From 386d16314fdb3af805da1f38b50343806de40aaa Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 2 Mar 2021 19:29:55 +0100 Subject: Rename paper tex files --- IEICE_ISEC2019_goette_securehid_final_shrunken.pdf | Bin 677029 -> 0 bytes ...CE_ISEC2019_goette_securehid_final_shrunken.pdf | Bin 0 -> 677029 bytes paper/.gitignore | 1 + paper/research_directions.tex | 880 --------------------- paper/securehid.tex | 880 +++++++++++++++++++++ 5 files changed, 881 insertions(+), 880 deletions(-) delete mode 100644 IEICE_ISEC2019_goette_securehid_final_shrunken.pdf create mode 100644 doc/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf delete mode 100644 paper/research_directions.tex create mode 100644 paper/securehid.tex diff --git a/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf b/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf deleted file mode 100644 index acecf86..0000000 Binary files a/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf and /dev/null differ diff --git a/doc/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf b/doc/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf new file mode 100644 index 0000000..acecf86 Binary files /dev/null and b/doc/IEICE_ISEC2019_goette_securehid_final_shrunken.pdf differ diff --git a/paper/.gitignore b/paper/.gitignore index 0cc2376..22dabdc 100644 --- a/paper/.gitignore +++ b/paper/.gitignore @@ -8,3 +8,4 @@ *.bib~* *.run.xml *-eps-converted-to.pdf +securehid.pdf diff --git a/paper/research_directions.tex b/paper/research_directions.tex deleted file mode 100644 index 602d09b..0000000 --- a/paper/research_directions.tex +++ /dev/null @@ -1,880 +0,0 @@ -\documentclass[12pt,a4paper,notitlepage]{article} -\usepackage[utf8]{inputenc} -\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry} -\usepackage[T1]{fontenc} -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=true, - doi=true, - eprint=false - ]{biblatex} -\addbibresource{directions.bib} -\usepackage{amssymb,amsmath} -\usepackage{listings} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{amsthm} -\usepackage{tabularx} -\usepackage{multirow} -\usepackage{multicol} -\usepackage{tikz} - -\usetikzlibrary{arrows} -\usetikzlibrary{backgrounds} -\usetikzlibrary{calc} -\usetikzlibrary{decorations.markings} -\usetikzlibrary{decorations.pathreplacing} -\usetikzlibrary{fit} -\usetikzlibrary{patterns} -\usetikzlibrary{positioning} -\usetikzlibrary{shapes} - -\usepackage{hyperref} -\usepackage{tabularx} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{subcaption} -\usepackage{float} -\usepackage{footmisc} -\usepackage{array} -\usepackage[underline=false]{pgf-umlsd} -\usetikzlibrary{calc} -%\usepackage[pdftex]{graphicx,color} -%\usepackage{epstopdf} - -\newcommand{\foonote}[1]{\footnote{#1}} -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} - -\author{Sebastian Götte {\texttt} @Mori lab, Waseda University} -\title{Securing the USB interface} -\date{December 12 2018} -\begin{document} -\maketitle - -\section{Introduction} -\subsection{Problem definition} -A computer's USB interface is hard to secure. Though overall security is quite good today, the USB interface has not -received enough attention. In particular HIDs are a problem, as they are naturally very highly privileged. -Off-the-shelf USB HID attack tools exist. In particular from a security point of view extremely bad ideas such as -WebUSB\cite{misc01} are set to increase this already large attack surface even further. - -\subsection{Contributions} -This work includes three key contributions. First, it demonstrates a practical implementation of a complete, -backwards-compatible secure USB system using QubesOS and a single new piece of security hardware. Second, it shows a -novel interactive user-friendly cryptographic handshaking scheme based on out-of-band communication. Third, it shows and -proposes some techniques for the design of general secure protocols that are not limited to USB alone. - -\section{The state of the art in mitigation} -Several ways to secure the USB interface have been proposed that can be broadly categorized as follows. -\begin{itemize} - \item USB firewalls are software or hardware that protects the host from requests deemed invalid similar to a network firewall\cite{tian01,angel01,kang01,bates01,loe01}. - \item USB device authentication uses some sort of user feedback or public key infrastructure to authenticate the device when it connects\cite{usb01,griscioli01,wang01,he01}. - \item USB bus encryption encrypts the raw USB payloads to ward off eavesdroppers\cite{neugschwandtner01,weinstein01}. - \item For wireless protocols, every conceivable pairing model has been tried. However, not many have been applied to - USB\cite{arun01,uzun01,kobsa01,saxena01}. - \item Compartmentalized systems such as QubesOS separate vulnerable components with large attack surface such as the USB device drivers into VMs to not inhibit exploitation but mitigate its consequences. -\end{itemize} - -\begin{table} - \setlength{\extrarowheight}{5pt} - \begin{tabular}{l|P{10mm}|P{15mm}|P{15mm}|P{15mm}|P{17mm}|P{25mm}|} - &\multicolumn{3}{c|}{\bfseries Attacks} & \multicolumn{2}{c|}{\bfseries Eavesdropping} & \multirow{2}{25mm}{\centering\bfseries Backwards\newline compatible} \\\cline{2-6} - & \bfseries HID &\bfseries Host\newline exploit &\bfseries Device\newline exploit&\bfseries Bus-level &\bfseries Physical layer & \\\hline - Firewalls & $\bigcirc$ & $\triangle$ & $\times$ & $\triangle$ & $\times$ & $\bigcirc$ \\ - Device authentication & $\bigcirc$ & $\times$ & $\times$ & $\triangle$ & $\times$ & $\times$ \\ - Bus encryption & $\triangle$ & $\times$ & $\times$ & $\bigcirc$ & $\bigcirc$ & $\times$ \\ - Plain QubesOS setup\footnotemark - & $\triangle$ & $\triangle$ & $\triangle$ & $\triangle$ & $\times$ & $\bigcirc$ \\ - Our work & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ - \end{tabular} - \caption{Comparison of approaches to USB security} - \label{approach_comparison} -\end{table} -\footnotetext{Requires separate USB host controller for HIDs} - -We compare these approaches w.r.t. several attacks in \ref{approach_comparison}. Overall we found that QubesOS is the -only advance towards securing this interface that is both \emph{practical} and \emph{effective}. Other approaches have -not been successful so far likely due to market inertia and backwards-incompatibility. -QubesOS approaches the problem by running a separate VM with the USB host controllers mapped through via IOMMU. This VM -runs a linux kernel with a small set of white-listed USB device drivers (HID and mass storage device) and a USB-over-IP -backend. A set of Qubes services pass through any HID input arriving inside this VM into dom0, and coordinate exporting -USB mass storage devices as Xen block devices. Any other USB devices can be passed-through to other VMs through -USB-over-IP-over-QubesRPC, a Xen vChan-based inter-VM communication system. -QubesOS is still lacking in that it's compartmentalization becomes essentially useless when it is used with a USB HID -keyboard that does not