summaryrefslogtreecommitdiff
path: root/paper/research_directions.tex
diff options
context:
space:
mode:
Diffstat (limited to 'paper/research_directions.tex')
-rw-r--r--paper/research_directions.tex880
1 files changed, 880 insertions, 0 deletions
diff --git a/paper/research_directions.tex b/paper/research_directions.tex
new file mode 100644
index 0000000..602d09b
--- /dev/null
+++ b/paper/research_directions.tex
@@ -0,0 +1,880 @@
+\documentclass[12pt,a4paper,notitlepage]{article}
+\usepackage[utf8]{inputenc}
+\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry}
+\usepackage[T1]{fontenc}
+\usepackage[
+ backend=biber,
+ style=numeric,
+ natbib=true,
+ url=true,
+ doi=true,
+ eprint=false
+ ]{biblatex}
+\addbibresource{directions.bib}
+\usepackage{amssymb,amsmath}
+\usepackage{listings}
+\usepackage{eurosym}
+\usepackage{wasysym}
+\usepackage{amsthm}
+\usepackage{tabularx}
+\usepackage{multirow}
+\usepackage{multicol}
+\usepackage{tikz}
+
+\usetikzlibrary{arrows}
+\usetikzlibrary{backgrounds}
+\usetikzlibrary{calc}
+\usetikzlibrary{decorations.markings}
+\usetikzlibrary{decorations.pathreplacing}
+\usetikzlibrary{fit}
+\usetikzlibrary{patterns}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes}
+
+\usepackage{hyperref}
+\usepackage{tabularx}
+\usepackage{commath}
+\usepackage{graphicx,color}
+\usepackage{subcaption}
+\usepackage{float}
+\usepackage{footmisc}
+\usepackage{array}
+\usepackage[underline=false]{pgf-umlsd}
+\usetikzlibrary{calc}
+%\usepackage[pdftex]{graphicx,color}
+%\usepackage{epstopdf}
+
+\newcommand{\foonote}[1]{\footnote{#1}}
+\newcommand{\degree}{\ensuremath{^\circ}}
+\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
+
+\author{Sebastian Götte {\texttt<secureusb@jaseg.net>} @Mori lab, Waseda University}
+\title{Securing the USB interface}
+\date{December 12 2018}
+\begin{document}
+\maketitle
+
+\section{Introduction}
+\subsection{Problem definition}
+A computer's USB interface is hard to secure. Though overall security is quite good today, the USB interface has not
+received enough attention. In particular HIDs are a problem, as they are naturally very highly privileged.
+Off-the-shelf USB HID attack tools exist. In particular from a security point of view extremely bad ideas such as
+WebUSB\cite{misc01} are set to increase this already large attack surface even further.
+
+\subsection{Contributions}
+This work includes three key contributions. First, it demonstrates a practical implementation of a complete,
+backwards-compatible secure USB system using QubesOS and a single new piece of security hardware. Second, it shows a
+novel interactive user-friendly cryptographic handshaking scheme based on out-of-band communication. Third, it shows and
+proposes some techniques for the design of general secure protocols that are not limited to USB alone.
+
+\section{The state of the art in mitigation}
+Several ways to secure the USB interface have been proposed that can be broadly categorized as follows.
+\begin{itemize}
+ \item USB firewalls are software or hardware that protects the host from requests deemed invalid similar to a network firewall\cite{tian01,angel01,kang01,bates01,loe01}.
+ \item USB device authentication uses some sort of user feedback or public key infrastructure to authenticate the device when it connects\cite{usb01,griscioli01,wang01,he01}.
+ \item USB bus encryption encrypts the raw USB payloads to ward off eavesdroppers\cite{neugschwandtner01,weinstein01}.
+ \item For wireless protocols, every conceivable pairing model has been tried. However, not many have been applied to
+ USB\cite{arun01,uzun01,kobsa01,saxena01}.
+ \item Compartmentalized systems such as QubesOS separate vulnerable components with large attack surface such as the USB device drivers into VMs to not inhibit exploitation but mitigate its consequences.
+\end{itemize}
+
+\begin{table}
+ \setlength{\extrarowheight}{5pt}
+ \begin{tabular}{l|P{10mm}|P{15mm}|P{15mm}|P{15mm}|P{17mm}|P{25mm}|}
+ &\multicolumn{3}{c|}{\bfseries Attacks} & \multicolumn{2}{c|}{\bfseries Eavesdropping} & \multirow{2}{25mm}{\centering\bfseries Backwards\newline compatible} \\\cline{2-6}
+ & \bfseries HID &\bfseries Host\newline exploit &\bfseries Device\newline exploit&\bfseries Bus-level &\bfseries Physical layer & \\\hline
+ Firewalls & $\bigcirc$ & $\triangle$ & $\times$ & $\triangle$ & $\times$ & $\bigcirc$ \\
+ Device authentication & $\bigcirc$ & $\times$ & $\times$ & $\triangle$ & $\times$ & $\times$ \\
+ Bus encryption & $\triangle$ & $\times$ & $\times$ & $\bigcirc$ & $\bigcirc$ & $\times$ \\
+ Plain QubesOS setup\footnotemark
+ & $\triangle$ & $\triangle$ & $\triangle$ & $\triangle$ & $\times$ & $\bigcirc$ \\
+ Our work & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$
+ \end{tabular}
+ \caption{Comparison of approaches to USB security}
+ \label{approach_comparison}
+\end{table}
+\footnotetext{Requires separate USB host controller for HIDs}
+
+We compare these approaches w.r.t. several attacks in \ref{approach_comparison}. Overall we found that QubesOS is the
+only advance towards securing this interface that is both \emph{practical} and \emph{effective}. Other approaches have
+not been successful so far likely due to market inertia and backwards-incompatibility.
+QubesOS approaches the problem by running a separate VM with the USB host controllers mapped through via IOMMU. This VM
+runs a linux kernel with a small set of white-listed USB device drivers (HID and mass storage device) and a USB-over-IP
+backend. A set of Qubes services pass through any HID input arriving inside this VM into dom0, and coordinate exporting
+USB mass storage devices as Xen block devices. Any other USB devices can be passed-through to other VMs through
+USB-over-IP-over-QubesRPC, a Xen vChan-based inter-VM communication system.
+QubesOS is still lacking in that it's compartmentalization becomes essentially useless when it is used with a USB HID
+keyboard that does not have its own dedicated PCIe USB host controller, as any normal desktop and most recent laptop
+computers. The issue here is that USB HID is neither authenticated nor encrypted, and the untrusted USB VM sits in the
+middle of this data stream, which thus allows it trivial privilege escalation via keystroke injection.
