Figure 12 (adjunta abajo) depicts the spectrogram of two identical RSA signing operations in sequence, using the same 4096 bit key and message. Each signing operation is preceded by a short delay during which the CPU is in a sleep state. Figure 12 contains several interesting effects.The delays, where the computer is idle, are manifested as bright horizontal strips. Between these strips, the two signing operations can be clearly distinguished. Halfway through each signing operation there is a transition at several frequency bands (marked with yellow arrows). This transition corresponds to a detail in the RSA implementation of GnuPG. For public key n = pq, the RSA signature s = md mod n is computed by evaluating md mod (p−1) mod p and md mod (q−1) mod q, and combining these via the Chinese Remainder Theorem. The first half of the signing operation corresponds to the exponentiation modulo p, and the secondto the exponentiation modulo q. Note that the transition between these secret modules is clearly visible. Moreover, this effect is consistent and reproducible (in various frequency ranges) not only on the Evo N200, but on many modern machines made by various manufacturers. For example, Figure 13 contains the recording of RSA signatures executed on a Lenovo ThinkPad T61 using the same key as in Figure 12. Note that while not as prominent as in the case of the Evo N200, the RSA operations are clearly visible
at 34–36 kHz.
For concreteness, our case study focused on a particular cryptographic implementation (that of GnuPG 1.x), chosen ciphertext channel (OpenPGP-encrypted e-mail messages processed by Enigmail), and class of computers (laptops). However, we expect that similar attacks will be feasible for other software, protocols and hardware.
#97#93 Insisto, el código da igual, han hecho la prueba sobre GnuPG porque era el que daba resultados más "espectaculares" al poder forzarlo a descifrar muchos mensajes, pero la vulnerabilidad radica en el hecho de que los PCs "suenan" distinto al ejecutar distintas operaciones. Y da igual si es código abierto o cerrado mientras utilicen algoritmos de cifrado conocidos.
#93 En lo de el código disponible tienes razón, se puede hacer de otra forma de manera que aunque conocieses el código de GnuPg no te valiese de nada, y lo de las modificaciones no me refería a RSA, de él no he hablado, sólo de GnuPG, el programa en sí, y de la CPU, eso depende de lo que modifiques (si por ejemplo incluyo un generador de ruido aleatorio, no). Por lo demás estamos diciendo lo miso, no han roto RSA porque no han atacado a RSA, sólo a GnuPG, sobre ciertas máquinas y en ciertas condiciones, pero este algoritmo no vale para nada, si te dan un mensaje ya cifrado con RSA cuando no tenías "la oreja puesta".
#79 Nosotros claro que podemos seguir durmiendo tranquilos. Esto no son más que pistas de hacia dónde se pueden dirigir futuras técnicas para explotar algoritmos criptogŕaficos. Hay formás más sencillas de robarle a la gente su clave privada sin recurrir a estas paranoias
#41 porque la tercera pregunta era común, las chungas son la primera y la segunda, q si te fijas no levanta nadie la mano en la izquierda y se quedan con cara de WTF!!
4.1 The sound of a single secret key
Figure 12 (adjunta abajo) depicts the spectrogram of two identical RSA signing operations in sequence, using the same 4096 bit key and message. Each signing operation is preceded by a short delay during which the CPU is in a sleep state. Figure 12 contains several interesting effects. The delays, where the computer is idle, are manifested as bright horizontal strips. Between these strips, the two signing operations can be clearly distinguished. Halfway through each signing operation there is a transition at several frequency bands (marked with yellow arrows). This transition corresponds to a detail in the RSA implementation of GnuPG. For public key n = pq, the RSA signature s = md mod n is computed by evaluating md mod (p−1) mod p and md mod (q−1) mod q, and combining these via the Chinese Remainder Theorem. The first half of the signing operation corresponds to the exponentiation modulo p, and the secondto the exponentiation modulo q. Note that the transition between these secret modules is clearly visible. Moreover, this effect is consistent and reproducible (in various frequency ranges) not only on the Evo N200, but on many modern machines made by various manufacturers. For example, Figure 13 contains the recording of RSA signatures executed on a Lenovo ThinkPad T61 using the same key as in Figure 12. Note that while not as prominent as in the case of the Evo N200, the RSA operations are clearly visible
at 34–36 kHz.