have its own dedicated PCIe USB host controller, as any normal desktop and most recent laptop -computers. The issue here is that USB HID is neither authenticated nor encrypted, and the untrusted USB VM sits in the -middle of this data stream, which thus allows it trivial privilege escalation via keystroke injection. - -\subsection{Usage scenarios} - -Today USB's level security is still adequate for most everyday users. In general, attacks against USB either require -special malicious hardware or require re-flashing of existing peripherals with custom malicious firmware. Today's -low-level cybercrime targeting everyday users is still focused on much easier tasks such as stealing passwords through -phishing, installing cryptolocker malware by means of malicious email attachments and extracting sensitive user data -with malicious browser addons. Fortunately, we have not yet entered an age where average computer users need to worry -about the type of attack this work defends against. Still, it can be expected that with the general increase of overall -computer security, eventually attackers will have to graduate to more advanced means--and since at this time the -landscape of effective defenses against USB attacks is very sparse, your author considers it important to explore the -avenues to effective defence ealier rather than later in order to be prepared for evolving attacks. - -Despite the banality of everyday cybersecurity described above, there already are some people and organizations who face -advanced attacks including USB attacks. Due to their exceedingly simple execution, USB HID attacks are a very attractive -way to perform targeted attacks. For this reason, specialized USB attack hardware is already available commercially at -low cost. For users facing targeted attacks like this, SecureHID might already provide practical benefits. -The users most at risk of targeted attacks are those either working with highly sensitive data or working with highly -privileged access. The former group would include people such as journalists working with their sources and politicians -working with confidential information. The latter group would include law enforcement officials, often being endowed -with wide-ranging electronic access to databases and other confidential information. Further, system administrators and -computer programmers are often provided highly privileged access to critical systems for software deployment using -systems such as Ansible or uploading software packages into software repositories such as PyPI. - -In all of these scenarios there are many users with very poweful adversaries. In case of a software developer or systems -administrator that would be competing companies or foreign intelligence agencies trying to gain access to internal -networks to steal confidential information. In case of a journalist that would be whoever they are writing about and -here the most interesting articles might come with the most powerful enemies. Finally, a security researcher would by -nature of their work, out of academic interest specifically be looking for the most dangerous targets they could find. - -Some users might be able to reduce their attack surface to USB attacks by reducing their use of untrusted USB devices, -but in many everyday scenarios such as those described above this is not an option. A security researcher needs to -connect to untrusted devices in order to analyze them, and using a second, isolated machine for this is very -inconvenient. A journalist or politician will frequently have to read USB flash drives with documents for their work, -and again simply solving the problem by air-gapping is an effective but impractical mitigation. In all of these cases, -SecureHID would be an effective mitigation. - -\section{Approach} -\subsection{System overview} -The goal of SecureHID is to enable the first reasonably secure system using both HID and arbitrary untrusted devices on -the same USB host controller, based on QubesOS. SecureHID consists of a USB HID encryption box to be put between -keyboard and computer and a piece of software run inside QubesOS. After initial pairing with the host software, the -encryption box will encrypt and sign any USB HID input arriving from the keyboard and forward the encrypted data to the -host. The host software running outside the untrusted USB VM will receive the encrypted and signed data from the -untrusted USB VM, verify and decrypt it, and inject the received HID input events into Qubes's input event handling -system. - -A schematic diagram of a system employing SecureHID is shown in figure \ref{diagram_with}. Two major points that can be -seen here are that first, SecureHID requires no specialized hardware on either end and transparently plugs into the -existing USB stack. Second, a SecureHID-protected setup has two well-defined security boundaries, one inside the -SecureHID device between host and device side, and one in the host operating system between USB driver VM and -hypervisor. These security boundaries allow a clean separation of a SecureHID setup into untrusted and trusted domains -and greatly simpliefies reasoning about overall system security. Communication across these security boundaries is -limited to the simple SecureHID protocol. We describe the design of the SecureHID protocol in section \ref{prot_desc} -and elaborate its security properties in section \ref{prot_ver}. The security of the protocol's core components has been -formally verified in the past and the protocol has been kept simple enough to allow exhaustive verification and testing. - -\begin{figure}[p] - \includegraphics[scale=0.8]{system_diagram_with_secureusb.eps} - \caption{Diagram of a SecureHID-protected system} - \label{diagram_with} -\end{figure} - -\subsection{System security properties} -This system is sufficient to secure any USB setup, especially unmodified desktop PCs or laptops where a USB host -controller is shared between both HIDs and other devices. Attack surface is reduced such that a \emph{full compromise} -of the system becomes unlikely, since plain HID is no longer supported. The remaining attack surface consists only of a -\emph{compromise of the USB VM}. This attack surface is small enough that other sensitive devices such as USB audio -devices can safely be connected. A compromise of the USB driver VM no longer gives full system access, but at best -allows listening in on the microphone. Since a compromised USB VM in general does not have network access, such an -attack will be mostly harmless in most scenarios. Additionally, the most likely attacking devices would be custom -hardware or a compromised smartphone. Custom hardware can easily be outfitted with a microphone, essentially turning it -into a bug irrespective of USB functionality, and smartphones already have microphones by definition. - -A practical mitigation for potential information leakage through microphones, webcams and other sensitive devices would -be to simply unplug them when not used. Microphones could also be