summary of http cs tau ac il tromer acoustic
play

Summary of: http://www.cs.tau.ac.il/~tromer/acoustic/ Credit - PowerPoint PPT Presentation

Aug 22, 2023 •363 likes •831 views

Summary of: http://www.cs.tau.ac.il/~tromer/acoustic/ Credit (including pictures and algorithms) to authors of the paper RSA RSA Key generation: Choose two large primes, p and q , and calculate n = pq Select e relatively prime with ( n ),

  1. Summary of: http://www.cs.tau.ac.il/~tromer/acoustic/ Credit (including pictures and algorithms) to authors of the paper

  3. RSA

  4. RSA ● Key generation: Choose two large primes, p and q , and calculate n = pq Select e relatively prime with ϕ( n ), calculate d as inverese of e PU = ( e , n ) PR = ( d , n ) ● Encryption of message: C = M e mod n ● Decryption of ciphertext: M = C d mod n

  5. RSA 4096-bit ● RSA supports different “key” lengths: 1024, 2048, 4096 bits ● Key generation: – p is 2048 bits, q is 2048 bits – n = pq is 4096 bits – e often 65,537 (16 bits) – d is calculated; about same length as n , ~ 4000 bits ● Decryption/Signing, i.e. using private key, M , C < n : C d mod n (very large number) (very large number) mod n

  6. RSA Implementation ● Split the modular exponentiation of 4096-bit number into two modular exponentiations of 2048-bit numbers – Chinese Remainder Theorem – d p = d (mod p- 1) – d q = d (mod q- 1) – q inv = q -1 (mod p ) Two steps using smaller exponents; ● Decryption/Signing: Increases speed by factor of 4 compared to one step with large – m p = C d p mod p exponent – m q = C d q mod q – h = q inv (m p - m q ) ( mod p) – M = m q + hq

  7. History ● 1978: Ron Rivest, Adi Shamir and Len Adlemen algorithm company ● 1982: Formed company - RSA Security – Sells authentication tokens and BSAFE library of cryptographic operations (alternative to OpenSSL) ● 1995: Employees created digital certificate company (VeriSign) ● 2006: Acquired by EMC ● 2013: Alleged NSA backdoor in random number generator proposed and used by RSA

  8. Side Channel Attacks

  9. Ciphertext Only Attacks Attack intercepts ciphertext, aims to find the plaintext and/or private key

  10. Chosen Plaintext/Ciphertext Attacks Attacker can choose multiple ciphertext (and plaintext) values and convince target to decrypt them Aims to find the private key

  11. Side Channel Attack Side channel Attacker can choose multiple ciphertext (and plaintext) values and convince target to decrypt them Attacker can also observe activities of targets computer Aims to find the private key

  12. RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis Daniel Genkin Adi Shamir Eran Tromer Technion and Tel Aviv University Weizmann Institute of Science Tel Aviv University December 18, 2013 http://www.cs.tau.ac.il/~tromer/acoustic/ http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf

  13. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q 3. Repeat with different ciphertexts until all bits of q are determined 4. Calculate p and d 5. Profit!!!

  14. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext Example ● Need recording equipment nearby Target runs an email client that automatically decrypts emails. ● Different values of q require different operations in decryption, Email client decrypts using targets Private key (d). producing different sounds by target Attacker creates the necessary chosen ciphertext and emails ● Identifying the different sounds allows for determining bits of q to target. 3. Repeat with different ciphertexts until all bits of q are Attacker can repeatedly send emails, making them look like determined spam. Target email client automatically decrypts and then 4. Calculate p and d discards. User doesn't notice. 5. Profit!!! POSSIBLE

  15. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q 3. Repeat with different ciphertexts until all bits of q are determined We will look at this in depth next. 4. Calculate p and d POSSIBLE (with some conditions) 5. Profit!!!

  16. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q 3. Repeat with different ciphertexts until all bits of q are determined 4. Calculate p and d As described in step 1. 5. Profit!!! POSSIBLE

  17. The Attack 1. Send a specially crafted ciphertext to target 2. Record the audio generated by target computer while it is decrypting ciphertext ● Need recording equipment nearby ● Different values of q require different operations in decryption, producing different sounds by target ● Identifying the different sounds allows for determining bits of q Public values: e, n, C, M 3. Repeat with different ciphertexts until all bits of q are If you also know q : determined n = pq therefore q = n/p ϕ( n ) = ( p -1)( q -1) 4. Calculate p and d Calculate d (same as key generation) 5. Profit!!! EASY

  18. Listening to a computer ● CPUs change their power consumption depending what they need to do – Depends on type and number of operations, e.g. MUL, ADD ● Leads to vibrations of electrical components in power supply circuitry ● Vibrations create sound (acoustic emanations) ● So what? If we can listen to the sound and, if we can distinguish what operations are being performed while decrypting, and if the operations depend on specific private keys, then can learn the private key

