Randomness, Quantum Mechanics - and Cryptography

John Denker jsd at av8n.com
Tue Sep 7 14:56:25 EDT 2010 

On 09/07/2010 11:19 AM, Perry E. Metzger wrote:
>> > 2) You can shield things so as to make this attack very,
>> > very difficult.
> I suspect that for some apps like smart cards that might be hard.
> OTOH, it might be straightforward to detect the attempt.

We should take the belt-and-suspenders approach:
 a) Do some reasonable amount of shielding, and
 b) detect the attack.

Detecting the attack is utterly straightforward.  

The primary defense is to "close the loop" around 
the noise-generating element.  That is, we inject 
a known calibration signal on top of the noise ... 
and use that to constantly check that the input
channel gain and bandwidth are correct.

The true noise level depends only on gain, bandwidth,
temperature, and resistance.  Blasting the system
with RF will not lower the temperature, so that's
not a threat.  So unless you have a scenario where
the RF lowers the resistance, lowers the gain,
and/or lowers the bandwidth 
_in a way that the calibrator cannot detect_
then this attack does not rise above the level of
a brute-force DoS attack, in the same category as 
the AK-47 attack or the stomp-the-smart-card-to-dust
attack.

The calibrator idea relies on the fact that the
computer's i/o system has an o as well as an i.

Note that this defense is equally effective against
both
 *) Continuing attacks, where a continuing RF blast
  drives the first stage amplifier into saturation, 
  without necessarily doing irreversible damage, and
 *) One-shot attacks, where a super-large blast does
  irreversible damage to the amplifier.

------------

Secondary defenses, if you want to go to the trouble,
include putting a canary in the coal mine, i.e.
implementing a second sensor with a different gain,
bandwidth, and resistance.  I reckon that attacking
one sensor and getting away with it is only possible
on a set of measure zero, but the chance of attacking
two non-identical sensors without either one of them 
noticing is a set of measure zero squared.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list