Information Leakage Through Electromagnetic Radiation of PS/2 Keyboard
This article presents the acquisition of electromagnetic radiations of PS/2 keyboard in different cases of side channel attacks: the acquisition of radiated signals in space (near field and far field) and the acquisition of conducted disturbances through the power line and over the LAN cable. The obtained data will then be processed by a program on MATLAB to restore the keystroke. This research builds a program based on the Falling Edge Transition technique of the signal to detect the position of the key and based on the characteristics of the keystroke to convert the radiated signal to scancode, then compare it with scancode library to recover the keystroke. The program works well with obtained data in case of capturing radiated signals in near field of the PS/2 keyboard.
Document summary: Information Leakage Through Electromagnetic Radiation of PS/2 Keyboard
Nghiên cứu Khoa học và Công nghệ trong lĩnh vực An toàn thông tin (Journal of Science and Technology on Information Security), No 2.CS (10) 2019, p. 51

Information Leakage Through Electromagnetic Radiation of PS/2 Keyboard

Duc Chinh Bui, The Minh Ngo, Ngoc Vinh Hao Nguyen, Manh Tuan Pham

Abstract— Computer keyboards are often used to enter data into a computer system; the data may be ordinary information or confidential information such as a password or a key. Keyboards are built from electronic components, so they generate electromagnetic radiation that can reveal that information. This article presents the acquisition of electromagnetic emanations from PS/2 keyboards through different paths (in space, through the power line and via the LAN cable). After acquisition, we develop a MATLAB program to recover the keystroke signal from data obtained in the near field of the PS/2 keyboard. This side channel attack recovers on average more than 70% of the keystrokes in the near field of PS/2 keyboards; our best attack recovers more than 90% of the keystrokes. From this result we conclude that PS/2 keyboards generate electromagnetic radiation that can leak information, and that they are not safe to use when entering confidential information.

Abstract (translated from the Vietnamese)— Computer keyboards are commonly used to enter input data into a computer system; that data may be ordinary text or information that must be kept secret, such as a password or a key. Keyboards use electronic components, so they produce electromagnetic radiation that leads to leakage of the information typed. This article presents the acquisition of the electromagnetic radiation emitted by a PS/2 keyboard during typing over different paths (radiated disturbance in space, conducted disturbance on the power line, and via the LAN). From this, the study builds a MATLAB program module to recover the keystroke signal from the data obtained in the near field of the keyboard.
This side channel attack recovers on average more than 70% of the typed characters in the near field of a PS/2 keyboard; in the best case the result exceeds 90% of the typed characters. From these results the research group concludes that all PS/2 keyboards emit electromagnetic radiation that causes information loss and are not safe to use when entering information that must be kept secret.¹

¹ This manuscript was received June 14, 2019. It was commented on June 17, 2019 and accepted on June 24, 2019 by the first reviewer; it was commented on June 16, 2019 and accepted on June 25, 2019 by the second reviewer.

Keywords— Electromagnetic radiation; PS/2 keyboard; acquisition of electromagnetic radiation; keystroke recovery.

Keywords (translated from the Vietnamese)— Electromagnetic radiation; PS/2 keyboard; acquisition of electromagnetic radiation; keystroke signal recovery.

I. INTRODUCTION

Today, with the development of science and technology, information leakage through the electromagnetic radiation of electronic devices such as monitors, keyboards and printers has been published in research works around the world. Those studies show that it is possible to recover the original information from electromagnetic radiation with appropriate hardware and software. The component of a computer system with the highest risk of information leakage is the keyboard. The keyboard is the input device of a computer system, used to enter ordinary, confidential or sensitive information. When the keyboard has exploitable hardware weaknesses, the computer system loses information regardless of the security and authentication applied afterwards. The exploitation of electromagnetic radiation has existed for decades.
Research on compromising electromagnetic emanations includes radiation detection of Bell 131-B2 devices [8], recovery of images displayed on CRTs [4] and on LCDs [4], attacks on secret keys [9], capture of video radiation [12], electromagnetic attacks on elliptic-curve cryptography implemented on FPGA, and exploitation of the compromising electromagnetic emanations of the keyboard [8]. For computer keyboards, research worldwide has presented different ways of exploiting leaked information [5], such as optical radiation [7], video analysis or using the keyboard's LEDs as an auxiliary channel to collect data [3], acoustic emanations to restore keystrokes [2, 11], and especially electromagnetic emanations [4] or conducted disturbances on the power line [1].

This article presents the acquisition of electromagnetic radiation of the PS/2 keyboard in different cases of side channel attacks: the acquisition of radiated signals in space (near field and far field) and the acquisition of conducted disturbances through the power line and over the LAN cable. The obtained data is then processed by a MATLAB program to restore the keystrokes. This research builds a program based on the falling edge transition technique of the signal to detect the position of the key, and on the characteristics of the keystroke to convert the radiated signal to a scancode, which is then compared with a scancode library to recover the keystroke. The program works well with data obtained by capturing radiated signals in the near field of the PS/2 keyboard.

The structure of this article consists of 5 parts. Section 1 is a general introduction. Section 2 gives an overview of the electromagnetic radiation of the keyboard. Section 3 describes the acquisition method for PS/2 keyboards in different setups.
Section 4 describes the development of a MATLAB program to restore keystrokes. Section 5 presents the results of measuring the radiated signals in the different setups and the results of restoring keystrokes in the near field.

... n the 237.

B. Keystroke signal recovery program for electromagnetic radiation of keyboard

Based on the falling-edge technique mentioned above and on the analysed characteristics of the scancode (the first bit is bit 0 (start), the last bit is bit 1 (stop), bit 1 always has a larger amplitude than bit 0, ...), we built a MATLAB program to recover the keystroke signal from the obtained electromagnetic radiation of the PS/2 keyboard; the block diagram of the acquisition and recovery process is shown in Fig. 6.

Fig. 6. Diagram of the capture and keystroke recovery process

The process of capturing and recovering keystrokes includes the following steps. First, use an antenna system or probe with appropriate sensitivity, in combination with a spectrum analyzer, to capture the radiated signal of the keyboard. The collected data is then saved and transmitted to the computer for processing. The MATLAB keystroke recovery program reads the data file in fixed-length frames, applies a threshold to eliminate noise and find the data locations that contain pressed keys, locates the falling edges and arranges the detected keys into key groups (see Table 1), uses the characteristics of the keyboard scancode (bit 1 or bit 0) to convert the keystroke data to a scancode, and compares the converted scancode with the keyboard's scancode library to determine the keystroke and print out the result. The algorithm flowchart of the capture and recovery process is shown in Fig. 7.

Flowchart in Fig. 7 includes the following steps:
1. Initiate the connection between the computer and the receiver via LAN cable.
2. Set up the necessary parameters of the measurement: center frequency, sample rate, time of acquisition, trigger.
3. The program waits until the receiver completes the settings and sends a notification to the computer.
4. When the receiver is ready, the program sends a request to start measuring and waits for the receiver to respond.
5. When the receiver has completed a measurement, a notification is sent and the computer reads the measurement data from the receiver memory.
6. When data is available, the program performs the analysis and displays the result on the screen.
7. After completing the data analysis, the program can continue measuring (go back to step 4) or stop.

Fig. 7. Algorithm flowchart of the capture and keystroke restoring process

Note that the time of acquisition, or the number of samples collected per frame, must be large enough to contain all pulses of a keystroke. To minimize the amount of redundant data collected, the acquisition focuses only on data frames that contain a keystroke by using a trigger. In principle, the clock line is always high when no data is transmitted between the keyboard and the computer, so the first clock pulse always changes state from 1 to 0, i.e. it appears as a falling edge. Based on this rule, the program selects the trigger so that the receiver starts from the first clock pulse of the keystroke pulse sequence. The algorithm flowchart of the analysis of the obtained data is shown in Fig. 8.

Flowchart in Fig. 8 includes the following steps:
Step 1. From the receiver memory, the program checks whether there is enough data for analysis. If not, the program exits; otherwise the analysis is executed.
Step 2. From the data block, read out N data samples. N is chosen so that it contains no more than one clock pulse.
Step 3. Search for a falling edge in those N data samples (radiated impulse detection). If there is none, go back to Step 1 and read the next N data samples; if there is a falling edge, go to Step 4.
Step 4. When a falling edge appears, the program reads the next N1 samples; N1 covers the entire data of one keystroke and is determined from the keyboard's clock frequency and the receiver sample rate.
Step 5. Find the positions of the remaining falling edges in the N1 samples.
Step 6. Based on the positions of the falling edges found, divide the keystroke into the key group according to Table 1 for falling-edge traces.
Step 7. Use the characteristics of the keyboard scancode to recover the scancode of the keystroke.
Step 8. Compare the scancode result with the scancode library and display the result on the screen. Then go back to Step 1.

Fig. 8. Algorithm flowchart of the radiated signal analysis process

V. EXPERIMENTAL RESULTS

The experiments capture the radiated signal as described in Part III in 4 different cases. The results are shown in Fig. 9 to Fig. 12.

Fig. 9. Radiated signal of key A captured in the near field
Fig. 10. Radiated signal of key H captured in the far field
Fig. 11. Radiated signal of key A captured through the power line
Fig. 12. Radiated signal of key A captured over the LAN cable

The above test results show that the PS/2 keyboard emits electromagnetic radiation and that these radiated signals can be obtained in different cases: in the far field, in the near field, and as conducted disturbance through the power line and over the LAN cable. The test cases succeeded on different PS/2 keyboards with different radiation amplitudes, and the scancode pattern does not change. The radiated frequency range of PS/2 keyboards is from 20 MHz to 300 MHz. In particular, the amplitude of the radiation received in the near field is 20-30 dB above the background noise and the signal pulses (bit 1 and bit 0) can be clearly distinguished, which makes the recovery process easier.
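The recovery procedure of Section IV.B, applied to a trace whose bit 1 and bit 0 pulses are clearly separated like the near-field case just described, worked through in Python as an added example (this is not the authors' MATLAB program): the sample rate, clock frequency, pulse width, amplitudes, noise level and the synthetic trace itself are assumptions, while the set 2 scancodes in the lookup table and the 11-bit PS/2 frame with its 0xF0 release prefix are standard PS/2 behaviour.

```python
"""Keystroke recovery from a constructed PS/2 emanation trace, following the
falling-edge / amplitude method of Section IV.B (added example, not the paper's code)."""
import random
PERIOD = 2_000_000 // 12_500  # N: samples per clock cycle (assumed 2 MS/s, 12.5 kHz clock)
FRAME_BITS, N1 = 11, 11 * PERIOD  # start 0, 8 data bits LSB first, odd parity, stop 1; N1 = one frame
PULSE, A0, A1 = 8, 0.3, 1.0   # assumed pulse width (samples) and pulse heights of bit 0 / bit 1
EDGE_THRESH, BIT_THRESH = 0.15, (A0 + A1) / 2
BREAK = 0xF0                  # a PS/2 keyboard sends BREAK + scancode when a key is released
SCANCODES = {0x1C: 'a', 0x21: 'c', 0x24: 'e', 0x33: 'h', 0x44: 'o', 0x29: ' '}  # set 2
KEYS = {v: k for k, v in SCANCODES.items()}

def frame_bits(code):         # the 11-bit PS/2 frame carrying one scancode byte
    data = [(code >> i) & 1 for i in range(8)]
    return [0] + data + [1 - sum(data) % 2, 1]

def synth_trace(text, seed=1):
    """Constructed trace: one pulse per clock cycle, taller for bit 1, on Gaussian noise."""
    rng = random.Random(seed)
    codes = [c for ch in text for c in (KEYS[ch], BREAK, KEYS[ch])]  # press + release
    x = [rng.gauss(0, 0.01) for _ in range(PERIOD * (3 + 14 * len(codes)))]
    pos = PERIOD                                   # idle lead-in
    for code in codes:
        for bit in frame_bits(code):
            x[pos:pos + PULSE] = [v + (A1 if bit else A0) for v in x[pos:pos + PULSE]]
            pos += PERIOD
        pos += 3 * PERIOD                          # idle gap between frames
    return x

def falling_edges(x, start, stop):
    """Indices in [start, stop) where the trace drops sharply (steps 3 and 5)."""
    return [n for n in range(max(start, 1), min(stop, len(x)))
            if x[n] - x[n - 1] < -EDGE_THRESH]

def decode_frame(bits):
    """Scancode byte from 11 bits, or None when the start/stop/parity checks fail (step 7)."""
    ok = len(bits) == FRAME_BITS and bits[0] == 0 and bits[10] == 1 and sum(bits[1:10]) % 2 == 1
    return sum(b << i for i, b in enumerate(bits[1:9])) if ok else None

def decode_trace(x):
    """Steps 2-7 over a whole trace; frames that fail the checks are dropped."""
    codes, n = [], 0
    while n < len(x):
        edges = falling_edges(x, n, n + PERIOD)      # read N samples and look for an edge
        if not edges:
            n += PERIOD
            continue
        n = edges[0]                                 # first clock edge of the keystroke
        edges = falling_edges(x, n, n + N1)          # all edges of this keystroke (step 5)
        bits = [int(max(x[e - PULSE:e]) > BIT_THRESH) for e in edges]  # pulse height -> bit
        code = decode_frame(bits)
        if code is not None:
            codes.append(code)
        n += N1
    return codes

def keys_from_codes(codes):
    """Step 8: scancode library lookup, skipping each BREAK byte and the release code after it."""
    out, skip = [], False
    for c in codes:
        if not skip and c != BREAK:
            out.append(SCANCODES.get(c, '?'))
        skip = c == BREAK
    return ''.join(out)
```

On the constructed trace for "hoa", decode_trace returns the make, break and make scancodes of each key and keys_from_codes yields "hoa"; a frame whose stop bit or parity is wrong is dropped rather than mapped to a wrong key.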
For the remaining cases, the radiation amplitude is only 10-15 dB above the background noise and the background noise is irregular, so restoring the keystroke signal is more complicated than in the near field. Our program currently works on the signals obtained in the near field. The data obtained in the near field is processed by the program presented in Part IV to recover the keystrokes. The results are shown in Fig. 13 for the keystroke sequence "vien khoa hoc cong nghe mat ma". In this example 26 of 30 keystrokes are correct (~86.67%).

Fig. 13. Results of running the program

Based on a number of tests, as shown in Table 2, the program recovers on average more than 70% of the keystrokes. In the best cases of background noise and radiated signal amplitude, the result can reach 90% of the keystrokes. When typing Vietnamese with Vietkey or Unikey, the signal transmitted from the keyboard to the computer remains the same, so we can still recover the original text. From the above test results, it can be confirmed that PS/2 keyboards have a high risk of leaking information, which can cause the loss of important data, and that they are unsuitable for high security systems.

TABLE 2. EXPERIMENTAL RESULTS OF KEYSTROKE RECOVERY

Keystroke                              Recovered keystroke                    Rate
abcdefghijklmn                         amchefghijilmn                         11/14 ~ 79%
conghoaxahoi                           conghoaxahoi                           12/12 ~ 100%
vienkhcnmm                             vienkhcnmm                             10/10 ~ 100%
cong hoa xa hoi chu nghia viet nam     cong hoa xa joi nhurnghiarvigt nam     26/31 ~ 84%
vien khoa hoc cong nghe mat ma         vienrkboa joc nongrnehe mat ja         23/30 ~ 76%
hello good morning                     hgllo gooh morning                     16/18 ~ 89%
bùi đức chính                          buif jhuwcs nhinbs                     14/18 ~ 78%
demo thu ban phim co day               dgmo thu ban phim co day               22/23 ~ 96%

Future studies by our group address restoring keystrokes in the other PS/2 cases, such as suppressing the increased noise and amplifying the radiated signals. We are also studying methods of capturing the radiated signals of other keyboards, such as USB, wireless and laptop keyboards. This requires improving the acquisition process with preamplifiers and testing in environments with low background noise, such as a semi-anechoic chamber. The initial results of these studies are relatively positive, but they are not yet comprehensive, so we do not present them in this article.

VI. CONCLUSION

The keyboard is an input component of a computer system, so if it is attacked, the security of the rest of the system becomes insignificant. This article has demonstrated the risk of information leakage through the electromagnetic radiation of PS/2 keyboards. It has also presented the successful acquisition of electromagnetic radiation from PS/2 keyboards in the near field, in the far field, and as conducted disturbance through the power line and over the LAN cable. The keystroke recovery program achieves an average of 70% of the keystrokes and more than 90% of the keystrokes in the best case.
With a PS/2 keyboard it is difficult to improve the hardware to prevent attacks, unlike flaws in software or the operating system, which can be fixed with patches. Therefore, for a high security computer system, keyboards with lower electromagnetic leakage should be used and tested before being put into practice, and techniques to reduce electromagnetic radiation, such as filters, shielding or noise generation, should be applied.

ACKNOWLEDGMENT

This work was supported by the Institute of Cryptographic Science and Technology, Viet Nam.

REFERENCES

[1]. Andrea Barisani, Daniele Bianco, “Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage”, Inverse Path Ltd, 2009.
[2]. Asonov, D., and Agrawal, R., “Keyboard Acoustic Emanations”, IEEE Symposium on Security and Privacy, 2004.
[3]. Balzarotti, D., Cova, M., and Vigna, G., “ClearShot: Eavesdropping on Keyboard Input from Video”, IEEE Symposium on Security and Privacy, 2008.
[4]. Kuhn, M. G., “Compromising Emanations: Eavesdropping Risks of Computer Displays”, Technical Report, 2003.
[5]. John V. Monaco, “SoK: Keylogging Side Channels”, IEEE Symposium on Security and Privacy, 2018.
[6]. Li Zhuang, Feng Zhou, J. D. Tygar, “Keyboard Acoustic Emanations Revisited”, Proceedings of the 12th ACM Conference on Computer and Communications Security, November 2005.
[7]. Loughry, J., and Umphress, D. A., “Information Leakage from Optical Emanations”, ACM Trans. Inf. Syst. Secur., 2002.
[8]. Martin Vuagnoux, Sylvain Pasini, “Compromising Electromagnetic Emanations of Wired and Wireless Keyboards”, Security and Cryptography Laboratory, 2007-2009.
[9]. Smulders, P., “The Threat of Information Theft by Reception of Electromagnetic Radiation from RS-232 Cables”, Computers and Security, 1990.
[10]. Tuttlebee, W., “Software Defined Radio: Enabling Technologies”, John Wiley and Sons, England, 2003.
[11]. Tzipora Halevi, Nitesh Saxena, “Keyboard Acoustic Side Channel Attacks: Exploring Realistic and Security-Sensitive Scenarios”, International Journal of Information Security, Springer, 2014.
[12]. Van Eck, W., “Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?”, Comput. Secur., 198.

ABOUT THE AUTHORS

M.Sc. Duc Chinh Bui
Workplace: Institute of Cryptographic Science and Technology, Vietnam Government Information Security Commission.
Email: ducchinh1108@gmail.com
Education: Received the Degree of Engineer in Electronics and Telecommunication Engineering in 2013 and the Degree of Master of Engineering in Electronics Engineering in 2016 from the School of Electronics and Telecommunications, Hanoi University of Science and Technology, Vietnam.
Research today: electromagnetic compatibility, including solutions to ensure EMC for electronic devices, and exploitation of information leakage through side channels.

M.Sc. The Minh Ngo
Workplace: Institute of Cryptographic Science and Technology, Vietnam Government Information Security Commission.
Email: ntminh1963@yahoo.com
Education: Received the Degree of Engineer from the Faculty of Electrical Engineering and Informatics, Budapest University of Technology and Economics, Hungary, in 1987. Received the Degree of Master of Engineering from the Academy of Cryptography Techniques, Vietnam, in 2005.
Research today: electromagnetic compatibility, including solutions to ensure EMC for electronic devices, and research on EMC standards.

Ngoc Vinh Hao Nguyen
Workplace: Institute of Cryptographic Science and Technology, Vietnam Government Information Security Commission.
Email: nnvh89@gmail.com
Education: Received the Degree of Engineer and Master in Aerospace Radio-Electronic Systems from Kharkov Aviation University, Ukraine, in 2013 and 2015 respectively.
Research today: electromagnetic compatibility.
Currently, he is working on cryptographic analysis through side channels.

M.Sc. Manh Tuan Pham
Workplace: 129 Company Limited, Vietnam Government Information Security Commission.
Email: tuanpm.129@gmail.com
Education: Received the Degree of Engineer from the Posts and Telecommunications Institute of Technology, Vietnam, in 2003; the Degree of Master from the Military Technical Academy, Vietnam, in 2008; and the Degree of Doctor of Philosophy from the Posts and Telecommunications Institute of Technology, Vietnam, in 2017.
Research today: design and implementation of cryptographic algorithms in hardware; overall study of security solutions for voice and video data in different media environments.
Attached file:
- information_leakage_through_electromagnetic_radiation_of_ps.pdf