+
+\subsection{Usage scenarios}
+
+Today USB's level security is still adequate for most everyday users. In general, attacks against USB either require
+special malicious hardware or require re-flashing of existing peripherals with custom malicious firmware. Today's
+low-level cybercrime targeting everyday users is still focused on much easier tasks such as stealing passwords through
+phishing, installing cryptolocker malware by means of malicious email attachments and extracting sensitive user data
+with malicious browser addons. Fortunately, we have not yet entered an age where average computer users need to worry
+about the type of attack this work defends against. Still, it can be expected that with the general increase of overall
+computer security, eventually attackers will have to graduate to more advanced means--and since at this time the
+landscape of effective defenses against USB attacks is very sparse, your author considers it important to explore the
+avenues to effective defence ealier rather than later in order to be prepared for evolving attacks.
+
+Despite the banality of everyday cybersecurity described above, there already are some people and organizations who face
+advanced attacks including USB attacks. Due to their exceedingly simple execution, USB HID attacks are a very attractive
+way to perform targeted attacks. For this reason, specialized USB attack hardware is already available commercially at
+low cost. For users facing targeted attacks like this, SecureHID might already provide practical benefits.
+The users most at risk of targeted attacks are those either working with highly sensitive data or working with highly
+privileged access. The former group would include people such as journalists working with their sources and politicians
+working with confidential information. The latter group would include law enforcement officials, often being endowed
+with wide-ranging electronic access to databases and other confidential information. Further, system administrators and
+computer programmers are often provided highly privileged access to critical systems for software deployment using
+systems such as Ansible or uploading software packages into software repositories such as PyPI.
+
+In all of these scenarios there are many users with very poweful adversaries. In case of a software developer or systems
+administrator that would be competing companies or foreign intelligence agencies trying to gain access to internal
+networks to steal confidential information. In case of a journalist that would be whoever they are writing about and
+here the most interesting articles might come with the most powerful enemies. Finally, a security researcher would by
+nature of their work, out of academic interest specifically be looking for the most dangerous targets they could find.
+
+Some users might be able to reduce their attack surface to USB attacks by reducing their use of untrusted USB devices,
+but in many everyday scenarios such as those described above this is not an option. A security researcher needs to
+connect to untrusted devices in order to analyze them, and using a second, isolated machine for this is very
+inconvenient. A journalist or politician will frequently have to read USB flash drives with documents for their work,
+and again simply solving the problem by air-gapping is an effective but impractical mitigation. In all of these cases,
+SecureHID would be an effective mitigation.
+
+\section{Approach}
+\subsection{System overview}
+The goal of SecureHID is to enable the first reasonably secure system using both HID and arbitrary untrusted devices on
+the same USB host controller, based on QubesOS. SecureHID consists of a USB HID encryption box to be put between
+keyboard and computer and a piece of software run inside QubesOS. After initial pairing with the host software, the
+encryption box will encrypt and sign any USB HID input arriving from the keyboard and forward the encrypted data to the
+host. The host software running outside the untrusted USB VM will receive the encrypted and signed data from the
+untrusted USB VM, verify and decrypt it, and inject the received HID input events into Qubes's input event handling
+system.
+
+A schematic diagram of a system employing SecureHID is shown in figure \ref{diagram_with}. Two major points that can be
+seen here are that first, SecureHID requires no specialized hardware on either end and transparently plugs into the
+existing USB stack. Second, a SecureHID-protected setup has two well-defined security boundaries, one inside the
+SecureHID device between host and device side, and one in the host operating system between USB driver VM and
+hypervisor. These security boundaries allow a clean separation of a SecureHID setup into untrusted and trusted domains
+and greatly simpliefies reasoning about overall system security. Communication across these security boundaries is
+limited to the simple SecureHID protocol. We describe the design of the SecureHID protocol in section \ref{prot_desc}
+and elaborate its security properties in section \ref{prot_ver}. The security of the protocol's core components has been
+formally verified in the past and the protocol has been kept simple enough to allow exhaustive verification and testing.
+
+\begin{figure}[p]
+ \includegraphics[scale=0.8]{system_diagram_with_secureusb.eps}
+ \caption{Diagram of a SecureHID-protected system}
+ \label{diagram_with}
+\end{figure}
+
+\subsection{System security properties}
+This system is sufficient to secure any USB setup, especially unmodified desktop PCs or laptops where a USB host
+controller is shared between both HIDs and other devices. Attack surface is reduced such that a \emph{full compromise}
+of the system becomes unlikely, since plain HID is no longer supported. The remaining attack surface consists only of a
+\emph{compromise of the USB VM}. This attack surface is small enough that other sensitive devices such as USB audio
+devices can safely be connected. A compromise of the USB driver VM no longer gives full system access, but at best
+allows listening in on the microphone. Since a compromised USB VM in general does not have network access, such an
+attack will be mostly harmless in most scenarios. Additionally, the most likely attacking devices would be custom
+hardware or a compromised smartphone. Custom hardware can easily be outfitted with a microphone, essentially turning it
+into a bug irrespective of USB functionality, and smartphones already have microphones by definition.
+
+A practical mitigation for potential information leakage through microphones, webcams and other sensitive devices would
+be to simply unplug them when not used. Microphones could also be connected to a PCIe-based sound card (such as the
+integrated sound card of most laptops) and webcams could potentially be isolated to a separate USB host controller.
+
+\subsection{USB physical-level and bus-level attacks}
+Since sensitive HIDs are isolated from other USB devices effectively on a separate bus, bus-level attacks such as
+\textcite{neugschwandtner01} are entirely prevented. The much scarier physical attacks on USB such as \textcite{su01}
+can be prevented thanks to the clear security boundary inside the SecureHID device. Since there is only four wires
+needed between the trusted and untrusted sides (Ground, VCC, serial RX and serial TX) and the serial link is running at
+a comparatively low speed (115.2kBd easily suffice), analog filtering is a viable measure against sidechannels. On the
+ground and VCC rails extensive filtering using series inductors and large capacitors can be used to decouple both sides.
+Additionally, both sides' microcontrollers can optionally be fed from separate voltage regulators powered off the USB 5V
+rail to reduce side-channels. The serial link can be filtered to limit its analog bandwidth to above serial speeds
+(50kHz) but much below the trusted microcontroller's system clock (72MHz). Finally, on the untrusted microcontroller
+choosing UART pins that are not multiplexed to its internal ADC elminates the risk of direct measurements by a
+compromised microcontroller firmware and leaves only indirect measurements of power supplies or coupling into other
+pins' signals. This means that with a few very inexpensive hardware countermeasures (an additional voltage regulator and
+a handful of capacitors, inductors and resistors for filtering) any analog side-channels between trusted and untrusted
+side can be ruled out.