connected to a PCIe-based sound card (such as the -integrated sound card of most laptops) and webcams could potentially be isolated to a separate USB host controller. - -\subsection{USB physical-level and bus-level attacks} -Since sensitive HIDs are isolated from other USB devices effectively on a separate bus, bus-level attacks such as -\textcite{neugschwandtner01} are entirely prevented. The much scarier physical attacks on USB such as \textcite{su01} -can be prevented thanks to the clear security boundary inside the SecureHID device. Since there is only four wires -needed between the trusted and untrusted sides (Ground, VCC, serial RX and serial TX) and the serial link is running at -a comparatively low speed (115.2kBd easily suffice), analog filtering is a viable measure against sidechannels. On the -ground and VCC rails extensive filtering using series inductors and large capacitors can be used to decouple both sides. -Additionally, both sides' microcontrollers can optionally be fed from separate voltage regulators powered off the USB 5V -rail to reduce side-channels. The serial link can be filtered to limit its analog bandwidth to above serial speeds -(50kHz) but much below the trusted microcontroller's system clock (72MHz). Finally, on the untrusted microcontroller -choosing UART pins that are not multiplexed to its internal ADC elminates the risk of direct measurements by a -compromised microcontroller firmware and leaves only indirect measurements of power supplies or coupling into other -pins' signals. This means that with a few very inexpensive hardware countermeasures (an additional voltage regulator and -a handful of capacitors, inductors and resistors for filtering) any analog side-channels between trusted and untrusted -side can be ruled out. - -\section{Cryptographic design} - -\subsection{Protocol description} -\label{prot_desc} -The basic protocol consists of two stages: \textsc{pairing} and \textsc{data}. When the device powers up, it enters -\textsc{pairing} state. When the host enumerates a new device, it enters \textsc{pairing} state. If any fatal -communication errors occur, both host and device re-enter \textsc{pairing} state. To make the implementation robust -against host software crashing, devices being unplugged etc. without opening it up to attacks, the host can request the -device to re-enter \textsc{pairing} state a limited number of times after powerup. - -\textsc{pairing} state consists of a number of substates as set by \textcite{perrin01}. The device runs noise's -\textsc{XX} scheme, i.e. both host and device each contribute both one ephemeral key $e$ and one static key $s$ to the -handshake, and the public halves of the static keys are transmitted during handshake encrypted by the emphemeral keys. - -The cryptographic primitives instantiated in the prototype are X25519 for the ECDH primitive, BLAKE2s as a hash and -ChaCha20-Poly1305 as AEAD for the data phase. ECDH instead of traditional DH was chosen for its small key size and fast -computation. Since no variant of RSA is used, key generation is fast. An ad-hoc prototype device-side random number -generator has been implemented based on BLAKE2s and the STM32's internal hardware RNG. - -\begin{figure}[h] - \centering - \begin{sequencediagram} - \newinst{kbd}{Keyboard} - \newinst[3]{dev}{SecureHID} - \newinst[5]{host}{Host} - - \mess{host}{}{dev} - \path (mess from) -- (mess to) node[midway, above] {\emph{COBS sync (null byte)}}; - \mess{host}{}{dev} - \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Initiate Handshake}}; - - \begin{sdblock}{Noise XX handshake}{} - \mess{host}{}{dev} - \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e$}; - \mess{dev}{}{host} - \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e,ee,s,es$}; - \mess{host}{}{dev} - \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, s,se$}; - \end{sdblock} - - \begin{sdblock}{Pairing}{Triggered by user interaction after unsuccessful handshake} - \mess{dev}{}{host} - \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Start}}; - \stepcounter{seqlevel} - - \mess{kbd}{keystroke}{dev} - \addtocounter{seqlevel}{-1} - \mess{dev}{}{host} - \path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$}; - \stepcounter{seqlevel} - \mess{kbd}{}{dev} - \addtocounter{seqlevel}{-1} - \path (mess from) -- (mess to) node[midway, above] {keystroke}; - \path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$}; - \mess{dev}{}{host} - \path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$}; - \path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$}; - \stepcounter{seqlevel} - - \mess{kbd}{}{dev} - \addtocounter{seqlevel}{-1} - \path (mess from) -- (mess to) node[midway, above] {\emph{enter}}; - \mess{dev}{}{host} - \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Success}}; - \end{sdblock} - - \begin{sdblock}{Input passthrough}{Started after successful handshake or pairing} - \mess{kbd}{keystroke}{dev} - \path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$}; - - \addtocounter{seqlevel}{-1} - \mess{dev}{}{host} - \path (mess from) -- (mess to) node[midway, above] {$\textsc{Data},E(\text{keystroke})$}; - \path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$}; - \stepcounter{seqlevel} - \end{sdblock} - \end{sequencediagram} - \caption{A successful prototype protocol pairing} - \label{protocol_diagram} -\end{figure} - -A successful pairing looks like this: -\begin{enumerate} -\item \textbf{Handshake.} \textsc{device} is connected to \textsc{host} -\item \textsc{host} initiates pairing by sending \textsc{initiate handshake} to device -\item \textsc{device} and \textsc{host} follow noise state machine for the \textsc{XX} handshake. See figure - \ref{crypto_diagram} for a complete flowchart of cryptographic operations during this handshake. The handshake and - subsequent Noise protocol communication are specified in \textcite{perrin01} and their security properties are - formally verified in \textcite{kobeissi01}. Section \ref{sec_prop} analyzes the implications of these security - properties for this research. -\item After the handshake completes, both \textsc{device} and \textsc{host} have received each other's static public key - $rs$ and established a shared secret connection key. At this point, the possibility of an MITM attacker having - actively intercepted the handshake remains. At this point \textsc{device} and \textsc{host} will both notice they do - not yet know each other's static keys. \textsc{host} will respond to this by showing the pairing GUI dialog. - \textsc{deivce} will sound an alarm to indicate an untrusted connection to the user. -\item \textbf{Channel binding.