36 research outputs found

    Emission Security Levels and Signal Reconstruction for Leaked Electromagnetic Waves

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Electrical and Computer Engineering, August 2013. 김성철. In this dissertation, electromagnetic emanation security (EMSEC)-channel information from video display units and printers is reconstructed using the averaging technique and a proposed adaptive deringing filter. Also, emission security limits are proposed based on the analysis of the indoor EMSEC-channel. A waveform emitted from equipment that handles important information can be intentionally detected and restored using a sensitive antenna and a high-performance receiver. Documents related to EMSEC have been classified as highly confidential, so military organizations prohibit their publication. For this reason, reasonable emission security limits for various electronic devices dealing with significant information are necessary. Firstly, we measure and analyze the spectrum of the information-bearing electromagnetic waves from a personal computer (PC) and a printer in order to identify the exact signal characteristics and frequency components. The target devices in this study are the desktop, laptop and laser printer generally used in domestic offices. Because a printer processes a large amount of information in a short period of time, information may leak during this process. To verify the leakage of electromagnetic spectrum that contains information, we measure and analyze the whole spectrum from 100 MHz to 1000 MHz. Secondly, we present how to build the EMSEC system and how to restore the leaked electromagnetic signal on the basis of the signal characteristics of the electromagnetic leakage from the printer and the video display unit (VDU) of the PC. The parameters that can improve the performance of signal recovery from the leaked electromagnetic wave are antenna sensitivity, resolution bandwidth (RBW) of the receiver, and signal processing gain. 
To adjust the signal processing gain, an antenna with high antenna gain and the use of a wider RBW on the receiver improve the hardware of the EMSEC system, whereas the image restoration algorithm applied as post-processing corresponds to the software of the EMSEC system. Techniques for increasing signal strength and reducing noise are particularly important when trying to measure compromising emanations because the magnitude of these signals can be extremely small. The averaging technique seeks the maximum cross-correlation between recorded leaked electromagnetic signals. It is a practical, highly effective and widely used technique for increasing the signal-to-noise ratio (SNR) of a periodic signal, such as that generated by the image-refresh circuitry in a video display system. However, unlike video display systems, printers and facsimile machines exhibit aperiodicity in their EMSEC-channel information during operation. Since the aperiodic EMSEC-channel information of equipment such as printers and faxes is not involved in processing gain, the differences between periodic and aperiodic compromising emanations need to be considered in order to establish emission security limits. In addition, we propose the adaptive deringing filter to reconstruct the EMSEC-channel information from the PC and printer. We obtain a minimum peak signal-to-noise ratio (PSNR) enhancement of 2 and a maximum PSNR enhancement of 10 compared with the original reconstructed image. Next, we perform the EMSEC-channel measurements in the 100–1000 MHz frequency bands. Second, we analyze the pathloss characteristics of the indoor EMSEC-channel based on these measurements. We find the frequency correlation pathloss characteristics of compromising emanations to determine the reasonable total radio attenuation (TRA). 
Also, the pathloss exponent values range from 1.06 to 2.94 depending on the frequency band and the CMs, which in turn differ with propagation environments. Through this EMSEC-channel analysis, we affirm that the TRA, which is one of the key parameters for determining the security limits for compromising emanations, follows the Rician distribution. However, previous work assumed that radio attenuations would have constant values. We found that the TRA does not show significant differences depending on the frequency bands and has the following ranges depending on the environment: 29–41 dB at CM2, 42–57 dB at CM3, 47–57 dB at CM4, and 24–29 at CM5. In addition, CM3 and CM4 have greater TRA than CM2 and CM5. Based on the experimental results of this study, we propose security limits on periodic as well as aperiodic EMSEC-channel information. The proposed security limits on compromising emanations are classified into two levels according to the TRA and the level of required confidentiality. Periodic emission security limits for class A are 24, 28, 35 dBμV/m in the 100-400 MHz, 400-900 MHz and 900-1000 MHz bands, respectively. Periodic emission security limits for class B are 4, 1, 3, 5 dBμV/m in the 100-200 MHz, 200-600 MHz, 600-700 MHz and 700-1000 MHz bands, respectively. Aperiodic emission security limits are weaker than the periodic emission security limits by the processing gain Gp, 23 dBi, owing to the redundancy caused by repetitive signals. The periodic EMSEC-channel information is therefore easily leaked and reconstructed, which results in a potential risk. Thus, the periodic emission security limits must be stronger than the aperiodic emission security limits. We can then compare our security limits with other security limits and existing civil and military EMC standards. Future work may include characterization and reconstruction of fax, smartcard and other electronics. 
EMSEC-channel analysis in more complex environments is also needed.

