This invention is related to the protection of confidential computer data against eavesdroppers who try to reconstruct it from the electromagnetic emanations generated by computers.
It has been known to military organizations since at least the early 1960s that computers generate electromagnetic radiation which not only interferes with radio reception, but which also makes information about the processed data available to a remote radio receiver (see for example Peter Wright: Spycatcherxe2x80x94The Candid Autobiography of a Senior Intelligence Officer. William Heinemann Australia, 1987, ISBN 0-85561-098-0). Known as compromising emanation or Tempest radiation, this electromagnetic broadcast of data has been a significant concern in security-sensitive computer applications. Compromising emanations of video display units (see for example Wim van Eck: Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk? Computers and Security vol 4 (1985) 269-286; Erhard Mxc3x6ller, Lutz Bernstein, Ferdinand Kolberg: Schutzmaxcex2 nahmen gegen kompromittierende elektromagnetische Emissionen von Bildschirmsichtgerxc3xa4ten [Protective measures against compromising electromagnetic emissions from video display terminals]. Labor fxc3xcr Nachrichtentechnik, Fachhochschule Aachen, Aachen, Germany) and serial data cables (see Peter Smulders: The Threat of Information Theft by Reception of Electromagnetic Radiation from RS-232 Cables. Computers and Security vol 9 (1990) 53-58) have been described in the open literature. One common and expensive countermeasure is to fit metallic shielding to the device, the room, or the entire building (see Electromagnetic Pulse (EMP) and Tempest Protection for Facilities. Engineer Pamphlet EP 1110-3-2, 469 pages, U.S. Army Corps of Engineers, Publications Depot, Hyattsville, Dec. 31, 1990; and Deborah Russell, G. T. Gangemi Sr.: Computer Security Basics. O""Reilly and Associates, 1991, ISBN 0-937175-71-4). Cross-correlation test methods suitable for verifying the effectiveness of such shielding have been described in Wolfgang Bitzer, Joachim Opfer: Schaltungsanordnung zum Messen der Korrelationsfunktion zwischen zwei vorgegebenen Signalen [Circuit arrangement for measuring the correlation function between two given signals]. German Patent DExcx9c3911155xcx9cC2, Deutsches Patentamt, Nov. 11, 1993, and Joachim Opfer, Reinhart Engelbart: Verfahren zum Nachweis von verzerrten und stark gestxc3x6rten Digitalsignalen und Schaltungsanordnung zur Durchfxc3xchrung des Verfahrens [Method for the detection of distorted and strongly interfered digital signals and circuit arrangement for implementing this method]. German Patent DExcx9c4301701xcx9cC1, Deutsches Patentamt, May 5, 1994. Devices that generate a correlated jamming signal in order to make eavesdropping more difficult have been described in John H. Dunlavy: System for Preventing Remote Detection of Computer Data from TEMPEST Signal Emissions. U.S. Pat. No. 5,297,201, Mar. 22, 1994, and Lars Hoivik: System for Protecting Digital Equipment Against Remote Access. U.S. Pat. No. 5,165,098, Nov. 17, 1992.
The electromagnetic data-dependent signals generated by computers and emanated over the air, or via power supply and communication cables, are rather weak and distorted. In addition, if several computers are located in close proximity, their signals will be overlaid. The eavesdropper will therefore use various techniques to separate the signals of interest from the background noise before attempting further decoding (see Markus G. Kuhn, Ross J. Anderson: Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations, in David Aucsmith (Ed.): Information Hiding, Second International Workshop, IH""98, Portland, Oreg., USA, Apr. 15-17, 1998, Proceedings, LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4, pp. 126-143). Periodic averaging is a very powerful noise elimination technique and can be applied to many signals of particular interest from computer systems that process confidential data. If the signal of interest s(t) has a known period T such that s(t)=s(t+T) most of the time, then the eavesdropper can reconstruct from the received noisy signal r(t)=s(t)+n(t), where n(t) is uncorrelated background noise, a noise-reduced estimate of the signal from a moving average:       ζ    ⁡          (      t      )        =                    1                              n            2                    -                      n            1                    +          1                    ⁢                        ∑                      i            =                          n              1                                            n            2                          ⁢                  xe2x80x83                ⁢                              s            ⁡                          (                              t                +                iT                            )                                ⁢                      xe2x80x83                    ⁢          for          ⁢                      xe2x80x83                    ⁢          0                      ≤    t     less than     T  
which has a significantly better signal-to-noise ratio than s(t).