+
+\section{Cryptographic design}
+
+\subsection{Protocol description}
+\label{prot_desc}
+The basic protocol consists of two stages: \textsc{pairing} and \textsc{data}. When the device powers up, it enters
+\textsc{pairing} state. When the host enumerates a new device, it enters \textsc{pairing} state. If any fatal
+communication errors occur, both host and device re-enter \textsc{pairing} state. To make the implementation robust
+against host software crashing, devices being unplugged etc. without opening it up to attacks, the host can request the
+device to re-enter \textsc{pairing} state a limited number of times after powerup.
+
+\textsc{pairing} state consists of a number of substates as set by \textcite{perrin01}. The device runs noise's
+\textsc{XX} scheme, i.e. both host and device each contribute both one ephemeral key $e$ and one static key $s$ to the
+handshake, and the public halves of the static keys are transmitted during handshake encrypted by the emphemeral keys.
+
+The cryptographic primitives instantiated in the prototype are X25519 for the ECDH primitive, BLAKE2s as a hash and
+ChaCha20-Poly1305 as AEAD for the data phase. ECDH instead of traditional DH was chosen for its small key size and fast
+computation. Since no variant of RSA is used, key generation is fast. An ad-hoc prototype device-side random number
+generator has been implemented based on BLAKE2s and the STM32's internal hardware RNG.
+
+\begin{figure}[h]
+ \centering
+ \begin{sequencediagram}
+ \newinst{kbd}{Keyboard}
+ \newinst[3]{dev}{SecureHID}
+ \newinst[5]{host}{Host}
+
+ \mess{host}{}{dev}
+ \path (mess from) -- (mess to) node[midway, above] {\emph{COBS sync (null byte)}};
+ \mess{host}{}{dev}
+ \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Initiate Handshake}};
+
+ \begin{sdblock}{Noise XX handshake}{}
+ \mess{host}{}{dev}
+ \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e$};
+ \mess{dev}{}{host}
+ \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e,ee,s,es$};
+ \mess{host}{}{dev}
+ \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, s,se$};
+ \end{sdblock}
+
+ \begin{sdblock}{Pairing}{Triggered by user interaction after unsuccessful handshake}
+ \mess{dev}{}{host}
+ \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Start}};
+ \stepcounter{seqlevel}
+
+ \mess{kbd}{keystroke}{dev}
+ \addtocounter{seqlevel}{-1}
+ \mess{dev}{}{host}
+ \path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$};
+ \stepcounter{seqlevel}
+ \mess{kbd}{}{dev}
+ \addtocounter{seqlevel}{-1}
+ \path (mess from) -- (mess to) node[midway, above] {keystroke};
+ \path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$};
+ \mess{dev}{}{host}
+ \path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$};
+ \path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$};
+ \stepcounter{seqlevel}
+
+ \mess{kbd}{}{dev}
+ \addtocounter{seqlevel}{-1}
+ \path (mess from) -- (mess to) node[midway, above] {\emph{enter}};
+ \mess{dev}{}{host}
+ \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Success}};
+ \end{sdblock}
+
+ \begin{sdblock}{Input passthrough}{Started after successful handshake or pairing}
+ \mess{kbd}{keystroke}{dev}
+ \path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$};
+
+ \addtocounter{seqlevel}{-1}
+ \mess{dev}{}{host}
+ \path (mess from) -- (mess to) node[midway, above] {$\textsc{Data},E(\text{keystroke})$};
+ \path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$};
+ \stepcounter{seqlevel}
+ \end{sdblock}
+ \end{sequencediagram}
+ \caption{A successful prototype protocol pairing}
+ \label{protocol_diagram}
+\end{figure}
+
+A successful pairing looks like this:
+\begin{enumerate}
+\item \textbf{Handshake.} \textsc{device} is connected to \textsc{host}
+\item \textsc{host} initiates pairing by sending \textsc{initiate handshake} to device
+\item \textsc{device} and \textsc{host} follow noise state machine for the \textsc{XX} handshake. See figure
+ \ref{crypto_diagram} for a complete flowchart of cryptographic operations during this handshake. The handshake and
+ subsequent Noise protocol communication are specified in \textcite{perrin01} and their security properties are
+ formally verified in \textcite{kobeissi01}. Section \ref{sec_prop} analyzes the implications of these security
+ properties for this research.
+\item After the handshake completes, both \textsc{device} and \textsc{host} have received each other's static public key
+ $rs$ and established a shared secret connection key. At this point, the possibility of an MITM attacker having
+ actively intercepted the handshake remains. At this point \textsc{device} and \textsc{host} will both notice they do
+ not yet know each other's static keys. \textsc{host} will respond to this by showing the pairing GUI dialog.
+ \textsc{deivce} will sound an alarm to indicate an untrusted connection to the user.
+\item \textbf{Channel binding.} Both \textsc{device} and \textsc{host} calculate the \emph{handshake hash} as per noise
+ spec\cite{perrin01}. This hash uniquely identifies this session and depends on both local and remote ephemeral and
+ static keys $le, re, ls, rs$. Both parties encode a 64-bit part of this hash into a sequence of english words by
+ dictionary lookup. This sequence of words is called the \emph{fingerprint} of the connection.
+\item \textsc{host} prompts the user to enter the \emph{fingerprint} into a keyboard connected to \textsc{device}. The
+ user presses the physical pairing button on \textsc{device} to stop the alarm and start pairing. This step prevents
+ an attacker from being able to cause the device to send unencrypted input without user interaction by starting
+ pairing.
+\item As the user enters the \emph{fingerprint}, \textsc{device} relays any input over the yet-unauthenticated encrypted
+ noise channel to \textsc{host}. \textsc{host} displays the received user input in plain text in a regular input
+ field in the pairing GUI. This display is only for user convenience and not relevant to the cryptographic handshake.
+ A consequence of this is that a MITM could observe the \emph{fingerprint}\footnote{
+ A MITM could also modify the fingerprint information sent from \textsc{device} to \textsc{host}. This would be
+ very obvious to the user, since the fingerprint appearing on the \textsc{host} screen would differ from what she
+ types.
+ }. We show in section \ref{prot_ver} that this does not reduce the protocol's security.
+\item When the user has completed entering the fingerprint, the device checks the calculated fingerprint against the
+ entered data. If both match, the host is signalled \textsc{success} and \textsc{data} phase is entered. If they do
+ not match, the host is signalled \textsc{failure}\footnote{
+ Note that this means a MITM could intercept the \textsc{failure} message and forge a \textsc{success} message.
+ This means both are just for user convenience \emph{absent} an attacker. If an attacker is present, she will be
+ caught in the next pairing step.
+ } and \textsc{pairing} state is re-entered unless the maximum number of tries since powerup has been exceeded.
+ Failure is indicated to the user by \textsc{device} through a very annoying beep accompanied by angrily flashing
+ LEDs.
+\item \textbf{Data phase.} \textsc{host} asks the user for confirmation of pairing \emph{in case the device did not
+ sound an alarm} by pressing a button on the GUI. When the user does this, the host enters \textsc{data} state and
+ starts input passthrough.
