On Sun, Jul 09, 2006 at 08:22:10PM +0200, Tobias Ulmer wrote:
> Encrypting data from the keyboard is also not a real option,
> because you need a shared secret (or something like hostkeys, how do
> you know that the usb sniffer can't do MITM attacks?). The keyboard
> needs to be pretty "intelligent" to do that.

Uhm.. I think I did say public key encryption right?  Where exactly is a
shared secret needed in this?

> Rewiring the keys... , you get something like a rot13 encryption, 
> anybody can figure that out.

Yeah but it works against devices that are confident that everything has
rot26 encryption.  And if you can "mod" your keyboard in 10 minutes for
nothing at all, except perhaps a 2 euro plug for the cables, why not?

> Anyway, the electromagnetic radiation(?) is probably so high that
> nobody bothers with usb sniffers. I know it was possible to see a good
> image of a crt in about 25m distance by just amplifying the signal back
> in '96 (I was interested in building mini-bugs and have a few books
> about the technology available to this time).

Perhaps a keyboard that uses light instead of electrical signals is an
overall better solution?  Aren't laser emitting diodes fairly cheap today
and the price of roughly 4 meters of fibre-optic cable should be acceptable 
for a keyboard right?  Until then, USB keyboards encrypting would be better
right?  How much are you willing to spend for a secure keyboard anyhow?  How
much are people spending for "wireless" keyboards?

> The only practical solution I can see is using a laptop with good
> shielding and building a grounded copper case around it. Make sure that
> there is no HF going out on any cables, no external devices etc.
> To measure that the stuff really works, you may need an oscilloscope...

Not everyone likes laptops.

> I think the best is not to rely on encryption of hardware at all and
> consider everything 'bugged'. The only 'secure' thing is ram and the cpu.
> Don't have a firewire port in your computer, it allows access to any 
> memory location [2].

That's not a guarantee.  But little change by little change will isolate
insecurities until a system is secure, right? (didn't someone coin the 
phrase "security is a process"?)

> Tinfoil hat linux [3] is worth a look (There are more interesting links
> on that page)
> 
> Still paranoid? ;)
> 
> > [snip]
> 
> Tobias
> 
> [1] 
> http://64.233.183.104/search?q=cache:JcI2ggxM8OEJ:www.rootsecure.net/content/downloads/pdf/ssh_timing_attack.pdf
> 
> [2] 
> http://64.233.183.104/search?q=cache:YZy7R1pb6bUJ:pacsec.jp/psj04/psj04-dornseif-e.ppt
> 
> [3] http://tinfoilhat.shmoo.com/


regards,

-peter

-- 
Here my ticker tape .signature #### My name is Peter Philipp #### lynx -dump 
"http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394" | sed -n 
131,136p #### So long and thanks for all the fish!!!