Three periodic signals found in a typical computer may contain confidential information and are thus of particular interest to an eavesdropper:
1. The video display signal is generated by writing the content of the display frame buffer to the display with a period equivalent to the vertical refresh frequency of the cathode-ray tube, liquid crystal panel, or other display device.
2. A microcontroller or a specialized circuit in the keyboard applies voltages in succession to each row of a matrix circuit to which the keys are connected. Scanning the column lines for this voltage allows the microcontroller or specialized circuit to determine which key is currently pressed in order to report the appropriate key code word to the main processor (see Ed L. Sonderman, Walter Z. Davis: Scan-controlled keyboard, U.S. Pat. No. 4,277,780, Jul. 7, 1981). This scan cycle is repeated with high frequency to ensure that no key-press events are missed. The sequence of instructions executed in the scan loop often depends on which key is currently pressed. Therefore the precise shape of the emanations reveals information about key presses, and manually entered text may be reconstructed by an eavesdropper.
3. In most mass storage devices such as magnetic or magneto-optical discs, data is organized into storage tracks and a motor moves the head between them. After data has been read from or written to a track, the head usually remains located on that track until a request to access another track is received. During this time, the readout amplifier receives, amplifies and emits the data content of the storage track periodically, where the period is identical to the rotation time of the disk.
The present invention is a low-cost means of making it more difficult for an eavesdropper to gain knowledge about the data processed on a normal computer system that features standard components such as a video display, a keyboard and a hard disk. In its most general terms the presents invention proposes that instead of, or in addition to, physical screening of an electronic system, the system should be designed or modified to reduce (or substantially eliminate) the generation of electromagnetic signals which are periodic or otherwise predictable.
Accordingly, the invention may be expressed as a method of obstructing the reconstruction of information contained in an electronic apparatus from electromagnetic emissions, by reducing the energy of certain periodic signals in electromagnetic emissions generated by the system and destroying the periodicity of residual signals or other signals.
These methods may involve only software or firmware changes in the computer system and can therefore be implemented at a much lower cost than the conventional techniques described above, in which electromagnetic radiation is reabsorbed after it has been generated (i.e. physical shielding). They may also be implemented using low-cost hardware devices. Whether they are implemented in software, firmware or hardware, these techniques can also be combined with traditional physical shields in order to provide an independent layer of protection against shield failure.
The general means of protection is to render signals more difficult for an attacker to recover using periodic averaging and cross-correlation techniques. Three specific methods are filtering out from periodic signals those spectral components that cause the highest levels of compromising radiation, spreading the spectrum of the residual information-bearing radiation using a sequence unknown to the attacker, and removing periodic signals directly. We will describe examples of these three techniques in turn.
An example of the first method consists of displaying text on the video display device using a special font that employs a plurality of pixel luminosities in order to represent character glyphs. The use of more than two pixel luminosities to display anti-aliased characters and thus avoid staircase effects in slanted lines and italic characters has been described in Richard B. Preiss, John C. Dalrymple: System and method for smoothing the lines and edges of an image on a raster-scan display, U.S. Pat. No. 4,672,369, Jun. 9, 1987, and Bradley J. Beitel, Robert D. Gordon, Joseph B. Witherspoon III: Anti-alias font generation, U.S. Pat. No. 5,390,289, Feb. 14, 1995}. The innovation in the present invention is to use a font specially designed so that the horizontal spatial frequency spectrum of the glyphs is adapted to the emission spectrum of the video display device so as to reduce the broadcast energy and thus minimize the range within which eavesdroppers can identify the displayed characters.
An example of the second method consists, firstly, of using a random number generator to select one of a number of character glyphs which are visually similar but which are generated by different video signals, in order to make it more difficult to reconstruct the signal using signal processing techniques; and secondly, introducing a variable delay into the keyboard matrix scan cycle, which makes it harder for eavesdroppers to reconstruct the compromising emissions of the keyboard. The innovation in the present invention is to randomise the inadvertently emitted signal and thus make its reconstruction by an attacker more difficult.
An example of the third method is to modify the device driver software or controller firmware responsible for the control of disk drives, or in general any mass storage device that uses moveable read/write heads to access a plurality of storage tracks on the surface of a storage medium. The innovation in the present invention is to park inactive read/write heads on a storage track that does not contain confidential data.