  19. A lot of ifs ... If we can listen to the sound and, if we can distinguish what operations are being performed while decrypting, and if the operations depend on specific private keys, then can learn the private key ● Microphones pickup frequencies from up to 20kHz, even up to 100kHz (with lower sensitivity). Sound from CPU activity differs in frequencies than other sources (fan, hard disk etc) ● Different operations produce acoustic signals (sound) with different spectrograms ● Creating chosen ciphertexts trigger different operations in RSA decryption (modular exponentiation) depending on key

  20. How to record sound of target computer?

  21. Experimental Setup: Fixed

  22. Experimental Setup: Portable

  23. Experimental Setup: Mobile

  24. Can different CPU operations be detected by sound?

  25. Frequency Spectrogram of CPU Operations Frequency (0-310 kHz) Time (0-3.7s) “Greener” the value, larger the signal magnitude

  26. mod p and mod q can be distinguished Yellow arrows show where RSA changes from mod p to mod q modular exponentiation m p = c d p mod p m q = c d q mod q

  27. Another laptop, Freq up to 40kHz

  28. Are the CPU operations dependent on the private key? (and if so, can we detect the different operations?)

  29. Approach ● Choose a ciphertext such that the decryption by the target will require different operations depending on the target's key – “Target's key” is q in this attack ● Focus on a single bit in q at a time ● Attacker wants the decryption to sound different depending on that bit of q – Send a chosen ciphertext to target – If attacker can detect the different sounds, then can detect that bit of q ● Repeat by sending different chosen ciphertexts to detect subsequent bits of q – Either repeat for all 2048 bits of q – Or use Coppersmith attack: require about 1024 bits of q

  30. Modular Exponentiation Algorithm m : m q d : d q (2048 bits) q (2048 bits) Reduce ciphertext c if greater than q Loop 2048 times Multiply current m and ciphertext c

  31. q Modular Exponentiation (Simplified) MODULAR_EXPONENTATION (c, d, q) { Reduce ciphertext c c = c mod q m q = 1 for i = 2048 .. 1 { m q = m q2 2048 multiplications of c and m … t = m q * c … } return m q }

  32. Choosing the Ciphertext ● q is 2048 number q 2048 q 2047 q 2046 … q 3 q 2 q 1 ● Assume we know the first ( i - 1) bits of q – E.g. i = 4 , we know: q 2048 q 2047 q 2046 = 110 ● Aim: find the next bit of q – E.g. q 2045 : is it 0 or 1? ● Create ciphertext with first ( i - 1) bits of q , then 0, then all 1's q 2048 q 2047 q 2046 011111...11111 ● Send chosen ciphertext to target for decryption

  33. q Modular Exponentiation of Chosen Ciphertext MODULAR_EXPONENTATION (c, d, q) { c = c mod q m q = 1 c = q 2048 q 2047 q 2046 0 11111...11111 for i = 2048 .. 1 { q = q 2048 q 2047 q 2046 q 2045 q 2044 q 2043 ... m q = m q2 If q 2045 = 1, c < q: … c mod q = c c doesn't change; still 2048 bits with many 1's at right t = m q * c If q 2045 = 0, c ≥ q: … c mod q = ? c changes; smaller, random looking number } return m q }

  34. q Modular Exponentiation of Chosen Ciphertext MODULAR_EXPONENTATION (c, d, q) { c = c mod q m q = 1 for i = 2048 .. 1 { m q = m q2 … t = m q * c If q 2045 = 1, c < q: … c doesn't change; still 2048 bits with many 1's at right 2048 multiplications with structured, 2048 bit c } If q 2045 = 0, c ≥ q: return m q c changes; smaller, random looking number 2048 multiplications with random, shorter c }

Recommend

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images

From calls to counts: Estimating animal density using passive acoustic monitoring (PAM) Images courtesy of J. Hildebrand (L) and http://www.birds.cornell.edu/brp/elephant (R) Why acoustics? A wealth of recorded information Acoustic

496 views • 21 slides
The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer Succint

The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer Succint

The Hunting of the SNARK Nir Bitansky Ran Canetti Alessandro Chiesa Eran Tromer Succint Noninteractive Argument of Knowledge Kilian '92 Micali '00 Aiello Bhatt Ostrovsky Rajagopalan '00 Dwork Langberg Naor Nissim Reingold '04 Di Crescenzo

567 views • 14 slides
Results from a Study of Acoustic Ultrahigh- energy Neutrino Detection (SAUND)

Results from a Study of Acoustic Ultrahigh- energy Neutrino Detection (SAUND)

