[linux-elitists] [paper] RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Bill Bogstad bogstad at pobox.com
Fri Dec 20 11:02:01 PST 2013

On Fri, Dec 20, 2013 at 2:44 AM, Timothy Tuck <tek at pervasivenetwerks.com> wrote:
> On 19.12.2013 14:58, Bill Bogstad wrote:
> --- snip ---
>>> fantastic! :/
>>> So ya this basically just rendered all encryption virtually useless!
>> Not even close.   Even if one believes everything being said about the
>> result, all it means is that
>> one shouldn't let anyone be within acoustic range of their computer
>> when it is decrypting the message.
>> That isn't much harder to accomplish than not letting anyone read my
>> email over my shoulder.
> Wow, is that some special kind of crack that your on?
> Not much harder to accomplish than not letting anyone read over your
> shoulder eh?

I'm going to mostly ignore the political parts of your email.  I
suspect that I have
sympathy for what you are saying, but I can't really tell from what you wrote.

> And mind you this is with less than a 1 minute thought on what you said but
> a complete read on the paper he is quoting,
> Plus they do appear to be speaking about DURING the decryption phase and
> only during that time. Plus must last 1 hours but even so.
> Statistically 25 percent or by their placement around said laptop could view
> a screen required to read the screen but 100% can point a mic at it. Tablet
> even changes that perhaps.

25% -> 100%   a factor of four times.   From an computational perspective,
I would describe that as not much harder in the context of cryptography.

I think you are making a good point though which is that we are
talking about physical
security (of your environment) rather than computational complexity.
Still, securing your
entire perimeter before decrypting/reading your messages rather than
just 25% of it doesn't
strike me as that big a deal.  Certainly more of a pain, but if you
were already verifying that no
one had sight lines to your screen (even via telescope from a building
100s of metres away),  I see this
as only a relatively small "quantity" change rather than an actual
"quality" change.   It changes the
physical envelope that must be secured and how it must be secured, but
doesn't change the fact
that such an envelope exists nor does it dramatically change its size
(compared to the shoulder surfing
threat).   Actually, given that they only managed 4 metres with a
parabolic microphone vs. probably 100s
of metres via telescope; it seems even less of a big deal to me.

Oh, one other thing.   This compromises your key rather than a
particular message (shoulder surfing) which
is worse than any one message.  Of course, if someone is shoulder
surfing you; they can probably recover
your passphrase from viewing your keystrokes anyway.   At that point,
they only need to get a copy of your
encrypted private key.   Since it is encrypted, many people probably
don't worry about it as much as they
should.   Those people  who only decrypt their messages inside a
Faraday cage might need to beef up their
acousic dampening as well.

> Then jump to the next possibility.
> Laptops by their nature are mobile devices so If I have a known NSA employee
> who boards the train every day who sits in the very last car with his back
> facing the tail end of the train. Then from his laptop VPN's into the office
> to get a jump start on his day, In your world he has zero to worry about
> other than what happens to the train.

Unless he checks the wall behind him for hidden cameras every time he sits down,
he was never safe.  Given that regular a pattern, I would assume that
is what any attacker would do.

I'm not saying that it isn't interesting, but it is not a sky is falling result.

More information about the linux-elitists mailing list