This paper presents a new attack on keyboards.
\smallskip

The attack consists in depositing on each keyboard key a small
ionic salt quantity ({\sl e.g.} some NaCl on key 0, some KCl on
key 1, LiCl on key 2, SrCl$_2$ on key 3, BaCl$_2$ on key 4,
CaCl$_2$ on key 5...). As the user enters his PIN, salts get mixed
and leave the keyboard in a state that leaks secret information.
Nicely enough, evaluating the entropy loss due to the chemical
trace turns out to be a very interesting combinatorial exercise.
\smallskip

Under the assumption that mass spectroscopic analysis can reveal with accuracy
the mixture of chemical compounds
generated by the user, we show that, for moderate-size
decimal PINs, the attack would generally disclose the PIN.
\smallskip

The attack may apply to door PIN codes, phone numbers dialed from
a hotel rooms, computer keyboards or even ATMs.
\ss

While we did not implement the chemical part of the attack, a number of mass spectrometry
specialists confirmed to the authors its feasibility

David Naccache

Eric Brier

Pascal Paillier

Cryptology ePrint Archive

Chemical Combinatorial Attacks on KeyboardsEric Brier David Naccache, Pascal PaillierGemplus Card International Gemplus Card InternationalApplied Research & Security Centre Applied Research & Security CentreLa Vigie. Avenue des Jujubiers 34 rue GuynemerLa Ciotat, F-13705, France Issy les Moulineaux cedex, F-92447, Franceeric.brier@gemplus.com {david.naccache,pascal.paillier}@gemplus.comAbstract. This paper presents a new attack on keyboards.The attack consists in depositing on each keyboard key a small ionic saltquantity (e.g. some NaCl on key 0, some KCl on key 1, LiCl on key 2,SrCl2 on key 3, BaCl2 on key 4, CaCl2 on key 5...). As the user entershis PIN, salts get mixed and leave the keyboard in a state that leakssecret information. Nicely enough, evaluating the entropy loss due to thechemical trace turns out to be a very interesting combinatorial exercise.Under the assumption that mass spectroscopic analysis can reveal withaccuracy the mixture of chemical compounds generated by the user, weshow that, for moderate-size decimal PINs, the attack would generallydisclose the PIN.The attack may apply to door PIN codes, phone numbers dialed from ahotel rooms, computer keyboards or even ATMs.While we did not implement the chemical part of the attack, a numberof mass spectrometry specialists confirmed to the authors its feasibility.1 IntroductionThis paper presents a new attack on keyboards and PIN-pads.The attack consists in depositing on each keyboard key a small ionic saltquantity (e.g. some NaCl on key 0, some KCl on key 1, LiCl on key 2, SrCl2 onkey 3, BaCl2 on key 4, CaCl2 on key 5...). As the user enters his PIN, salts getmixed and leave the keyboard in a state that leaks secret information.This first phase of the attack is illustrated below for the PIN 1592.1 2 3c1 c2 c34 5 6c4 c5 c67 8 9c7 c8 c9* 0 #c0Ã1 2 3c1 c2, c9, c5, c1 c34 5 6c4 c5, c1 c67 8 9c7 c8 c9, c5, c1* 0 #c02The second part of the attack consists in collecting samples from the keyboardand analyzing these using a mass spectrometer (e.g. [1]).In mass spectrometry, a substance is bombarded with an electron beam hav-ing sufficient energy to fragment the molecule. The positive fragments which areproduced (cations and radical cations) are accelerated in a vacuum through amagnetic field and are sorted on the basis of mass-to-charge ratio. Since the bulkof the ions produced in the mass spectrometer carry a unit positive charge, thevalue m/e is equivalent to the molecular weight of the fragment. The analysis ofmass spectroscopy information involves the re-assembling of fragments, workingbackwards to generate the original molecule. A schematic representation of amass spectrometer is shown below:Figure A.A very low concentration of sample molecules is allowed to leak into the ion-ization chamber (which is under a very high vacuum) where they are bombardedby