15 January 2001

To: cryptography@c2.net
From: daw@mozart.cs.berkeley.edu (David Wagner)
Subject: Re: NONSTOP Crypto Query
Date: 13 Jan 2001 02:23:16 GMT

In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK:

... It is our belief that most operational cryptanalysis makes use of side-channel information.  [...]  And Peter Wright discussed data leaking onto a transmission line as a side channel used to break a French cryptographic device [Wri87].

The (unclassified) military literature provides many examples of real-world side channels.  [...]  Peter Wright's crosstalk anecdote is probably what the HIJACK codeword refers to [USAF98]. Along similar lines, [USAF98] alludes to the possibility that crosstalk from sensitive hardware near a tape player might modulate the signal on the tape; [USAF98] recommends that tapes played in a classified facility be degaussed before they are removed, presumably to prevent side channels from leaking. Finally, one last example from the military literature is the NONSTOP attack [USAF98, Chapters 3-4]: after a careful reading of unclassified sources, we believe this refers to the side channel that results when cryptographic hardware is illuminated by a nearby radio transmitter (e.g. a cellphone), thereby modulating the return signal with information about what the crypto gear is doing [AK98]. ...

[AK98] R. Anderson and M. Kuhn, "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations," Proc. 2nd Workshop on Information Hiding, Springer, 1998.

[USAF98] US Air Force, Air Force Systems Security Memorandum 7011 -- Emission Security Countermeasures Review, 1 May 1998.

[Wri87] P. Wright, Spycatcher, Viking Penguin Inc., 1987.

The above is excerpted from the conclusions of J. Kelsey, B. Schneier, D. Wagner, C. Hall, "Side channel cryptanalysis of product ciphers", Journal of Computer Security, vol. 8, pp. 141--158, 2000.


Do remember, please, that these are just guesses.

Also, credit is due to Ross Anderson and Markus Kuhn for informative discussions on this topic.