22 January 2002: See TEMPEST Timeline: http://cryptome.org/tempest-time.htm

10 February 2000: Add two messages. Tempest effects in 1884.
7 February 2000: Add three messages. Tempest effects in 1914.
3 February 2000: Add message on East Germans.

1 February 2000. These are responses to Cryptome's request for information on the history of TEMPEST technology. Other comments or pointers to early research on TEMPEST are welcomed: jya@pipeline.com. Thanks.

For comprehensive TEMPEST information see: http://www.eskimo.com/~joelm/tempest.html.
Date: Sat, 15 Jan 2000 22:44:22 -0500 On Sat, Jan 15, 2000 at 09:18:55PM -0500, John Young wrote on cryptography@c2.net:
> A French journal claimed about TEMPEST in December 1999 that:

I've been told by people trained within the beast many years ago that at least one of the very first examples of TEMPEST type attack used by US intelligence (the NSA et al) if not the first was the accidental discovery that recordings made of encrypted Russian teletype messages captured by the Berlin tunnel wiretaps in the early 50s contained what at first seemed faint interfering clicks on the audio tone carriers carrying the teletype traffic, which later turned out to be from the electromagnets on the teletype machine printing the plaintext. By building suitable electronics to recover the faint impulses it became possible to reconstruct the cleartext of the traffic without breaking the electromechanical code machines used (probably not dissimilar to the US TYPEX or SIGABA machines and not that easy to break given computational capabilities of the era). Not being present at these briefings I cannot testify to the accuracy of what I was told or to the exact details of what was intercepted in the clicks (could just have been such things as stepping of the code wheels or other clues to breaking the cipher rather than the actual plaintext of traffic). I did get the impression from the story I was told that to some degree or another the discovery was accidental and fortuitous rather than as a result of some prior expectation that such an information leak existed. Whether knowledge of such information leaks went back further than the early 50s isn't clear to me. I think it fairly obvious to anyone who worked with the equipment and had the power of mind to think about what was going on and what he was hearing, but when and how the problem first came to the attention of those interested in exploiting it is less clear.

I can vouch for certain elements of the story in that I played around with radio teletype gear of the era back in the early 60's and actually had to overcome serious problems with radiated radio noise from the electromagnets in the machines as current to them was interrupted by a common device of the era called a polar relay. The spark gap transmitter formed by a polar relay and teletype electromagnet could generate considerable energy up and down the radio spectrum - enough energy to sometimes jam reception of the very radioteletype signal that was driving the machine. And this energy very obviously matched the information the machine was being fed to print. You presumably have read [Peter] Wright's Spycatcher, with its account of the British discovery of what they called Rafter - unintentional radiation of useful information from local oscillators of receivers. This is another form of TEMPEST attack, and many sources would place the origin of it as World War II era - when a great deal of effort went into shielding receivers so that local oscillator radiation would not provide a beacon for enemy submarines to home in on. I certainly was informed about Van Eck type attack on video display technology many years before Van Eck published his paper in 1985. It is hard for me to recall who told me about the vulnerability and when, but it must have been the early 70s or maybe the very late 60s. A lot of this depends on who actually succeeded in building an intercept system, and solved all the engineering problems of optimizing the pickup of useful signal and nulling out interference and so forth. Actually exploiting TEMPEST requires tricks which are still highly classified, some justifiably so because they are novel inventions and others pretty obvious to a technically trained investigator.
Date: Sun, 23 Jan 2000 14:40:26 GMT pgut001@cs.auckland.ac.nz (Peter Gutmann) wrote:
> I was reading an early-80's paper on OS security and it mentioned
Edited by Lance J Hoffman of UCB
This book covers publicly-available crypto of the period (looks very weak
now) Page 77
Passive infiltration may be accomplished by wiretapping or by electromagnetic Page 84
In addition to the spectrum of threats arising from wiretapping, electro-
12. R.L. Dennis, Security in computer environment, SP2440/000/01,
Another chapter has (starting on page 101) a section called "THE PARADOX OF
It should be noted that this Memorandum has been purposely written to be
So can anyone say whether there are interesting things in that ref 12 ?
Source: Hardcopy from Charles Babbage Institute Center for the History of Information Processing, University of Minnesota, Minneapolis, MN; The System Development Corporation Collection. This is an excerpt on electromagnetic radiation of computers (TEMPEST) from a 31-page computer security report.
UNCLASSIFIED AD 640 648
SECURITY IN THE COMPUTER ENVIRONMENT
Robert L. Dennis
System Development Corporation
Santa Monica, California
18 August 1966
Processed for . . . DEFENSE DOCUMENTATION CENTER DEFENSE SUPPLY AGENCY
------------------------------------------------------------------------------
This document is being distributed by the Clearinghouse for Federal Scientific and Technical Information, Department of Commerce, as a result of a recent agreement between the Department of Defense (DOD) and the Department of Commerce (DOC). The Clearinghouse is distributing unclassified, unlimited documents which are or have been announced in the Technical Abstract Bulletin (TAB) of the Defense Documentation Center.
------------------------------------------------------------------------------
SECURITY IN THE COMPUTING ENVIRONMENT
Robert L. Dennis
August 18, 1966
SYSTEM DEVELOPMENT CORPORATION
2500 COLORADO AVE
SANTA MONICA, CALIFORNIA 90406
A Summary of the Quarterly Seminar, Research Security Administrators - June 17, 1965 Santa Monica, California
------------------------------------------------------------------------------
August 18, 1966 -1- SP-2440/000/01 (Page 2 Blank)

