On Sun, Jul 09, 2006 at 09:17:00PM +0200, Peter Philipp wrote:
> On Sun, Jul 09, 2006 at 08:22:10PM +0200, Tobias Ulmer wrote:
> > Encrypting data from the keyboard is also not a real option,
> > because you need a shared secret (or something like hostkeys, how do
> > you know that the usb sniffer can't do MITM attacks?). The keyboard
> > needs to be pretty "intelligent" to do that.
>
> Uhm.. I think I did say public key encryption right? Where exactly is a
> shared secret needed in this?
>
> > Rewiring the keys... , you get something like a rot13 encryption,
> > anybody can figure that out.
>
> Yeah but it works against devices that are confident that everything has
> rot26 encryption. And if you can "mod" your keyboard in 10 minutes for
> nothing at all, except perhaps a 2 euro plug for the cables, why not?
Because if it's eventually read by a human, a human that bothered to bug
your keyboard in the first place, it can be easily decoded.
> > Anyway, the electromagnetic radiation(?) is probably so high that
> > nobody bothers with usb sniffers. I know it was possible to see a good
> > image of a crt in about 25m distance by just amplifying the signal back
> > in '96 (I was interested in building mini-bugs and have a few books
> > about the technology available to this time).
>
> Perhaps a keyboard that uses light instead of electrical signals is an
> overall better solution? Aren't laser emitting diodes fairly cheap today
> and the price of roughly 4 meters of fibre-optic cable should be acceptable
> for a keyboard right? Until then, USB keyboards encrypting would be better
> right? How much are you willing to spend for a secure keyboard anyhow? How
> much are people spending for "wireless" keyboards?
Light-conducting cables are apparently harder to tap than electrical,
but they certainly can be tapped by one of the big TLAs.
As to secure keyboard prices, I wouldn't bother buying one, even if it
was no more expensive than a regular keyboard - none of my hard drives
are encrypted, so an encrypted keyboard is nonsense.
Oh, your hard drives *are* encrypted, no? Otherwise, this discussion
would be quite pointless.
> > The only practical solution i can see is using a laptop with good
> > shielding and build a grounded copper case arround it. Make sure that
> > there is no HF going out on any cables, no external devices etc.
> > To meassure that the stuff really works, you may need an oscilloscope...
>
> Not everyone likes laptops.
>
> > I think the best is not to rely on encryption of hardware at all and
> > consider everything 'buged'. The only 'secure' thing is ram and the cpu.
> > Don't have a firewire port in your computer, it allows access to any
> > memory location [2].
>
> That's not a guarantee. But little change by little change will isolate
> insecurities until a system is secure, right? (didn't somene coin the
> phrase "security is a process"?)
No amount of painting over holes will ever make something secure. (See
Internet Explorer for a fine example...)
Joachim