} Both \textsc{device} and \textsc{host} calculate the \emph{handshake hash} as per noise - spec\cite{perrin01}. This hash uniquely identifies this session and depends on both local and remote ephemeral and - static keys $le, re, ls, rs$. Both parties encode a 64-bit part of this hash into a sequence of english words by - dictionary lookup. This sequence of words is called the \emph{fingerprint} of the connection. -\item \textsc{host} prompts the user to enter the \emph{fingerprint} into a keyboard connected to \textsc{device}. The - user presses the physical pairing button on \textsc{device} to stop the alarm and start pairing. This step prevents - an attacker from being able to cause the device to send unencrypted input without user interaction by starting - pairing. -\item As the user enters the \emph{fingerprint}, \textsc{device} relays any input over the yet-unauthenticated encrypted - noise channel to \textsc{host}. \textsc{host} displays the received user input in plain text in a regular input - field in the pairing GUI. This display is only for user convenience and not relevant to the cryptographic handshake. - A consequence of this is that a MITM could observe the \emph{fingerprint}\footnote{ - A MITM could also modify the fingerprint information sent from \textsc{device} to \textsc{host}. This would be - very obvious to the user, since the fingerprint appearing on the \textsc{host} screen would differ from what she - types. - }. We show in section \ref{prot_ver} that this does not reduce the protocol's security. -\item When the user has completed entering the fingerprint, the device checks the calculated fingerprint against the - entered data. If both match, the host is signalled \textsc{success} and \textsc{data} phase is entered. If they do - not match, the host is signalled \textsc{failure}\footnote{ - Note that this means a MITM could intercept the \textsc{failure} message and forge a \textsc{success} message. - This means both are just for user convenience \emph{absent} an attacker. If an attacker is present, she will be - caught in the next pairing step. - } and \textsc{pairing} state is re-entered unless the maximum number of tries since powerup has been exceeded. - Failure is indicated to the user by \textsc{device} through a very annoying beep accompanied by angrily flashing - LEDs. -\item \textbf{Data phase.} \textsc{host} asks the user for confirmation of pairing \emph{in case the device did not - sound an alarm} by pressing a button on the GUI. When the user does this, the host enters \textsc{data} state and - starts input passthrough. -\end{enumerate} - -Roughly speaking, this protocol is secure given that the only way to MITM a (EC)DH key exchange is to perform two (EC)DH -key exchanges with both parties, then relay messages. Since both parties have different static keys, the resulting two -(EC)DH sessions will have different handshake hashes under the noise framework. The channel binding step reliably -detects this condition through an out-of-band transmission of the \textsc{host} handshake hash to \textsc{device}. -The only specialty here is that this OOB transmission is relayed back from \textsc{device} to \textsc{host} allowing the -MITM to intercept it. This is only done for user convenience absent a MITM and the result is discarded by \textsc{host}. -Since the handshake hash does as a hash does not leak any sensitive information about the keys used during the -handshake, it being exposed does not impact protocol security. - -\subsection{Protocol verifictation} -\label{prot_ver} -\subsubsection{Noise security properties} -\label{sec_prop} -According to \textcite{perrin01} and proven by \textcite{kobeissi01} Noise's XX pattern provides strong forward-secrecy, -sender and receiver authentication and key compromise impersonation resistance. Strong forward secrecy means an attacker -can only decrypt messages by compromising the receivers private key and performing an active impersonation. Strong -forward secrecy rules out both physical and protocol-level eavesdropping attacks by malicious USB devices and implies -that an attacker can never decrypt past protocol sessions. An implication of the static key checks done on both sides of -the connection is that an attacker would need to compromise both host and device in order to remain undetected for e.g. -keylogging. Compromising only one party the worst that can be done is impersonating the SecureHID device to perform a -classical HID attack. In this case, the attacker cannot read user input and the user would notice this by SecureHID -indicating a not connected status and thus the keyboard not working. -% FIXME possibly detect this by having session counter etc.? - -To verify that these security properties extend to the overall SecureHID protocol it suffices to show the following -three properties. -\begin{enumerate} -\item The SecureHID implementation of Noise XX adheres to the Noise specification, i.e. the handshake is performed - correctly. \label{adh0} -\item Both sides' static keys are verified. \label{adh1} -\item All sensitive data is encapsulated in Noise messages after the handshake has ended, and none is sent before. - \label{adh2} -\end{enumerate} - -\ref{adh0} has been validated by manual code review and cross-validation of our implementation against other Noise -implementations. % FIXME write more, do more here -\ref{adh1} has been validated by manual code review. %FIXME do simulation here -Since all sensitive data in our application is handled on the device in a single place (the USB HID request handling -routine), \ref{adh2} is easily validated by code review. USB HID reports are only transmitted either encrypted after the -handshake has been completed or in plain during pairing. Since the host will only inject reports into the input -subsystem that have been properly authenticated and encrypted (and not the unauthenticated reports sent during pairing), -the protocol is secure in this regard. Since pairing keyboard input is only passed through after the host's pairing -request has been acknowledged by the user with SecureUSB's physical pairing button the user would certainly notice an -attack trying to exfiltrate data this way. Were pairing input passed through automatically without explicit user -acknowledgement, an attacker could start pairing mode just as the user starts typing in a password prompt such as the -one of \texttt{sudo} or a password field and might not notice the attack until they have typed out their entire password -to the attacker. - -\subsubsection{Handshake hash non-secrecy} - -\begin{figure}[p] - \centering - \tikzset{% - h/.style = {->, very thick}, - ck/.style = {->, very thick}, - key/.style = {->}, - ki/.style = {key, color=red}, - kr/.style = {key, color=red}, - ke/.style = {dashed}, - ks/.style = {solid}, - phaselbl/.style = {font=\bfseries, anchor=west} - } - \begin{tikzpicture}[scale=0.8] - \node(protoname) at (0, 0){\texttt{"Noise\_XX\_25519\_ChaChaPoly\_BLAKE2s"}}; - \node[draw,thick,below=1em of protoname] (inithash) {$H$}; - \node[below=2em of inithash, xshift= 6.5em] (ck){$ck$}; - \node[below=2em of inithash, xshift=-6.5em] (h){$h$}; - \coordinate (labelbase) at (-5,0); - - \draw[->] (protoname) -- (inithash); - \draw[->] (inithash) -- ++(0,-2em) coordinate(im0) -| (ck); - \draw[->] (im0) -| (h); - - \node[right=7em of ck] (ei){$\mathbf{e_i}$}; - \node[right=8.5em of ck] (er){$\mathbf{e_r}$}; - \node[right=10em of