All electronic devices emit electromagnetic radiation. Because every wire that carries current creates a magnetic field, electronic devices create some small magnetic fields when in use. These magnetic fields can unintentionally reveal information about the operation of a device if not properly designed. Because all electronic devices are affected by this phenomena, the term ‘device’ can refer to anything from a desktop computer, to mobile phone, to a smart card.
Electromagnetic waves are a type of wave that originate from charged particles, are characterized by varying wavelength and are categorized along the electromagnetic spectrum. Any device that uses electricity will emit electromagnetic radiation due to the magnetic field created by charged particles moving along a medium. For example, radio waves are emitted by electricity moving along a radio transmitter, or even from a satellite.
In the case of electromagnetic side-channel attacks, attackers are often looking at electromagnetic radiation emitted by computing devices, which are made up of circuits. Electronic circuits consist of semiconducting materials upon which billions of transistors are placed. When a computer performs computations, such as encryption, electricity running through the transistors create a magnetic field and electromagnetic waves are emitted.
Electromagnetic waves can be captured using an induction coil and an analog to digital converter can then sample the waves at a given clock rate and convert the trace to a digital signal to be further processed by computer.
The electronic device performing the computations is synced with a clock that is running at frequencies on the order of mega-hertz (MHz) to giga-hertz (GHz). However, due to hardware pipelining, and complexity of some instructions, some operations take multiple clock cycles to complete. Therefore, it is not always necessary to sample the signal at such a high clock rate. It is often possible to get information on all or most of the operations while sampling on the order of kilo-hertz (kHz). Different devices leak information at different frequencies. For example, Intel’s Atom processor will leak keys during RSA and AES encryption at frequencies between 50 MHz and 85 MHz. Android version 4.4’s Bouncy Castle library implementation of ECDSA is vulnerable to key extraction side channel attacks around the 50 kHz range.
Every operation performed by a computer emits electromagnetic radiation and different operations emit radiation at different frequencies. In electromagnetic side-channel attacks, an attacker is only interested in a few frequencies at which encryption is occurring. Signal processing is responsible for isolating these frequencies from the vast multitude of extraneous radiation and noise. To isolate certain frequencies, a bandpass filter, which blocks frequencies outside of a given range, must be applied to the electromagnetic trace. Sometimes, the attacker does not know which frequencies encryption is performed at. In this case, the trace can be represented as a spectrogram, which can help determine which frequencies are most prevalent at different points of execution. Depending on the device being attacked and the level of noise, several filters may need to be applied.
Electromagnetic attacks can be broadly separated into simple electromagnetic analysis (SEMA) attacks and differential electromagnetic analysis (DEMA) attacks.
In Simple Electromagnetic Analysis (SEMA) attacks, the attacker deduces the key directly by observing the trace. It is very effective against asymmetric cryptography implementations. Typically, only a few traces are needed, though the attacker needs to have a strong understanding of the cryptographic device and of the implementation of the cryptographic algorithm. An implementation vulnerable to SEMA attacks will perform a different operation depending on whether the bit of the key is 0 or 1, which will use different amounts of power and/or different chip components. This method is prevalent in many different types of side-channel attacks, in particular, power analysis attacks. Thus, the attacker can observe the entire computation of encryption and can deduce the key.
For example, a common attack on asymmetric RSA relies on the fact that the encryption steps rely on the value of the key bits. Every bit is processed with a square operation and then a multiplication operation if and only if the bit is equal to 1. An attacker with a clear trace can deduce the key simply by observing where the multiplication operations are performed.
In some cases, Simple Electromagnetic Analysis is not possible or does not provide enough information. Differential Electromagnetic Analysis (DEMA) attacks are more complex, but are effective against symmetric cryptography implementation, against which SEMA attacks are not. Additionally unlike SEMA, DEMA attacks do not require much knowledge about the device being attacked.
While the fact that circuits that emit high-frequency signals may leak secret information was known since 1982 by the NSA, it was classified until 2000, which was right around the time that the first electromagnetic attack against encryption was shown by researchers. Since then, many more complex attacks have been introduced.
Smart cards, often colloquially referred to as “chip cards” were designed to provide a more secure financial transaction than a traditional credit card. They contain simple embedded integrated circuits designed to performed cryptographic functions. They connect directly to a card reader which provides the power necessary to perform an encrypted financial transaction. Many side-channel attacks have been shown to be effective against smart cards because they obtain their power supply and clock directly from the card reader. By tampering with a card reader, it is simple to collect traces and perform side-channel attacks. Other works, however, have also shown that smart cards are vulnerable to electromagnetic attacks as well.
A field-programmable gate arrays (FPGA) have been commonly used to implement cryptographic primitives in hardware to increase speed. These hardware implementations are just as vulnerable as other software based primitives. In 2005, an implementation of elliptic curve encryption was shown vulnerable to both SEMA and DEMA attacks. The ARIA block cipher is a common primitive implemented with FPGAs that has been shown to leak keys.
