### RE: NONSTOP Crypto Query

```
I've seen an existence proof which indicates that this is possible.
Back when I was first getting involved with computers (circa 1972),
some digitizer tablets worked by speed-of-sound measurements.
The stylus tip contained a small spark gap which was energized
when the stylus pressed on the tablet. This created a spark,
and the spark a minuscule roll of thunder. Microphones situated
along the edges of the tablet recorded the arrival times of the sound,
and the location of the stylus was calculated within a millimeter or two.

This was a peripheral for a DEC PDP-8E.

This was calculating a position over about 20 cm to a millimeter,
in real time, in 1972. Doing so to a resolution of a centimeter or
two, in 2001, over several meters sounds feasible.

Peter Trei

--
From: Ray Dillinger[SMTP:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 4:37 PM
To:   John Young
Cc:   [EMAIL PROTECTED]
Subject:  Re: NONSTOP Crypto Query

On Fri, 12 Jan 2001, John Young wrote:

Wright also describes the use of supersensitive microphones
to pick up the daily setting of rotors on cryptomachines of the
time, in particular the Hagelins made by CryptoAG.

Hmmm.  That sounds like a trick that could be brought up to
date.  If you get two sensitive microphones in a room, you
should be able to do interferometry to get the exact locations
on a keyboard of keystrokes from the sound of someone typing.
I guess three would be better, but with some reasonable
assumptions about keys being coplanar or on a surface of known
curvature, two would do it.  Interesting possibilities.

Bear

[A quick contemplation of the wavelength of the sounds in question
would put an end to that speculation I suspect. --Perry]

```

### Re: NONSTOP Crypto Query

```
One interesting question is exactly how strong radio frequency
illumination could cause compromise of information being processed by
electronic equipment. I have an idea for a mechanism whereby such
illumination could induce generation of harmonic and beat frequencies
that are modulated by internal data signals.

This mechanism is based on an effect that is familiar to ham radio
operators, who are often bedeviled by neighbors complaining of
television interference. Here is a quote from the chapter on
interference in an old (1974) edition of the ARRL Radio Amateur's
Handbook:

"Harmonics by Rectification"

"Even though the transmitter is completely free from harmonic output
it is still possible for interference to occur because of harmonics
generated outside the transmitter. These result from rectification of
fundamental-frequency currents induced in conductors in the vicinity
of the transmitting antenna. Rectification can take place at any
point where two conductors are in poor electrical contact, a
condition that frequently exists in plumbing, downspouting, BX cables
crossing each other, ...It can also occur ... in power supplies,
speech equipment, etc. that may not be enclosed in the shielding
about the RF circuits."

In the case of computer equipment, the conductor could be a wire,
external cable or even a trace on a printed circuit board. Now
imagine that the source of rectification is not a poor connection,
but a transistor junction in a logic gate or line driver. As that
device is switched on and off, RF rectification may be switched on
and off as well, modulating the generated harmonic with the input
signal. If that signal carries sensitive information, all the
information would be broadcast on the harmonic output. Keyboard
interfaces, video output circuits and serial line drivers come to
mind as excellent candidates for this effect, since they often carry
sensitive information and are usually connected to long wires that
can absorb the incident RF energy and radiate the harmonics.

All an attacker has to do is monitor a site transmitting at frequency
f and analyze any signals at 2*f, 3*f, etc. If the site has more than
one transmitter, say a command hut, or a naval ship, there are also
beat frequencies to consider f1+f2, f1-f2, 2*f1+f2, 2*f1-f2, etc.
Note that harmonics and beats radiated from the equipment under
attack are vastly easier to detect that any re-radiation at the
fundamental frequency, which would be swamped by the primary
transmitter's signal.

There is also a potential active attack where an adversary
frequency-sweeps your equipment with RF hoping to find a parasitic
harmonic generator. This might be the "resonance" technology Peter
Wright referred to.  If the source illumination causes a resonance
by, say, operating at 1/4 the electrical wavelength of the video
output cable, any effect might be magnified greatly. (The even
harmonics would be suppressed, but odd harmonics would not be.)
Illumination could be done directly or over telephone, cable TV or
power lines.

This might also explain "NONSTOP testing and protection being
especially needed on vehicles, planes and ships." since they often
carry multiple radio transmitters and are more easily exposed to
monitoring and external illumination than a fixed site inside a
secure perimeter.

The two code names (NONSTOP and HIJACK) might possibly refer to the
passive and active modes.  Or NONSTOP may refer to radiated signals
and HIJACK to signals over hardwire lines. Or one could cover all the
effects I am proposing and the other something completely different.
Whatever.

FWIW,

Arnold Reinhold

At 2:23 AM + 1/13/2001, David Wagner wrote:
In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier,
Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK:

[...]
It is our belief that most operational cryptanalysis makes use of
side-channel information.  [...]  And Peter Wright discussed data
leaking onto a transmission line as a side channel used to break a
French cryptographic device [Wri87].

The (unclassified) military literature provides many examples of
real-world side channels.  [...]  Peter Wright's crosstalk anecdote
is probably what the HIJACK codeword refers to [USAF98]. Along
similar lines, [USAF98] alludes to the possibility that crosstalk from
sensitive hardware near a tape player might modulate the signal on the
tape; [USAF98] recommends that tapes played in a classified facility be
degaussed before they are removed, presumably to prevent side channels
from leaking. Finally, one last example from the military literature
is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading
of unclassified sources, we believe this refers to the side channel
that results when cryptographic hardware is illuminated by a nearby
radio transmitter (e.g. a cellphone), thereby modulating
```

### Re: NONSTOP Crypto Query

```
[A quick contemplation of the wavelength of the sounds in question
would put an end to that speculation I suspect. --Perry]

I know this has been somewhat done to death, but there's a nice
comparison:  GPS positioning using carrier phase tracking is equivalent
(well, it's reversed - clicks come from the microphones/satellites and
the key/receiver calculates its position - but the principle is the
same).  This can give millimetre accuracy with carrier wavelengths of
19cm (if you're very careful, have lots of time and maybe some luck).
The precision comes from cross-correlating wave trains rather
than trying to measure a particular point (eg the initial rise of the
click) accurately.  You wouldn't do as well with keyboard clicks, but
then you don't need to.

Note that usually GPS positioning is not done using carrier phase
tracking - that, together with problems like different atmospheric paths
from different satellites and, in the past, noise added to civilian
signals, gives much lower precision.  See, for example,

Accuracy for keyboards would depend on how many wavelengths can be
detected at good signal-to-noise within a single "click" (and having
stable recordings with no wow or flutter).  Also, it would be useful to
know the identity of one key - return for example - to help solve for
the position of the keyboard relative to the microphones.  Getting an
initial solution might be difficult - it would be a big help to know the
relative position of keyboard and microphones to within a wavelength or
two (and have all recordings marked by synchronized clock ticks).  If
the user moved their keyboard during typing it would cause havoc with
any attempt to converge on a solution.  Maybe we should all start
walking around as we type...

Andrew

(In a previous job I wrote software to calculate positions from GPS
satellites - Paul Crowley may be able to correct me if I have made any
errors as he was there too...)

```

### Re: NONSTOP Crypto Query

```
Joel McNamara first told me about NONSTOP and its commonly
associated classified codeword, HIJACK, both somehow related
to Tempest.

When you do a search on either of them you get hundreds
(or 1000s) of hits for the generic terms "non-stop" and "hi-jack"
but few entries for the codewords, and then as standards in
military security documents.

It's as if the codewords were picked to be camouflaged by the
generics. And, because codewords are usually set to have
no relation to the protected material, they probably are not
descriptive -- but could be, just to outfox the smarties.

The NONSTOP doc released to us was first issued in 1975
and has gone through 4 reprintings, the latest in 1987. And
it continues to be cited as still in effect, though usually such
standards are updated at least every 5 years. So there may
be a later one which would account for its partial release
after first denial.

It's intriguing to read Spycatcher (1987) while reading the
Tempest docs. I had not read Wright's most informative
book, and regret not having done so. (The Story of Hut 6,
too, by Gordon Welchman -- luckily found both in a
military used-bookstore.)

For those who have not read Spycatcher, Peter Wright
was MI5's first scientist, and entered the service after
WW2. He specialized in the technology of counterintelligence
and with a few others cooked up a host of ingenious means
to spy on spies and suspects. A specialty was the
extraordinary use of electromagnetic science -- radio,
telephone, acoustic, resonance, and more -- applying
scientific abilities well in advance of technicians and
engineers. Some of his ideas were so advanced his
bosses said impossible, until he proved effectiveness.
Then Wright quickly became the savior of officers
who could not understand why Britain's enemies kept
outsmarting them -- usually with advanced technological
means. Wright changed that, but often got at odds with
non-scientific personnel whose faith was HUMINT.

Among others, he worked closely with GCHQ on occasion
to provide technical attacks on cryptosystems which could
not be broken by cryptanalysis. Thus his research on the
cryptosecrets revealed by compromising emanations from
devices, cabling, furniture, construction materials, and a host
of ordinary physical objects in and near cipher rooms -- all
of which emitted signals that could be acquired and interpreted
by careful tuning for comprehension. He writes of amazing
methods of acquiring signals, and it is no wonder HMG
fought to prevent publication of Spycatcher.

What he did not write about must be even more wondrous,
and it makes you think he could pick up your brain waves
if you were part of particular triangulated antenna.

Maybe NONSTOP and HIJACK have nothing to do with
the stuff Wright excelled at. Still, reading Spycatcher
along with the Tempest docs -- and now Stephen
Budiansky's "Battle of Wits: The Complete Story of
Codebreaking in World War II," (2000) -- certainly
demonstrates how much of codebreaking has been
done by covert technical and physical means, even
as we are told misleading cover stories.

Are these latest crypto-revelations disinformation?
Historically nearly all have been.  Ha. Ha. Ha.

```

### Re: NONSTOP Crypto Query

```
At 01:37 PM 1/12/01 -0800, Ray Dillinger wrote:
Hmmm.  That sounds like a trick that could be brought up to
date.  If you get two sensitive microphones in a room, you

[A quick contemplation of the wavelength of the sounds in question
would put an end to that speculation I suspect. --Perry]

Maybe not, because you can use the click --- you look only at the intensity
envelope, summing all frequencies essentially.

[Remember your basic science: you can't resolve something smaller than
half a wavelength. (Well, you can, with certain techniques, but things
get seriously hairy at that point, and in general the limit is half a
wavelength.) Given this, it is unlikely that you're going to figure
out whether the g or the h key was struck. If I'm wrong here, I'd like
to hear a detailed counterargument or evidence. --Perry]

```

### Re: NONSTOP Crypto Query

```
Ray Dillinger wrote:
If you get two sensitive microphones in a room, you
should be able to do interferometry to get the exact locations
on a keyboard of keystrokes from the sound of someone typing.

Interesting.  Probably not the easiest way to snoop, but you might be
driven to it.

I guess three would be better, but with some reasonable
assumptions about keys being coplanar or on a surface of known
curvature, two would do it.  Interesting possibilities.

Interferometry like measuring the time delay between the two
microphones?  Defines a hyperboloid, which when intersected with the
keyboard still isn't specific enough, so I think you need three mics.

[A quick contemplation of the wavelength of the sounds in question
would put an end to that speculation I suspect. --Perry]

You can localize to better than the shortest wavelength present, so
the spectrum isn't obviously a problem.  Consider it under ideal
conditions -- anechoic, no transmission losses, omnidirectional
emission.  Then the mics get the same signal (at different times), and
you can just find peak correlations between them.

The required accuracy is roughly a centimeter, or 30 usec of sound
travel, over one sample at audio rates; adjust that trigonometrically
for mics placed other than 60 degrees apart.  Keystrokes are noisy and
should make decent correlation codes.  Less-than-ideal conditions
might make the scheme impossible, but I don't know how to conclude
that without a lot more work.

I don't know the state of the art, but a little web searching appears
to say that people can localize speech in a videoconferencing room to
within one 44-kHz sample.  http://www.ie.ncsu.edu/kay/msf/sound.htm

--
Eli Brandt  |  [EMAIL PROTECTED]  |  http://www.cs.cmu.edu/~eli/

```
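An added illustration of the correlation argument in Eli's post (this is constructed example code, not code from any participant in the thread): one noisy click is synthesized, recorded at two microphones with the geometric time difference, and that difference is recovered from the cross-correlation peak, refined to sub-sample precision. It assumes 343 m/s, 44.1 kHz and the ideal anechoic, lossless, omnidirectional room Eli describes; the click waveform, the noise level and the mic/source geometry are all constructed, and the point it makes is that the time-delay error is then well under one sample (0.78 cm of sound travel), far below the roughly 5.7 cm wavelength of the click's highest frequencies.

```python
import math
import random

C_SOUND = 343.0  # speed of sound in air, m/s (assumed)
FS = 44100       # sample rate, Hz: the "audio rate" in the thread

def sample_resolution_cm(fs=FS, c=C_SOUND):
    """Distance sound travels in one sample period, in cm (about 0.78 cm at 44.1 kHz)."""
    return c / fs * 100.0

def tdoa_seconds(src, mic_a, mic_b, c=C_SOUND):
    """Geometric time-difference-of-arrival: how much later mic_b hears the source than mic_a."""
    return (math.dist(src, mic_b) - math.dist(src, mic_a)) / c

def make_click(n=600, seed=1):
    """Constructed stand-in for a click: 7-tap-smoothed noise (null near FS/7 = 6.3 kHz), decaying."""
    rng = random.Random(seed)
    raw = [rng.gauss(0.0, 1.0) for _ in range(n)]
    smooth = [sum(raw[max(0, i - 3):i + 4]) / 7.0 for i in range(n)]
    return [x * math.exp(-i / (n / 4.0)) for i, x in enumerate(smooth)]

def delayed(signal, delay, total):
    """Copy signal into a zero buffer shifted by a fractional number of samples (linear interpolation)."""
    out = [0.0] * total
    k, frac = math.floor(delay), delay - math.floor(delay)
    for i, x in enumerate(signal):
        if 0 <= i + k < total:
            out[i + k] += x * (1.0 - frac)
        if 0 <= i + k + 1 < total:
            out[i + k + 1] += x * frac
    return out

def estimate_lag(a, b, max_lag):
    """Lag (samples) by which b trails a: cross-correlation peak, parabola-refined to sub-sample."""
    n = len(a)
    xc = lambda lag: sum(a[i] * b[i + lag] for i in range(max(0, -lag), min(n, n - lag)))
    scores = {lag: xc(lag) for lag in range(-max_lag, max_lag + 1)}
    best = max(scores, key=scores.get)
    if -max_lag < best < max_lag:
        y0, y1, y2 = scores[best - 1], scores[best], scores[best + 1]
        if y0 - 2.0 * y1 + y2 != 0.0:  # fit a parabola through the three samples at the peak
            return best + 0.5 * (y0 - y2) / (y0 - 2.0 * y1 + y2)
    return float(best)

def simulate(src, mic_a, mic_b, noise_std=0.05, seed=2):
    """Ideal-conditions experiment: one click, two mics, additive white noise.
    Returns (estimated TDOA, true TDOA) in samples and the position error in cm."""
    rng = random.Random(seed)
    true_samples = tdoa_seconds(src, mic_a, mic_b) * FS
    click, total = make_click(), 2000
    a = [x + rng.gauss(0.0, noise_std) for x in delayed(click, 400.0, total)]
    b = [x + rng.gauss(0.0, noise_std) for x in delayed(click, 400.0 + true_samples, total)]
    max_lag = math.ceil(math.dist(mic_a, mic_b) / C_SOUND * FS) + 1  # bounded by the mic baseline
    est = estimate_lag(a, b, max_lag)
    return est, true_samples, abs(est - true_samples) * sample_resolution_cm()
```

The less-than-ideal conditions Eli mentions (reverberation, losses, directional emission, a moving source) are exactly what this simulation leaves out, and they are what make the real measurement hard.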

### Re: NONSTOP Crypto Query

```
Ray Dillinger wrote:

On Fri, 12 Jan 2001, John Young wrote:

Wright also describes the use of supersensitive microphones
to pick up the daily setting of rotors on cryptomachines of the
time, in particular the Hagelins made by CryptoAG.

Hmmm.  That sounds like a trick that could be brought up to
date.  If you get two sensitive microphones in a room, you
should be able to do interferometry to get the exact locations
on a keyboard of keystrokes from the sound of someone typing.
I guess three would be better, but with some reasonable
assumptions about keys being coplanar or on a surface of known
curvature, two would do it.  Interesting possibilities.

Bear

[A quick contemplation of the wavelength of the sounds in question
would put an end to that speculation I suspect. --Perry]

Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get
resolution to 1/10 of a wavelength under ideal conditions. Which is .5
cm, which is half the size of a key, more or less.

Sounds pretty feasible to me.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

```

### Re: NONSTOP Crypto Query

```
At 01:30 AM 1/13/2001 +, Ben Laurie wrote:
Hmm. 6 kHz has a wavelength of 5 cm. I would guess you can easily get
resolution to 1/10 of a wavelength under ideal conditions. Which is .5
cm, which is half the size of a key, more or less.

You don't have to locate the exact key to save a lot of complexity.

A standard PC keyboard has 47 keys on the main section.
Ignoring shifts, control, alt, combinations, etc. you have to deal with
47^N easy options per secret key of length N.

Let's assume you don't get the key as a fact from the sound inference,
but rather you get a probability density function that is weighted heavily
around a single key, and then around the keys "one key away" and
with decreasing probability for "two keys away" and so on until you get
to the maximum of 14 or so keys away.

If Ben's estimate is close to accurate, you should see a two standard deviation
circle of only 9 or so keys.

Since 47^6 is 229,345,008 and
9^6 is only 531,441
this technique can whack out a factor of 500 in the "likely" exhaustive
search of a six character passphrase. Obviously it saves more on longer passphrases.
It also saves more if the user enters control/alt/shift combinations.

Interesting.

Pat

Pat Farrell              voice:       (703 587-9898)
Alchemist                email:       [EMAIL PROTECTED]
OneBigCD, your           text pager:  [EMAIL PROTECTED]
Internet CD Jukebox

```

### Re: NONSTOP Crypto Query

```
In message [EMAIL PROTECTED], John Young writes:

This loops back to NONSTOP and the question of what may
be the signatures and compromising emanations of today's
cryptosystems which reveal information in ways that go beyond
known sniffers -- indeed, that known sniffers may divertingly
camouflage.

Again going back to "Spycatcher", Wright described a number of other
emissions.  For example, voices in a room could modulate the current
flow through a telephone's ringer.  (This was, of course, back in the
days of electromagnet-actuated ringers...)  One can also find signals
corresponding to the plaintext superimposed on the output waveform of
the ciphertext, and possibly see coupling to the power supply.  (One of
the rules I've read:  "Step 1:  Look for the plaintext".)

I've seen brochures for high-grade encryptors that speak of "red-black
separation" and separate power supplies for the two halves.

--Steve Bellovin, http:/www.research.att.com/~smb

```

### Re: NONSTOP Crypto Query

```

On Fri, 12 Jan 2001, John Young wrote:

Wright also describes the use of supersensitive microphones
to pick up the daily setting of rotors on cryptomachines of the
time, in particular the Hagelins made by CryptoAG.

Hmmm.  That sounds like a trick that could be brought up to
date.  If you get two sensitive microphones in a room, you
should be able to do interferometry to get the exact locations
on a keyboard of keystrokes from the sound of someone typing.
I guess three would be better, but with some reasonable
assumptions about keys being coplanar or on a surface of known
curvature, two would do it.  Interesting possibilities.

Bear

[A quick contemplation of the wavelength of the sounds in question
would put an end to that speculation I suspect. --Perry]

```