A research paper presented at the Usenix security conference last week detailed a new technique for retrieving encryption keys from electronic devices, a method that is much faster than all previously known techniques.
The approach relies on recording electromagnetic (EM) emanations coming off a device as it performs an encryption or decryption operation.
Recovering encryption keys from EM waves is old news
The technique is not remotely novel, as it's been known and detailed since the late 90s. Several white papers describing techniques that analyze EM waves to compute and leak encryption keys have been published in the past years.
Older research on this topic relied on attackers breaking the cases of smartphones or laptops to place probes directly on the device's chip, probes meant for measuring EM emanations.
As researchers learned more about the attack, they refined their techniques to extract encryption keys without having to break down the device, by simply placing probes at various distances from the device [1, 2], and modified the technique to target higher-clock-rate devices, such as modern smartphones and PCs.
But while initial attacks developed in the 90s and early 2000s were unfeasible because they required attackers to break down devices, the ones developed in the 2010s weren't useful in real-world scenarios because they took too much time to perform. Attackers needed to collect vasts amounts of EM data before being able to recover enough details about the encryption key from the EM waves.
Breakthrough attack recovers encryption keys within seconds
But at the Usenix conference held in Baltimore last week, a seven-man team from Georgia State University (GSU) detailed a new technique that recovers RSA encryption keys within seconds.
The attack relies on observing a short window of EM waves that have emanated from a device during a single decryption operation.
GSU researchers say their devised attack can recover between 95.7% and 99.6% of the RSA encryption key. They say the attack takes under one second to execute, and they were able to recover the full encryption key using a custom reconstruction algorithm.
They tested their attack against the RSA encryption algorithm supported by the widely-used OpenSSL library, version 1.1.0g, the latest version at the time of the research.
The research team says it recovered encryption keys from two smartphones —an Alcatel Ideal and Samsung Galaxy Centura— and an embedded device running a Linux distro.
Attack requires close proximity to the device
The attack's only downside is that it still requires quite a close proximity to the "sniffed" device.
"In our experiments we place probes very close, but without physical contact with the (unopened) case of the phone, while for the embedded system board we position the probes 20 cm away from the board, so we consider the demonstrated attacks close-proximity but non-intrusive," GSU researchers said.
But researchers say this isn't an inconvenience since attackers can easily hide EM sniffing probes —for example, under a cellphone charging station at a public location, or under the tabletop surface in a coffee shop.
The research team says it contacted the OpenSSL project with mitigations that can twarth their attack, mitigations that were merged into the OpenSSL codebase on May 20, 2018.
The finer and more technical details of this attack are detailed in the white paper entitled "One&Done: A Single-Decryption EM-Based Attack on OpenSSL's Constant-Time Blinded RSA."