ck] (si){$\mathbf{s_i}$}; - \node[right=11.5em of ck] (sr){$\mathbf{s_r}$}; - - \node[draw,thick,below=3em of h] (mix0){MixHash}; - \node[right=1em of mix0] (str0){\texttt{""}}; - \node[left] at (str0 -| labelbase) (lbl0){\parbox{10em}{\raggedleft No preamble,\\use empty string}}; - - \draw[h] (h) -- (mix0); - \draw[->] (str0) -- (mix0); - -%--- - \node[draw,thick,below=2em of mix0] (mix1){MixHash}; - \node[left] at (mix1 -| labelbase) (tok0){$e\rightarrow $}; - \draw[h] (mix0) -- (mix1); - \draw[ki,ke] (ei) |- (mix1); - - \node[draw,thick,below=2em of mix1] (mix2){MixHash}; - \node[right=1em of mix2] (str2){\texttt{""}}; - \node[left] at (str2 -| labelbase) (lbl2){\parbox{10em}{\raggedleft EncryptAndHash\\No payload and\\$k$ unset}}; - \draw[->] (str2) -- (mix2); - \draw[h] (mix1) -- (mix2); - - \coordinate (a) at ($ (mix0) !0.5! (mix1) $); - \coordinate (b0) at (a -| lbl0.south west); - \draw[dashed] (b0) -- ($ (b0 -| sr) + (1em,0) $); -%--- - \node[draw,thick,below=4em of mix2] (mix3){MixHash}; - \node[left] at (mix3 -| labelbase) (tok3){$e\leftarrow $}; - \draw[h] (mix2) -- (mix3); - \draw[kr,ke] (er) |- (mix3); - - \coordinate (sync4) at (mix3 -| ck); - \node[draw,thick,below=2em of sync4] (kmix1){MixKey}; - \node[left] at (kmix1 -| labelbase) (tok4){$ee\leftarrow $}; - \node[draw,thick,right=1em of kmix1] (dh0){ECDH}; - \draw[ck] (ck) -- (kmix1); - \draw[ki,ke] (ei) |- ($ (dh0.east) + (0,0.2em) $); - \draw[kr,ke] (er) |- ($ (dh0.east) - (0,0.2em) $); - \draw[->] (dh0) -- (kmix1); - - \coordinate (sync5) at (kmix1 -| h); - \node[draw,thick,below=2em of sync5] (mix5){MixHash}; - \node[draw,thick,right=2em of mix5] (enc5){$E$}; - \node[left] at (mix5 -| labelbase) (lbl5){$s\leftarrow $}; - \draw[h] (mix3) -- (mix5); - \draw[->] (enc5) -- (mix5); - \draw[->] ($ (kmix1.west) - (2em,0) $) -| (enc5); - \draw[kr,ks] (sr) |- (enc5); - - \coordinate (sync6) at (mix5 -| ck); - \node[draw,thick,below=2em of sync6] (kmix6){MixKey}; - \node[left] at (kmix6 -| labelbase) (tok6){$es\leftarrow $}; - \node[draw,thick,right=1em of kmix6] (dh6){ECDH}; - \draw[ck] (kmix1) -- (kmix6); - \draw[ki,ke] (ei) |- ($ (dh6.east) + (0,0.2em) $); - \draw[kr,ks] (sr) |- ($ (dh6.east) - (0,0.2em) $); - \draw[->] (dh6) -- (kmix6); - - \coordinate (sync7) at (kmix6 -| h); - \node[draw,thick,below=2em of sync7] (mix7){MixHash}; - \node[draw,thick,right=2em of mix7] (enc7){$E$}; - \node[right=1em of enc7] (str7){\texttt{""}}; - \node[left] at (mix7 -| labelbase) (lbl7){\parbox{10em}{\raggedleft DecryptAndHash\\ No payload}}; - \draw[h] (mix5) -- (mix7); - \draw[->] (enc7) -- (mix7); - \draw[->] (kmix1.west) -- ++(-2em,0) |- ($ (enc5.south) !0.25! (enc7.north) $) -- (enc7); - \draw[->] (str7) -- (enc7); - - \coordinate (a) at ($ (mix2) !0.5! (mix3) $); - \coordinate (b1) at (a -| lbl2.south west); - \draw[dashed] (b1) -- ($ (b1 -| sr) + (1em,0) $); -% --- - \node[draw,thick,below=4em of mix7] (mix8){MixHash}; - \node[draw,thick,right=2em of mix8] (enc8){$E$}; - \node[left] at (mix8 -| labelbase) (lbl8){$s\rightarrow $}; - \draw[h] (mix7) -- (mix8); - \draw[->] (enc8) -- (mix8); - \draw[->] (kmix6.west) -- ++(-2em,0) |- ($ (enc7.south) !0.25! (enc8.north) $) -- (enc8); - \draw[ki,ks] (si) |- (enc8); - - \coordinate (sync9) at (mix8 -| ck); - \node[draw,thick,below=2em of sync9] (kmix9){MixKey}; - \node[left] at (kmix9 -| labelbase) (tok9){$se\rightarrow $}; - \node[draw,thick,right=1em of kmix9] (dh9){ECDH}; - \draw[ck] (kmix6) -- (kmix9); - \draw[ki,ks] (si) |- ($ (dh9.east) - (0,0.2em) $); - \draw[kr,ke] (er) |- ($ (dh9.east) + (0,0.2em) $); - \draw[->] (dh9) -- (kmix9); - - \coordinate (sync10) at (kmix9 -| h); - \node[draw,thick,below=2em of sync10] (mix10){MixHash}; - \node[draw,thick,right=2em of mix10] (enc10){$E$}; - \node[right=1em of enc10] (str10){\texttt{""}}; - \node[left] at (mix10 -| labelbase) (lbl10){\parbox{10em}{\raggedleft EncryptAndHash\\ No payload}}; - \draw[h] (mix8) -- (mix10); - \draw[->] (enc10) -- (mix10); - \draw[->] (kmix9.west) -| (enc10); - \draw[->] (str10) -- (enc10); - - \coordinate (a) at ($ (mix7) !0.5! (mix8) $); - \coordinate (b2) at (a -| lbl2.south west); - \draw[dashed] (b2) -- ($ (b2 -| sr) + (1em,0) $); -% --- - \coordinate (sync11) at (mix10 -| ck); - \node[draw,thick,below=5em of sync11,xshift=-1em] (finkdf){HKDF}; - \node[below=2em of finkdf,xshift=-1em] (k1){$\mathbf{k_1}$}; - \node[below=2em of finkdf,xshift= 1em] (k2){$\mathbf{k_2}$}; - \node[left=1em of finkdf,yshift=2em] (str11){\texttt{""}}; - \draw[ck] (kmix9) -- (finkdf.north -| kmix9); - \draw[ck] (k1 |- finkdf.south) -- (k1); - \draw[ck] (k2 |- finkdf.south) -- (k2); - \draw[->] (str11) -| ($ (finkdf.north) - (1em,0) $); - - \coordinate (sync11a) at (finkdf.south -| h); - \node[below=2em of sync11a] (hout){$\mathbf{h}$}; - \draw[h] (mix10) -- (hout); - - \node[left] at (finkdf -| labelbase) (lbl13){\parbox{10em}{\raggedleft Split}}; - - \coordinate (a) at ($ (mix10) !0.5! (finkdf) $); - \coordinate (b3) at (a -| lbl10.south west); - \draw[dashed] (b3) -- ($ (b3 -| sr) + (1em,0) $); -%--- - \node[phaselbl, rectangle] at ($ (b0) !0.5! (b0 |- protoname) $) (setup){setup}; - \node[phaselbl, circle] at ($ (b0) !0.5! (b1) $) (ph0){0}; - \node[phaselbl, circle] at ($ (b1) !0.5! (b2) $) (ph1){1}; - \node[phaselbl, circle] at ($ (b2) !0.5! (b3) $) (ph2){2}; - \node[phaselbl, rectangle] at ($ (b3) !0.5! (b3 |- hout) $) (fin){fin}; - - \end{tikzpicture} - \caption{Cryptographic flowchart of Noise XX handshake.} - \label{crypto_diagram} -\end{figure} - -To analyze the impact of disclosing the handshake hash to an adversary we must consider its definition. The noise -protocol specification does not % FIXME double-check this -guarantee that the handshake hash can be disclosed to an adversary without compromising security. Figure -\ref{crypto_diagram} is a flowchart of the derivation of both initiator-transmit and initiator-receive symmetric -encryption keys $k_{1,2}$ and the handshake hash $h$ during the Noise handshake. Following are the definitions of -MixHash and MixKey according to the Noise protocol specification. - -\begin{align} - \text{MixHash}(h,\text{input}) &= h' = H(h || \text{input})\\ - \text{MixKey}(ck, \text{input}) &= (ck', k_\text{temp}) = \text{HKDF}(ck, \text{input}, 2)\\ -\end{align} - -Noise's hash-based key derivation function (HKDF) is defined using the HMAC defined in RFC2104\cite{rfc2104}. The hash -function $H$ employed here depends on the cipher spec used. SecureHID uses BLAKE2s. -\begin{equation} - \text{HMAC}(K, \text{input}) = H\left(\left(K \oplus opad\right) - || H\left(\left(K \oplus ipad\right) || \text{input} \right)\right) -\end{equation} - -The HKDF is defined for two and three outputs as follows. -\begin{equation} - \text{HKDF}(ck, \text{input}, n_\text{out}) = - \left\{\begin{array}{ll} - (q_0, q_1) &: n_\text{out} = 2\\ - (q_0, q_1, q_2) &: n_\text{out} = 3\\ - \end{array}\right. -\end{equation} - -The outputs $q_i$ are derived from chained HMAC invocations. First, a temporary key $t'$ is derived from the chaining key $ck$ -and the input data using the $HMAC$, then depending on $n_\text{out}$ the HMAC is chained twice or thrice to produce -$q_{\{0,1,2\}}$. -\begin{gather} - t' = \text{HMAC}(ck, \text{input})\\ - \underbrace{\text{HMAC} \Bigl(t', - \underbrace{\text{HMAC} \bigl(t', - \underbrace{\text{HMAC} (t', - 1_{16})}_{q_0} - || 2_{16}\bigr)}_{q_1} - || 3_{16}\Bigr)}_{q_2} -\end{gather} - -Relevant to this protocol implementation's security are the following two properties, both of which can be derived from -figure \ref{crypto_diagram}: -\begin{enumerate} -\item Initiator and responder ephemeral and static keys are all mixed into the handshake hash at least once.\label{fp1} -\item Knowledge of the handshake hash does not yield any information on the symmetric AEAD keys $k_1$ and $k_2$.\label{fp2} -\end{enumerate} - -\ref{fp1} is evident since $e_i$ and $e_r$ are mixed in directly and $s_i$ and $s_r$ are mixed in after encryption with -temporary encryption keys derived from $ck$ at the $s\rightarrow$ and $s\leftarrow$ steps during the handshake. -We can see \ref{fp2} applies by following the derivation of $h$ backwards. If an attacker learned anything about $k1$ or -$k2$ during an attack by (also) observing $h$ that they did not learn before, we could construct an oracle allowing both -reversal of $H$ in the final invocation of $MixHash$ and breaking $E$ using this attacker. The attacker would have to -reverse $H$ at some point since $h = H(\hdots)$ in the final invocation of MixHash. The attacker would have to recover -the key of $E$ in at least one invocation since $s_i$ and $s_r$ are only mixed into $h$ after either being encrypted -using $E$ or being used after ECDH to generate a key for $E$. Since the result of ECDH on $e_i$ and $e_r$ is mixed into -$h$ in the $ee\leftarrow$ and following DecryptAndHash steps, $h$ is blinded to an attacker so that they cannot even -determine a given $k_1$ and $k_2$ match a given $h$ without compromising ECDH security. -This means that given the underlying primitives are secure, we do not leak any information on $k1$ or $k2$ by disclosing -$h$. - -% FIXME find and consistently apply a nice name for this handshake method -\subsection{Alternative uses for interactive public channel binding} -\label{altuse} - -The channel binding method described above can be used in any scenario where a secure channel between two systems must -be established where one party has a display of some sort and the other party has an input device of some sort. - -\paragraph{Relation to screen-to-photodiode interfaces} -There have been many systems using a flashing graphic on a screen to transmit data to a receiver containing a photodiode -held against the screen. Such systems have been used to distribute software over broadcast television but have also been -used for cryptographic purposes. One widely-deployed example is the ``Flickertan'' system used for wire transfer -authorization in Germany where a smartcard reader with five photodiodes is held against a flickering image on the bank -website's wire transfer form\cite{schiermeier01,schiermeier02,braun01}. Systems such as this one do not benefit from the -interactive channel binding process described in this paper since they do not require any direct user interaction. They -could however be used as an alternative means for channel binding in any system also supporting interactive pairing as -described above. The handshake fingerprint would simply be encoded into the flicker signal and transmitted to the other -endpoint in that way. Similarly, QR-codes or other barcodes could be used to a device containing a camera. The primary -advantage of photodiode-based systems is that they incur lower implementation complexity and don't require a potentially -expensive camera. - -\paragraph{Adaption for SSH identity distribution} -Our interactive channel binding method using a passphrase could be used for key establishment in an SSH setup. -SSH includes a powerful built-in public-key authentication system, but does not include key management functionality. -To grant and revoke public key-based access to a host or account, SSH expects the user to manually manage a textual -\texttt{authorized\_keys} file containing all public keys allowed to login to a particular host or account. Mutual -authentification is supported by default, using a trust on first use system storing host key fingerprints in a -\texttt{known\_hosts} file. SSH's identity management system is well-tested and can be considered secure for almost any -purpose. It is however very simplistic and shifts the burden of access management and identity synchronization to the -user. Except in very simple use cases, the user will have to provide their own identity management layer on top of the -primitives provided by SSH. Common implementations of this include offloading \texttt{authorized\_keys} functionality to -LDAP or automatically generating \texttt{authorized\_keys} files from a configuration management system. The secure -implementation of any such system incurs a large organizational overhead. SSH keys are too long to be practically -read-out aloud which in case of small organizations often leads ot insecure practices such as sharing of SSH public keys -through chat, email or wiki pages for initial access during say, onboarding of a new employee. Though such out-of-band -key distribution schemes may well be secure often the OOB channel's security is not adequately considered in advance. - -The interactive channel binding method described in this paper could be used to interactively transfer an SSH key's -public to another host by simply establishing a secure channel from source to target machine in the fashion outlined -above, then copying the key through it. Compared to current common practice this approach would allow two users to -transfer a key by simply reading out aloud the channel binding fingerprint. This reduces the problem of a digital -out-of-band channel trusted for direct transfer of manipulation-sensitive key material to the problem of two users being -sure whether they're actually talking to each other instead of an impostor. - -A scenario using the SecureHID hardware to improve SSH security would be to terminate the SSH connection inside the -SecureHID hardware and this way prevent a compromised host from compromising the SSH remote. This approach has the -primary drawback that it would incur a large implementation overhead providing new attack surface. Additionally this -approach would only work when the user is solely interacting with the remote system through keyboard input and would -break workflows that require copying files to the remote host, or running commands in an automated fashion like a -configuration management system such as ansible would do. - -\section{Hardware implementation} -\subsection{Hardware overview} -To demonstrate the practicality of this approach and to evaluate its usability in an everyday scenario, a hardware -prototype has been built. Based on an initial prototype consisting of a microcontroller development board and a