INTRODUCTION

On June 17, 1965, System Development Corporation hosted a conference in behalf of the Research Security Administrators to look further at the problems of safeguarding classified information in relation to computers and computer technology. The meeting was the second of what is hoped will be a series of conferences to explore the many aspects of this general subject, ranging from the security aspect of time sharing to the protection of computer storage media. This summary is a digest of the presentations made by the panelists and includes some floor discussion on various topics as they were given. Research Security Administrators would welcome comments on this paper as well as suggestions of ways and means to best continue and broaden the extent and scope of these studies.
------------------------------------------------------------------------------
[Snip pp. 3-15; nothing on EMR.]
------------------------------------------------------------------------------
August 18, 1966 -16- SP-2440/000/01

ELECTROMAGNETIC RADIATION FROM COMPUTERS
Jerome A. Russell, Computation Division, University of California, Lawrence Radiation Laboratory

I am here to talk about electromagnetic radiation, and this we all have. Every machine radiates electromagnetic energy because of the wires transmitting current, and magnetic and electrostatic fields are generated by these--they are all actually little transmitters. The entire machine sends out radiation. Every time a magnetic tape transport starts and stops, you get wide bands of transmitted noise. Our problem is to minimize the possibility of someone outside the fence picking up these noises, and they can be picked up if you have a sophisticated enough receiver. At Livermore we have a radiation problem like everyone else, and you can't say, "Well, let somebody try to figure out what it all means," because that is not enough proof it's secure. I would hate to have this task myself; it would be a life-long job, I am sure. We do take pains to control the radiation as much as we can. The Edison Company lines coming in are all run through banks which have shielding in them. We do this to protect the computers, not necessarily to make the information secure, but it does keep the information from going back to the power lines. With the teletype setup, we have a multi-programming or multi-processing system which we call Octopus. We have twisted pair cables carrying the teletype leads to the physicists' and mathematicians' offices. These cables are enshielded according to a classified regulation which says you have to have a shield on it of a certain nature, and we do. We don't share the telephone facility with regular voice-lined systems.

