idea for a fun little security project

Werner Almesberger werner at almesberger.net
Sun Nov 16 22:17:18 UTC 2014


I had a discussion where keyloggers came up and thought of this:
if your keystrokes go to a remote location, e.g., to a VNC or
similar session, you could encrypt the keystrokes at the keyboard,
defeating any keyloggers (hardware or software) on the way.

Should be pretty easy to implement: you need USB host, USB device,
and some way to set up keys, e.g., by the remote peer sending the
key on a different channel (e.g., to the screen), either initiating
key setup directly (if it can send commands on USB) or asking the
user to initiate key setup, and the user then typing in the key.

The encryption would have to use a stream cypher to avoid simple
statistical attacks. If keystrokes can get lost on the way, there
would also have to be some "clock synchronization" scheme.

To defeat keystroke timing analysis (we won't assume that the enemy
doesn't have a few bored scientists in the their team, right ? :),
the device should add some randomness to keystroke timing.

Advanced issue: automatic session (unencrypted to local system,
encrypted to remote system) switching. If the "terminal" software
can generate local USB operations (e.g., the HID set/get feature
commands), then it could probably use that for this purpose.

Probably needs a button or equivalent to enable firmware updates.
It could use the keyboard, but that requires a fair amount of
preparation. Better to keep it simple.

One LED should do nicely: off = no encryption, on = encrypted (make
it illuminate a lock symbol), blinking = awaiting key input or some
other maintenance action.

Note: won't protect wireless keyboards against RF snooping.

Except for HID host/device drivers, one should be able to find
pretty much all the needed parts in the Anelok, Y-Box, and
Ben-WPAN projects. As an added bonus, the HID code could then be
contributed back to Anelok :-)

- Werner



More information about the discussion mailing list


interactive