TEMPEST and Electronic Security
Created | Updated Sep 23, 2005
In the context of this entry, TEMPEST does not refer to any kind of inclement weather, Shakespeare play, 1980s Atari arcade game or World War II fighter aircraft. It refers to 'compromising emanations', or the study and prevention of unintentional electrical or electromagnetic emissions which, if intercepted by a well-equipped enemy, could be deciphered and exploited. Some might find the remainder of this entry a little dry, so meteorologists, fans of English literature or dodgy graphics, and war historians may leave now.
Origin of the Term
The term TEMPEST was coined by a group of researchers within the CESG at GCHQ in Cheltenham, UK. It was a codeword, now declassified but still in common use, and as a codeword it is capitalised by tradition. It is not an acronym, despite many claims to the contrary and countless (sometimes very impressive) attempts to expand it. The term now refers to a technique used mainly by the military to ensure that secure data remains so. Standards are maintained by, amongst others, GCHQ in the UK and the National Security Agency in the US, and all military equipment processing secure data must comply. These standards are invariably classified, so this entry does not attempt to quantify any of the parameters involved.
Notwithstanding matters of national security, the problems and techniques are equally relevant to any device processing sensitive data, and high bandwidth digital communications such as the Internet, public-domain secure transaction processing, and the increasing ingenuity of fraudsters mean TEMPEST countermeasures are becoming increasingly important in the civilian world.
The Problem
At its most basic level, a transmitting antenna is just a piece of wire (a conductor). If you send an alternating current through it, the current causes the conductor to emit electric and magnetic fields that vary in line with the current. It therefore follows that any conductor carrying an alternating or rapidly varying current will radiate correspondingly, to a degree. All electrical equipment, by definition, contains conductors that carry electrical currents. So, it follows that everything electrical transmits everything it does to the world at large, and anyone clever enough can receive it.
Of course, in reality it is much more complicated. The efficiency of an antenna depends on its length and the wavelength of the signal on it – for good efficiency the antenna should be a half-wavelength long, or a multiple thereof. As wavelength is inversely proportional to frequency, a lower frequency signal requires a longer antenna and vice versa. A conductor that is short, relative to the wavelength of the signal it carries, will not radiate much. Thus in the old days, when data transmission was pretty much limited to baseband audio signals of around 3kHz (ie, similar to that of the telephone), an efficient antenna would have had to be about 50km long. Nowadays of course we use much higher data rates. For example, a 3GHz clock signal in a typical PC could be easily transmitted using an antenna only 5cm long, and there are loads of pieces of wire and bits of metal in a PC that are 5cm long or more.
Similarly, any piece of wire can act as a receiving antenna, so any wire in close proximity to one carrying secure data is capable of picking up the secure signal and smuggling it to wherever the wire ends up.
A simple demonstration can be carried out at home with no specialised equipment and only a modicum of knowledge. Set up a TV set to display a large, basic picture such as a white vase or butterfly against a black background. The TV must have a traditional CRT screen as the experiment probably wouldn't work with flat screens. Take another TV set connected to a portable aerial, and place it in an adjacent room. The second TV can then be tuned to the screen emissions of the first (this is the tricky bit), and the picture displayed on the first will become clearly visible on the second.
EMC and TEMPEST
As an engineering discipline, TEMPEST has many similarities to the techniques used to ensure ElectroMagnetic Compatibility (EMC), albeit with slightly different goals. However, as it is principally concerned with keeping secrets out of enemy hands it is usually addressed under the heading of security.
EMC is concerned with preventing a product from upsetting the operation of another, nearby device by limiting its emissions to a defined level and also ensuring that a product can withstand a defined level of interference without throwing a wobbly (termed 'susceptibility'). Thus you can place your DVD player next to your telly and they'll both work. EMC covers, amongst other things:
- Radiated emissions – electric and magnetic fields radiated into space by the equipment.
- Conducted emissions – interference induced on to connecting signal cables and power lines.
- Radiated susceptibility – a device's immunity to radiated electric and magnetic fields.
- Conducted susceptibility – immunity to conducted interference on signal and power cables, ability to withstand electrostatic discharge, etc.
Any attempts to impose sensitivity limits on an enemy's detection equipment are unlikely to be entirely successful. Therefore, TEMPEST countermeasures are concerned purely with emissions. As the threshold of detection is generally way lower than the threshold of mutual interference, the limits placed on TEMPEST emissions are far more stringent than those of commercial EMC standards.
Terminology
Sensitive data or devices containing or processing sensitive data are usually referred to as 'red'. This does not imply any particular classification, merely that you don't want the data to escape. Conversely, non-sensitive data and equipment is 'black'. Sensitive or classified data that has been suitably encrypted is also considered black. A device processing red data but incorporating adequate protection to contain emissions can be black. A cable carrying black data that passes close to red equipment, and thus has the potential to pick up red data, can be considered red.
Example One: The Mundane
The easiest way to explain the jargon is by example. Imagine you want to pay your credit card bill online from your home PC, and your modem is connected via a wireless LAN or Bluetooth link. First, you find the credit card company's website. The request you send for the site address is broadcast over the LAN and then over the Internet. It is publicly available, but you don't really care: the request itself contains no useful or sensitive information. This data is termed black.
You then type your bank details into the appropriate fields using the keyboard, and the keyboard sends this information down a wire and into the computer, where it is shuffled around a lot and displayed on your monitor. This data is termed red: your sensitive bank details were sent over a wire to your monitor with no encryption or protection. Your house is now known as a red environment, as sensitive red data is flying around freely. If a suitably equipped spy were lurking in your bathroom, he would now know your bank details.
This scenario would be considered a low TEMPEST risk however. The red environment of your house contains physical protection – walls, doors and windows – to prevent snoopers.
Next you hit 'submit' and your bank details get encrypted and sent onwards, first by broadcast in your local area over the radio network, and then onwards to the credit card company's web-host over the public internet – a black environment. The data is still sensitive, but is encrypted, and so it is also regarded as black. Anyone at all could intercept your local radio signals or tap into the internet, but the data is useless without the key.
The red/black boundary – the point of encryption – is contained well within the physical protection afforded by your house, so the risk is still low. So far so good.
Now, remember that the video cable is still carrying your unencrypted, red bank details to keep the picture on your monitor refreshed. Suppose that this cable is located close to the wireless LAN or Bluetooth transceiver in the snakepit of cables behind your PC. The video signal may be a relatively fast digital stream, and the cable will radiate. This radiated signal may couple on to the amplifier stage in the transceiver, be superimposed over the intentionally-transmitted, encrypted, black signal, and then be amplified and broadcast into space. Such radio devices are intended for use over short range, up to tens of metres, but given sensitive enough receiving equipment it may be detectable kilometres away. The spy no longer has to break into your house, he could extract your bank details from the intentionally broadcast signal from two blocks away.
In this example, the transceiver is known as a 'TEMPEST leakage path'. In a home PC, or in fact most commercial data processing equipment, there is very little to stop a sensitive unencrypted signal coupling onto a leakage path. Alternative leakage paths could be a telephone line, nearby radio or TV aerial cable, copper pipe, or the power cable to the PC itself, which could potentially carry the signal many miles away. The chain of events described here is admittedly unlikely, but if the stakes are high enough someone will try to exploit the possibility.
Example Two: The Cold War
Now we are armed with the knowledge of a simple and low-risk day-to-day example, let's scale it up to a more realistic scenario. During the Cold War, the Soviets used to field spy ships disguised as fishing boats. These contained an elaborate array of receiving equipment intended to listen in to and decipher enemy communications. Now suppose there is a large warship within earshot of one of these vessels. Such a ship would typically carry a large number of transmitters, several command/control systems, weapon control systems and several hundred kilometres of cable, any of which could be carrying data at the highest classifications.
Given the number of potential leakage paths, the chances of the Soviet spy ship picking up something useful would be extremely high if TEMPEST were not considered in the warship's design.
Leakage Paths
The main types of TEMPEST Leakage Path (TLP) are as follows:
- Unintentional radiation from red equipment, strong enough to be picked up directly.
- Coupling onto black equipment or cables. Red emissions can be picked up by black wires or equipment and propagated. The unwanted red data is described as parasitic. As black equipment and cables do not need to be protected, the parasitic red data can escape.
- By coupling onto an intentional emitter. A secure data storage device may be located close to an insecure radio transmitter. Secure data coupled on to the radio may be amplified and transmitted for all to hear.
- By conduction. As your computer generates its ones and zeros, it will create tiny surges and glitches in the mains current supplying it. Given sensitive enough equipment, these could be interpreted by reading the mains cable from several miles away.
Countermeasures
Some of the techniques used to prevent stray signals straying too far are described below. These are generally similar to those used for EMC protection, although again TEMPEST requirements are usually far more stringent.
Physical Separation
The easiest and often most effective protection measure is to simply separate secure and insecure equipment and cabling. Physical separation is intended to ensure that any red emissions are sufficiently weak by the time they reach the outside world or a potential leakage path to be below detection levels.
However, in most practical applications it is impossible to achieve sufficient separation. Aircraft, for instance, simply aren't big enough; in a computer, red and black signals may be present simultaneously in the same case or even on the same chip during encryption. However, it is common to separate secure and insecure computers and networks in an office, and they are often sited in different rooms.
Electrical Separation (Screening)
Equipment and cabling is fully encased in metal, with any required apertures made sufficiently small, relative to the signal wavelength, to prevent the radiation from escaping. The screens provide similar signal attenuation to a large physical gap. Like everything else, there are degrees of screening, and a TEMPEST-grade flexible conduit will provide hundreds of times the attenuation of the simple foil screen of a typical network cable.
The periphery of a screened enclosure will often form a red/black boundary, and the enclosure may be containing red data in a black environment or protecting black data from contamination in a red environment. A screened enclosure may be a single cable, a computer casing, a room or an entire ship. All penetrations and apertures in the enclosure should be protected using one or other of the techniques described here. In TEMPEST-grade equipment, even the gaps between adjoining metal panels are often fully sealed using conductive gaskets or sealant.
Care should also be taken when installing cable runs – red and black cables should be separated as far as possible and, if they need to cross, they should do so at right angles. Two cables that run parallel to each other for any appreciable distance will end up carrying the same data.
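The two rules of thumb above (a conductor radiates well once it is about half a wavelength long, and a screen's apertures must stay small relative to the wavelength) are easy to turn into a quick design check. The following is an added example, not code from the original entry: the speed of light is rounded to 3×10^8 m/s to match the entry's 50km and 5cm figures, the lambda/10 aperture limit, the harmonic count and the sample conductor lengths are all assumptions made here.

```python
"""Wavelength, antenna-length and aperture checks.

Added example, not from the original entry.  It applies the entry's two
rules of thumb: a conductor radiates efficiently once it is about half a
wavelength long (or a multiple of that), and a screen's apertures must be
small relative to the wavelength.  The lambda/10 aperture limit, the
harmonic count and the sample conductor lengths are assumptions made here.
"""

C_M_PER_S = 3.0e8  # speed of light, rounded as in the entry's own figures


def wavelength_m(freq_hz):
    """Free-space wavelength of a signal at freq_hz, in metres."""
    return C_M_PER_S / freq_hz


def half_wave_m(freq_hz):
    """Length at which a conductor becomes an efficient antenna (lambda/2)."""
    return wavelength_m(freq_hz) / 2.0


def efficient_radiators(lengths_m, freq_hz, harmonic=1):
    """Return the conductors long enough to radiate at freq_hz.

    A digital clock is a square-ish wave, so it also carries energy at odd
    harmonics of the fundamental; harmonic=3 checks against 3*freq_hz
    (assumption: the caller decides how many harmonics matter).
    """
    threshold = half_wave_m(freq_hz * harmonic)
    return [length for length in lengths_m if length >= threshold]


APERTURE_FRACTION = 0.1  # assumption: keep apertures under lambda/10


def max_aperture_m(freq_hz, fraction=APERTURE_FRACTION):
    """Largest hole in a screen still 'small relative to the wavelength'."""
    return wavelength_m(freq_hz) * fraction


def aperture_ok(aperture_m, freq_hz, fraction=APERTURE_FRACTION):
    """True if an aperture of aperture_m metres is acceptable at freq_hz."""
    return aperture_m <= max_aperture_m(freq_hz, fraction)


if __name__ == "__main__":
    # The entry's two figures: a 3 kHz baseband signal and a 3 GHz clock.
    print("3 kHz half-wave: %.0f m" % half_wave_m(3e3))   # 50000 m
    print("3 GHz half-wave: %.3f m" % half_wave_m(3e9))   # 0.050 m
    # Constructed conductor lengths, in metres, found inside a PC case.
    pc_wires = [0.02, 0.05, 0.12, 0.30]
    print("Radiate at 3 GHz:", efficient_radiators(pc_wires, 3e9))
    print("Radiate at 3 kHz:", efficient_radiators(pc_wires, 3e3))
    # A 5 mm ventilation hole passes at 3 GHz; a 20 mm one does not.
    print("5 mm hole ok:", aperture_ok(0.005, 3e9))
    print("20 mm hole ok:", aperture_ok(0.020, 3e9))
```

Running it reproduces the entry's numbers (a 50km antenna at 3kHz, 5cm at 3GHz) and shows why the harmonic parameter matters: at the third harmonic of a 3GHz clock even a 2cm lead qualifies, and the acceptable aperture shrinks accordingly.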
Filtering
Where a cable has to pass through a red/black boundary, a filter may be inserted to filter out all frequencies except the wanted signal. In practice, this is usually a low-pass filter that merely blocks everything above a certain frequency, on the basis that any parasitic red signal is likely to be of high frequency. Clearly this has limitations, as any parasitic signals within the pass band will still get through, and a low-pass filter cannot be used if the wanted signal is high frequency itself. A proper TEMPEST-grade filter must also prevent a radiated red signal from sneaking around the side of the filter and coupling onto the black side. This, combined with the high level of performance required, usually means that these filters are large, heavy and expensive.
In practice, filters can be active or passive electrical and electronic devices, or merely metal apertures or holes with very carefully-chosen dimensions.
Digitising
This can be effective when you have to route a signal from a red environment into a black one. When an analogue signal is converted to digital, it is sampled at intervals and the signal level recorded as a number. It follows that a parasitic signal will probably be either of too high a frequency for the sampler to code, or will be of too low amplitude relative to the wanted signal and will be ignored. The true benefit comes as a by-product of the way every piece of digital equipment processes its data. In an analogue device, such as an amplifier, the signal is passed right through from input to output with whatever signal conditioning the device makes (ie, in the case of an amplifier, making it bigger). In a digital device, the shape of the electrical signal itself is not important, only the number it codes, so the device will recreate the number internally and produce a completely new reconstructed signal on the output. However, merely using digital equipment won't let you off the hook: radiated emissions on the red side could easily propagate around the device or even through it and couple themselves to the output.
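The claim that a digital device reproduces only the number it decoded, and so drops a small parasitic, can be shown with a toy converter. The following is an added example, not code from the original entry; it isolates the amplitude half of the argument (a parasitic smaller than half a quantisation step never changes the code), and the 8-bit width, the sample values and the parasitic amplitudes are constructed for the demonstration.

```python
"""Quantisation as a TEMPEST barrier: what a sampler keeps and drops.

Added example, not from the original entry.  It isolates the amplitude
half of the entry's argument: once a signal is coded as a number, a
parasitic component smaller than half a quantisation step never changes
the number, so it is absent from the reconstructed output.  The 8-bit
converter, the sample values and the parasitic amplitudes are constructed
for this example.
"""


def full_scale(bits):
    """Largest positive code of a signed converter with the given width."""
    return 2 ** (bits - 1) - 1


def quantise(sample, bits):
    """Map a sample in [-1.0, 1.0] to the nearest integer code, clamped."""
    fs = full_scale(bits)
    return max(-fs, min(fs, round(sample * fs)))


def reconstruct(codes, bits):
    """Rebuild an output signal purely from the codes, as a digital device does."""
    fs = full_scale(bits)
    return [code / fs for code in codes]


def changed_samples(wanted, parasitic, bits):
    """Number of output codes altered by superimposing the parasitic."""
    return sum(1 for w, p in zip(wanted, parasitic)
               if quantise(w + p, bits) != quantise(w, bits))


def parasitic_survives(wanted, parasitic, bits):
    """True if any trace of the parasitic reaches the reconstructed output."""
    return changed_samples(wanted, parasitic, bits) > 0


BITS = 8
# Constructed wanted samples sitting exactly on code centres of an 8-bit converter.
WANTED = [code / full_scale(BITS) for code in (0, 10, -40, 100, -127)]


def parasitic_of(amplitude_lsb):
    """Alternating-sign parasitic with the given amplitude in quantisation steps."""
    step = 1.0 / full_scale(BITS)
    return [(amplitude_lsb if i % 2 == 0 else -amplitude_lsb) * step
            for i in range(len(WANTED))]


if __name__ == "__main__":
    small = parasitic_of(0.3)   # below half a step: vanishes
    large = parasitic_of(0.7)   # above half a step: leaks into every code
    print("0.3 LSB parasitic survives:", parasitic_survives(WANTED, small, BITS))
    print("0.7 LSB parasitic survives:", parasitic_survives(WANTED, large, BITS))
    leaked = [quantise(w + p, BITS) for w, p in zip(WANTED, large)]
    print("reconstructed with leak:", reconstruct(leaked, BITS))
```

The half-step threshold is the caveat a practitioner should keep in mind: the barrier only holds while the parasitic stays below the converter's resolution, and a higher-resolution converter on the same line lowers that threshold. It also does nothing about emissions that bypass the converter altogether, as the entry notes.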
Fibre Optics
An optical fibre is made of glass, doesn't conduct electricity, doesn't radiate and nor does it pick up unwanted interference. What goes in one end pretty much comes out the other, with few, if any, surprises. Thus a fibre cable carrying black data can be happily routed straight through a red area with no shielding, and you can be confident that it won't take anything sensitive with it. In many cases it is better to convert an electrical signal to optical and then back to electrical just to cross a red/black boundary, as the media converters are likely to be much smaller and cheaper than the requisite filter.
Risks
In most development projects where TEMPEST is a consideration, some kind of risk assessment will be carried out. TEMPEST can account for a large proportion of the cost of a product, so it is important not to place too many restrictions on it. After all, computers have advanced so much recently that it would be a shame if they had to revert to two-ton shielded metal monoliths. Hence the home PC offers no protection whatsoever but the risk of compromise is negligible and the results wouldn't exactly be catastrophic.
A bank ATM may afford limited protection as it has to process thousands of individuals' bank details every day, and is located in a vulnerable spot. A secure communications system installed in an army Land Rover would have many more restrictions applied to it than the same equipment fixed within the protected area of a military airfield. In the warship example, each compartment would be assessed according to equipment classification and risk – sensitive equipment would not be fitted in vulnerable compartments unless it was otherwise protected. Access to certain areas would be physically restricted, perhaps even to members of the crew.
Should you, as an individual, be worried? The answer is: probably not. Although you may be happily broadcasting your intimate financial details over a much wider area than you anticipated, the cost of the equipment needed to intercept these details would probably far outweigh the gains from any credit-card fraud. The chances of your details being stolen by hackers using worms or suchlike installed on your PC are much, much higher. If on the other hand you are a conspiracy theorist and revel in that sort of thing, you can invent all sorts of imaginative scenarios involving detector vans parked outside, or postmen with suspiciously long cellphone aerials to keep yourself awake at night.