[Snip balance of report; nothing on EMR.]
[Cryptome: The SDC report discusses how to compartmentalize files on time-shared computers so that deliberate or accidental access is denied to unauthorized users. While mentioned, encryption of files is not considered an option for denial of access, though the reasons for this are not given in the report. Other discussion was on how to remove classified data from electronic media -- "cores," "drums," disks and tapes -- to assure that no recovery is possible, even by the most sophisticated laboratory methods. Degaussing devices were novel then (1965): according to the report only one had been approved for classified data removal. There are indications that discussion of classified matters were omitted from the report.]
Date: Mon, 24 Jan 2000 08:46:56 -0500 Regarding the question of how far back TEMPEST goes, I took a look at David Kahn's "The Codebreakers" which was copyrighted in 1967. TEMPEST is not listed in the index. However I did find the following paragraph in a portion of the chapter on N.S.A. that discusses efforts to improve the US State Department's communications security (p. 714): "... the department budgeted $221,400 in 1964 for 650 KW-7's. ... The per-item cost of $4,500 may be due in part to refinements to prevent inductive or galvanic interaction between the key pulses and the plaintext pulses, which wire tappers could detect in the line pulse and use to break the unbreakable system through its back door. " This would be the electro-mechanical equivalent of TEMPEST and suggests that NSA was well aware of the compromising potential of incidental emanations long before the computer communications era. Another useful data point would be earliest reports about the BBC's system for detecting unlicensed television receivers. That system used vans equipped to detect a TV's local oscillator, but may well be an offshoot of emanations intelligence research.
From: "Steven M. Bellovin" <smb@research.att.com> > quoting David Kahn's "The Codebreakers" (1967): Similar attacks are discussed in Peter Wright's "Spycatcher". (Is that legal yet in the U.K.?) By chance, a profile of Transmeta's David Ditzel in today's NY Times states that his father was working on Tempest issues for NSA circa 1962.
New York Times, January 24, 2000: Designer Bets on Brainpower Over Battery Power [excerpt] David Ditzel, 43, recalled that his father, who was a chemical engineer employed by the Monsanto company, had moved the family to Washington under mysterious circumstances when little David was 5 years old. They lived there for two years. "I had no idea what he was doing, but 20 years later I learned that he had gone to work temporarily for the National Security Agency to work on their Project Tempest," Mr. Ditzel recalled. Tempest was a successful N.S.A. operation to secure electronic communications equipment from potential eavesdroppers.
Date: Mon, 24 Jan 2000 15:06:57 -0500 (EST) By 1970-71 the US Air Force was testing its own facilities for emanations, and as a low grade enlisted person with a Top Secret/Crypto clearance, I was allowed to see the results of a test conducted against a facility where I worked. The site used KY-8's and KY-28's, and we thought we were very secure. The people in the Tempest van read us like a book, having picked up signals on the way to KY's. I got the impression Tempest was fairly well institutionalized by then, at least in the USAF, and that some of the old hands had seen this before. I can't recall whether the term 'Tempest' itself was an acronym, although most sources now say it was not (e.g., online computer dictionary) but these sources could be wrong.
Date: Mon, 24 Jan 2000 17:14:34 -0800 TEMPEST (NACSIM-5001) was intended to prevent 'compromising emanations', including classified information leaking on encrypted links. This is the basic RED/BLACK separation. The rest is filtering, in general sufficient to meet FCC Part A. The KW-7/TSEC had an ancillary interface unit that provided additional filtering, but I don't believe it was available in 1964. The biggest impact to low baud rate secure teletype systems was the use of MIL STD 883B (low voltage, low current signalling roughly compatible with RS-232, although operating at +/- 6 Volts). Originally Teletypes used 60 milliamp current loops and mechanical relays. The result was enormous inductive spikes that could be detected at significant distances from the plaintext (RED) TTY. The current value was dropped to 20 MA. Eventually solid state relays were adopted based on cost. Another piece of equipment of the same era, the KG-13/TSEC (and various derivatives), had been modified by adding filtering modules and a 883B interface in a module on the back. There was a separated compartment for RED and BLACK interfaces, and the BLACK interface contained an AC power filter.

For those who have subscribed to 'Electronics' or 'Signal' over the years, you may have noticed a general lack of advertisements for TEMPEST tested equipment. This is in part due to requirements for SCIFs and TEMPEST waivers for intelligence end users. TEMPEST certifying is expensive, even more so than FCC/CDE, etc compliance testing, although roughly equivalent. The paper trail is probably reminiscent of aircraft parts. FIPS-140-1 is borrowed in part from the COMSEC audit for cryptographic systems. Throughout the history of COMSEC equipment, maintenance persons were forbidden the use of uncertified replacement parts, although from the mid '70s National Stocking Number parts in the Federal Supply System were crossed to unclassified components. Today, COMSEC equipment is all repaired at depots.
[The Thing does not appear to exploit EMR, but does it?]
From: "Alexandre Alvarez" <aalvarez@acm.org> "The Ultimate Spy" book (by Keith Melton, published by Dorling Kindersley) describes "the thing", a Russian spying device in the 1950's, it also features a lot of radio equipment and a non-contact (induction) spying device for telephones (based on the Hall phenomenon).
The Ultimate Spy Book, H. Keith Melton, London, 1996. p. 84. [Excerpt]

THE THING

In the early 1950s, a Soviet listening device was found in the American Embassy in Moscow. This came to the attention of the world when it was displayed at the United Nations by the American ambassador in May, 1960. It was a cylindrical metal object that had been hidden inside the wooden carving of the Great Seal of the United States -- the emblem on the wall over the ambassador's desk -- which had been presented to him by the Soviets. The Great Seal features a bald eagle, beneath whose beak the Soviets had drilled holes to allow sound to reach the device. At first, Western experts were baffled as to how the device, which became known as The Thing (illustration omitted here) worked, because it had no batteries or electrical circuits. Peter Wright of Britain's MI5 discovered the principle by which it operated. MI5 later produced a copy of the device (codenamed SATYR) for use by both British and American intelligence.