a high-energy electron beam. The molecules fragment and the positive ionsproduced are accelerated through a charged array into an analyzing tube. Thepath of the charged molecules is bent by an applied magnetic field. Ions havinglow mass (low momentum) will be deflected most by this field and will collidewith the walls of the analyzer. Likewise, high momentum ions will not be de-flected enough and will also collide with the analyzer wall. Ions having the propermass-to-charge ratio, however, will follow the path of the analyzer, exit throughthe slit and collide with the Collector. This generates an electric current, whichis then amplified and detected. By varying the strength of the magnetic field,the mass-to-charge ratio which is analyzed can be continuously varied.The output of the mass spectrometer shows a plot of relative intensity versusthe mass-to-charge ratio (m/e). The most intense peak in the spectrum is termedthe base peak and all others are reported relative to it’s intensity. The peaksChemical Combinatorial Attacks on Keyboards 3themselves are typically very sharp, and are often simply displayed by the deviceas vertical lines.The process of fragmentation follows simple and predictable chemical path-ways and the ions which are formed will reflect the most stable cations andradical cations which that molecule can form. The highest molecular weightpeak observed in a spectrum will typically represent the parent molecule, minusan electron, and is termed the molecular ion.Having inferred what chemicals each keys contain, the attacker can proceedand try the PIN candidates one by one. The next section focuses on this thirdcombinatorial aspect of the attack1.2 Combinatorial AnalysisWe denote by Pd` the set of PINs of length ` chosen amongst d digits. Thechemical trace of a PIN is a map which associates to each digit the set of itspredecessors on the keyboard. We denote by τ(p) the chemical trace of PIN pand define the set of all possible traces as T d` = τ(Pd`).2.1 Action of PermutationsThe permutation group Sd on digits has a natural action on PIN values and thisaction extends to the traces. We define the cosets under this action as:P̃d` = Pd` /Sd and T̃ d` = T d` /SdThe trace map extends to cosets as a map:τ̃ : P̃d` −→ T̃ d`Representatives of cosets in P̃d` are easy to define: these are PINs wherein thedigit 0 is used before 1, which is used before 2 etc. We call such PINs canonicalPINs.The cardinality of P̃d` , which equals the number of canonical PINs of length`, is easy to compute by virtue of the following proposition:Proposition 1. ]P̃d` is the exponential Bell number B` as soon as d ≥ `.Proof. It suffices to exhibit a bijective map between canonical PINs and par-titions of the set {1, 2, · · · , `}. To associate a partition to a canonical PIN, wepack together positions where the digits take the same value. To map back apartition to a canonical PIN, we just associate a value to each partition, suchthat new digits occur in ascending order. ut1 It should be stressed that while we did not experiment the chemical part of the at-tack, a number of spectrometry experts (Henri Boccia, Jorge Davilla etc.) confirmedto the authors its practical feasibility.4The following definitions will be useful in order to study the set T̃ d` .Definition 1. Let p be a PIN. The signature of a digit δ in p is given by (a, b) ∈N × N, where a is the number of predecessors of δ and b the number of itssuccessors.In the following definition, we use an ordering of the set N × N. The chosenordering is not relevant, the lexicographic order being just fine for our purpose.Definition 2. Let p be a PIN. The signature of p is the ordered list of thesignatures of p’s digits.Example: The signature of p = 47524 is {(2, 4), (3, 3), (4, 2), (4, 4)}. Thissignature was computed as follows: Digit 7 has two predecessors (4 and itself)and four successors (itself, 5, 2, and 4) hence the element (2, 4) in the signature.Digit 