+\end{enumerate}
+
+Roughly speaking, this protocol is secure given that the only way to MITM a (EC)DH key exchange is to perform two (EC)DH
+key exchanges with both parties, then relay messages. Since both parties have different static keys, the resulting two
+(EC)DH sessions will have different handshake hashes under the noise framework. The channel binding step reliably
+detects this condition through an out-of-band transmission of the \textsc{host} handshake hash to \textsc{device}.
+The only specialty here is that this OOB transmission is relayed back from \textsc{device} to \textsc{host} allowing the
+MITM to intercept it. This is only done for user convenience absent a MITM and the result is discarded by \textsc{host}.
+Since the handshake hash does as a hash does not leak any sensitive information about the keys used during the
+handshake, it being exposed does not impact protocol security.
+
+\subsection{Protocol verifictation}
+\label{prot_ver}
+\subsubsection{Noise security properties}
+\label{sec_prop}
+According to \textcite{perrin01} and proven by \textcite{kobeissi01} Noise's XX pattern provides strong forward-secrecy,
+sender and receiver authentication and key compromise impersonation resistance. Strong forward secrecy means an attacker
+can only decrypt messages by compromising the receivers private key and performing an active impersonation. Strong
+forward secrecy rules out both physical and protocol-level eavesdropping attacks by malicious USB devices and implies
+that an attacker can never decrypt past protocol sessions. An implication of the static key checks done on both sides of
+the connection is that an attacker would need to compromise both host and device in order to remain undetected for e.g.
+keylogging. Compromising only one party the worst that can be done is impersonating the SecureHID device to perform a
+classical HID attack. In this case, the attacker cannot read user input and the user would notice this by SecureHID
+indicating a not connected status and thus the keyboard not working.
+% FIXME possibly detect this by having session counter etc.?
+
+To verify that these security properties extend to the overall SecureHID protocol it suffices to show the following
+three properties.
+\begin{enumerate}
+\item The SecureHID implementation of Noise XX adheres to the Noise specification, i.e. the handshake is performed
+ correctly. \label{adh0}
+\item Both sides' static keys are verified. \label{adh1}
+\item All sensitive data is encapsulated in Noise messages after the handshake has ended, and none is sent before.
+ \label{adh2}
+\end{enumerate}
+
+\ref{adh0} has been validated by manual code review and cross-validation of our implementation against other Noise
+implementations. % FIXME write more, do more here
+\ref{adh1} has been validated by manual code review. %FIXME do simulation here
+Since all sensitive data in our application is handled on the device in a single place (the USB HID request handling
+routine), \ref{adh2} is easily validated by code review. USB HID reports are only transmitted either encrypted after the
+handshake has been completed or in plain during pairing. Since the host will only inject reports into the input
+subsystem that have been properly authenticated and encrypted (and not the unauthenticated reports sent during pairing),
+the protocol is secure in this regard. Since pairing keyboard input is only passed through after the host's pairing
+request has been acknowledged by the user with SecureUSB's physical pairing button the user would certainly notice an
+attack trying to exfiltrate data this way. Were pairing input passed through automatically without explicit user
+acknowledgement, an attacker could start pairing mode just as the user starts typing in a password prompt such as the
+one of \texttt{sudo} or a password field and might not notice the attack until they have typed out their entire password
+to the attacker.
+
+\subsubsection{Handshake hash non-secrecy}
+
+\begin{figure}[p]
+ \centering
+ \tikzset{%
+ h/.style = {->, very thick},
+ ck/.style = {->, very thick},
+ key/.style = {->},
+ ki/.style = {key, color=red},
+ kr/.style = {key, color=red},
+ ke/.style = {dashed},
+ ks/.style = {solid},
+ phaselbl/.style = {font=\bfseries, anchor=west}
+ }
+ \begin{tikzpicture}[scale=0.8]
+ \node(protoname) at (0, 0){\texttt{"Noise\_XX\_25519\_ChaChaPoly\_BLAKE2s"}};
+ \node[draw,thick,below=1em of protoname] (inithash) {$H$};
+ \node[below=2em of inithash, xshift= 6.5em] (ck){$ck$};
+ \node[below=2em of inithash, xshift=-6.5em] (h){$h$};
+ \coordinate (labelbase) at (-5,0);
+
+ \draw[->] (protoname) -- (inithash);
+ \draw[->] (inithash) -- ++(0,-2em) coordinate(im0) -| (ck);
+ \draw[->] (im0) -| (h);
+
+ \node[right=7em of ck] (ei){$\mathbf{e_i}$};
+ \node[right=8.5em of ck] (er){$\mathbf{e_r}$};
+ \node[right=10em of ck] (si){$\mathbf{s_i}$};
+ \node[right=11.5em of ck] (sr){$\mathbf{s_r}$};
+
+ \node[draw,thick,below=3em of h] (mix0){MixHash};
+ \node[right=1em of mix0] (str0){\texttt{""}};
+ \node[left] at (str0 -| labelbase) (lbl0){\parbox{10em}{\raggedleft No preamble,\\use empty string}};
+
+ \draw[h] (h) -- (mix0);
+ \draw[->] (str0) -- (mix0);
+
+%---
+ \node[draw,thick,below=2em of mix0] (mix1){MixHash};
+ \node[left] at (mix1 -| labelbase) (tok0){$e\rightarrow $};
+ \draw[h] (mix0) -- (mix1);
+ \draw[ki,ke] (ei) |- (mix1);
+
+ \node[draw,thick,below=2em of mix1] (mix2){MixHash};
+ \node[right=1em of mix2] (str2){\texttt{""}};
+ \node[left] at (str2 -| labelbase) (lbl2){\parbox{10em}{\raggedleft EncryptAndHash\\No payload and\\$k$ unset}};
+ \draw[->] (str2) -- (mix2);
+ \draw[h] (mix1) -- (mix2);
+
+ \coordinate (a) at ($ (mix0) !0.5! (mix1) $);
+ \coordinate (b0) at (a -| lbl0.south west);
+ \draw[dashed] (b0) -- ($ (b0 -| sr) + (1em,0) $);
+%---
+ \node[draw,thick,below=4em of mix2] (mix3){MixHash};
+ \node[left] at (mix3 -| labelbase) (tok3){$e\leftarrow $};
+ \draw[h] (mix2) -- (mix3);
+ \draw[kr,ke] (er) |- (mix3);
+
+ \coordinate (sync4) at (mix3 -| ck);
+ \node[draw,thick,below=2em of sync4] (kmix1){MixKey};
+ \node[left] at (kmix1 -| labelbase) (tok4){$ee\leftarrow $};
+ \node[draw,thick,right=1em of kmix1] (dh0){ECDH};
+ \draw[ck] (ck) -- (kmix1);
+ \draw[ki,ke] (ei) |- ($ (dh0.east) + (0,0.2em) $);
+ \draw[kr,ke] (er) |- ($ (dh0.east) - (0,0.2em) $);
+ \draw[->] (dh0) -- (kmix1);
+
+ \coordinate (sync5) at (kmix1 -| h);
+ \node[draw,thick,below=2em of sync5] (mix5){MixHash};
+ \node[draw,thick,right=2em of mix5] (enc5){$E$};
+ \node[left] at (mix5 -| labelbase) (lbl5){$s\leftarrow $};
+ \draw[h] (mix3) -- (mix5);
+ \draw[->] (enc5) -- (mix5);
+ \draw[->] ($ (kmix1.west) - (2em,0) $) -| (enc5);
+ \draw[kr,ks] (sr) |- (enc5);
+
+ \coordinate (sync6) at (mix5 -| ck);
+ \node[draw,thick,below=2em of sync6] (kmix6){MixKey};
+ \node[left] at (kmix6 -| labelbase) (tok6){$es\leftarrow $};
+ \node[draw,thick,right=1em of kmix6] (dh6){ECDH};
+ \draw[ck] (kmix1) -- (kmix6);
+ \draw[ki,ke] (ei) |- ($ (dh6.east) + (0,0.2em) $);
+ \draw[kr,ks] (sr) |- ($ (dh6.east) - (0,0.2em) $);
+ \draw[->] (dh6) -- (kmix6);
+
+ \coordinate (sync7) at (kmix6 -| h);
+ \node[draw,thick,below=2em of sync7] (mix7){MixHash};
+ \node[draw,thick,right=2em of mix7] (enc7){$E$};
+ \node[right=1em of enc7] (str7){\texttt{""}};
+ \node[left] at (mix7 -| labelbase) (lbl7){\parbox{10em}{\raggedleft DecryptAndHash\\ No payload}};
+ \draw[h] (mix5) -- (mix7);
+ \draw[->] (enc7) -- (mix7);
+ \draw[->] (kmix1.west) -- ++(-2em,0) |- ($ (enc5.south) !0.25! (enc7.north) $) -- (enc7);
+ \draw[->] (str7) -- (enc7);
+
+ \coordinate (a) at ($ (mix2) !0.5! (mix3) $);
+ \coordinate (b1) at (a -| lbl2.south west);
+ \draw[dashed] (b1) -- ($ (b1 -| sr) + (1em,0) $);
+% ---
+ \node[draw,thick,below=4em of mix7] (mix8){MixHash};
+ \node[draw,thick,right=2em of mix8] (enc8){$E$};
+ \node[left] at (mix8 -| labelbase) (lbl8){$s\rightarrow $};
+ \draw[h] (mix7) -- (mix8);
+ \draw[->] (enc8) -- (mix8);
+ \draw[->] (kmix6.west) -- ++(-2em,0) |- ($ (enc7.south) !0.25! (enc8.north) $) -- (enc8);
+ \draw[ki,ks] (si) |- (enc8);
+
+ \coordinate (sync9) at (mix8 -| ck);
+ \node[draw,thick,below=2em of sync9] (kmix9){MixKey};
+ \node[left] at (kmix9 -| labelbase) (tok9){$se\rightarrow $};
+ \node[draw,thick,right=1em of kmix9] (dh9){ECDH};
+ \draw[ck] (kmix6) -- (kmix9);
+ \draw[ki,ks] (si) |- ($ (dh9.east) - (0,0.2em) $);
+ \draw[kr,ke] (er) |- ($ (dh9.east) + (0,0.2em) $);
+ \draw[->] (dh9) -- (kmix9);
+
+ \coordinate (sync10) at (kmix9 -| h);
+ \node[draw,thick,below=2em of sync10] (mix10){MixHash};
+ \node[draw,thick,right=2em of mix10] (enc10){$E$};
+ \node[right=1em of enc10] (str10){\texttt{""}};
+ \node[left] at (mix10 -| labelbase) (lbl10){\parbox{10em}{\raggedleft EncryptAndHash\\ No payload}};
+ \draw[h] (mix8) -- (mix10);
+ \draw[->] (enc10) -- (mix10);
+ \draw[->] (kmix9.west) -| (enc10);
+ \draw[->] (str10) -- (enc10);
+
+ \coordinate (a) at ($ (mix7) !0.5! (mix8) $);
+ \coordinate (b2) at (a -| lbl2.south west);
+ \draw[dashed] (b2) -- ($ (b2 -| sr) + (1em,0) $);
+% ---
+ \coordinate (sync11) at (mix10 -| ck);
+ \node[draw,thick,below=5em of sync11,xshift=-1em] (finkdf){HKDF};
+ \node[below=2em of finkdf,xshift=-1em] (k1){$\mathbf{k_1}$};
+ \node[below=2em of finkdf,xshift= 1em] (k2){$\mathbf{k_2}$};
+ \node[left=1em of finkdf,yshift=2em] (str11){\texttt{""}};
+ \draw[ck] (kmix9) -- (finkdf.north -| kmix9);
+ \draw[ck] (k1 |- finkdf.south) -- (k1);
+ \draw[ck] (k2 |- finkdf.south) -- (k2);
+ \draw[->] (str11) -| ($ (finkdf.north) - (1em,0) $);
+
+ \coordinate (sync11a) at (finkdf.south -| h);
+ \node[below=2em of sync11a] (hout){$\mathbf{h}$};
+ \draw[h] (mix10) -- (hout);
+
+ \node[left] at (finkdf -| labelbase) (lbl13){\parbox{10em}{\raggedleft Split}};
+
+ \coordinate (a) at ($ (mix10) !0.5! (finkdf) $);
+ \coordinate (b3) at (a -| lbl10.south west);
+ \draw[dashed] (b3) -- ($ (b3 -| sr) + (1em,0) $);
+%---
+ \node[phaselbl, rectangle] at ($ (b0) !0.5! (b0 |- protoname) $) (setup){setup};
+ \node[phaselbl, circle] at ($ (b0) !0.5! (b1) $) (ph0){0};
+ \node[phaselbl, circle] at ($ (b1) !0.5! (b2) $) (ph1){1};
+ \node[phaselbl, circle] at ($ (b2) !0.5! (b3) $) (ph2){2};
+ \node[phaselbl, rectangle] at ($ (b3) !0.5! (b3 |- hout) $) (fin){fin};
+
+ \end{tikzpicture}
+ \caption{Cryptographic flowchart of Noise XX handshake.}
+ \label{crypto_diagram}
+\end{figure}
+
+To analyze the impact of disclosing the handshake hash to an adversary we must consider its definition. The noise
+protocol specification does not % FIXME double-check this
+guarantee that the handshake hash can be disclosed to an adversary without compromising security. Figure
+\ref{crypto_diagram} is a flowchart of the derivation of both initiator-transmit and initiator-receive symmetric
+encryption keys $k_{1,2}$ and the handshake hash $h$ during the Noise handshake. Following are the definitions of
+MixHash and MixKey according to the Noise protocol specification.
