officers who could not understand why Britain's enemies kept outsmarting them -- usually with advanced technological means. Wright changed that, but often got at odds with non-scientific personnel whose faith was HUMINT. Among others, he worked closely with GCHQ on occasion to provide technical attacks on cryptosystems which could not be broken by cryptanalysis. Thus his research on the cryptosecrets revealed by compromising emanations from devices, cabling, furniture, construction materials, and a host of ordinary physical objects in and near cipher rooms -- all of which emitted signals that could be acquired and interpreted by careful tuning for comprehension. He writes of amazing methods of acquiring signals, and it is no wonder HMG fought to prevent publication of Spycatcher. What he did not write about must be even more wondrous, and it makes you think he could pick up your brain waves if you were part of particular triangulated antenna. Maybe NONSTOP and HIJACK have nothing to do with the stuff Wright excelled at. Still, reading Spycatcher along with the Tempest docs -- and now Stephen Budiansky's "Battle of Wits: The Complete Story of Codebreaking in World War II," (2000) -- certainly demonstrates how much of codebreaking has been done by covert technical and physical means, even as we are told misleading cover stories. Are these latest crypto-revelations disinformation? Historically nearly all have been. Ha. Ha. Ha.
Re: NONSTOP Crypto Query
On Fri, 12 Jan 2001, John Young wrote: >Wright also describes the use of supersensitive microphones >to pick up the daily setting of rotors on cryptomachines of the >time, in particular the Hagelins made by CryptoAG. Hmmm. That sounds like a trick that could be brought up to date. If you get two sensitive microphones in a room, you should be able to do interferometry to get the exact locations on a keyboard of keystrokes from the sound of someone typing. I guess three would be better, but with some reasonable assumptions about keys being coplanar or on a surface of known curvature, two would do it. Interesting possibilities. Bear [A quick contemplation of the wavelength of the sounds in question would put an end to that speculation I suspect. --Perry]
Re: NONSTOP Crypto Query
In message <[EMAIL PROTECTED]>, John Young write s: > >This loops back to NONSTOP and the question of what may >be the signatures and compromising emanations of today's >cryptosystems which reveal information in ways that go beyond >known sniffers -- indeed, that known sniffers may divertingly >camouflage. Again going back to "Spycatcher", Wright described a number of other emissions. For example, voices in a room could modulate the current flow through a telephone's ringer. (This was, of course, back in the days of electromagnet-actuated ringers...) One can also find signals corresponding to the plaintext superimposed on the output waveform of the ciphertext, and possibly see coupling to the power supply. (One of the rules I've read: "Step 1: Look for the plaintext".) I've seen brochures for high-grade encryptors that speak of "red-black separation" and separate power supplies for the two halves. --Steve Bellovin, http:/www.research.att.com/~smb