5 has three predecessors (4, 7 and itself) and three successors (itself, 2and 4) hence the element (3, 3) in the signature. Digit 2 has four predecessors(4, 7, 5 and itself) and two successors (itself and 4) hence the element (4, 2) inthe signature. Finally, digit 4 has four predecessors (itself, 7, 5 and 2) and foursuccessors (7, 5, 2 and itself) hence the element (4, 4) in the signature.The definition of the signature only considers predecessors and successors andcan thus be naturally extended to traces. We give without a proof the followingproposition:Proposition 2. The signature is invariant under the action of the group Sd.Furthermore, two traces t1 and t2 have the same signature if and only if thereexists a permutation σ ∈ Sd such that:t2 = σ · t12.2 How Many PINs Are There?We intend to count the number of PINs p such that τ(p) = t. Let P be thepre-image of t̃ through the function τ̃ . Within each coset ci in P, there exists(at least) a PIN πi such that τ(πi) = t.Let p denote a PIN such that t = τ(p). We have t̃ = τ̃(p̃). This implies thatthere exists an index i such that p̃ = π̃i, which can be expressed as p = σ · πi.Transposing to traces, we get:t = τ(p) = τ(σ · πi) = σ · τ(πi) = σ · t.Putting things together, the number of PINs p satisfying τ(p) = t is equal tothe product of the number of cosets in the preimage of t̃ by the number ofpermutations σ such that σ · t = t. We call the set of such permutations thestabilizer of t.The signature of the trace t is an ordered set of couples of integers. This setcan be permuted. The stabilizer of this signature consists in the permutationsChemical Combinatorial Attacks on Keyboards 5leaving the set ordered. It is possible to prove that the stabilizer of the trace andthe stabilizer of its signature have the same number of elements. The advantagehere is that the signature’s stabilizer is much easier to determine than the trace’sstabilizer.3 Evaluating the Entropy Loss Due to the AttackTo quantify the amount of secret information revealed by the attack, we denoteby w(p) the number of PINs q such that τ(p) = τ(q). We need to evaluatefor each integer n the function ed` (n) counting the number of PINs satisfyingw(p) = n. The observations made in the in the previous section allow to performthis task.Step 1 Produce all the canonical PINs recursively. The function doing that issimply (Mathematica notation):Rec[lst , k , n ] := Module[{i},If[k == 0, Treat[lst]; Return[]];For[i = 1, i ≤ n, i++, Rec[Append[lst, i], k - 1, n]];Rec[Append[lst, n + 1], k - 1, n + 1];];Note that whenever a canonical PIN is generated, Rec launches Treat on it.Step 2 Treat Computes the signature of a canonical PIN. The intermediatevariable pre contains the number of predecessors of each digit and suc containsthe number of successors of each digit. Using Transpose, one obtains for eachdigit the number of its predecessors and successors. Sorting the so-obtained listyields the PIN’s signature:Treat[lst ] := Module[{t, l, s, i, j},l = Max[lst];t = 1;pre = Table[i, {i, 1, l}];For[i = 1, i ≤ Length[lst], i++,t = Max[t, lst[[i]]];pre[[lst[[i]]]] = t;];suc = {};For[i = 1, i ≤ l, i++,s = 0;For[j = 1, j ≤ l, j++, If[pre[[j]] ≥ i, s++]];AppendTo[suc, s];];τ = Sort[Transpose[{pre, suc}]];AppendTo[types, τ];];6Step 3 We can now count for each signature the number of correspondingcanonical PINs and multiply the result by the cardinality of the signature’sstabilizer (given by AutoSym):Nice[lst ] := Sort[({Length[Position[lst, #]], #}) & /@ Union[lst]];AutoSym[lst ] := Times @@ ((#[[1]]!) & /@ Nice[lst]);Compute[l , d ] := Module[{ν, σ, nb, z, a, m, n},(* computing canonical PINs *)types = {};Rec[{1}, l - 1, 1];(* grouping traces *)ν = Nice[types];(* computing entropy *)nb = z = 0;For[i = 1, i ≤ Length[ν], i++,σ = AutoSym[ν[[i, 2]]];a = ν[[i, 1]]*σ;m = Max @@ ν[[i, 2]];n = ν[[i, 1]]*(d!