Professional Documents
Culture Documents
1 Introduction
The unintentional emanation of physical energy is a major threat to privacy. Ad-
versaries can eavesdrop on sensitive information via electromagnetic emanation
from computers or their peripherals. Tempest refers to the techniques, investi-
gations, and studies of compromising emanations and their application to eaves-
dropping, as well as to the information leakage through emanations. Tempest has
been a concern regarding computer security in military and governmental insti-
tutions for a long time; however, much of the information gathered on Tempest
technologies has not been publicly disclosed.
Several Tempest test receivers are now available to non governmental insti-
tutions, and a few researchers have published details of their experiments [1,
2, 4, 8, 10]. These papers have verified that Tempest is a potential problem and
warn that it is a serious issue. Kuhn and Anderson [6, 8] have proposed a coun-
termeasure; the use of a filtered fonts with spectral characteristics. They claim
that their fonts, called the Tempest fonts, significantly reduces the effective range
of eavesdropping at a negligible cost in image quality and prevents adversaries
obtaining on-screen information.
In this paper, we report on our experiments on the reconstruction of images
containing text written in the Tempest fonts and verify the effectiveness in a
particular situation. We also show that the fonts do not provide sufficient secu-
rity in certain attack models where the adversary uses sophisticated equipment.
Furthermore, we propose and discuss an alternative to the Tempest fonts. Kuhn
and Anderson use only Fourier transformation as a low-pass filter. We use a
C.H. Lim and M. Yung (Eds.): WISA 2004, LNCS 3325, pp. 457–469, 2004.
c Springer-Verlag Berlin Heidelberg 2004
458 Hidema Tanaka, Osamu Takizawa, and Akihiro Yamamura
2 Tempest Fonts
Kuhn and Anderson [6, 8] performed experiments on recovering PC screen images
using an ESL model 400 Tempest monitoring receiver and a dipole antenna. They
developed the Tempest fonts to protect privacy from the Tempest threat, and
their Tempest fonts package can be downloaded at [7]. The fonts contained in
the package is a filtered and anti-aliased version of the Courier font.
Kuhn and Anderson claim that the Tempest fonts provide adequate security
in a certain situation at less cost than preparing perfectly shielded devices and
peripherals.
3 Outline of Experiments
3.1 Equipment
In our experiments, we used an FSET22 receiver and FrameControl ver. 4.24
image processing software. The FSET22 specifications are shown in Table 1.
FrameControl can process the signal from the FSET22 at 256 frames/3 s. We
used an Anritsu MP666A logarithm periodic antenna (20 ∼ 2000 MHz), an
Anritsu MA2601B/C near magnetic field probe (5 ∼ 1000 MHz) and a TOKIN
EIP-100 injection probe (80 KHz ∼ 30 MHz).
The effectiveness of image processing is especially important. Our image pro-
cessing software could create an averaged image from up to 256 frames. The soft-
ware we used has almost the same capabilities as Adobe Photoshop, and it works
in real time. Note that our equipment is not classified and can be purchased from
a commercial firm.
1. eavesdroppers embed a near magnetic field probe in the vicinity of the target,
2. eavesdroppers try to catch emanation outside of the room in which the target
machine is located,
3. eavesdroppers try to receive signals transmitted by the power supply line.
The results of each experiment are described in Sections 4.1, 4.2, and 4.3,
respectively.
[Step 1] Search for the source location of the electromagnetic wave emission.
[Step 2] Adjust the parameters for the received frequency.
[Step 3] Adjust the parameters for the synchronous frequency.
[Step 4] Apply image processing.
460 Hidema Tanaka, Osamu Takizawa, and Akihiro Yamamura
We repeated these steps until we got a clear reconstruction of the target dis-
play. Measurement of the synchronous frequency using a probe is very important
in Tempest. Our instruments were accurate to within six figures below a decimal
point with regard to both the horizontal and vertical frequencies of the VGA
signal. Since the synchronous frequency is a unique value for each PC, if we know
the correct parameters for the synchronous frequency, we do not have to carry
out Step 3. We show both the horizontal and vertical synchronous frequencies for
each of our targets in Table 2. Since the CRT was connected to the VAIO VGA
connector, the synchronous frequencies of the CRT and VAIO were identical.
4 Experiments
In this experiment, we placed the near magnetic field probe very close to the
targets (the IBM, VAIO, and CRT). Reconstructed images (for the IBM and
CRT) obtained by averaging 128 frames are shown in Fig. 2. The reconstructed
image for the VAIO was almost the same as that for the IBM, so we do not show
it in Fig. 2. The parameter values that provided the best results for the IBM and
CRT are listed in Table 3. We can distinguish many characters in the Tempest
fonts from the images in Fig. 2; this led us to conclude that we can obtain the
semantics of text (natural language) written in the Tempest fonts.
Evaluation and Improvement of the Tempest Fonts 461
Table 3. Parameter values used to reconstruct images using the near magnetic field
probe.
Frequency [MHz] Bandwidth [MHz]
IBM 461.2 20.0
CRT 57.4 20.0
Fig. 3. Reconstructed image of Tempest font averaged from 128 frames obtained using
an antenna at a distance of 4 m: (left) VAIO, (right) CRT.
Fig. 4. Reconstructed image of Tempest font averaged from 128 frames obtained using
an injection probe. The probe was set about 30 m from the CRT.
Fig. 6. Another processed reconstructed image of Tempest fonts. (We used the same
image as in the left figure of Fig. 2.)
constructed images. An attack using near magnetic field probes is the most dan-
gerous in terms of the reconstructed image quality, so countermeasures against
Tempest attacks should be evaluated in terms of their effectiveness against at-
tacks using near magnetic field probes. In Section 5, we evaluate an improvement
made to the Tempest fonts in experiments where we used only near magnetic
field probes.
Evaluation and Improvement of the Tempest Fonts 465
our filtered fonts. Compared to the Tempest fonts (Fig. 1), our filtered fonts is
grayer and characters like are harder to read.
Fig. 8. Best reconstructed image of (left) Tempest fonts and (right) our filtered fonts.
(IBM, near-magnetic-field probe).
6 Conclusion
should be used in the Fourier transformation and Gaussian filter differ depend-
ing on the type and size of the source font and the pertinent environment. Our
future work will be aimed at solving these problems.
References
10. J-J. Quisquater and D. Samyde, Electromagnetic analysis (EMA): measures and
countermeasures for smart cards, Smart cards programming and security (e-Smart
2001), Lecture Notes in Computer Science, Vol. 2140, Springer-Verlag, 2001,
pp.200–210.
11. P. Smulders, The threat of information theft by reception of electromagnetic radi-
ation from RS-232 cables, Computer and Security 9, 1990.
12. Video Electronics Standards Association http://www.vesa.org/
13. W. van Eck, Electromagnetic radiation from video display units: An eavesdropping
risk?, Computers and Security 4, 1985.