Researchers: How ‘leaky’ smart phones give up their crypto keys

Researchers: How ‘leaky’ smart phones give up their crypto keys

• By William Jackson
• Feb 28, 2012

SAN FRANCISCO — Smart phones being used for sensitive transactions leak data that can be used to recover the cryptographic keys securing connections, researchers say.

Tests using about $1,000 worth of off-the-shelf equipment were able to pick up power usage information from phones' CPUs from as far away as 30 feet, said Benjamin Jun, vice president of technology at Cryptography Research Inc. The data can be analyzed to reveal the cryptographic keys being generated and used.

"That distance was a surprise to me," said Jun, who is presenting results of the research at this week's RSA Conference. Picking off the signals at that distance required a fairly bulky cell base station antenna. But smaller loop and e-field antennas were able to pick up usable signals at distances of a few inches or a few feet.

More from RSA:

Offense must be the new defense, RSA chief says

Tony Bennett left his heart, others leave mobile devices in San Francisco

"What we're trying to do here is not show the limits of what can be done," but to determine the amount of data leakage and demonstrate the dangers it poses, Jun said.

By analyzing power consumption in the CPU during cryptographic processes, data — including crypto keys — could be extracted.

Passive power analysis attacks against cryptography are not new. They were documented in the 1990s by Cryptography Research, and practical countermeasures are available. They include reducing or obfuscating the signals being leaked, masking them with noise, adding randomness to the crypto processes, or changing protocol usages to make the keys less obvious.

Unfortunately, some of these measures can have performance impacts of from 10 to 400 percent, depending on the countermeasures and the algorithm being used.

Fixes can be implemented in the smart-phone hardware, operating systems and applications. Manufacturers and developers are responding to the threat, Jun said.

"This is a bit of an eye-opener," he said. "We're getting a lot of response at all three levels. " Although security has not often been a priority in smart-phone design and application development, "there are mobile devices shipping today with countermeasures, so I think it is a matter of when, not if, it is done."

<!

Читать полностью или написать коммент.. Про установку спутниковых тарелок в Московской областиhttp://tarelka-tv.ru/