#1 By: Cory Doctorow, December 20th, 2013 08:56
#2 By: Boundegar, December 20th, 2013 10:06
#3 By: Víctor, December 20th, 2013 10:16
If I saw that in a movie I would have cried BULLSHIT in the middle of the freaking theatre.
Now... wow... just wow.
Time to put silencers on our motherboards Mr Bond!
#4 By: technogeek, December 20th, 2013 10:18
I'm not entirely convinced that "coil whine" -- which would respond to overall system activity -- would have enough information specifically about the cryptokey to make this work.
If they were attributing this to a microphonic chip, I'd find it a bit more believable. But that's still a matter of whether the right chip is cooperating.
If they were going after radio noise, Tempest-style, I'd find it more believable.
I'm not quite ready to call bullshit. I AM ready to call for independent replication before we take the claim at all seriously.
Any sufficiently advanced technology is indistinguishable from a rigged demo.
#5 By: Jardine, December 20th, 2013 10:22
#6 By: SamSam, December 20th, 2013 11:11
The article is by some of the foremost and most reputable researchers in cryptography. While I agree with replicating all findings, I think it's hardly justifiable to assume they've just made a "rigged demo" to get some publicity.
Did you read the paper? It's very in-depth. And it builds on earlier proof-of-concept work that previously showed that this should be possible.
#7 By: SamSam, December 20th, 2013 11:13
GnuPG has already committed a fix.
Some comments describing it.
#8 By: technogeek, December 20th, 2013 11:31
Apologies if I gave the impressing I was assuming a rigged demo. I'm not; I'm a trifle concerned that they may have fooled themselves, eg by finding one particular machine which is particularly vulnerable.
Given that we believe the result, the fix seems plausible.
#9 By: Matt, December 20th, 2013 12:08
But the researchers are unimpeachable (Shamir is the "S" in RSA)
If I were him, I'd go around starting arguments with lesser crypto-nerds, just so I could finish them off with "Didn't you know? I'm the S in RSA, mofo!"
#10 By: newliminted, December 20th, 2013 12:19
I read the whole paper and I'm sold. Good read, though most of the heavier stuff is only barely understandable to me. I think one measure of the validity is this:
Current status. We have disclosed our attack to GnuPG developers and main distributors as CVE-
2013-4576 [MIT13], suggested suitable countermeasures, and worked with the developers to test them.
New versions of GnuPG 1.x, GnuPG 2.x and libgcrypt, containing these countermeasures and resisting
our current key-extraction attack, were released concurrently with this paper’s ﬁrst public posting.
However, some of the eﬀects presented in this paper (such as RSA key distinguishability) remain present.
The developers took it seriously and implemented countermeasures as they could. Still, further review and new attacks will be interesting to follow.
#11 By: newliminted, December 20th, 2013 12:20
They used more than one machine.
#12 By: newliminted, December 20th, 2013 12:21
Or make a t-shirt that says that, and wear it always.
#13 By: Eric Garner, December 20th, 2013 12:31
i wouldn't call "one machine" fooling themselves. if it works on only one machine then the attack is sound. If that one machine was one that was purchased in bulk by large corporations or governments, bonus.
#14 By: Joe Bloggs, December 20th, 2013 13:29
Am I right in understanding that the user has to be actively inputting their password in order for the extraction to work? Can it be masked by driving the cpu harder with another task simultaneously? Rendering 3dgraphics on high priority makes everything whine.
#15 By: Jon Herbert, December 20th, 2013 13:32
There's a simple fix - just play Bananaphone over and over again at maximum volume whilst doing your cryptowhatever.
#16 By: Chris Smith, December 20th, 2013 13:57
I reference I saw in the Ars comments indicates that driving the CPU makes this easier.
Think of it this way -- the sound signature of the decoding of the specialized item will always be there. If it is against a randomly loaded and thus randomly fluctuating background, it could be harder to pick out. But if it is against a solid heavily loaded CPU, then that background noise becomes consistent.
As I understand it, the noise is associated with power consumption. Fully loading the CPU will make the variance in power consumption of the non-targetted processes very low, maximizing the signal (decode process) to noise (background task) ratio.
#17 By: Stewart C. Russell, December 20th, 2013 14:02
They're not kidding about the use of sensitive equipment. I immediately recognized the robin's egg blue of a B&K preamp from the picture. That kit is crazy expensive.
#18 By: Ladyfingers, December 20th, 2013 16:38
I remember a few years ago when it was apparently possible to see what was being written to an HDD via the indicator LED. I assume they're too fast for that now.
#19 By: pjcamp, December 20th, 2013 23:53
Apparently, we hear today, Shamir is also the S in NSA.
#20 By: Cory Doctorow, December 25th, 2013 08:56
This topic was automatically closed after 5 days. New replies are no longer allowed.