bundle -of wires a custom PCB fitting an off-the-shelf case has been produced that allows future % FIXME -usability testing in practical settings. - -The hardware implementation consists of two ARM microcontrollers, one for the untrusted host side and one for the -trusted device side. Both are linked using a simple UART interface. Both microcontrollers have been chosen by their USB -functionality. For the integrated USB host controller, we had to chose a rather powerful microcontroller on the trusted -device side even though a much less powerful one would have sufficed even though we are doing serious cryptography on -this microcontroller. AES encryption is done on every data packet and must compelete in time for the overall system to -meet its latency requirement, % FIXME go into details on input latency vs. usability somewhere else -but is fast enough by a large margin. % FIXME benchmarks -Similarly, the hash and ECDH operations during the cryptographic handshake are fast enough by a large margin. %FIXME benchmark -Additionally, those operations are only invoked infrequently any time the device is disconnected or the host suspends. - -\subsection{Hardware security measures} -% separate power supplies, possible future filtering of power/gnd and comms link signals - -\subsection{Usability considerations} - -\paragraph{Implementation robustness} -In many systems such as common TLS-based systems, overall system security heavily depends on implementation details such -as certificate checking and user interface details such as the precise structure of security warning messages and how -they can be overridden. The complexity of these components in practice often leads to insecure systems, such as a system -using TLS checking a certificate's internal validity but omitting checks on the certificate's chain of trust. A nice -property of the key estabilishment system outlined in this paper is that it is both very simple, reducing surface for -errors and it tightly couples the critical channel binding step during key establishment to the overall system's user -interface. In a system using either keyboard or mouse-based interactive channel binding, an implementation that does not -perform the channel binding step correctly would simply not work. If the host does not display the correct fingerprint -the user cannot enter it and the device will not complete the binding step. If the device does not relay fingerprint -data correctly during pairing the host application would clearly indicate to the user things are amiss with the input -not matching the fingerprint. Since the channel fingerprint is computed in a cryptographically well-defined way based -on entropy contributed by both partners during pairing a implementer would not even be able to accidentially degrade -fingerprint security. - -The critical point from an UI perspective in this pairing scheme is that the host application must display correct -instructions to the user for them to complete pairing. In particular the host application must put emphasis on the user -actually checking whether the device raised an alarm before confirming pairing after fingerprint input. Even if it -didn't the user would notice the device not functioning, but an attacker might have gained unauthorized access in the -meantime. Likewise, the device needs a clearly understandable method of indicating pairing failure to the user. In -practice a loud buzzer and a few bright LEDs would likely suffice for this. - -\paragraph{Adaption to mice} Instead of a keyboard, a mouse can be used for pairing without compromising protocol -security. In a basic scheme, the host would encode the fingerprint bit string into a permutation -$\sigma(i) : \{n\in\mathbb N, n\le m\} \rightarrow \{n\in\mathbb N, n\le m\}$ -for an integer security parameter $m>0$ -and then display the sequence $\sigma(i)$ in a grid of buttons similar to a minesweeper field with an emualted mouse -cursor driven by pairing input on top. The user would then click the buttons on the grid in numeric order. The device -would do the same mouse emulation invisible to the user and would be able to observe the permutation this way. The -fingerprint can finally be checked by decoding the permutation into a bit string and comparing. The security level for -this method in bits is $\eta = \log_2(m!)$ or better than 80bit for $m=25$ in case of a 5x5 grid. See figure -\ref{mouse_mockup} for a mockup of what such a system might look like. - -\begin{figure}[h] - \centering - \includegraphics[width=7cm]{mouse_mockup.png} - \caption{A mockup of what mouse-based interactive pairing might look like} - \label{mouse_mockup} -\end{figure} - -\paragraph{Gamification} -A second, slightly more complex approach to a mouse-based interface would be to adapt the popular game Minesweeper to -compare fingerprints in our interactive setting. In Minesweeper, the user is presented with a fixed-size, say $20\times -20$ $x-y$ grid of fields. Under each of $n$ of the $x\times y$ fields a mine is hidden. The user is tasked with -uncovering all fields \emph{without} mines while \emph{flagging} those fields that contain mines. Every time the user -uncovers a field, the number of mines on adjacent fields is shown. If there are no mines on adjacent fields, all -adjacent fields are automatically uncovered by the game in a recusive fashion. The user wins when all mine-free fields -have been uncovered and all fields with mines flagged, and looses when they try to uncover a field with a mine on it. - -The fundamental approach to use minesweeper as a pairing method would be to encode the fingerprint into the minesweeper -field. The host would encode the fingerprint, then let the user play the game using their mouse with the usual on-screen -graphical representation of the game field. The device would besides forwarding all mouse input events to the host -simultaneously trace all user actions in order to Both host and device would emulate the game field and after a -successful run the user will have marked all locations of mines, thereby out-of-band transferring the field -configuration chosen by the host to the device. - -Minesweeper is very well-known and can be parametrized to be easily solved by most people. Compared to the task of -sequentially clicking buttons as presented in the previous paragraph a user might prefer playing a game of minesweeper -instead. While various problems surrounding minesweeper are computationally hard\cite{demaine01}, field generation is -easy. To place $n$ mines on a $x$ by $y$ grid one simply chooses an unordered subset of $n$ elements, of which there are -$\tbinom{xy}{n}$. For the three default difficulty levels provided by the minesweeper game included in Windows XP the -field state contains $\approx 40$, $\approx 156$ and $\approx 348$ bits of entropy respectively. This means even just -two rounds on beginner difficulty, or a single round on intermediate difficulty already provide a cryptographically -significant 80 bit security level. In the context of the interactive pairing