3.4 EM analysis of an RSA application on an Android phone
The second example is an RSA application running on an HTC Evo 4G phone. The application was written using an open source cryptographic library. It performs a modular exponentiation with a 2048-bit modulus, using the Chinese Remainder Theorem. The application computes a straightforward modular exponentiation using the algorithm shown in Figure 1
The emissions were collected by placing a magnetic field pickup coil behind phone. The carrier frequency of the signal was 39.99 MHz. The acquisition bandwidth was 500 KHz, and the filtered bandwidth was 250 KHz. A snapshot of the collected data is shown in Figure 12
Figure 12: Data collected from HTC Evo 4G phone using near field antenna placed behind phone
In these traces, the widths and heights of the multiplication and addition operations are the same. In some of the cases, however, there is a very short gap between the operations, while in other cases there is larger gap. In the straightforward implementation shown in Figure 1
, a square can be followed by either another square, or a multiply. In contrast, a multiply is always followed by a square. In the above trace, there are never two short gaps in a row. Hence, whenever there are two large gaps in a row the corresponding bit of the secret exponent is a zero. Similarly, a short gap indicates the corresponding bit of the secret exponent is a one. By analyzing the pattern of gaps, an attacker could extract the entire secret exponent using a single trace.
3.5 EM analysis of an AES application on an Android phone
The final example is an AES application running on an HTC phone. The application invokes the Bouncy Castle AES provider. The application performs a bulk AES encryption using a 128-bit key.
The emissions were collected with a baseband m-field trace capture on a sampling scope. The acquisition bandwidth was 100 MHz, and the filtered bandwidth was 60 MHz. A snapshot of the collected data is shown in Figures 13 and 14
Figure 13: Data collected from HTC phone using m-field trace capture on a sampling scope
Figure 14: The individual AES operations in the bulk decryption