Monday, March 21, 2011

Side channel attacks with encrypted data

In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms. For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system.

Several examples that I think are interesting are;
  • Secure web applications; Bruce Schneier's excellent blog (which is required reading if you have any interest in security/crypto) describes the attack carried out on the IRS's (what they call the Inland Revenue in the US) online tax form site; leaks a fairly accurate estimate of your Adjusted Gross Income (AGI). This happens because the exact set of questions you have to answer, and the exact data tables used in tax preparation, will vary based on your AGI. To give one example, there is a particular interaction relating to a possible student loan interest calculation, that only happens if your AGI is between $115,000 and $145,000 -- so that the presence or absence of the distinctively-sized message exchange relating to that calculation tells an eavesdropper whether your AGI is between $115,000 and $145,000. By assembling a set of clues like this, an eavesdropper can get a good fix on your AGI, plus information about your family status, and so on.
  • Compromise of HDCP; The encryption used over HDMI displays is industrial strength and cannot be broken by brute force methods (not in this universe, anyway!) - instead by freezing the memory used by a software BluRay player you can be assured that the volume-key is somewhere in memory. By stepping through 128-bits at a time and having a try at decrypting the first few frames of video (which are very clear when they are decrypted) you quickly find the key for that BluRay or HD-DVD disk.
  • The use of 'cribs' when decrypting Enigma traffic; Bletchley Park had typically less than a day to decrypt most traffic captured from German wireless telegraphy as they changed the rotor-positions in the Enigma machines every twenty-four hours. Apparently the intelligence gained by the French who were experts at recognizing the morse-key style of German operators (and hence were able to track which army group Fritz or Herman worked for) along with a knowledge the ten most profane German swear words and ten most common German girl's names meant they code-breakers had a head-start with seed-words which cut down the key-space to a manageable size that was process-able by 1942 mechanical computers!

Interesting though these examples are, the one that really peaked my fancy this week was the side-channel attach described by the Associated for Computing Machinery on the encryption used in VOIP systems. It turns out that most VOIP systems (Skype included) use variable-bitrate compression ahead of the encryption process (typ. AES at 128-bits). It turns out that by training a Markov Model with the encrypted data (yet knowing what the words spoken were) you can subsequently get around 50% accuracy with data streams from unknown talkers. Given that English has a lot of redundancy you could glean most of what was being said!

Read all about it here.

No comments: