idea for a fun little security project

Felix sucotronic at gmail.com
Mon Nov 17 07:23:59 UTC 2014


Mmmm, nice idea to implement. As always, I tried to do some search in order
to check if something similar exists, and only found a software approach
(that personally I'll not trust xD), that is called KeyScrambler (
https://www.qfxsoftware.com/ks-windows/how-it-works.htm).

Well, here is my attempt to draw Werners idea:

[image: Inline image 1]

It would be also interesting if it is possible to develop some kind of web
browser addon in order interpret the data from the device.


On Sun, Nov 16, 2014 at 11:17 PM, Werner Almesberger <werner at almesberger.net
> wrote:

> I had a discussion where keyloggers came up and thought of this:
> if your keystrokes go to a remote location, e.g., to a VNC or
> similar session, you could encrypt the keystrokes at the keyboard,
> defeating any keyloggers (hardware or software) on the way.
>
> Should be pretty easy to implement: you need USB host, USB device,
> and some way to set up keys, e.g., by the remote peer sending the
> key on a different channel (e.g., to the screen), either initiating
> key setup directly (if it can send commands on USB) or asking the
> user to initiate key setup, and the user then typing in the key.
>
> The encryption would have to use a stream cypher to avoid simple
> statistical attacks. If keystrokes can get lost on the way, there
> would also have to be some "clock synchronization" scheme.
>
> To defeat keystroke timing analysis (we won't assume that the enemy
> doesn't have a few bored scientists in the their team, right ? :),
> the device should add some randomness to keystroke timing.
>
> Advanced issue: automatic session (unencrypted to local system,
> encrypted to remote system) switching. If the "terminal" software
> can generate local USB operations (e.g., the HID set/get feature
> commands), then it could probably use that for this purpose.
>
> Probably needs a button or equivalent to enable firmware updates.
> It could use the keyboard, but that requires a fair amount of
> preparation. Better to keep it simple.
>
> One LED should do nicely: off = no encryption, on = encrypted (make
> it illuminate a lock symbol), blinking = awaiting key input or some
> other maintenance action.
>
> Note: won't protect wireless keyboards against RF snooping.
>
> Except for HID host/device drivers, one should be able to find
> pretty much all the needed parts in the Anelok, Y-Box, and
> Ben-WPAN projects. As an added bonus, the HID code could then be
> contributed back to Anelok :-)
>
> - Werner
>
> _______________________________________________
> Qi Hardware Discussion List
> Mail to list (members only): discussion at lists.en.qi-hardware.com
> Subscribe or Unsubscribe:
> http://lists.en.qi-hardware.com/mailman/listinfo/discussion
>



-- 
Felix
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.en.qi-hardware.com/pipermail/discussion/attachments/20141117/8de5587d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: idea.png
Type: image/png
Size: 85099 bytes
Desc: not available
URL: <http://lists.en.qi-hardware.com/pipermail/discussion/attachments/20141117/8de5587d/attachment-0001.png>


More information about the discussion mailing list


interactive