In contrast to smart cards, which are simple devices performing a single function, personal computers are doing many things at once. Thus, it is much more difficult to perform electromagnetic side-channel attacks against them, due to high levels of noise and fast clock rates. Despite these issues, researchers in 2015 and 2016 showed attacks against a laptop using a near-field magnetic probe. The resulting signal, observed for only a few seconds, was filtered, amplified, and digitized for offline key extraction. Most attacks require expensive, lab-grade equipment, and require the attacker to be extremely close to the victim computer. However, some researchers were able to show attacks using cheaper hardware and from distances of up to half a meter. These, attacks, however, required the collection of more traces than the more expensive attacks.
Smart phones are of particular interest for electromagnetic side-channel attacks. Since the advent of mobile phone payment systems such as Apple Pay, e-commerce systems have become increasingly commonplace. Likewise, the amount of research dedicated to mobile phone security side channel attacks has also increased. Currently most attacks are proofs of concept that use expensive lab-grade signal processing equipment. One of these attacks demonstrated that a commercial radio receiver could detect mobile phone leakage up to three meters away.
However, attacks using low-end consumer grade equipment have also shown successful. By using an external USB sound card and an induction coil salvaged from a wireless charging pad, researchers were able to extract a user's signing key in Android's OpenSSL and Apple's CommonCrypto implementations of ECDSA.
Widely used theoretical encryption schemes are mathematically secure, yet this type of security does not consider their physical implementations, and thus, do not necessarily protect against side-channel attacks. Therefore, the vulnerability lies in the code itself, and it is the specific implementation that is shown to be insecure. Luckily, many of the vulnerabilities shown have since been patched. Vulnerable implementations include, but are definitely not limited to, the following:Libgcrypt - cryptographic library of GnuPG, implementation of ECDH public-key encryption algorithm (since patched)
GnuPG implementation of 4096-bit RSA (since patched)
GnuPG implementation of 3072-bit ElGamal (since patched)
GMP implementation of 1024-bit RS
OpenSSL implementation of 1024-bit RSA
The attacks described thus far have mainly focused on the use of induction to detect unintended radiation. However, the use of far-field communication technologies like that of AM radios can also be used for side-channel attacks, although no key extraction methods for far-field signal analysis have been demonstrated. Therefore, a rough characterization of potential adversaries using this attack range from highly educated individuals to low to medium funded cartels. The following demonstrates a few possible scenarios:
Point of sale systems that accept payment from mobile phones or smart cards are vulnerable. Induction coils can be hidden on these systems to record financial transactions from smart cards or mobile phone payments. With keys extracted, a malicious attacker could forge his own card or make fraudulent charges with the private key. Belgarric et al. propose a scenario where mobile payments are performed with bitcoin transactions. Since the Android implementation of the bitcoin client uses ECDSA, the signing key can be extracted at the point of sale. These types of attacks are only slightly more complex than magnetic card stripe skimmers currently used on traditional magnetic strip cards.
Many public venues such as Starbucks are already offering free public wireless charging pads. It was previously shown that the same coils used in wireless charging can be used for detection of unintended radiation. Therefore, these charging pads pose a potential hazard. Malicious charging pads might attempt to extract keys in addition to charging a user’s phone. When coupled with packet sniffing capabilities of public wifi, the keys extracted could be used to perform man-in-the-middle attacks on users. If Far Field attacks are discovered, an attacker only needs to point his antenna at a victim to perform these attacks; the victim need not be actively charging their phone on one of these public pads.
Several countermeasures against electromagnetic attacks have been proposed, though there is no one perfect solution. Many of the following countermeasures will make electromagnetic attacks harder, not impossible.
One of the most effective ways to prevent electromagnetic attacks is to make it difficult for an attacker to collect an electromagnetic signal at the physical level. Broadly, the hardware designer could design the encryption hardware to reduce signal strength or to protect the chip. Circuit and wire shielding, such as a Faraday cage, are effective in reducing the signal, as well as filtering the signal or introducing extraneous noise to mask the signal. Additionally, most electromagnetic attacks require attacking equipment to be very close to the target, so distance is an effective countermeasure. Circuit designers can also use certain glues or design components in order to make it difficult or impossible to depackage the chip without destroying it.
As many electromagnetic attacks, especially SEMA attacks, rely on asymmetric implementations of cryptographic algorithms, an effective countermeasure is to ensure that a given operation performed at a given step of the algorithm gives no information on the value of that bit. Randomization of the order of bit encryption, process interrupts, and clock cycle randomization, are all effective ways to make attacks more difficult.
The classified National Security Agency program TEMPEST focuses on both the spying on systems by observing electromagnetic radiation and the securing of equipment to protect against such attacks.
The Federal Communications Commission outlines the rules regulating the unintended emissions of electronic devices in Part 15 of the Code of Federal Regulations Title 47. The FCC does not provide a certification that devices do not produce excess emissions, but instead relies on a self-verification procedure.