Electromagnetic Attacks and Countermeasures

EM is a side-channel with a long history of rumors and leaks associated with its use for espionage. It is well known that defense organizations across the world are paranoid about limiting EM emanations from their equipment and facilities and conduct research on EM attacks and defenses in total secrecy. In the United States, such work is classified under the codename “TEMPEST” which is believed to be an acronym for “transient electromagnetic pulse emanation standard”. In January 2001, in response to a Freedom of Information Act (FOIA) request, some documents related to TEMPEST such as NACSIM 5000 tempest fundamentals, NACSEM 5112 NONSTOP evaluation techniques and NSTISSI no. 7000 TEMPEST countermeasures for facilities were released in redacted form and can be downloaded from the website http://www.cryptome.org. In the public domain, the significance of the EM side-channel was first demonstrated by van Eck in 1985 [11]. He showed that EM emanations from computer monitors could be captured from a distance and used to reconstruct the information being displayed. Figures 15.1 and 15.2 show a modern day recreation of this attack, where the contents of the computer monitor displaying a Word document in Figure 15.1 have been reconstructed in Figure 15.2 using only the EM emanations from that monitor. As a defense against this attack, Kuhn and Anderson in 1998 [8] developed special fonts which have substantially reduced EM leakage characteristics which make them difficult to reconstruct. The first openly published works on EM analysis of ICs and CPUs performing cryptographic operations by Quisquater and Samyde [9] and by Gandolfi, Mourtel and Olivier [5] in 2001 were quite limited. These attacks were performed on chip cards and required tiny antennas to be placed in very close proximity to the IC being attacked. In fact, the best attacks were semi-invasive, requiring the decapsulation