The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 80

Wednesday 10 June 1998

Contents

o Ill-Litt-er-ate comment on U.S. cryptography policy?
Steve Crocker
o 1998 "Risks of Key Recovery" report now available
Matt Blaze
o Differential Power Analysis
Paul Kocher
o SLAC hack attack
PGN
o Pioneer is calling for the ROM upgrade of their old GPS systems
Chiaki Ishikawa
o NJ motor vehicle department computer crash
David Wittenberg
o Burglars foiled by cordless phone interception
Matthew Delaney
o German high-speed train disaster
Martin Virtel
o Update on German risks ...
Debora Weber-Wulff
o Re: Local Geophysical Resonance
Geoff Speare
o Info on RISKS (comp.risks)

Ill-Litt-er-ate comment on U.S. cryptography policy?

Steve Crocker <crocker@cybercash.com>
Tue, 09 Jun 1998 09:29:52 -0400
The 1998 Electronic Privacy Information Center (EPIC) Cryptography and
Privacy Conference took place on 8 Jun 1998 in Washington D.C.  It was an
excellent program, but unfortunately the most memorable moment was a
response from Principal Associate Deputy Attorney General Robert Litt.  Litt
appeared on a panel about US Encryption Policy.  During the Q&A, he was
asked about the National Research Council's report last year on cryptography
policy, Cryptography's Role In Securing the Information Society ("CRISIS").

For those unfamiliar with the report, it's a monumental and thorough work.
The committee included a former deputy Secretary of State (Kenneth W. Dam),
a former deputy commander in chief of the European command in Germany (W.Y.
Smith), a former deputy director of NSA (Ann Caracristi), a former Attorney
General (Benjamin Civiletti).  13 of the 16 committee members had full
security clearances and received the much touted behind the scenes
briefings from the intelligence community.  They concluded "debate over the
national cryptographic policy can be carried out in a reasonable manner on
an unclassified basis."

Nonetheless, Litt responded that it was written before he came on board and
therefore he didn't feel obliged to read it.  The audience gasped.
Undersecretary of Commerce for Export Administration, William Reinsch,
sitting with him on the panel looked disgusted.  Jim Bidzos, president of
RSA, later quipped it was "a gaffe of EPIC proportions."  The hallway talk
the rest of the day reflected shock at the combination of naivete and
arrogance that continues to pervade the Administration.

Steve Crocker, CyberCash, Inc., 2100 Reston Parkway, Reston, VA 20191
+1 703 716 5214 (Main number +1 703 620 4200)  crocker@cybercash.com

  [Note: There was no Subject: line on Steve's message as received.  The
  one above was added by the moderator, after checking with Webster.  PGN]


1998 "Risks of Key Recovery" report now available

Matt Blaze <mab@research.att.com>
Wed, 10 Jun 1998 08:28:56 -0400
In May of last year, a group of 11 cryptographers and computer security
researchers released a technical study of the risks, costs, and complexities
of deploying so-called "key-recovery" systems proposed by the U.S. and other
governments.  The report, entitled "The Risks of Key Recovery, Key Escrow,
and Trusted Third Party Encryption", concluded that building a secure,
economical key-recovery infrastructure of the kind required would be "beyond
the current competency of the field."

In the year since the report was first issued, there has been a great deal
of government, industry, and research activity toward designing,
prototyping, and building key-recovery systems to meet government or
commercial requirements.  We have revisited our study to take into account
the latest work on key recovery and have issued an updated study.  The
report, published by the Center for Democracy and Technology, was released
at the 1998 EPIC Cryptography Conference in Washington DC on June 8th.

The 1998 edition of "The Risks of Key Recovery" report is now available on
the web at:

    <http://www.crypto.com/key_study>

From the report's preface:

  One year after the 1997 publication of the first edition of this
  report, its essential finding remains unchanged and substantively
  unchallenged: The deployment of key recovery systems designed to
  facilitate surreptitious government access to encrypted data and
  communications introduces substantial risks and costs.  These risks
  and costs may not be appropriate for many applications of encryption,
  and they must be more fully addressed as governments consider policies
  that would encourage ubiquitous key recovery.

The report's authors include Hal Abelson, Ross Anderson, Steven M. Bellovin,
Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann,
Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier.


Differential Power Analysis

Paul Kocher <paul@cryptography.com>
Tue, 09 Jun 1998 20:33:25 -0700
Information is now available online about three related attacks we have
developed at Cryptography Research: Simple Power Analysis, Differential
Power Analysis, and High-Order Differential Power Analysis.

The basic idea of the attacks is that the power consumption of a device
(such as a smartcard) is statistically correlated to the operations it
performs.  By monitoring the power usage (or electromagnetic radiation,
etc.) during cryptographic operations, it is possible to obtain information
correlated to the keys.  The collected data is then analyzed to actually
find the keys.  The three attacks use increasingly sophisticated analysis
methods.

We have implemented these attacks against a large number of smartcards,
and at this point do not believe that any cryptographic smartcards on
the market are immune to these analysis techniques.

There is now an initial summary on Differential Power Analysis on our web
page at http://www.cryptography.com/dpa, and more information will be put on
the website as it becomes available.  A condensed text version is also
attached below.  Paul Kocher

INTRODUCTION TO DIFFERENTIAL POWER ANALYSIS
Paul Kocher, Joshua Jaffe, Ben Jun, Cryptography Research

Introduction: Power Variation

Integrated circuits are built out of individual transistors, which act as
voltage-controlled switches. Current flows across the transistor substrate
when charge is applied to (or removed from) the gate. This current then
delivers charge to the gates of other transistors, interconnect wires, and
other circuit loads. The motion of electric charge consumes power and
produces electromagnetic radiation, both of which are externally detectable.

Therefore, individual transistors produce externally observable electrical
behavior. Because microprocessor logic units exhibit regular transistor
switching patterns, it is possible to easily identify macro-characteristics
(such as microprocessor activity) by the simple monitoring of power
consumption. DPA type attacks perform more sophisticated interpretations of
this data.

Simple Power Analysis (SPA)

In SPA attacks, an attacker directly observes a system's power
consumption. The amount of power consumed varies depending on the
microprocessor instruction performed. Large features such as DES rounds, RSA
operations, etc. may be identified, since the operations performed by the
microprocessor vary significantly during different parts of these
operations. At higher magnification, individual instructions can be
differentiated. SPA analysis can, for example, be used to break RSA
implementations by revealing differences between multiplication and squaring
operations. Similarly, many DES implementations have visible differences
within permutations and shifts (e.g., the PC1 permutation or rotates of the
C and D registers), and can thus be broken using SPA. While Cryptography
Research found many smartcards to be vulnerable to SPA analysis, it is not
particularly difficult to build SPA-resistant devices.

The figure [see web site] shows SPA monitoring from a single DES operation
performed by a typical smartcard. The upper trace shows the entire
encryption operation, including the initial permutation, the 16 DES rounds,
and the final permutation. The lower trace is a detailed view of the second
and third rounds.

Differential Power Analysis (DPA)

DPA is a much more powerful attack than SPA, and is much more difficult to
prevent. While SPA attacks use primarily visual inspection to identify
relevant power fluctuations, DPA attacks use statistical analysis and error
correction techniques to extract information correlated to secret keys.

Implementation of a DPA attack involves two phases: Data collection and data
analysis. Data collection for DPA may be performed as described previously
by sampling a device's power consumption during cryptographic operations as
a function of time. For DPA, a number of cryptographic operations using the
target key are observed.

The following steps provide an example of a DPA attack process for technical
readers. (More detailed information will follow in the near future.) The
following explanation presumes a detailed knowledge of the DES algorithm.

  1.  Make power consumption measurements of the last few rounds of
      1000 DES operations. Each sample set consists of 100000 data
      points. The data collected can be represented as a two-
      dimensional array S[0...999][0...99999], where the first index
      is the operation number and the second index is the sample. For
      this example, the attacker is also assumed to have the
      encrypted ciphertexts, C[0...999].

  2.  The attacker next chooses a key-dependent selection function D.
      In this case, the selection function would have the form
      D(Ki,C), where Ki is some key information and C is a
      ciphertext. For the example, the attacker's goal will be to
      find the 6 bits of the DES key that are provided as the input
      to the DES S box 4, so Ki is a 6-bit input. The result of
      D(Ki,C) would be obtained by performing the DES initial
      permutation (IP) on C to obtain R and L, performing the E
      expansion on R, extracting the 6-bit input to S4, XORing with
      Ki, and using the XOR result as the input to the standard DES
      S4 lookup operation. A target bit (for example, the most
      significant bit) of the S result is selected. The P permutation
      is applied to the bit. The result of the D(Ki,C) function is
      set to 0 if the single-bit P permutation result and the
      corresponding bit in L are equal, and otherwise D(Ki,C) yields 1.

  3.  A differential average trace T[0...63][0...99999] is
      constructed from the data set S using the results of the
      function D. In particular:  [See web site for formula]

  4.  The attacker knows that there is one correct value for Ki;
      other values are incorrect. The attack goal is to identify the
      correct value. In the trace T[i][0...99999] where i=Ki,
      D(i,C[k]) for any k will equal the value of the target bit in L
      of the DES operation before the DES F function result was
      XORed. When the target device performed the DES operations,
      this bit value was stored in registers, manipulated in logic
      units, etc. -- yielding detectable power consumption
      differences. Thus, for the portions of the trace T[i=Ki] where
      that bit was present and/or manipulated, the sample set T[i]
      will show power consumption biases. However, for samples T[i !=
      Ki], the value of D(i,C[k]) will not correspond to any
      operation actually computed by the target device. As a result,
      the trace T[i] will not be correlated to anything actually
      performed, and will average to zero. (Actually, T[i != Ki] will
      show small fluctuations due to noise and error that is not
      statistically filtered out, and due to biases resulting from
      statistical properties of the S tables. However, the largest
      biases will correspond to the correct value of Ki.)

  5.  The steps above are then repeated for the remaining S boxes to
      find the 48 key bits for the last round. The attack can then be
      repeated to find the previous round's subkey (or the remaining
      8 bits can be found using a quick search.)

While the effects of a single transistor switching would normally be
impossible to identify from direct observations of a device's power
consumption, the statistical operations used in DPA are able to reliably
identify extraordinarily small differences in power consumption.

The figure below [see Web site] is a DPA trace from a typical smartcard,
showing the power consumption differences from selecting one input bit to a
DES encryption function used as a random number generator. (The function of
D was chosen to equal the value of plaintext bit 5.) The input initial
permutation places this bit as part of the R register, affecting the
first-round F function computation and results. Round 2 effects (due to the
use of counter mode) are also strong. The trace was produced using 1000
measurements, although the signals would be discernible with far fewer.

High-Order Differential Power Analysis (HO-DPA)

While the DPA techniques described above analyze information across a single
event between samples, high-order DPA may be used to correlate information
between multiple cryptographic suboperations. Naive attempts to address DPA
attacks can introduce or miss vulnerabilities to HO-DPA attacks.

In a high-order DPA attack, signals collected from multiple sources, signals
collected using different measuring techniques, and signals with different
temporal offsets are combined during application of DPA
techniques. Additionally, more general differential functions (D) may be
applied. More advanced signal processing functions may also be applied. The
basic HO-DPA processing function is thus a more general form of the
standard DPA function.

Today HO-DPA attacks are primarily of interest to system implementers and
researchers, since no actual systems are known that are vulnerable to HO-DPA
that are not also vulnerable to DPA. However, DPA countermeasures must also
address HO-DPA attacks to be effective.

Solving the Problems

Cryptography Research has undertaken a substantial development effort to
understand hardware security issues and their countermeasures.  Cryptography
Research has pending patents directed to the technologies and techniques
below.

DPA and related attacks span the traditional engineering levels of
abstraction. While many previously-known cryptanalytic attacks (such as
brute force) can be analyzed by studying cryptographic algorithms, DPA
vulnerabilities result from transistor and circuit electrical behaviors
which propagate to expose logic gates, microprocessor operation, and
software implementations. This ultimately compromises the cryptography.

Techniques for addressing DPA and related attacks can be incorporated at a
variety of levels:

Transistor: No feasible alternatives to semiconductors are available today,
but alternate computation technologies (such as pure optical computing) may
exist in the future. Cryptography Research has developed gate-level logic
designs that leak substantially less information.

Circuit, Logic, Microprocessor, and Software: In physically large systems,
well-filtered power supplies and physical shielding can make attacks
infeasible. For systems with physical or cost constraints, Cryptography
Research has developed hardware and software techniques that include ways of
reducing the amount of information leaked, introducing noise into
measurements, decorrelating internal variables from secret parameters, and
temporally decorrelating cryptographic operations. In applications where
attackers do not have physical possession of the device performing
cryptographic operations, such techniques can be effective. However, because
externally-monitorable characteristics remain fundamentally correlated to
cryptographic operations, we do not recommend these approaches as a complete
solution for applications where attackers might gain physical possession of
devices.

Software and Algorithms: The most effective solution is to design and
implement cryptosystems with the assumption that information will
leak. Cryptography Research has developed approaches for securing existing
cryptographic algorithms (including RSA, DES, DSA, Diffie-Hellman, ElGamal,
and Elliptic Curve systems) so that systems remain secure even though the
underlying circuits may leak information. In cases where the physical
hardware leaks excessively, the leak reduction and masking techniques are
also required.

Paul Kocher, President, Cryptography Research, 870 Market St., Suite 1088
San Francisco, CA 94102  415-397-0123 (FAX: -0127)  paul@cryptography.com

  [This work has enormous potential as one more technique for breaking
  weakly designed and badly implemented systems, and consequently represents
  one more forcing function that must be recognized in trying to achieve
  better systemic security.  Unfortunately, it also can break some good
  systems.  The most important lesson is that computer-communication
  security is a weak-link problem, and at present, computer-based systems
  are riddled with weak links.  There will always be some weak links, but
  today there are far too many.  PGN]


SLAC hack attack

"Peter G. Neumann" <neumann@chiron.csl.sri.com>
Wed, 10 Jun 98 13:55:41 PDT
The Stanford Linear Accelerator Center (SLAC) computer system was the victim
of an intrusion on 2 Jun 1998 that touched about 50 files.  The intruder
logged in with a password (guessed? sniffed? borrowed?), and left as
evidence only a new zero-length file (perhaps set up with write
privileges?).  In response, SLAC cut its computers off the Internet until
yesterday while they tried to figure out what had happened, with 30 people
working overtime.  [Abstracted from *Palo Alto Daily News*, 10 Jun 1998, p. 3]


Pioneer is calling for the ROM upgrade of their old GPS systems

Chiaki Ishikawa <Chiaki.Ishikawa@personal-media.co.jp>
Wed, 10 Jun 1998 18:45:30 +0900 (JST)
Recently, I noticed that the Japanese maker of audio and other electronic
goods, Pioneer, has begun a magazine ad campaign (in Japan) notifying the
users of their old GPS-based automobile navigation aids of a problem with
their old ROM firmware.  (I am sure there are similar systems in the USA. The
automobile navigation system essentially shows the map on a small display
and indicates where you are and where your target is, etc.)

The one-page black-and-white ad states that certain old models of their
GPS-based systems won't show correct positions beginning on 22 Aug 1999, and
urges the users of such systems to contact the Pioneer office for upgrading
the ROM.

It does not bother to explain the reason for the problem, i.e., rollover of
the week count, etc. I think it is all right since the ad is meant for the
general public. My father has a similar system in his car, but I doubt
whether he cares about the integer overflow, etc.

I submit this to RISKS because I feel Pioneer is doing the right thing and
should be commended.  That it uses a subdued black-and-white layout suggests
to me that they are trying to place the ad in as many magazines as possible
within their budget.

I just wonder if there are other widely used old models from other companies
which will begin malfunctioning, i.e., posting incorrect positions, after that
date.

Ishikawa, Chiaki, Personal Media Corp, Shinagawa, Tokyo, Japan 142
ishikawa@personal-media.co.jp.NoSpam Chiaki.Ishikawa@personal-media.co.jp.NoSpam

  [The GPS bit-overflow problem in certain receivers was noted in RISKS-18.24,
  whereby the date will reset to 6 Jan 1980 at the end of 21 Aug 1999.  PGN]
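The week-count rollover behind the Pioneer notice, as an added example that is not Pioneer's firmware: the broadcast GPS week number is a 10-bit field, so a receiver that treats it as an absolute count wraps back to 6 Jan 1980 once week 1024 begins, while a rollover-aware decoder can use a date the device knows it cannot predate (its firmware build date, assumed here) to select the correct 1024-week epoch. Leap-second offsets between GPS time and UTC are ignored throughout.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 begins here
WEEK_FIELD_BITS = 10                                    # width of the broadcast week number
WEEKS_PER_ROLLOVER = 1 << WEEK_FIELD_BITS               # 1024 weeks, about 19.6 years


def broadcast_week(absolute_week: int) -> int:
    """The 10-bit week field a satellite transmits for a given absolute GPS week."""
    return absolute_week % WEEKS_PER_ROLLOVER


def naive_gps_to_utc(week10: int, seconds_of_week: float) -> datetime:
    """What firmware that ignores the rollover does: treat the 10-bit field as the
    absolute week.  Leap seconds (GPS time vs UTC) are ignored in this example."""
    return GPS_EPOCH + timedelta(weeks=week10, seconds=seconds_of_week)


def rollover_aware_gps_to_utc(week10: int, seconds_of_week: float, not_before: datetime) -> datetime:
    """Pick the 1024-week epoch so the decoded time is the first candidate at or after
    not_before (e.g. the firmware build date, assumed known to the device)."""
    t = naive_gps_to_utc(week10, seconds_of_week)
    while t < not_before:
        t += timedelta(weeks=WEEKS_PER_ROLLOVER)
    return t


def first_rollover_utc() -> datetime:
    """Start of absolute week 1024: the moment an unpatched receiver jumps back to 1980."""
    return GPS_EPOCH + timedelta(weeks=WEEKS_PER_ROLLOVER)


if __name__ == "__main__":
    build_date = datetime(1998, 6, 1, tzinfo=timezone.utc)      # assumed firmware build date
    w = broadcast_week(1024)                                     # first week after the rollover
    print("rollover at", first_rollover_utc())                   # 1999-08-22 00:00 UTC
    print("naive:", naive_gps_to_utc(w, 0))                      # 1980-01-06
    print("aware:", rollover_aware_gps_to_utc(w, 0, build_date)) # 1999-08-22
```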


NJ motor vehicle department computer crash

David Wittenberg <dkw@cs.brandeis.edu>
Tue, 9 Jun 1998 12:50:10 -0400 (EDT)
The New Jersey Department of Motor Vehicles installed a system upgrade to
improve performance over the weekend.  After one hour of use Monday morning
it crashed, preventing field offices from processing new licenses,
registrations and titles.  A spokesman was unable to provide any details.
The state extended a June 30 deadline to July 7 for anyone affected.
Apparently no data was lost, and the system did function properly during
weekend tests.  [New York Times electronic edition, "Bureau's Computer Crash
Strands Thousands of Car Owners" June 9, 1998.  dkw stark abstracting.]

--David Wittenberg              dkw@cs.brandeis.edu


Burglars foiled by cordless phone interception

Matthew Delaney <delaney@j51.com>
Sat, 06 Jun 1998 17:15:58 -0400
The June 6th edition of the Albany (NY) Times Union reports that 3 men
from Saratoga County, NY were charged with conspiracy after a woman
intercepted the cordless phone conversation of 2 of them planning to rob
and beat an elderly woman in her home. After hearing the first names of
the men on her scanner, she called police who believed they knew the
identity of the men and followed one of the suspects to a neighborhood
where they circled around several times and left. Police investigators
found an elderly lady living alone in that neighborhood who identified
one of the suspects as someone who did work on her deck previously.

The woman who reported the conversation wished to remain anonymous,
which is interesting, because as I understand FCC law, she could also be
charged with a crime because she was monitoring a cordless phone
conversation (made illegal a few years ago) and she disclosed the content of
that conversation to someone else (which I believe has been illegal for
even longer).

The risks? When you are using that cordless phone, someone else may be
listening, even if it's illegal.

--Matthew Delaney


German high-speed train disaster

Martin Virtel <virtel@zeit.de>
Sun, 7 Jun 1998 16:48:12 +0200 (MEST)
Tabloid magazine *Neue Revue* quotes a survivor, Wolf-Rüdiger
Schliebener, confirming earlier news that passengers heard strange noises
about two minutes before the disaster, while the train started rocking and
shaking.  As the broken wheel (thought to be the cause of the disaster) was
located somewhere in the second unit, the driver up in front didn't notice
anything.

After the wheel broke, the train continued going on for two minutes at its
cruise speed of 200 km/h, until the broken wheel destabilized the whole
train and the last part of it went off the rail and hit a bridge.

The point Schliebener made was that passengers noticed something was wrong,
but the train lacked appropriate emergency brakes or any other means of
telling the driver that there was something wrong.  Which is true?  AFAIK:
there are two emergency brakes located at the doors, but none within the
cabin (which, for non-Germans, looks pretty much like an airplane's cabin,
with two rows of seats on each side).  Schliebener told *Neue Revue* he
wondered why the driver did not start to brake.  In effect, he never did:
the train was stopped automatically after all but the first unit went off
the rails. The driver seemed surprised - he hadn't noticed anything until
the train stopped automatically.

Frank Drieschner, our reporter who went to cover the disaster, was told by
railway staff that the train's steering electronics prevent the driver from
doing anything meaningful (letting the computer do everything instead) at
speeds over 160 km/h, so if there had been emergency brakes near, they'd
probably have been disabled automatically at high speeds.

Another thing Frank told me was that the cable on the rails used by the
train control system was completely destroyed between the point where the
wheel broke and the point where the train hit the bridge.  An interruption
of the cable should make the train brake automatically, railway staff told
him.

So far, there have not been any definitive conclusions on the accident.

  [Added comment:] Whatever resonance one can imagine interferes with the
  operation of trains, the presence of proper "something is going wrong"
  feedback systems (either from the passengers via an emergency brake, as I
  suggested, or an automatic one, as the next issue of Der Spiegel claims is
  installed in British high-speed trains and was dropped by the German
  railway authorities because it was too expensive) would have been of help
  in this case.

  Only imagine the passengers in the train having to remain passive as the
  train went on shaking and rattling at 200 km/h for two minutes before the
  crash.

  On the other hand, there can be a "too much flashing warning lights in the
  cockpit" problem, as several reconstructions of airplane crashes have shown.

Martin Virtel, DIE ZEIT im Internet (http://www.zeit.de)  +49 (0)40-3280-562

  [The German train disaster toll is now up to 102 people killed.]


Update on German risks ...

Debora Weber-Wulff <weberwu@tfh-berlin.de>
10 Jun 1998 09:57:13 GMT
ICE crash: Seems the Bahn had not actually been inspecting the rim wheels by
ultrasound, but by "laying on of hands". If they did not feel good, then
they would be tested. A few years ago an engineer made the suggestion to use
ultrasound for every inspection. It was not implemented because of the high
cost.  *Now* it will be standardized. Rail service is not expected to
stabilize until June 21, as all of the Type 1 ICE trainsets have to be
inspected.

Berlin S-Bahn: They were down to just 10-minute delays on the regional and
ICE trains traveling over the S-Bahn tracks and proudly gave a press
conference to that respect... on the same day that the new computer system
for controlling the switches crashed again and needed 45 minutes to begin
functioning again.

Berlin election software: Turns out, the software is not exactly for
counting votes, but for printing the election registers and the
announcements.  The statistics office had been implying that the elections
were endangered in the hopes of finally getting a much needed equipment
update....

Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik,
Luxemburger Str. 10, 13353 Berlin, Germany http://www.tfh-berlin.de/~weberwu/


Re: Local Geophysical Resonance (Sinyakov, RISKS-19.79)

Geoff Speare <geoff@omg.org>
Mon, 08 Jun 1998 12:41:00 -0400
This is the second Local Geophysical Resonance article I've seen in RISKS.
The first one (http://catless.ncl.ac.uk/Risks/19.58.html#subj8) aroused my
curiosity.  I found the following interesting facts:

1) Alexandre N. Sinyakov seems to be the only name attached to this
phenomenon.  He is the researcher who discovered it, the person who wrote
the computer models, the person who posts all the notices and letters, and
the person who heads the "Independent Catastrophes Investigation Center"
(see http://www.aanet.ru/nauka/siniakov/siniakov.html) whose sole purpose
seems to be to attach LGR as a cause to various catastrophes.

2) No news media (other than RISKS) seems to have carried any stories on LGR.

3) Nowhere could I find anything approximating a comprehensible and/or
scientific description of what causes LGR, or what LGR is.

From these facts, I conclude that the "LGR phenomenon" is more of a
publicity stunt than a valid scientific phenomenon. Such apparently
unsubstantiated and bizarre material seems out of place in RISKS. I would be
curious to hear from Professor Sinyakov or anyone else more familiar with
LGR, or from anyone with an interest in debunking and a little more spare
time than myself. :)

Geoff Speare IGCN 
