[8444] in cryptography@c2.net mail archive
Re: NONSTOP Crypto Query
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Sun Jan 14 23:51:26 2001
Mime-Version: 1.0
Message-Id: <v04210104b68776d60dc3@[24.218.56.92]>
In-Reply-To: <93oe6k$uk9$1@abraham.cs.berkeley.edu>
Date: Sun, 14 Jan 2001 12:11:05 -0500
To: cryptography@c2.net
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: John Young <jya@pipeline.com>, daw@cs.berkeley.edu (David Wagner)
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
One interesting question is exactly how strong radio frequency illumination could cause compromise of information being processed by electronic equipment. I have an idea for a mechanism whereby such illumination could induce generation of harmonic and beat frequencies that are modulated by internal data signals.
This mechanism is based on an effect that is familiar to ham radio operators, who are often bedeviled by neighbors complaining of television interference. Here is a quote from the chapter on interference in an old (1974) edition of the ARRL Radio Amateur's Handbook:
"Harmonics by Rectification"
"Even though the transmitter is completely free from harmonic output it is still possible for interference to occur because of harmonics generated outside the transmitter. These result from rectification of fundamental-frequency currents induced in conductors in the vicinity of the transmitting antenna. Rectification can take place at any point where two conductors are in poor electrical contact, a condition that frequently exists in plumbing, downspouting, BX cables crossing each other, ... It can also occur ... in power supplies, speech equipment, etc. that may not be enclosed in the shielding about the RF circuits."
In the case of computer equipment, the conductor could be a wire, external cable or even a trace on a printed circuit board. Now imagine that the source of rectification is not a poor connection, but a transistor junction in a logic gate or line driver. As that device is switched on and off, RF rectification may be switched on and off as well, modulating the generated harmonic with the input signal. If that signal carries sensitive information, all the information would be broadcast on the harmonic output. Keyboard interfaces, video output circuits and serial line drivers come to mind as excellent candidates for this effect, since they often carry sensitive information and are usually connected to long wires that can absorb the incident RF energy and radiate the harmonics.
All an attacker has to do is monitor a site transmitting at frequency f and analyze any signals at 2*f, 3*f, etc. If the site has more than one transmitter, say a command hut, or a naval ship, there are also beat frequencies to consider f1+f2, f1-f2, 2*f1+f2, 2*f1-f2, etc. Note that harmonics and beats radiated from the equipment under attack are vastly easier to detect than any re-radiation at the fundamental frequency, which would be swamped by the primary transmitter's signal.
There is also a potential active attack where an adversary frequency-sweeps your equipment with RF hoping to find a parasitic harmonic generator. This might be the "resonance" technology Peter Wright referred to. If the source illumination causes a resonance by, say, operating at 1/4 the electrical wavelength of the video output cable, any effect might be magnified greatly. (The even harmonics would be suppressed, but odd harmonics would not be.) Illumination could be done directly or over telephone, cable TV or power lines.
This might also explain "NONSTOP testing and protection being especially needed on vehicles, planes and ships." since they often carry multiple radio transmitters and are more easily exposed to monitoring and external illumination than a fixed site inside a secure perimeter.
The two code names (NONSTOP and HIJACK) might possibly refer to the passive and active modes. Or NONSTOP may refer to radiated signals and HIJACK to signals over hardwire lines. Or one could cover all the effects I am proposing and the other something completely different. Whatever.
FWIW,
Arnold Reinhold
At 2:23 AM +0000 1/13/2001, David Wagner wrote:
>In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier,
>Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK:
>
> [...]
> It is our belief that most operational cryptanalysis makes use of
> side-channel information. [...] And Peter Wright discussed data
> leaking onto a transmission line as a side channel used to break a
> French cryptographic device [Wri87].
>
> The (unclassified) military literature provides many examples of
> real-world side channels. [...] Peter Wright's crosstalk anecdote
> is probably what the HIJACK codeword refers to [USAF98]. Along
> similar lines, [USAF98] alludes to the possibility that crosstalk from
> sensitive hardware near a tape player might modulate the signal on the
> tape; [USAF98] recommends that tapes played in a classified facility be
> degaussed before they are removed, presumably to prevent side channels
> from leaking. Finally, one last example from the military literature
> is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading
> of unclassified sources, we believe this refers to the side channel
> that results when cryptographic hardware is illuminated by a nearby
> radio transmitter (e.g. a cellphone), thereby modulating the return
> signal with information about what the crypto gear is doing [AK98].
> [...]
>
> [AK98] R. Anderson and M. Kuhn, "Soft Tempest: Hidden Data Transmission
> Using Electromagnetic Emanations," Proc. 2nd Workshop on
> Information Hiding, Springer, 1998.
> [USAF98] US Air Force, Air Force Systems Security Memorandum 7011--
> Emission Security Countermeasures Review, 1 May 1998.
> [Wri87] P. Wright, Spycatcher, Viking Penguin Inc., 1987.
>
>The above is excerpted from the conclusions of
> J. Kelsey, B. Schneier, D. Wagner, C. Hall,
> "Side channel cryptanalysis of product ciphers",
> Journal of Computer Security, vol. 8, pp. 141--158, 2000.
> http://www.cs.berkeley.edu/~daw/papers/sidechan-final.ps
>
>Do remember, please, that these are just guesses.
>
>Also, credit is due to Ross Anderson and Markus Kuhn for informative
>discussions on this topic.