Chapter 1 Introduction
1.1 Historic background and previous work
1.2 Motivation and scope
Chapter 2 Detection of Compromising Emanations
2.1 Introduction
2.2 Compromising Emanations from Video Display Units
2.2.1 Property of Video Display Units
2.2.2 Leakage path of Video Display Units
2.2.3 Measurement system
2.2.4 Measurement result
2.3 Compromising Emanations from Printer
2.3.1 Property of Printer
2.3.2 Leakage path of Printer
2.3.3 Measurement system
2.3.4 Measurement result
2.4 Conclusion
Chapter 3 Reconstruction of Compromising Emanations
3.1 Introduction
3.2 EMSEC system for Reconstruction
3.3 Reconstruction of Compromising Emanations from Video Display Units
3.3.1 Characteristics of EMSEC-channel information from VDUs
3.3.2 Reconstruction result
3.4 Reconstruction of Compromising Emanations from Printer
3.4.1 Characteristics of EMSEC-channel information from Printer
3.4.2 Reconstruction result
3.5 Adaptive Deringing Filter for EMSEC-channel information Reconstruction
3.6 Conclusion
Chapter 4 Characteristic of Frequency Correlation EMSEC-Channel in indoor environments
4.1 Introduction
4.2 Measurement methodology
4.2.1 Measurement system
4.2.2 Measurement scenario and environment
4.3 Analysis of indoor EMSEC-Channel for Compromising Emanations
4.3.1 Frequency correlation property of indoor EMSEC-Channel
4.3.2 Pathloss characteristics of indoor EMSEC-Channel
4.4 Conclusion
Chapter 5 Emission Security Limits for Compromising Emanations
5.1 Introduction
5.2 Parameters for Emission Security Limits
5.2.1 Total radio attenuation
5.2.2 Radio noise
5.2.3 Antenna gain
5.2.4 Signal processing gain
5.2.5 Minimum SNR for reconstruction
5.2.6 Receiver noise figure
5.2.7 Calculation of emission security limits
5.3 Proposed Emission Security Limits
5.4 Comparison with Public Standards and Other Security Limits
5.4.1 CISPR 22 and MIL-STD-461E
5.4.2 Security limits for Markus Kuhn
5.4.3 ITU-T K.84 Guidelines
5.5 Conclusion
Chapter 6 Summary and Further Study
Bibliography
Abstract in Korean
Docto

    TEMPEST Font Protects Text Data against RF Electromagnetic Attack

    Nowadays the electromagnetic penetration of electronic devices is of great significance. Information processed in electronic form can be protected in different ways. Very often, the methods used limit the levels of valuable emissions, but such methods cannot always be implemented in commercial devices. A new solution (soft tempest) is proposed. The solution is based on a TEMPEST font. The font does not possess distinctive features. As a result, at the output of a side-channel attack, the possibility of recognizing each character that appears on the reconstructed image is limited for sources in the form of graphic lines (VGA and DVI). In this way the TEMPEST font protects processed data against electromagnetic penetration, and not only for the VGA and DVI standards. The data are also protected while being printed on laser printers.

    xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

    In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.

    Electromagnetic Eavesdropping

    Protection of information against electromagnetic penetration is a huge challenge. This issue applies especially to a computer station that processes protected information and that is a source of electromagnetic disturbances. These disturbances can be correlated with the processed graphic information. Therefore, they are very often called valuable or unintentional emissions. To protect the information, different electromagnetic compatibility engineering methods are used, e.g. electromagnetic gaskets, signal and power filters and electromagnetic shielding. The use of these methods causes a special device to become very heavy, and the looks of such a device aren’t nice. A new universal solution based on safe fonts is proposed. Safe fonts protect processed information against electromagnetic penetration for every graphic source of valuable emissions. These fonts protect not only the Video Graphics Array (VGA) but also the Digital Video Interface (DVI) standard. These fonts are also useful from the point of view of electromagnetic protection when laser printers are used. All analyses are based on images reconstructed from valuable emissions. These emissions are measured in a range of frequencies from 100 MHz to 1.5 GHz. Safe fonts are a simple solution that counteracts the electromagnetic eavesdropping process. They can replace expensive solutions based on shielding, zoning and filtering.

    Introduction to Electromagnetic Information Security