/(d - m)!);nb += n;z += Log[2, a]*n;];Print[N[z/nb, 20], " bits"];];Which evaluation (e.g. In[1]:= Compute[9,10]) yields:5.2080553744037319192 bits4 Results For Decimal PINs (d = 10)In this section, we report for 3 ≤ ` ≤ 8, the number of PINs having a given wvalue and H(Pd` ), the amount of information (PIN entropy) not recovered bythe chemical attack. The authors actually computed e10` (n) for 3 ≤ ` ≤ 12 andall n values but the tables for ` ≥ 9 are too voluminous to be included here (68,122, 226 and 429 nonzero n values were respectively found for ` = 9,10,11 and12).Chemical Combinatorial Attacks on Keyboards 7n ` = 3 ` = 4 ` = 5 ` = 6 ` = 7 ` = 81 730 5770 45370 337690 2268010 134870502 270 1440 15120 120960 967680 78624003 24304 20520 35280 635040 67132805 1516506 4320 9077407 5040 42342308 360 806409 45360 81648010 7200 57600 655200 604800011 332640 565488012 1440 110880 181440 556416013 196560014 84672015 46440016 665280020 10080021 319032022 990 66528024 48384028 42336030 2160032 23040 40320 193536035 123480036 136080038 38304044 33264047 426384048 48384052 2340 314496056 141120 169344058 730800060 181440068 102816070 211680084 60480102 73440108 12960114 5130120 201600128 967680132 1995840140 1411200144 30240 362880152 191520198 1140480240 10800303 218160336 1693440456 1149120600 72000720 12096002304 4838402664 319680Table 2. Values of e10` (n).` 3 4 5 6 7 8 9 10 11 12H(P10` ) 0.27 0.63 1.15 1.84 2.74 3.86 5.21 6.80 8.62 10.68Table 3. Values of H(P10` ).84.1 Attacking Ratified PINsPIN codes are usually protected against guessing by ratification counters. Aratification counter simply counts the number of presentations of false PINs andblocks the system as soon as this number reaches a threshold r. The followingtable lists the attacker’s success probability for d = 10 as a function of ` and r.Typically, in the case of usual ATMs (` = 4, r = 3), the attack will succeedin 98% of the cases. In GSM cards (where ` = 8, r = 3) the attacker’s successodds will still be 37%.` ½ 3 4 5 6 7 8 9 10 11 12r = 1 0.865 0.734 0.604 0.469 0.339 0.226 0.137 0.074 0.035 0.014r = 2 1.000 0.892 0.754 0.600 0.452 0.318 0.204 0.117 0.059 0.025r = 3 1.000 0.978 0.829 0.671 0.517 0.370 0.242 0.142 0.073 0.032r = 4 1.000 0.982 0.903 0.742 0.581 0.422 0.280 0.167 0.088 0.040r = 5 1.000 0.986 0.926 0.804 0.629 0.458 0.305 0.184 0.098 0.045r = 6 1.000 0.991 0.950 0.836 0.678 0.493 0.330 0.201 0.108 0.050r = 7 1.000 0.996 0.966 0.868 0.711 0.529 0.355 0.217 0.118 0.055r = 8 1.000 1.000 0.974 0.899 0.744 0.558 0.380 0.234 0.127 0.060Table 4. Ratification Counter Probabilities for d = 10.5 CountermeasuresA tactile screen keyboard where digits are assigned random positions seemsto be the most efficient protection against the attack described in this pa-per. Low-tech but nonetheless efficient countermeasures consist in assigning adifferent finger to each key or, alternatively, keying the obfuscation sequence0123456789876543210 before using the terminal...References1. http://chipo.chem.uic.edu/web1/ocol/spec/MS1.htmChemical Combinatorial Attacks on Keyboards 9APPENDIXCanonical PINs for d = 10 and ` = 4canonical0000111122223333444455556666777788889999000100020003000400050006000700080009111011121113···9998001000200030004000500060007000800090110111211131···9989001100220033004400550066007700880099110011221133···9988001200130014001500160017001800190021002300240025···9987010002000300040005000600070008000900101112111311···9899010102020303040405050606070708080909101012121313···9898010201030104010501060107010801090201020302040205···9897011002200330044005500660077008800990100112211331···9889011102220333044405550666077708880999100012221333···9888011201130114011501160117011801190221022302240225···9887012001300140015001600170018001900210023002400250···9879012101310141015101610171018101910212023202420252···9878012201330144015501660177018801990211023302440255···9877012301240125012601270128012901320134013501360137···9876

Chemical Combinatorial Attacks on Keyboards

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive