Some Cool Crypto Research and Its Implications for Businesses

Posted by John Norman, Senior Consulting Engineer
September 25, 2014

Traditionally, encryption is considered very good as long as developers stick with industry-standard algorithms and well-tested implementations. Today, that would include 128-bit AES or 4096 bit public keys.

Indeed, most real-world examples of criminals (and intelligence agencies) who have gotten their hands on encrypted data didn’t have anything to do with finding flaws in the math. Rather, they found it easier to just pw0n servers/workstations/laptops connected to the Internet with malware or exploit a mistake in the implementation. (Even the best encryption algorithms in the world can't protect against web apps that allow attackers to bypass security or use protocols that allow people to negotiate down to less secure options.)

However, researchers in Australia have recently discovered a relatively cheap way to extract crypto keys out of computer hardware that can be physically touched or accessed electrically, such as through a connected Ethernet cable.

Read Get Your Hands Off My Laptop for the full write-up, but essentially, these researchers were able to use fluctuating electrical signals from the ground of a USB, Ethernet cable, or the computer's case to deduce what processing was going on, and then determine what keys were in use—without any type of network or other access.

"Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz). We have extracted keys from laptops of various models, running GnuPG (popular open source encryption software, implementing the OpenPGP standard). The attacks exploit several side channels."

While the majority of our customers probably don't need to worry about this, this could certainly have implications for companies dealing in highly-sensitive and secure data, like those in the banking and defense industries.

Specifically, these organizations need to pay extra attention to the physical design of their racks, cabling and networks. They need to ensure that there aren’t any physical wires leading from servers that handle key material—including SSL acceleration boxes, key servers, etc.—to the outside world.

Furthermore, businesses should always spring for proper grounding jobs performed by licensed installers or electricians. This used to be standard in computer rooms, but people have become dangerously complacent about it. Companies with environments that are especially sensitive might even consider shielded racks, fiber interconnects instead of copper, or ‘room within a room’ solutions at their colocation facilities.

About John Norman An active member of the Southern California information security community, John Norman has accumulated over 16 years of experience and cross-platform certified training with the industry’s leading storage, server, networking, and security technologies. As a consulting engineer at ASG, John has a proven track record of designing superior, customer-focused IT solutions with an emphasis on IT security.

Filed Under: Data Security

0 Responses to 'Some Cool Crypto Research and Its Implications for Businesses'

Leave a Comment

Please copy "0cwnRBFgDsjnT7OZHXekRXT3YCDCDT7z" into the field labeled "Uncaptcha"