+
+\begin{align}
+ \text{MixHash}(h,\text{input}) &= h' = H(h || \text{input})\\
+ \text{MixKey}(ck, \text{input}) &= (ck', k_\text{temp}) = \text{HKDF}(ck, \text{input}, 2)\\
+\end{align}
+
+Noise's hash-based key derivation function (HKDF) is defined using the HMAC defined in RFC2104\cite{rfc2104}. The hash
+function $H$ employed here depends on the cipher spec used. SecureHID uses BLAKE2s.
+\begin{equation}
+ \text{HMAC}(K, \text{input}) = H\left(\left(K \oplus opad\right)
+ || H\left(\left(K \oplus ipad\right) || \text{input} \right)\right)
+\end{equation}
+
+The HKDF is defined for two and three outputs as follows.
+\begin{equation}
+ \text{HKDF}(ck, \text{input}, n_\text{out}) =
+ \left\{\begin{array}{ll}
+ (q_0, q_1) &: n_\text{out} = 2\\
+ (q_0, q_1, q_2) &: n_\text{out} = 3\\
+ \end{array}\right.
+\end{equation}
+
+The outputs $q_i$ are derived from chained HMAC invocations. First, a temporary key $t'$ is derived from the chaining key $ck$
+and the input data using the $HMAC$, then depending on $n_\text{out}$ the HMAC is chained twice or thrice to produce
+$q_{\{0,1,2\}}$.
+\begin{gather}
+ t' = \text{HMAC}(ck, \text{input})\\
+ \underbrace{\text{HMAC} \Bigl(t',
+ \underbrace{\text{HMAC} \bigl(t',
+ \underbrace{\text{HMAC} (t',
+ 1_{16})}_{q_0}
+ || 2_{16}\bigr)}_{q_1}
+ || 3_{16}\Bigr)}_{q_2}
+\end{gather}
+
+Relevant to this protocol implementation's security are the following two properties, both of which can be derived from
+figure \ref{crypto_diagram}:
+\begin{enumerate}
+\item Initiator and responder ephemeral and static keys are all mixed into the handshake hash at least once.\label{fp1}
+\item Knowledge of the handshake hash does not yield any information on the symmetric AEAD keys $k_1$ and $k_2$.\label{fp2}
+\end{enumerate}
+
+\ref{fp1} is evident since $e_i$ and $e_r$ are mixed in directly and $s_i$ and $s_r$ are mixed in after encryption with
+temporary encryption keys derived from $ck$ at the $s\rightarrow$ and $s\leftarrow$ steps during the handshake.
+We can see \ref{fp2} applies by following the derivation of $h$ backwards. If an attacker learned anything about $k1$ or
+$k2$ during an attack by (also) observing $h$ that they did not learn before, we could construct an oracle allowing both
+reversal of $H$ in the final invocation of $MixHash$ and breaking $E$ using this attacker. The attacker would have to
+reverse $H$ at some point since $h = H(\hdots)$ in the final invocation of MixHash. The attacker would have to recover
+the key of $E$ in at least one invocation since $s_i$ and $s_r$ are only mixed into $h$ after either being encrypted
+using $E$ or being used after ECDH to generate a key for $E$. Since the result of ECDH on $e_i$ and $e_r$ is mixed into
+$h$ in the $ee\leftarrow$ and following DecryptAndHash steps, $h$ is blinded to an attacker so that they cannot even
+determine a given $k_1$ and $k_2$ match a given $h$ without compromising ECDH security.
+This means that given the underlying primitives are secure, we do not leak any information on $k1$ or $k2$ by disclosing
+$h$.
+
+% FIXME find and consistently apply a nice name for this handshake method
+\subsection{Alternative uses for interactive public channel binding}
+\label{altuse}
+
+The channel binding method described above can be used in any scenario where a secure channel between two systems must
+be established where one party has a display of some sort and the other party has an input device of some sort.
+
+\paragraph{Relation to screen-to-photodiode interfaces}
+There have been many systems using a flashing graphic on a screen to transmit data to a receiver containing a photodiode
+held against the screen. Such systems have been used to distribute software over broadcast television but have also been
+used for cryptographic purposes. One widely-deployed example is the ``Flickertan'' system used for wire transfer
+authorization in Germany where a smartcard reader with five photodiodes is held against a flickering image on the bank
+website's wire transfer form\cite{schiermeier01,schiermeier02,braun01}. Systems such as this one do not benefit from the
+interactive channel binding process described in this paper since they do not require any direct user interaction. They
+could however be used as an alternative means for channel binding in any system also supporting interactive pairing as
+described above. The handshake fingerprint would simply be encoded into the flicker signal and transmitted to the other
+endpoint in that way. Similarly, QR-codes or other barcodes could be used to a device containing a camera. The primary
+advantage of photodiode-based systems is that they incur lower implementation complexity and don't require a potentially
+expensive camera.
+
+\paragraph{Adaption for SSH identity distribution}
+Our interactive channel binding method using a passphrase could be used for key establishment in an SSH setup.
+SSH includes a powerful built-in public-key authentication system, but does not include key management functionality.
+To grant and revoke public key-based access to a host or account, SSH expects the user to manually manage a textual
+\texttt{authorized\_keys} file containing all public keys allowed to login to a particular host or account. Mutual
+authentification is supported by default, using a trust on first use system storing host key fingerprints in a
+\texttt{known\_hosts} file. SSH's identity management system is well-tested and can be considered secure for almost any
+purpose. It is however very simplistic and shifts the burden of access management and identity synchronization to the
+user. Except in very simple use cases, the user will have to provide their own identity management layer on top of the
+primitives provided by SSH. Common implementations of this include offloading \texttt{authorized\_keys} functionality to
+LDAP or automatically generating \texttt{authorized\_keys} files from a configuration management system. The secure
+implementation of any such system incurs a large organizational overhead. SSH keys are too long to be practically
+read-out aloud which in case of small organizations often leads ot insecure practices such as sharing of SSH public keys
+through chat, email or wiki pages for initial access during say, onboarding of a new employee. Though such out-of-band
+key distribution schemes may well be secure often the OOB channel's security is not adequately considered in advance.
+
+The interactive channel binding method described in this paper could be used to interactively transfer an SSH key's
+public to another host by simply establishing a secure channel from source to target machine in the fashion outlined
+above, then copying the key through it. Compared to current common practice this approach would allow two users to
+transfer a key by simply reading out aloud the channel binding fingerprint. This reduces the problem of a digital
+out-of-band channel trusted for direct transfer of manipulation-sensitive key material to the problem of two users being
+sure whether they're actually talking to each other instead of an impostor.
