Cyber Defense Advisors

Side Channels Are Common

@ Bruce, ALL,

“Side Channels Are Common”

Not “common” but “ubiquitous” and inevitable in all communications channels.

I’ve been through this a few times on the blog over the past two decades.

But the proof, if people want to work it out, is fundamental to physics.

To communicate is a process of “work” thus uses energy over time, and no work process is 100% efficient. Therefore the waste energy is a loss that, as it has both an amplitude and a time function, can and does carry information.

Further, Claude Shannon proved that not only does the transfer of information require redundancy, he also showed how much information could be sent in a period of time due to the bandwidth of the channel.

Gus Simmons showed via his Prisoners’ Problem that all information channels, due to the redundancy, could have another information channel in the redundancy of the first channel, and not only can you not stop it, you cannot prove it is being used.

For any information to be carried by energy two things are required,

1, Sufficient bandwidth to carry the information.
2, Sufficient energy in the available bandwidth to overcome the inherent noise caused by charge movement of free electrons under thermal influence (Johnson-Nyquist noise[1]) and the like.

There are three basic ways energy from the inefficiency from work can be transported and it decays with distance(r),

1, Conduction, decay 1/(r)
2, Radiation, decay 1/(r^2)
3, Convection, decay ~1/(r^3)

The fundamentals of TEMPEST and Passive EmSec and since the 1980s “Electromagnetic Compatibility”(EMC) is you control three things,

1, Energy
2, Bandwidth
3, Distance

So that any “compromising emissions” are “put below the standards mask” which for TEMPEST and EmSec is the assumed “noise floor”(-174dBm).

The thing you have to be careful of is “transducers” that convert one type of energy to another.

For instance consider the noise from a moving train, normally the sound power level drops with the square of the distance. However it also gets conducted along the rails that then re-radiate it. If you stand at a quiet railway station you can hear the rails twitch long before you can hear or often see the train.

Similar applies to “sound powered telephones” the moving coil microphone generates electrical current from the sound energy, that is then conducted down the telephone pair where at the ear piece another moving coil turns it back into sound energy.

All coils in a magnetic field move when a changing current goes through them. This includes the filter inductors that reduce “electrical bandwidth” which is why you can hear some older lower frequency “Switch Mode Power Supplies”(SMP) “sing” under certain load conditions.

Likewise all capacitors generate sound due to energy going into and coming out of storage.

Fun fact if you make a large capacitor with two 1m square aluminium plates, and you put polythene sheet between them and connect them up to a fluorescent tube. If you hinge the top plate and lift the open edge up and down the tube will flash.

Electrical arcs have considerable power in them and it can be very linearly converted to sound. Look up Quad ESL Electro-Static Loud speakers to see how long they’ve been in people’s homes and in recording studios.

I’ve a very very long list of such energy channels and how they can be modulated with information, intentionally or unintentionally.

In the US TEMPEST is still technically “classified” so difficult to get information on. However all you need to know can be found in high school physics books as basic knowledge and books on EMC for the basics of the more specialised knowledge.

There is further information like “clock the inputs, clock the outputs” to stop both system transparency and time based “jitter” side channels down to a low bandwidth. Also “Fail Hard, Fail Long” to reduce the bandwidth of protocol side channels.

Importantly remember that attacks are not always passive, thus apply care with regard to channels going in reverse such as those for errors and exceptions.

[1] Johnson-Nyquist noise, also called thermal noise, Johnson noise, or Nyquist noise, is the random electronic noise caused by the thermal agitation of charge carriers (primarily free electrons) within an electrical conductor when it is at equilibrium. This happens regardless of any applied voltage and is related to the resistance of the conductor and the bandwidth available. ALL physical resistors have a voltage noise that can be found from,

VNR = √(4kTBR)

Where,

k = Boltzmann’s Constant 1.38 x 10^-23
T = Absolute Temperature = T(°C+273.15)
B = Bandwidth in Hz
R = Resistance in Ohms.

So, for a 1000 ohm resistor at 25°C it generates a VNR of 4nV / √Hz.

Mostly for ease of usage noise is given as a power value in a bandwidth of 1 Hz (unless otherwise stated). So P = V^2/R therefore PN = 4kTB and is given in Decibel milliwatts (dBm). As a rule of thumb the “noise floor” at room temperature in a one Hz bandwidth is assumed to be -174dBm.
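
Added example, not part of the original comment: a small zoning calculation that combines the comment's three controls (energy, bandwidth, distance), its 1/r, 1/r^2, 1/r^3 decay laws and the -174 dBm rule of thumb to show how far an emission stays above the noise floor on each transport path. The function names, the reference-distance model (decay applied to power relative to a measured point) and the sample figures are assumptions made for illustration.

```python
import math

# Rule of thumb quoted in the comment: noise floor in a 1 Hz bandwidth.
NOISE_FLOOR_DBM_1HZ = -174.0
# Exponent n of the 1/r^n decay the comment lists for each transport path.
DECAY_EXPONENT = {"conduction": 1, "radiation": 2, "convection": 3}


def noise_floor_dbm(bandwidth_hz):
    """Noise floor in dBm for a given bandwidth (adds 10*log10(B))."""
    if bandwidth_hz <= 0:
        raise ValueError("bandwidth must be positive")
    return NOISE_FLOOR_DBM_1HZ + 10.0 * math.log10(bandwidth_hz)


def level_dbm(p_ref_dbm, r_ref_m, r_m, path):
    """Emission level at r_m, given the level measured at r_ref_m.
    Assumption: the 1/r^n law applies to power relative to r_ref_m."""
    if r_ref_m <= 0 or r_m <= 0:
        raise ValueError("distances must be positive")
    n = DECAY_EXPONENT[path]
    return p_ref_dbm - 10.0 * n * math.log10(r_m / r_ref_m)


def distance_to_floor_m(p_ref_dbm, r_ref_m, bandwidth_hz, path):
    """Distance at which the emission decays to the noise floor."""
    margin_db = p_ref_dbm - noise_floor_dbm(bandwidth_hz)
    if margin_db <= 0:
        return r_ref_m  # already at or below the floor where it was measured
    return r_ref_m * 10.0 ** (margin_db / (10.0 * DECAY_EXPONENT[path]))


def required_attenuation_db(p_ref_dbm, r_ref_m, boundary_m, bandwidth_hz, path):
    """Extra attenuation (shielding, filtering) needed so the emission sits
    at or below the noise floor at the controlled boundary."""
    floor = noise_floor_dbm(bandwidth_hz)
    excess = level_dbm(p_ref_dbm, r_ref_m, boundary_m, path) - floor
    return max(0.0, excess)


if __name__ == "__main__":
    # Constructed sample: -100 dBm measured at 1 m in a 1 kHz bandwidth,
    # with a controlled boundary 10 m from the equipment.
    for path in DECAY_EXPONENT:
        d = distance_to_floor_m(-100.0, 1.0, 1000.0, path)
        a = required_attenuation_db(-100.0, 1.0, 10.0, 1000.0, path)
        print(f"{path:<10} floor at {d:10.1f} m; needs {a:4.1f} dB at 10 m")
```

With these constructed figures the conducted path stays above the floor for roughly 25 km against roughly 158 m for the radiated path, which is why a transducer that couples an emission onto a conductor matters so much for zoning.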