Hamdi ALTINER, Hamdi ALTINER, Ediz ŞAYKOL, Ediz ŞAYKOL

VERİ GÜVENLİĞİNDE TEMPEST SALDIRI TÜRLERİ ÜZERİNE TARİHSEL BİR İNCELEME

Hayatımızın bir vazgeçilmezi haline gelen bilgisayarlar, günümüzde bazen farkında olmadan kendimiz bazen de kötü niyetli kişiler tarafından çok etkin bir ateşsiz silah olarak kullanılabilmektedir. Gayri yasal yollarla elde edilen bilgilerin ifşa edilmesi ile dünya çapında kaoslar oluşturulmakta, ülke güvenlikleri tehlikeye atılmakta, sağlık, elektrik, haberleşme hizmetleri gibi hayati faaliyetler durdurulmakta, şirketler zarara uğratılmakta ve özel hayatın gizliliği ihlal edilerek, hızla büyüyen bir ağ gibi tüm insanlık bu tehditlere karşı savunmasız hale gelmektedir. Bu tehditler artan hız ve karmaşıklıkta devam etmekte olup bilişim hayatımızın içerisinde yer aldığı sürece de devam edecektir. Bilişim güvenliğinin sağlanmasına yönelik çabalar bitmeyen ve devamlı iyileştirmeler ile güncel tutulması gereken bir faaliyet olmalıdır. Bu nedenle bilişim güvenliği bir son durum değil, hiç bitmeyen, yaşayan bir süreç olarak algılanmalıdır. Kişisel bilişim güvenliğine kıyasla kurumsal bilişim güvenliği daha çok bileşenli, önemli ve yönetimi zor bir süreçtir. Bu nedenle daha yüksek bir maliyet ve iş gücü gerektirir. Bilişim güvenliği pek çok ana ve alt konulardan meydana gelmektedir ancak özellikle gizli bilgilerin işlendiği kurumlarda uyulması gereken güvenlik önlemlerinin başında TEMPEST gelmektedir. Bilgi güvenliğinin değerini artırdığı günümüzde TEMPEST konusunun önemi daha da belirginleşmiştir.

Anahtar Kelimeler:

TEMPEST, Bilişim Güvenliği, Elektromanyetik Girişim, Elektromanyetik Güvenlik, Elektromanyetik Uyum, Elektronik İstihbarat, Uzaysal Işıma, Ekranlama, Yan Kanal Saldırıları, Elektromanyetik Analiz

A CHRONOLOGICAL REVIEW ON TEMPEST ATTACKS IN DATA SECURITY

As an inevitable part of our life, computers sometimes can be used like a nonfirearm unconsciously by ourselves or by malicious people. By disclosing illegally obtained information, worldwide chaoses can be created, security of countries can be endangered, vital services like health, electricity, communication can be interrupted, companies can be undermined and violating privacy of prive life and like a growing network all humanity becomes vulnerable against this threats. These threats continue in increasing speed and complexity, and will last as long as information technology takes place in our life. The efforts for securing information security must be up to date activity with long lasting and continuous improvements. Therefore Information Security must be considered as a never ending process. In comparison with personnel information security, institutional information security is much more complex and hard to manage process. Therefore it requires higher costs and manpower. IT Security consist of many main and sub topics but especially in security related institutions TEMPEST comes at the head of main precautions. Nowadays on which Information Security's value increased, importance of TEMPEST issue became more evident.

Keywords:

TEMPEST, Bilişim Güvenliği, Elektromanyetik Girişim, Elektromanyetik Güvenlik, Elektromanyetik Uyum, Elektronik İstihbarat, Uzaysal Işıma, Ekranlama, Yan Kanal Saldırıları, Elektromanyetik Analiz,