+
+A scenario using the SecureHID hardware to improve SSH security would be to terminate the SSH connection inside the
+SecureHID hardware and this way prevent a compromised host from compromising the SSH remote. This approach has the
+primary drawback that it would incur a large implementation overhead providing new attack surface. Additionally this
+approach would only work when the user is solely interacting with the remote system through keyboard input and would
+break workflows that require copying files to the remote host, or running commands in an automated fashion like a
+configuration management system such as ansible would do.
+
+\section{Hardware implementation}
+\subsection{Hardware overview}
+To demonstrate the practicality of this approach and to evaluate its usability in an everyday scenario, a hardware
+prototype has been built. Based on an initial prototype consisting of a microcontroller development board and a bundle
+of wires a custom PCB fitting an off-the-shelf case has been produced that allows future % FIXME
+usability testing in practical settings.
+
+The hardware implementation consists of two ARM microcontrollers, one for the untrusted host side and one for the
+trusted device side. Both are linked using a simple UART interface. Both microcontrollers have been chosen by their USB
+functionality. For the integrated USB host controller, we had to chose a rather powerful microcontroller on the trusted
+device side even though a much less powerful one would have sufficed even though we are doing serious cryptography on
+this microcontroller. AES encryption is done on every data packet and must compelete in time for the overall system to
+meet its latency requirement, % FIXME go into details on input latency vs. usability somewhere else
+but is fast enough by a large margin. % FIXME benchmarks
+Similarly, the hash and ECDH operations during the cryptographic handshake are fast enough by a large margin. %FIXME benchmark
+Additionally, those operations are only invoked infrequently any time the device is disconnected or the host suspends.
+
+\subsection{Hardware security measures}
+% separate power supplies, possible future filtering of power/gnd and comms link signals
+
+\subsection{Usability considerations}
+
+\paragraph{Implementation robustness}
+In many systems such as common TLS-based systems, overall system security heavily depends on implementation details such
+as certificate checking and user interface details such as the precise structure of security warning messages and how
+they can be overridden. The complexity of these components in practice often leads to insecure systems, such as a system
+using TLS checking a certificate's internal validity but omitting checks on the certificate's chain of trust. A nice
+property of the key estabilishment system outlined in this paper is that it is both very simple, reducing surface for
+errors and it tightly couples the critical channel binding step during key establishment to the overall system's user
+interface. In a system using either keyboard or mouse-based interactive channel binding, an implementation that does not
+perform the channel binding step correctly would simply not work. If the host does not display the correct fingerprint
+the user cannot enter it and the device will not complete the binding step. If the device does not relay fingerprint
+data correctly during pairing the host application would clearly indicate to the user things are amiss with the input
+not matching the fingerprint. Since the channel fingerprint is computed in a cryptographically well-defined way based
+on entropy contributed by both partners during pairing a implementer would not even be able to accidentially degrade
+fingerprint security.
+
+The critical point from an UI perspective in this pairing scheme is that the host application must display correct
+instructions to the user for them to complete pairing. In particular the host application must put emphasis on the user
+actually checking whether the device raised an alarm before confirming pairing after fingerprint input. Even if it
+didn't the user would notice the device not functioning, but an attacker might have gained unauthorized access in the
+meantime. Likewise, the device needs a clearly understandable method of indicating pairing failure to the user. In
+practice a loud buzzer and a few bright LEDs would likely suffice for this.
+
+\paragraph{Adaption to mice} Instead of a keyboard, a mouse can be used for pairing without compromising protocol
+security. In a basic scheme, the host would encode the fingerprint bit string into a permutation
+$\sigma(i) : \{n\in\mathbb N, n\le m\} \rightarrow \{n\in\mathbb N, n\le m\}$
+for an integer security parameter $m>0$
+and then display the sequence $\sigma(i)$ in a grid of buttons similar to a minesweeper field with an emualted mouse
+cursor driven by pairing input on top. The user would then click the buttons on the grid in numeric order. The device
+would do the same mouse emulation invisible to the user and would be able to observe the permutation this way. The
+fingerprint can finally be checked by decoding the permutation into a bit string and comparing. The security level for
+this method in bits is $\eta = \log_2(m!)$ or better than 80bit for $m=25$ in case of a 5x5 grid. See figure
+\ref{mouse_mockup} for a mockup of what such a system might look like.
+
+\begin{figure}[h]
+ \centering
+ \includegraphics[width=7cm]{mouse_mockup.png}
+ \caption{A mockup of what mouse-based interactive pairing might look like}
+ \label{mouse_mockup}
+\end{figure}
+
+\paragraph{Gamification}
+A second, slightly more complex approach to a mouse-based interface would be to adapt the popular game Minesweeper to
+compare fingerprints in our interactive setting. In Minesweeper, the user is presented with a fixed-size, say $20\times
+20$ $x-y$ grid of fields. Under each of $n$ of the $x\times y$ fields a mine is hidden. The user is tasked with
+uncovering all fields \emph{without} mines while \emph{flagging} those fields that contain mines. Every time the user
+uncovers a field, the number of mines on adjacent fields is shown. If there are no mines on adjacent fields, all
+adjacent fields are automatically uncovered by the game in a recusive fashion. The user wins when all mine-free fields
+have been uncovered and all fields with mines flagged, and looses when they try to uncover a field with a mine on it.
+
+The fundamental approach to use minesweeper as a pairing method would be to encode the fingerprint into the minesweeper
+field. The host would encode the fingerprint, then let the user play the game using their mouse with the usual on-screen
+graphical representation of the game field. The device would besides forwarding all mouse input events to the host
+simultaneously trace all user actions in order to Both host and device would emulate the game field and after a
+successful run the user will have marked all locations of mines, thereby out-of-band transferring the field
+configuration chosen by the host to the device.
+
+Minesweeper is very well-known and can be parametrized to be easily solved by most people. Compared to the task of
+sequentially clicking buttons as presented in the previous paragraph a user might prefer playing a game of minesweeper
+instead. While various problems surrounding minesweeper are computationally hard\cite{demaine01}, field generation is
+easy. To place $n$ mines on a $x$ by $y$ grid one simply chooses an unordered subset of $n$ elements, of which there are
+$\tbinom{xy}{n}$. For the three default difficulty levels provided by the minesweeper game included in Windows XP the
+field state contains $\approx 40$, $\approx 156$ and $\approx 348$ bits of entropy respectively. This means even just
+two rounds on beginner difficulty, or a single round on intermediate difficulty already provide a cryptographically
+significant 80 bit security level. In the context of the interactive pairing protocol presented in this work, even a
+single beginner-level round of minesweeper already reduces the chance of an undetected man in the middle attack to a
+negligible level.
