An interesting paper (summarized quite well in the MIT Technology Review) presents a new technique for discovering the keys used by popular encryption tools. By measuring the variation in voltage at various points on a computer’s case as it runs software to encrypt data, a codebreaker can identify the bits that comprise the secret key used by OpenPGP to decrypt data. Once the attacker knows the secret key, he can decrypt future communications that use the same key.
The approach is yet another example of a category of techniques called side-channel attacks. These strategies are called “side channel” because they are not related directly to the machinations that encryption and decryption algorithms use to mask and unmask data. Instead, they exploit the more subtle consequences of the fact that a computer, despite its mysterious and seemingly miraculous inner workings, is fundamentally a physical device. As physical pieces of equipment, computers give off detectable electromagnetic radiation, measurable acoustic noise, and a time-varying heat signal, and they consume a non-constant amount of power as they do their work.
As the researchers found, the strong electromagnetic fields radiated by a computer’s processor separate the electrical potential of a computer’s case from earth’s ground, giving rise to a variable voltage difference. By measuring the changes in this voltage difference, the researchers were able to discern when a bit of the secret key was a “1” and when it was a “0”. Capturing all 4096 of these bits, then, enabled them to unravel a complete secret key. They used this approach in conjunction with other side-channel attacks, like measuring the variation in a computer’s power consumption, to determine these keys after taking surprisingly few measurements.
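To make the idea of a key bit showing up in a physical signal concrete, here is an added toy model (not code from the paper or from any OpenPGP implementation). It assumes an observer can tell a squaring from a multiplication, which stands in for the voltage measurement described above, and compares a textbook exponentiation loop with a Montgomery ladder that does the same work for every bit. The function names, the 16-bit exponent and the modulus are constructed for illustration.

```python
# Toy model: "S"/"M" in a trace stand in for what a measurement can tell apart (assumption).
SAMPLE_KEY = 0b1011001110001011   # constructed 16-bit exponent, not a real key
MODULUS, BASE = 1000003, 5        # constructed values

def square_and_multiply(base, exp, mod):
    """Textbook left-to-right exponentiation; the multiply happens only for 1 bits."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result, trace

def bits_from_trace(trace):
    """Read the exponent back from the operation sequence: "SM" is a 1, lone "S" is a 0."""
    bits, i = [], 0
    while i < len(trace):
        is_one = i + 1 < len(trace) and trace[i + 1] == "M"
        bits.append("1" if is_one else "0")
        i += 2 if is_one else 1
    return "".join(bits)

def montgomery_ladder(base, exp, mod):
    """Same result, but every bit costs exactly one multiply and one square."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        trace.append("MS")
    return r0, trace

if __name__ == "__main__":
    value, trace = square_and_multiply(BASE, SAMPLE_KEY, MODULUS)
    print("leaky trace   :", "".join(trace))
    print("bits recovered:", bits_from_trace(trace), "| key:", bin(SAMPLE_KEY)[2:])
    value2, ladder = montgomery_ladder(BASE, SAMPLE_KEY, MODULUS)
    print("ladder trace  :", "".join(ladder), "| results match:", value == value2)
```

The ladder only equalizes the sequence of operations; this sketch still branches on the key bit, and hardened implementations also remove that branch and randomize (blind) their inputs.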
Traditional cryptanalysis, the effort to discover encryption keys so that encrypted data can be deciphered, usually focuses on breaking the mathematics or finding holes in the programming logic. Side-channel attacks like these demonstrate that vulnerabilities in crypto systems sometimes arise through physical artifacts we can sense and measure, rather than through the more erudite analyses of algebraists.
Who knows? Maybe one day we’ll discover an approach to capturing encryption keys using our sense of smell. Don’t hold your breath.