How the Thing Worked: A radio beam was aimed at the antenna from a source outside the building. A sound that struck the diaphragm caused variations in the amount of space (and the capacitance) between it and the tuning post plate. These variations altered the charge on the antenna, creating modulations in the reflected radio beam. These were picked up and interpreted by the receiver.
From: "Ben Noll" <gibubba@hotmail.com> From my uninitiated understanding, TEMPEST was originally designed during the Cold War era by the East Germans. Now, when it started, the equipment was supposedly a "threat" even though it took a tractor trailer and a support truck. Classified aside, what is the threat possibility in the modern age of miniaturization? Could it be man-portable? Is the importance still there like it was in the '60s?
Date: Thu, 03 Feb 2000 10:27:13 -0500 The released version of the official History of CBNRC [the agency that is now Canada's CSE] records that Communications Security Board policy paper CSB/82, approved in September 1959, expanded CBNRC's COMSEC mission to include provision of "technical advice and support on electronic emission security [ELSEC] matters".[1] It also records that CSB policy paper CSB/91, approved early in 1960, expanded the COMSEC mission to include TEMPEST: "The paper recommended that the Director CBNRC should assume responsibility in Canada for carrying out field tests and providing government departments with technical advice and assistance on radiation problems, and that he be authorized to acquire the resources required to carry out these tasks. CSB/91, therefore, was the mandate for CBNRC activity in the TEMPEST field."[2] I don't know, and it doesn't explain, the difference between these two fields. [1.] Kevin O'Neill, ed., History of CBNRC, 1987, Chapter 16, Annex F, pp. 1, 5. [2.] Ibid., Chapter 17, p. 43. - Bill Robinson
[By Cryptome] Source: http://www.tscm.com/TSCM101tempest.html "TEMPEST was 'invented' in 1918 when Herbert Yardley and his staff of the Black Chamber were engaged by the U.S. Army to develop methods to detect, intercept, and exploit covert radio transmitters. The initial research identified that "normal unmodified equipment" was allowing classified information to be passed to the enemy through a variety of technical weaknesses. A classified program was then created to develop methods to suppress these "compromising emanations". However, the actual acronym known as TEMPEST was only coined in the late 60's and early 70's (and is now considered an obsolete term, which has since, been replaced by the phrase "Emissions Security" or EMSEC)." About the author: "James M. Atkinson is one of a small number of people who have been formally certified and trained by the NSA as a TEMPEST Engineer, and Cryptographic Technician. He has extensive experience with the design and development of SIGINT systems to exploit and/or control compromising emanations. Additionally, he has many hours of experience working deep inside highly classified U.S. and NATO cryptographic, communications, and computer systems."
Date: Sat, 05 Feb 2000 11:10:05 -0500 We are researching a timeline for the history of TEMPEST technology and found an account which claims the earliest discovery of compromising emanations was in 1918 by Herbert Yardley and his American Black Chamber cryptology unit of the military.(1) David Kahn writes in The Codebreakers that Yardley went to Europe in 1918 to be instructed on Allied techniques for cryptanalysis and other intelligence tools, in particular British methods of M.I. 1(b).(2) We would appreciate leads or pointers to information in Great Britain on earliest mentions of TEMPEST technology, in particular any that might reveal whether it might have been the English who told Yardley about it. This is not to discount the possibility that the 'invention' was made in the US and that Yardley may have informed the Allies of it. We are putting contributions on the timeline at: http://cryptome.org/tempest.old Thanks very much. (1) http://www.tscm.com/TSCM101tempest.html [see preceding item] (2) The Codebreakers, Chapter 12, p. 354.
Date: Sun, 6 Feb 2000 12:52:10 +0000 (GMT) On Sat 05 Feb, John Young wrote: [see preceding item] The earliest mention of TEMPEST effects that I can recall relates to the interception by earth loop leakage of enemy field telephone conversations in late-1914. Prior to WW1, field telephones were connected using a single core insulated cable and earth return via ground spikes. This halved the weight and bulk of telephone cable to be laid; important considerations when keeping mobile brigade headquarters connected to rear divisional headquarters. The British Army used horse-drawn cable wagons from which cable could be laid at a full gallop; the most prized crew position being that of the horseman whose task was to guide the cable safely onto the top of a hedgerow or into a roadside ditch by means of a stick with a metal loop on its end. After the initial manoeuvres, WW1 quickly settled into static field siege warfare on the Western Front, in which units of the opposing sides were often entrenched within a very few hundred yards of each others' positions. As artillery fire direction became more important, telephone connections extended down to battalion/regimental level in the forward dugouts. It was very soon discovered that there was considerable crosstalk on field telephone circuits and that some of what could be heard emanated from the enemy side. Listening posts were quickly established to exploit the effect, using well-spaced earth spike pickups to maximise the strength of the intercepted signals. At the same time, of course, protective measures both procedural and technical were introduced; the latter including a massive programme to convert all field telephone circuits to a twin core cable configuration. All of the foregoing from memory of Major-General R F H Nalder's History of the Royal Corps of Signals. I cannot recall the publication date, but probably middle-1950s, since I last saw a copy in 1964. 
The USA did not enter WW1 until 1917, and I do not recall ever reading of any UK/USA intelligence cooperation prior to that date. Thus it seems improbable that the US Army could claim invention of TEMPEST technology per se, though there is no reason to dispute that Yardley and his colleagues were working in the radio effects field in 1918. It would be interesting to hear more about exactly what they were exploiting or protecting against; I think it would be too early for them to be direction-finding on superheterodyne oscillator signals radiated from spies' radio receivers. Regards to all, Mike. -- M J D Brown: Newhaven, Peterchurch, Herefordshire HR2 0RT, England
Date: Mon, 07 Feb 2000 10:56:23 +0000 At 12:52 06/02/2000, Mike Brown wrote:
> ... Prior to WW1, field telephones ... I am not unspeakably ancient but I did this -- in the early 1960s, in the school Cadet Force along the lanes of Sussex and with teams of highly-trained runners instead of a horse. The handsets were 1939-45 or later and I believed at the time that single-wire working had been current practice during that war.
> It was very soon discovered that there was considerable crosstalk That too. No hint to the enthusiastic youngsters that twin-wire was normal in the field. Rodney.
Date: Wed, 09 Feb 2000 22:14:36 +0000 Major General Nalder's "History of the Royal Corps of Signals" was indeed published in the late 50's, 1958 to be exact. Two references predate the quoted examples, one from the British Army Expedition to the Nile and Suakin in 1884-85 and a later one from the start of the First World War. The Nile / Suakin expedition identified the effects that TEMPEST was brought in to overcome. Induction interference meant the vibrators used to communicate with the front line troops had to be removed from the circuit. The Russians were regularly being intercepted by the Germans at the start of the Eastern Front campaign during the First World War. It directly contributed to the early defeat of the Russians, where two armies were defeated by a numerically smaller German force defending East Prussia. I accept the latter example is not pure Tempest, however it does lay the foundations for subsequent activities ...... indeed the Germans reacted to the easy interception of wireless by not using it as much as they would have wished. Surely this is indicative of the earliest forms of Tempest related activities (not using the medium !!). Communications interception occurred regularly throughout 1914 as the cavalry, equipped with wireless supplied signallers, were used in a dismounted role, releasing them to undertake communications interception duties. Also during October 1914 early direction finding experiments were carried out, using the first valve receiver, a Bellini Tosi. The next stage was during 1915 when it became necessary to take appropriate steps to prevent line communication interception by the Germans. During the early part of 1915, in an effort to rebuild communications post bombardments, a large number of earth return circuit cables had been laid by non communications trained troops with chaotic results. At the same time, German attempts to tap French lines were identified.

