Breaking The Encryption on Your Mobile Phone — Without Touching It


A paper presented at the USENIX Security Symposium outlined how RSA encryption keys can be cracked from the radio waves emitted by a mobile phone [here]:

Figure 1: One&Done

The researchers used the EM radiation emitted from the processor as it performs the complex RSA calculations, and then used a timing attack to recover the private key. Figure 2 outlines the capture of the signal and the identification of the key parts of the signal that are gathered:

Figure 2: Signal analysis

It works without even knowing the actual ciphertext. This type of attack is known as a side-channel attack, and such attacks have long been known in the industry as a way of breaking encryption. Common side-channel vectors include monitoring variations in the electrical power signal and in temperature levels, and have even included monitoring the sound emitted by a system.

In the past, electromagnetic radiation has also been used to attack a range of devices, including SIM card readers and mobile phones, but it has often been used to identify the tell-tale signs of symmetric-key encryption (such as AES). This new paper focuses on the more challenging area of public-key encryption, and the tell-tale signs of the RSA method. The researchers focus on finding the point at which the OpenSSL library uses Montgomery modular multiplication, and then pick off its operations in order to provide a guess for the numbers used within the RSA decryption process. This reveals the decryption key (d, N).

Montgomery modular multiplication

With the RSA method — which is a public key method, where we have a public key and private key — and the Diffie-Hellman method — where we perform a secret key exchange — we perform large exponential calculations, such as:

C = Mᵉ (mod N)

M = Cᵈ (mod N)
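To make the link between these exponentiations, Montgomery multiplication and the leak concrete, here is an added example (my own illustration, not code from the paper or from OpenSSL). It implements Montgomery reduction (REDC) and a textbook square-and-multiply M = Cᵈ (mod N) on top of it, records the sequence of Montgomery operations as a stand-in for the EM trace, and shows that the sequence alone gives back every bit of d. A second exponentiation performs the same operations for every bit, so its trace carries no information about d. The toy key (N = 3233, e = 17, d = 2753) is a constructed textbook example, far too small for real use; the radio capture and signal processing of the paper are not modelled, only the operation-dependence they exploit.

```python
# Added illustration: Montgomery multiplication, square-and-multiply RSA,
# and why the operation sequence leaks the private exponent d.

def montgomery_params(N):
    """Pick R = 2^k > N and N' with N*N' = -1 (mod R)."""
    k = N.bit_length()
    R = 1 << k
    R_inv = pow(R, -1, N)                 # R must be invertible mod N (N odd)
    N_prime = (R * R_inv - 1) // N        # from R*R_inv - N*N' = 1
    return k, R, N_prime


def mont_mul(a, b, N, k, N_prime):
    """REDC: given a, b < N, return a*b*R^-1 mod N (one Montgomery multiply)."""
    t = a * b
    m = (t * N_prime) & ((1 << k) - 1)    # m = t*N' mod R
    u = (t + m * N) >> k                  # exact division by R
    return u - N if u >= N else u


def mont_modexp(base, exp, N, trace):
    """Left-to-right square-and-multiply; appends 'S'/'M' per Montgomery call.

    The multiply only happens for 1-bits, so the trace mirrors the exponent.
    """
    k, R, N_prime = montgomery_params(N)
    x = (base * R) % N                    # base in Montgomery form
    acc = R % N                           # 1 in Montgomery form
    for bit in bin(exp)[2:]:
        acc = mont_mul(acc, acc, N, k, N_prime)
        trace.append('S')
        if bit == '1':
            acc = mont_mul(acc, x, N, k, N_prime)
            trace.append('M')
    return mont_mul(acc, 1, N, k, N_prime)  # leave Montgomery form


def mont_modexp_always_multiply(base, exp, N, trace):
    """Same result, but square AND multiply on every bit; the trace is fixed.

    Only the operation sequence is made bit-independent here; the final select
    is a plain Python conditional, which a real implementation would also have
    to make constant-time.
    """
    k, R, N_prime = montgomery_params(N)
    x = (base * R) % N
    acc = R % N
    for bit in bin(exp)[2:]:
        acc = mont_mul(acc, acc, N, k, N_prime)
        trace.append('S')
        prod = mont_mul(acc, x, N, k, N_prime)
        trace.append('M')
        acc = prod if bit == '1' else acc
    return mont_mul(acc, 1, N, k, N_prime)


def bits_from_trace(trace):
    """Recover the exponent from a square-and-multiply trace: 'S' opens a new
    bit (0), a following 'M' turns it into a 1."""
    bits = []
    for op in trace:
        if op == 'S':
            bits.append('0')
        else:
            bits[-1] = '1'
    return int(''.join(bits), 2)


if __name__ == '__main__':
    # Constructed toy key: p = 61, q = 53, N = 3233, e = 17, d = 2753.
    N, e, d = 3233, 17, 2753
    M = 65
    C = mont_modexp(M, e, N, [])          # C = M^e mod N
    leaky = []
    assert mont_modexp(C, d, N, leaky) == M
    print('recovered d from operation trace:', bits_from_trace(leaky))
    fixed = []
    assert mont_modexp_always_multiply(C, d, N, fixed) == M
    print('always-multiply trace is', ''.join(fixed), '(no key dependence)')
```

Running it recovers d = 2753 from the 'S'/'M' sequence of the naive loop, while the always-multiply loop produces the same 'SM' pair for every bit. This is the essence of the attack the article describes: what leaks is not the plaintext or ciphertext but which Montgomery operations happen, and when.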