+
+A usability concern in this minesweeper-based pairing scheme would be user error. To improve user experience it would be
+wise to still consider a round, even if the user makes a mistake and looses the game. A simple way to do this that also
+intuitively handles user-set game difficulty levels would be to set a target entropy such as 40 bit, then repeat games
+until the target entropy is reached with each game's outcome contributing to the entropy level depending on the
+outcome's probability.
+with a multivariate hypergeometric distribution here, jk
+
+\paragraph{Adaption to button input}
+Adaption to button input using few buttons is a little bit harder. The obvious but impractical solution here is to have
+the user enter a very long numeric string. Entering an 80-bit number on a two-button binary keyboard is not
+user-friendly. One other option would be to emulate an on-screen keyboard similar to the ones used in arcade and console
+video games for joystick input. This would be more user-friendly and would likely be a natural interface to many users
+familiar with such games. One possible attack here is that if the host were to ignore dropped input packets, an attacker
+might selectively drop packets in order to cause a desynchronization of host and device fingerprint input states. The
+user would likely chalk up this behavior to sticky or otherwise unreliable keys and while they might find it
+inconvenient, they might not actually abort the procedure. Thus it is imperative that the host verify there are no
+dropped packets during pairing. This same observation is also true for keyboard or mouse-based pairing as explained
+above, but an attack would be much more noticeable there to users as mice and keyboards are generally regarded reliable
+by most users.
+
+\section{Evaluation}
+% FIXME
+
+\section{Future work}
+
+The aspects outlined in section \ref{altuse} provide potential future research directions. The adaption of the system to
+mouse input might be an interesting target for a user experience study, particularly in comparison with a purely
+keyboard-based system. The SSH key exchange method would be an interesting target for a general-use systems
+administration tool. Though we have done some basic security arguments in this paper, a more rigurous formalization
+might be interresting for future use of this technology. We have soundly argued about the user experience benefits of
+our method, but we have not performed any field experiments to back up these arguments. Future research might analyze
+the practical security a system as outlined in this paper yields under real-world conditions. The various trade-offs of
+e.g. keyboard vs. mouse input, fingerprint length and design details of the pairing UI might be analyzed with respect to
+practical usability and security.
+
+\section{Conclusion}
+% FIXME
+
+%\section{PCB design renderings}
+%\label{ch:renderings}
+
+%\begin{figure}[H]
+% \centering
+% \begin{subfigure}[b]{0.8\textwidth}
+% \centering
+% \includegraphics[width=0.8\textwidth]{pcb_front.png}
+% \caption{PCB front}
+% \end{subfigure} %
+% \begin{subfigure}[b]{0.8\textwidth}
+% \centering
+% \includegraphics[width=0.8\textwidth]{pcb_back.png}
+% \caption{PCB back}
+% \end{subfigure}
+% \caption{PCB design 3D renderings}
+% \label{fig:pcb3d}
+%\end{figure}
+%
+%\begin{figure}[H]
+% \centering
+% \includegraphics[width=0.6\textwidth]{takachi_case.png}
+% \caption{Off-the-shelf enclosure the PCB is made to fit}
+% \label{fig:case}
+%\end{figure}
+
+%\subsection{Attack surface in reasonably secure systems}
+%\begin{figure}
+%\tikzstyle{block} = [rectangle, draw, text centered, minimum height=4em]
+%\begin{tikzpicture}[node distance=2cm, auto]
+% \node[block](matrix){Key matrix}
+% \node[block](hidctrl){Keyboard controller}
+% \node[block](hubs){USB hubs}
+% \node[block](roothub){USB host controller}
+% \node[block](pcie){PCIe bus}
+% \node[block](sys-usb-kernel){USB VM kernel}
+% \node[block](sys-usb-agent){USB VM userspace agent}
+% \node[block](dom0){dom0 agent}
+%\end{tikzpicture}
+%\label{qubes-hid-stack}
+%\caption{The USB HID input stack in a QubesOS setup}
+%\end{figure}
+
+\nocite{*}
+\printbibliography
+
+\appendix
+\section{Project state}
+A working prototype has been completed.
+
+\subsection{Completed}
+\begin{itemize}
+ \item Rough protocol design
+ \item Protocol implementation based on \textcite{perrin01} using noise-c (microcontroller) and noiseprotocol (python/host)
+ \item SRAM-based key storage with SRAM wear levelling
+ \item host/device signature checking
+ \item host/device key generation
+ \item proper circuit design (see appendix \ref{ch:renderings})
+\end{itemize}
+
+\subsection{Open issues}
+\begin{itemize}
+ \item Both noise-c and noiseprotocol have poor code and API quality. Since most noise functionality is not needed,
+ just implement the protocol in bare C/python based on cryptographic primitives and scrap higher-level protocol
+ implementations (though they've been useful so far during prototyping).
+ \item Implement HID mouse host support
+ \item Test USB hub support
+ \item Replace the serial link with a custom USB link using an STM32F103 instead of the CH340G USB/serial converter
+ \item Properly integrate prototype host client with qubes infrastructure
+ \item Implement photodiode/monitor-based pairing side-channel
+\end{itemize}
+
+\section{Possible directions}
+\begin{itemize}
+% \item Elaborate handshake security properties
+% \begin{itemize}
+% \item Possibly investigate other applications of this type of interactive handshake
+% \item Possibly contrast to carmera/other backchannel systems
+% \item IMHO the pairing scheme is the most interesting part of this project from a scientific point of view
+% \item Prove security
+% \end{itemize}
+% \item Elaborate overall security properties of QubesOS-based system
+ \item Elaborate possible DisplayPort/HDMI-based display encryption $\rightarrow$ Bunnie's NeTV2 w/ HDMI/eDP converter
+% \item Elaborate possible encrypted remote input (SSH) setups
+% \begin{itemize}
+% \item This might turn out to be really interesting
+% \item For this to be usable the host needs to tell the device at least which keyslot to use which could turn
+% out to be complex to implement securely
+% \item Considering complexity, this might turn into its own research project
+% \end{itemize}
+% \item Showcase secure hardware interface design, contrast with wireguard protocol design
+% \begin{itemize}
+% \item Formally derive handshake security properties
+% \item Formally derive host/device protocol security properties using noise spec
+% \item Formally verify and thouroughly unit-test the host/device protocol implementation on all layers
+% \item IMHO this is the most interesting part of this project from an engineering point of view
+% \end{itemize}
+% Waiting
+ \item Create custom hardware prototype
+ \item Benchmark cryptography routines (will likely turn out to be ``wayyy fast'' for HID, fast enough for full-speed
+ USB. High-speed cannot be done with the current architecture as we can't get data out the chip at high-speed
+ data rates. \textcite{srivaths01} raise the issue of running crypto on embedded systems, but in this case it
+ turns out with somewhat modern hardware and cryptography there is no problem at all.
+\end{itemize}
+\end{document}