This led to the first serious efforts to identify crosstalk, and indeed whether physical connection was required to intercept signals; these were conducted during June and July 1915 using a wireless receiver coupled to repeating coils in the ratio of 1 to 16. Telephone conversations could be heard at ranges of up to 100 yards and buzzer signals 300 yards. By August, the French were able to intercept German signals using a well earthed low-resistance telephone receiver. These developments led to the issuing of the first set of counter-measures and the creation of listening apparatus. Valve listening sets were tried out during 1916 and earth return circuits were abolished in the forward zones (3000 yards), being replaced with twisted cable metallic circuits. During Oct 1916 early attempts to jam listening devices using buzzers started. These were unsuccessful, tending to drown out friendly conversations as well. German interception techniques were ahead of Allied ones and this had the consequence of ensuring their com-sec procedures were also ahead. However, British attempts to nullify interception resulted in the development of the small current DC signalling phone (nicknamed Fullerphone) at the end of 1915, invented by Captain A C Fuller. After field trials it was put into full scale production during 1916. Thus this would be the first recorded active Tempest activity as a result of orders from the Director of Army Signals to the Signal Service Training Centre issued in August 1915. It was here that Captain Fuller worked and invented the Fullerphone. However, I do believe due credit must be given to the Germans who had clearly led the developments up to this point. Maybe some more research will unearth information in this area, however after similar research regarding Second World War developments proved rather fruitless, I don't hold out much hope.
It only remains to say that the experiences learnt during this period were then passed on to the US Army units being trained in England and France prior to being committed to the front line. It may well be here that the US Signal Corps carried on further work with (or via) Herbert Yardley and his American Black Chamber model !! Regards Adrian