idea for a fun little security project
hellekin at gnu.org
Mon Nov 17 22:27:26 UTC 2014
On 11/17/2014 09:35 AM, Werner Almesberger wrote:
> Nice ! I'd make the keyboard just "USB keyboard" - doesn't matter
> how plain or fancy it is. Also, the endpoint could be more local,
> e.g., inside a virtual machine or inside a Linux-on-a-USB-stick.
*** Going a step further, you could have a wireless keyboard that you
flash with your firmware, or a cabled-USB keyboard that you'd plug not
directly into the computer, but into a USB device:
[ASCII diagram: the "USB Secure Hardware Key", with one end plugged into the "computer USB Host" and a "USB to Keyboard" port on the other end]
The USB Secure Hardware Key would offer 3 functionalities:
1. bootable Tails system
2. wireless keyboard connection
3. cabled keyboard connection
Both 2. and 3. would provide the encryption capability.
- If you boot on the device, and you use a cabled keyboard, you're safe.
- If you boot on the device, and you use a FLASHED wireless keyboard,
you're almost safe.
- If you boot on the computer, and you use the device simply as a
key-scrambler, you could definitely tunnel this either through networked
virtual machines or the Internet.
And if you remove the wireless part, and use micro-USB instead, you can
have a fully featured encrypted keyboard for your mobile phone, which is
probably a good thing to have given that we have more fingers than two.
I think the latter option (no wireless) is actually more interesting, as
the only attacker left is a tempest-capable trickster that can
reverse-engineer the encrypted data stream, or a smarter trickster who
can simply record the noise of the keys as you type and reconstruct the
sequence, which can actually be done using lasers on a window to amplify
the tiny vibrations into delivering an audible definition.