Results from a Study of Acoustic Ultrahigh- energy Neutrino Detection (SAUND) http://hep.stanford.edu/neutrino/SAUND/ Justin Vandenbroucke justinav@socrates.berkeley.edu September 13, 2003 Stanford University Workshop on Acoustic Cosmic Ray

370 views • 33 slides
VARIFLEX operable walls Introduction Acoustic overview Acoustic selection table Types of VX

VARIFLEX operable walls Introduction Acoustic overview Acoustic selection table Types of VX

mobile acoustic partitions / VARIFLEX operable walls Introduction Acoustic overview Acoustic selection table Types of VX &amp; selection table Types of elements Layout example Hardware &amp; components Types of tracks Suspension details

745 views • 37 slides
Cryptologic Applications of the PlayStation 3: Cell SPEED Dag Arne Osvik EPFL Eran Tromer MIT

Cryptologic Applications of the PlayStation 3: Cell SPEED Dag Arne Osvik EPFL Eran Tromer MIT

Cryptologic Applications of the PlayStation 3: Cell SPEED Dag Arne Osvik EPFL Eran Tromer MIT Cell Broadband Engine 1 PowerPC core Based on the PowerPC 970 128-bit AltiVec/VMX SIMD unit Currently up to 8 synergistic

449 views • 26 slides
The Center for Acoustic Neuroma Translabyrinthine Resection of Acoustic Neuroma Indications 1 -

The Center for Acoustic Neuroma Translabyrinthine Resection of Acoustic Neuroma Indications 1 -

Translabyrinthine Resection of Acoustic Neuroma The Center for Acoustic Neuroma Translabyrinthine Resection of Acoustic Neuroma Indications 1 - Any tumors with non-serviceable hearing Servicable hearing 50/50 rule Speech discrimination

551 views • 42 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Acoustic Modeling: Tied-state HMMs &amp; DNN-based models Lecture 7 CS 753 Instructor: Preethi

Acoustic Modeling: Tied-state HMMs &amp; DNN-based models Lecture 7 CS 753 Instructor: Preethi

Acoustic Modeling: Tied-state HMMs &amp; DNN-based models Lecture 7 CS 753 Instructor: Preethi Jyothi Recall: Acoustic Model Acoustic Context Pronunciation Language Models Transducer Model Model Acoustic Word

604 views • 37 slides
Measurement of acoustic noise in Lake Baikal Report submitted to the Mini-Workshop on Acoustic

Measurement of acoustic noise in Lake Baikal Report submitted to the Mini-Workshop on Acoustic

Measurement of acoustic noise in Lake Baikal Report submitted to the Mini-Workshop on Acoustic Neutrino and Highest Energy Shower Detection, Stanford Sept. 13-14. N.Budnev, A.Chensky, R.Mirgazov, G.Pankov, L.Pankov Irkutsk State

354 views • 16 slides
Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer

Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer

Integrity for Car-Computing A cryptographic vision for integrity in vehicle networks Eran Tromer Transportation CybserSecurity 1 18 Feb 2014 The first vehicle computer D-17B Minuteman I guidance system 2 The first vehicle computer D-17B

554 views • 10 slides
Welcome to the Welcome to the First MiniWorkshop MiniWorkshop on on First Acoustic

Welcome to the Welcome to the First MiniWorkshop MiniWorkshop on on First Acoustic

Welcome to the Welcome to the First MiniWorkshop MiniWorkshop on on First Acoustic Cosmic Ray Detection Acoustic Cosmic Ray Detection A few facts: G.Gratta, Welcome 1st Acoustic MiniWorkshop, Stanford, Sept 13-14, 03 2

136 views • 10 slides
CT CTC-CRF CRF CRF-based sin ingle-stage acoustic ic modeli ling wit ith CT CTC topology

CT CTC-CRF CRF CRF-based sin ingle-stage acoustic ic modeli ling wit ith CT CTC topology

CT CTC-CRF CRF CRF-based sin ingle-stage acoustic ic modeli ling wit ith CT CTC topology Hongyu Xiang, Zhijian Ou Speech Processing and Machine Intelligence (SPMI) Lab Tsinghua University http://oa.ee.tsinghua.edu.cn/ouzhijian/ 1

339 views • 21 slides
Numerical approximation of acoustic scattering by fractal screens Andrea Moiola

Numerical approximation of acoustic scattering by fractal screens Andrea Moiola

UMI, P AVIA , 27 S EPTEMBER 2019 Numerical approximation of acoustic scattering by fractal screens Andrea Moiola http://matematica.unipv.it/moiola/ Joint work with S.N. Chandler-Wilde (Reading), D.P . Hewett (UCL) A. Caetano (Aveiro)