PDF

___

JMcNamara, ''The Complete, Unofficial TEMPEST Information Page", at http://www.eskimo.com/~joelm/tempest.html.
Major General RFH Nalder, 'History of the Royal Corps of Signals', published by the Royal Signals Institution (1958).
USA National Security Agency (NSA), TEMPEST: A signal problem; Cryptologic Spectrum, 1972.
Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü Dergisi Cilt:2 Sayı:3 "TEMPEST, TEMPEST'in Keşfi ve Sinyal Analizi, Değerlendirme Kriterleri ve Ölçüm Sistemleri, Cihaz Tasarımı". Mayıs-Ağustos 2010.
W Ware, ' Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security', Rand Report R609-1, The RAND Corporation, Santa Monica, CA (Feb 1970), available from http://csrc.nist.gov/publications/history/index.html.
P Wright, 'Spycatcher-The Candid Autobiography of a Senior Intelligence Officer',William Heinemann Australia, 1987, ISBN 0-85561-098-0
W Van Eck, ''Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? in Computers and Security v 4 (1985) pp 269-286.
RJ Anderson, MG Kuhn, ' 'Tamper Resistance-a Cautionary Note", in Proceedings of the Second Usenix Workshop on Electronic Commerce (Nov 96) pp 1-11; http://www.cl.cam.ac.uk/users/rja14/tamper.html.
P Kocher, ''Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems", in Advances in Cryptology-Crypto 96 Springer LNCS v 1109 pp 104-113, 1996
MG Kuhn, RJ Anderson, ''Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations", in Proceedings of the Second International Workshop on Information Hiding (Portland, Apr 98), Springer LNCS v 1525 pp 126-143.
P Kocher, ''Differential Power Analysis", in Advances in Cryptology-Crypto 99 Springer LNCS v 1666 pp 388-397; a brief version was presented at the rump session of Crypto 98.
MG Kuhn, ''Optical Time-Domain Eavesdropping Risks of CRT Displays" in IEEE Symposium on Security and Privacy (2002)
D Asonov, R Agrawal, ''Keyboard Acoustic Emanations", IBM Almaden Research Center, 2004.
L Zhuang, F Zhou, JD Tygar, ''Keyboard Acoustic Emanations Revisited" in 12th ACM Conference on Computer and Communications Security (2005).
SJ Murdoch, ''Hot or Not: Revealing Hidden Services by their Clock Skew", in 13th ACM Conference on Computer and Communications Security. 2006
Ross Anderson "Security Engineering: A Guide to Building Dependable Distributed Systems" Second Edition, Chapter 17, Emission Security, Cambridge, January 2008.
USA Air Force, Emissoin Security Countermeasures Reviews; USA Air Force Systems Security Security Memorandum 7011, 1998.
R Gonggrijp, WJ Hengeveld, A Bogk, D Engling, H Mehnert, F Rieger, P Scheffers, B Wels, ''Nedap/Groenendaal ES3B voting computer-a security analysis", Oct 2006, at http://www.wijvertrouwenstemcomputersniet.nl/Nedap-en
L. Ordu, S. B. Ors, "Yan Kanal Analizi Saldirilarina Genel Bakis", Ulusal Elektronik Imza Sempozyumu Bildiriler Kitabi, sayfa: 242-249, 07-08 Aralık 2006.
Anderson, R., Kuhn, M., Tamper resistance - a cautionary note, Proceedings of the 2nd USENIX Workshop on Electronic Commerce, 1-11, 1996.
Kommerling, O. ve Kuhn, M.G., Design principles for tamper resistant smartcard processors, Workshop on Smartcard Technology 1999
Boneh, D., DeMillo, R.A., Lipton R.J., On the importance of checking cryptographic protocols for faults, EUROCRYPT'97, vol 1233, 37-51, 1997
Joye M., Lenstra A.K. and Quisquater J.-J, Chinese remaindering based cryptosystem in the presence of faults. Journal of Cryptology, 4(12), 241-245, 1999.
Örs, S.B., Hardware Design Of Elliptic Curve Cryptosystems And Side-Channel Attacks. PhD thesis, Katholieke Universiteit Leuven, Faculteit Toegepaste Wetenschappen, Departement Elektrotechniek, Kasteelpark Arenberg 10, 3001 Leuven (Heverlee), Belgium, February 2005.
D Brumley, D Boneh, ''Remote timing attacks are practical", in Computer Networks v 48 no 5 (Aug 2005) pp 701-716
Dhem J.F., Design of an effcient public-key cryptographic library for RISC-based smart cards. PhD thesis, UCL Crypto Group, Laboratoire de microelectronique (DICE), May 1998.
Walter C.D., Montgomery exponentiation needs no final subtraction. Electronic letters, 35(21) 1831-1832, October 1999.
Walter C.D., MIST: An efficient, randomized exponentiation algorithm for resisting power analysis. vol 2271 of Lecture Notes in Computer Science, pages 53-66, San Jose, USA, February 2002.
