Thursday, August 9, 2007

Numbers stations, CPU signals, Russian poker

Numbers stations are outdated. The new, wily kid on the block is actually the old ciphertext. Not only does the text look innocent, having been encrypted with NORVA, but it also serves as a vehicle for an unrelated, second-purpose message.

Thus, a message in NORVA


Besides conveying a message the likes of


The secondary meaning of the NORVA message is


which could stand for anything unrelated to the plaintext.


Newer side-channel attacks include the CRT diffuse visible-light scan (link to PDF), picking up the CPU's HLT state, and hard-disk head-seek scanning.

Different CPU and memory operations can also be distinguished acoustically. This has been observed for artificial cases, such as loops of various CPU instructions, as well as for real-life cases, such as RSA decryption.

A low-frequency acoustic signal yields information about a much faster CPU in two ways. First, when the CPU is working on a long operation, it creates a characteristic acoustic spectral signature. Second, the length of each operation can be observed, and this timing can be used to launch a timing attack, especially when the attacker can affect the input to the operation.

The valuable acoustic information lies above 10 kHz, whereas typical noises, including computer fan noise, are found at lower frequencies and can thus be filtered out with proper equipment. In task-switching systems, different tasks can be distinguished by their different acoustic spectra. When several computers are present, they can be told apart by their unique acoustic signatures, since these are dictated by the hardware, the component temperatures, and other environmental conditions. This is very similar to passive sonar on a submarine. Here is where SALWISS comes in handy.

The CPU instruction that is easiest to detect is the 80x86 HLT instruction. It puts the CPU into a low-power sleep state until the next hardware interrupt. Modern CPUs temporarily shut down many of their on-chip circuits, significantly lowering power consumption and altering acoustic emissions for a relatively long time. The difference between active computation, which never involves HLT, and an idle CPU, where the kernel executes HLT in its idle loop, is very distinct. If the only program running is a cryptographic application, this already suffices to detect the moment the program wakes up for input and the moment it finishes its cryptographic task, and that information can be used to launch timing attacks. There are, of course, other, subtler acoustic cues that carry more detailed information.
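The two points above, separating the idle (HLT) floor from active computation by looking only at the band above 10 kHz, and reading operation timing off the result, can be shown in a few lines. The following is an added example, not code from the original post or from the acoustic-cryptanalysis work it paraphrases. The trace is constructed synthetically: a 120 Hz fan hum, a 3 kHz mid-band component and a noise floor are always present, and a 13 kHz component is added only while the CPU is "active". The 48 kHz sample rate, the 256-sample frame, the 13 kHz active tone and the four-times-median threshold are assumptions chosen for the illustration, not measured values.

```python
"""Added example: recover CPU active/idle timing from an acoustic trace by
band-limiting the analysis to the region above 10 kHz.  All signals here are
constructed, not real recordings; rates, frame size and threshold are assumed."""
import cmath
import math
import random

SAMPLE_RATE = 48_000   # Hz, assumed microphone sample rate
FRAME = 256            # samples per analysis frame, about 5.3 ms
CUTOFF_HZ = 10_000     # the band the text says carries the CPU information


def synth_trace(active, duration_s=0.5, seed=7):
    """Constructed trace (not a recording).  `active` is a list of
    (start_s, end_s) intervals during which the CPU is not in HLT."""
    rng = random.Random(seed)
    n = int(duration_s * SAMPLE_RATE)
    samples = []
    for i in range(n):
        t = i / SAMPLE_RATE
        s = 0.8 * math.sin(2 * math.pi * 120 * t)          # fan hum
        s += 0.3 * math.sin(2 * math.pi * 3_000 * t)       # mid-band noise
        s += rng.gauss(0.0, 0.05)                          # noise floor
        if any(a <= t < b for a, b in active):
            s += 0.2 * math.sin(2 * math.pi * 13_000 * t)  # active CPU (assumed)
        samples.append(s)
    return samples


# e^(-2*pi*j*m/N) for one frame length; (k*i) mod N indexes the DFT kernel.
_TWIDDLE = [cmath.exp(-2j * math.pi * m / FRAME) for m in range(FRAME)]


def band_energy(frame, lo_hz):
    """Sum of |X_k|^2 over the DFT bins at or above lo_hz, scaled by 1/N.
    A direct DFT of only those bins is enough for a demo; a real tool would
    FFT the whole frame."""
    k0 = math.ceil(lo_hz * FRAME / SAMPLE_RATE)
    energy = 0.0
    for k in range(k0, FRAME // 2 + 1):
        acc = sum(x * _TWIDDLE[(k * i) % FRAME] for i, x in enumerate(frame))
        energy += abs(acc) ** 2
    return energy / FRAME


def frame_energies(trace, lo_hz=CUTOFF_HZ):
    """Band energy of every whole frame in the trace, in order."""
    return [band_energy(trace[i:i + FRAME], lo_hz)
            for i in range(0, len(trace) - FRAME + 1, FRAME)]


def active_intervals(trace, lo_hz=CUTOFF_HZ, ratio=4.0):
    """Return (start_s, end_s) of runs of frames whose band energy exceeds
    `ratio` times the median frame energy.  The median stands in for the
    idle (HLT) floor, which holds as long as the machine is idle most of
    the time; with real recordings calibrate it on a known-idle capture."""
    energies = frame_energies(trace, lo_hz)
    thresh = ratio * sorted(energies)[len(energies) // 2]
    runs, start = [], None
    for idx, e in enumerate(energies):
        t = idx * FRAME / SAMPLE_RATE
        if e > thresh and start is None:
            start = t
        elif e <= thresh and start is not None:
            runs.append((start, t))
            start = None
    if start is not None:
        runs.append((start, len(energies) * FRAME / SAMPLE_RATE))
    return runs


def demo():
    """Two 'decryptions' of known length; returns the intervals recovered
    from the >10 kHz band and, for contrast, from the full band."""
    truth = [(0.10, 0.20), (0.30, 0.35)]
    trace = synth_trace(truth)
    return active_intervals(trace), active_intervals(trace, lo_hz=0)


if __name__ == "__main__":
    high_band, full_band = demo()
    print("above 10 kHz:", [(round(a, 3), round(b, 3)) for a, b in high_band])
    print("full band:   ", full_band)
```

The high-band run recovers both intervals to within a frame or two (the frame length, 5.3 ms here, is the timing resolution an attacker gets). The same detector run over the full band (`lo_hz=0`) returns nothing, because the fan hum dwarfs the CPU component in every frame; that is the point of filtering out the low frequencies before looking for the HLT/active transitions.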


I hope more of you knew of Alexander Zaporozhsky. He is the one who helped the CIA bust Hanssen. The Russians outsmarted Langley by letting Zaporozhsky visit Moscow unencumbered, building up his feeling of a secure status quo. His last visit was a result of his own yearning to come, entirely oblivious to the intensive operation culminating in his arrival in Moscow for the last time, putting an end to his cushy life in a Maryland suburb.

It seems (hoping against hope that it is no more than "seems") that while the US security organizations are preoccupied with politically correct policies reflecting the views of the new world order, grand new democracies and nation building, Russia, now rid of the ideologies that guided the USSR and the KGB to the point of bankruptcy, has succeeded in streamlining its security operations into a no-nonsense, low-profile, lean, mean spying machine.

Nobody got lucky with the original NORVA message (see below).