854 views • 57 slides
Acoustic Liquid- -Level Determination of Level Determination of Acoustic Liquid Gradients and

Acoustic Liquid- -Level Determination of Level Determination of Acoustic Liquid Gradients and

Gas Well De-Liquification Workshop Adams Mark Hotel, Denver, Colorado March 5 - 7, 2007 Acoustic Liquid- -Level Determination of Level Determination of Acoustic Liquid Gradients and BHP in Flowing Gas Wells Gradients and BHP in Flowing Gas

522 views • 28 slides
Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen,

Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen,

Acoustic particle detection Robert Lahmann HAP Workshop: The Non-Thermal Universe Erlangen, 21-Sept-2016 Outline Introduction: acoustic neutrino detection The first generation of acoustic neutrino test setups Lessons learned

686 views • 37 slides
The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L.

The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L.

The ABS The ABS Acoustic Bubble Spectrometer Acoustic Bubble Spectrometer by G. L. Chahine D YNAFLOW , I NC . Jessup, MD www.dynaflow-inc.com Email: glchahine@dynaflow-inc.com www.dynaflow-inc.com Background Background Bubbles

238 views • 21 slides
Bulk and Surface Acoustic Waves in Piezoelectric Media Introductory Course on Multiphysics

Bulk and Surface Acoustic Waves in Piezoelectric Media Introductory Course on Multiphysics

Introduction Piezoelectricity Anisotropic media Bulk acoustic waves Surface Acoustic Waves (SAW) SAW examples Bulk and Surface Acoustic Waves in Piezoelectric Media Introductory Course on Multiphysics Modelling T OMASZ G. Z IELI NSKI

1.33k views • 66 slides
T-Type Acoustic Inspection System Acoustic Measurement of Storage Tank Sludge Crude Oil Storage

T-Type Acoustic Inspection System Acoustic Measurement of Storage Tank Sludge Crude Oil Storage

T-Type Acoustic Inspection System Acoustic Measurement of Storage Tank Sludge Crude Oil Storage Tanks Sludge Settles in Bottom of Tank Reduces Storage Capacity Sludge Surface Topology Not Uniform Monitoring Required for Capacity Accounting

696 views • 35 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
Broad band acoustic detectors J.P. Zendri* on behalf of the AURIGA collaboration

Broad band acoustic detectors J.P. Zendri* on behalf of the AURIGA collaboration

Broad band acoustic detectors J.P. Zendri* on behalf of the AURIGA collaboration www.auriga.lnl.infn.it 5 th International LISA Symposium 12-15 July 2004 Acoustic detector noise budget:one dimensional lumped model Quantum mechanics constrain T

576 views • 23 slides
On the Predictability of Underwater Acoustic Communications Performance: the KAM11 Data Set as a

On the Predictability of Underwater Acoustic Communications Performance: the KAM11 Data Set as a

On the Predictability of Underwater Acoustic Communications Performance: the KAM11 Data Set as a Case Study Beatrice Tomasi, Prof. James C. Preisig, Prof. Michele Zorzi ACM WUWNet 2011, Seattle Objectives and motivations Underwater Acoustic

712 views • 17 slides
Finding Buried Targets Using Acoustic Excitation Zackary R. Kenz Advisor: Dr. H.T. Banks In

Finding Buried Targets Using Acoustic Excitation Zackary R. Kenz Advisor: Dr. H.T. Banks In

Math Modeling Acoustic Model Simulations Conclusion Finding Buried Targets Using Acoustic Excitation Zackary R. Kenz Advisor: Dr. H.T. Banks In collaboration with Dr. Shuhua Hu, Dr. Grace Kepler, Clay Thompson NCSU, L3 Communications

758 views • 49 slides
Surface Acoustic Wave Enhancement of Photocathode Quantum Efficiency Boqun Dong, Andrei Afanasev,

Surface Acoustic Wave Enhancement of Photocathode Quantum Efficiency Boqun Dong, Andrei Afanasev,

Muons, Inc. Surface Acoustic Wave Enhancement of Photocathode Quantum Efficiency Boqun Dong, Andrei Afanasev, Mona Zaghloul George Washington University Rolland Johnson, Alan Dudas, Vadim Dudnikov Muons/MuPlus Inc. - http://muonsinc.com/

640 views • 24 slides
sparse arrays for acoustic source localization Authors: T. Lan, Y.L. Wang (Corresponding author)

sparse arrays for acoustic source localization Authors: T. Lan, Y.L. Wang (Corresponding author)

A novel grating lobes suppression method of sparse arrays for acoustic source localization Authors: T. Lan, Y.L. Wang (Corresponding author) and N. Zou(Speaker) zounan@hrbeu.edu.cn Author Affiliations: 1. Acoustic Science and Technology

458 views • 12 slides

More recommend