Hachez G. and Quisquater J.-J.. Montgomery exponentiation with no final subtractions: Improved results. In C. K. Koç and C. Paar, editors,Proceedings of 2nd International Workshop on Cryptographic Hardware and Embedded Systems (CHES), vol 1965 pages 293-301, Worcester, Massachusetts, USA, August 17-18 2000.
TS Messergues, EA Dabish, RH Sloan, ''Investigations of Power Analysis Attacks on Smartcards", in Usenix Workshop on Smartcard Technology, pp 151-161
R Meyer-Sommer, ''Smartly analyzing the simplicity and the power of simple power analysis on Smartcards", in Workshop on Cryptographic Hardware and Embedded Systems (2000); Springer LNCS v 1965 pp 78-92
Kang S.-M., and Leblebici Y., CMOS Digital Integrated Circuits: Analysis and Design. McGraw Hill, 2002.
Kocher, P., Jaffe, J. ve Jun, B., Differential power analysis, CRYPTO'99, vol. 1666, 388-397, 1999.
Ordu L., AES Algoritmasının FPGA Üzerinde Gerçeklenmesi ve Yan-Kanal Analizi Saldırılarına Karşı Güçlendirilmesi. Yüksek Lisans Tezi, İTÜ Fen Bilimleri Enstitüsü, Haziran 2006.
Oswald E., On Side-Channel Attacks and the Application of Algorithmic Countermeasures. PhD Thesis. June 2003.
J Quisquater, D Samyde, ''ElectroMagnetic Analysis EMA):Measures and Counter-Measures for Smart Cards" in nternational Conference on Research in Smart Cards, Springer LNCS v2140 pp 200-210.
Messerges T.S., Power Analysis Attacks and Countermeasures on Cryptographic Algorithms. PhD thesis, University of Illinois, 2002.
Borst J., Block Ciphers: Design, Analysis and Side-Channel Analysis. PhD thesis, K.U.Leuven, September 2001.
Şadi Evren ŞEKER, DES (Veri Şifreleme Standardı, Data Encryption Standard), http://www.bilgisayarkavramlari.com/2008/03/13/des-veri-sifreleme-standardi-data-encryption-standard/ (25.07.2013 arihinde erişilmiştir.)
Chari, S., Jutla C.S., Rao, J.R. ve Rohatgi, P., Towards sound approaches to counteract power-analysis attacks, CRYPTO'99, v1666, 398-412, 1999
Goubin, L. ve Patari, J., DES and differential power analysis the "duolication" method, CHES-1999, vol. 1717, 158-172. 1999.
Akkar, M.L. ve Giraud, C., An implementation of DES and AES, ecure against some attacks, CHES 2001, Third International Workshop., vol. 2162, 309-318, 2001
Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V., A side-channel analysis resistant description of the AES S-Box, FSE 2005, vol. 3557, 2005
MG Kuhn, ''Electromagnetic Eavesdropping Risks of Flat-Panel Displays", in PET 2004, at http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf
S Krempl, ''Lauschangriff am Geldautomaten", in Der Spiegel Jan 8 1999; at http://web.archive.org/web/20001031024042/http://www.spiegel.de/netzwelt/technologie/0,1518,13731,00.html.
ER Koch, J Sperber, 'Die Datenmafia', Rohwolt Verlag (1995) ISBN 3-499-60247-4
US Army, 'Electromagnetic Pulse (EMP) and Tempest Protection for Facilities', Corps of Engineers Publications Depot, Hyattsville (1990).
Halil Tosunoğlu, Ortak Kriterler ve Bilgi Güvenliği, TÜBİTAK -BİLGEM -UEKAE 24 Haziran 2011, ANKARA https://www.bilgiguvenligi.gov.tr/dokuman-yukle/6.-kamu-kurumlari-bilgi-teknolojileri-guv.-konf./halil-tosunoglu-8haziranbilgiguvenligigunu/download.html, ( 14.08.2013 tarihinde erişilmiştir.)
D Boneh, RA Demillo, RJ Lipton, ''On the Importance of Checking Cryptographic Protocols for Faults", in Advances in Cryptology-Eurocrypt 97, Springer LNCS v 1233 pp 37-51.
E Biham, A Shamir, ''Differential Fault Analysis of Secret Key Cryptosystems", in Advances in Cryptology-Crypto 97 Springer LNCS v 1294 pp 513-525.
J Loughry, DA Umphress, ''Information leakage from optical emanations", in ACM Transactions on Information and System Security v 5 no 3 (Aug 2002) pp 262-289
DX Song, D Wagner, XQ Tian, ''Timing analysis of keystrokes and SSH timing attacks," in Proceedings of 10th USENIX Security Symposium (2001).
SP Skorobogatov, ''Optically Enhanced Position-Locked Power Analysis", in CHES 2006 pp 61-75
Wenhan Yang, Yinghua Lu, Jun Xu, "Video information recovery from EM leakage of computers based storage oscilloscope" Beijing 2010.
Yang X N, Lou C Y, Xu J L. Theory and Application of Software Radio. Beijing: Publishing House of Electronics Industry, 2001 (in Chinese)
Zhang H X, Lu Y H, He P F, Wang H X. Text recovery from EM leakage of computers. Journal of Southwest Jiaotong University, 2007, 42(6): 653-658 (in Chinese).
Xiang C B, Zhang H Z, Song J Z, Qiao S. Automatic synchronous signal extraction and steady display of non standard video information. Journal of Data Acquisition & Processing, 2007, 22 (4): 486-490 (in Chinese).