Attacking RSA through Sound

2013-12-23 by . 1 comments

Post to Twitter

A new attack against RSA has been made known this week. Details about it can be found in the paper RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. One notable name amongst the co-authors of the paper is Adi Shamir, who was one of the three that published the algorithm.

This attack is a type of side-channel attack against RSA. A side channel attack is an attack that targets the implementation of a cryptosystem instead of targeting the algorithm. RSA has been broken by many side channel attacks in the past. The most famous of which is probably the timing attack described by Paul C. Kocher in his paper Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems.

This attack works by taking advantage of the fact that a computer emits different sounds when perforing different tasks. With this, it is possible to recover information about the RSA key used during the process of encryption or decryption. Genkin, Shamir and Tromer demonstrated that when the same plaintext is encrypted with different RSA keys, it is possible to discern which key was used in the encryption process. This is a form of key distinguishing attack.

This concept is not new. In fact, it is the topic of Tromer’s PhD thesis Hardware-Based Cryptanalysis published in 2007. What is new about this paper is that the researchers demonstrated an actual attack that is able to distinguish between RSA keys, instead of just the theoratical possibility. What is even more surprising is that the researchers were able to pull off the attack using mobile phones which demonstrates that the attack does not require specialized recording equipment to pull off.

Should you be worried? The attack was demonstrated in lab conditions. It might be a little harder to pull off in real life scenarios where there will presumably be much more background noise to mask the sounds. The actual attack was demonstrated on GnuPG. Updating to the latest version of GnuPG 1.4.x will fix this particular problem. Better still, use the GnuPG 2.x branch which employs RSA blinding that should protect against such side-channel attacks.

While this attack might not be practical as of now, it is very interesting still because many cryptosystems suffer from what are basically implementation problems. Once again, don’t roll your own cryptography!

For some further detail, read the related question on


Filed under Attack Crypto

One Comment

Subscribe to comments with RSS.

  • One of the questions posed in response to the revelation of this side-channel attack particularly piqued my curiosity.

    The attack demonstrated that a 4096-bit GPG private decryption key could be recovered using commodity hardware (a cellphone’s microphone), sophisticated software to interpret sound signals and to filter them, and carefully chosen input text in the form of emails. The email client (Enigmail) automatically decrypted these messages upon reception while the microphone listened in, and over the course of an hour, the software was able to construct the full 4096-bit GPG private key.

    Now, this attack is easily mitigated by setting a reasonable timeout in the GPG keyring (~5 minutes would be reasonable), which would give attackers only 5 minutes to attempt the attack. Obviously, newer versions of GPG, as mentioned in this blog post, have been patched to work around the vulnerability.

    However, what about SSL server keys? If I can reverse engineer a GPG private RSA key, what would prevent me from extracting a server’s private SSL key? I could easily craft messages to send to the server, and they would have to be decrypted by the server. Couple that with a microphone hidden in a server nearby, and given enough time, it would be at least theoretically possible to derive the private key, right?