protocol presented in this work, even a -single beginner-level round of minesweeper already reduces the chance of an undetected man in the middle attack to a -negligible level. - -A usability concern in this minesweeper-based pairing scheme would be user error. To improve user experience it would be -wise to still consider a round, even if the user makes a mistake and looses the game. A simple way to do this that also -intuitively handles user-set game difficulty levels would be to set a target entropy such as 40 bit, then repeat games -until the target entropy is reached with each game's outcome contributing to the entropy level depending on the -outcome's probability. -with a multivariate hypergeometric distribution here, jk - -\paragraph{Adaption to button input} -Adaption to button input using few buttons is a little bit harder. The obvious but impractical solution here is to have -the user enter a very long numeric string. Entering an 80-bit number on a two-button binary keyboard is not -user-friendly. One other option would be to emulate an on-screen keyboard similar to the ones used in arcade and console -video games for joystick input. This would be more user-friendly and would likely be a natural interface to many users -familiar with such games. One possible attack here is that if the host were to ignore dropped input packets, an attacker -might selectively drop packets in order to cause a desynchronization of host and device fingerprint input states. The -user would likely chalk up this behavior to sticky or otherwise unreliable keys and while they might find it -inconvenient, they might not actually abort the procedure. Thus it is imperative that the host verify there are no -dropped packets during pairing. This same observation is also true for keyboard or mouse-based pairing as explained -above, but an attack would be much more noticeable there to users as mice and keyboards are generally regarded reliable -by most users. - -\section{Evaluation} -% FIXME - -\section{Future work} - -The aspects outlined in section \ref{altuse} provide potential future research directions. The adaption of the system to -mouse input might be an interesting target for a user experience study, particularly in comparison with a purely -keyboard-based system. The SSH key exchange method would be an interesting target for a general-use systems -administration tool. Though we have done some basic security arguments in this paper, a more rigurous formalization -might be interresting for future use of this technology. We have soundly argued about the user experience benefits of -our method, but we have not performed any field experiments to back up these arguments. Future research might analyze -the practical security a system as outlined in this paper yields under real-world conditions. The various trade-offs of -e.g. keyboard vs. mouse input, fingerprint length and design details of the pairing UI might be analyzed with respect to -practical usability and security. - -\section{Conclusion} -% FIXME - -%\section{PCB design renderings} -%\label{ch:renderings} - -%\begin{figure}[H] -% \centering -% \begin{subfigure}[b]{0.8\textwidth} -% \centering -% \includegraphics[width=0.8\textwidth]{pcb_front.png} -% \caption{PCB front} -% \end{subfigure} % -% \begin{subfigure}[b]{0.8\textwidth} -% \centering -% \includegraphics[width=0.8\textwidth]{pcb_back.png} -% \caption{PCB back} -% \end{subfigure} -% \caption{PCB design 3D renderings} -% \label{fig:pcb3d} -%\end{figure} -% -%\begin{figure}[H] -% \centering -% \includegraphics[width=0.6\textwidth]{takachi_case.png} -% \caption{Off-the-shelf enclosure the PCB is made to fit} -% \label{fig:case} -%\end{figure} - -%\subsection{Attack surface in reasonably secure systems} -%\begin{figure} -%\tikzstyle{block} = [rectangle, draw, text centered, minimum height=4em] -%\begin{tikzpicture}[node distance=2cm, auto] -% \node[block](matrix){Key matrix} -% \node[block](hidctrl){Keyboard controller} -% \node[block](hubs){USB hubs} -% \node[block](roothub){USB host controller} -% \node[block](pcie){PCIe bus} -% \node[block](sys-usb-kernel){USB VM kernel} -% \node[block](sys-usb-agent){USB VM userspace agent} -% \node[block](dom0){dom0 agent} -%\end{tikzpicture} -%\label{qubes-hid-stack} -%\caption{The USB HID input stack in a QubesOS setup} -%\end{figure} - -\nocite{*} -\printbibliography - -\appendix -\section{Project state} -A working prototype has been completed. - -\subsection{Completed} -\begin{itemize} - \item Rough protocol design - \item Protocol implementation based on \textcite{perrin01} using noise-c (microcontroller) and noiseprotocol (python/host) - \item SRAM-based key storage with SRAM wear levelling - \item host/device signature checking - \item host/device key generation - \item proper circuit design (see appendix \ref{ch:renderings}) -\end{itemize} - -\subsection{Open issues} -\begin{itemize} - \item Both noise-c and noiseprotocol have poor code and API quality. Since most noise functionality is not needed, - just implement the protocol in bare C/python based on cryptographic primitives and scrap higher-level protocol - implementations (though they've been useful so far during prototyping). - \item Implement HID mouse host support - \item Test USB hub support - \item Replace the serial link with a custom USB link using an STM32F103 instead of the CH340G USB/serial converter - \item Properly integrate prototype host client with qubes infrastructure - \item Implement photodiode/monitor-based pairing side-channel -\end{itemize} - -\section{Possible directions} -\begin{itemize} -% \item Elaborate handshake security properties -% \begin{itemize} -% \item Possibly investigate other applications of this type of interactive handshake -% \item Possibly contrast to carmera/other backchannel systems -% \item IMHO the pairing scheme is the most interesting part of this project from a scientific point of view -% \item Prove security -% \end{itemize} -% \item Elaborate overall security properties of QubesOS-based system - \item Elaborate possible DisplayPort/HDMI-based display encryption $\rightarrow$ Bunnie's NeTV2 w/ HDMI/eDP converter -% \item Elaborate possible encrypted remote input (SSH) setups -% \begin{itemize} -% \item This might turn out to be really interesting -% \item For this to be usable the host needs to tell the device at least which keyslot to use which could turn -% out to be complex to implement securely -% \item Considering complexity, this might turn into its own research project -% \end{itemize} -% \item Showcase secure hardware interface design, contrast with wireguard protocol design -% \begin{itemize} -% \item Formally derive handshake security properties -% \item Formally derive host/device protocol security properties using noise spec -% \item Formally verify and thouroughly unit-test the host/device protocol implementation on all layers -% \item IMHO this is the most interesting part of this project from an engineering point of view -% \end{itemize} -% Waiting - \item Create custom hardware prototype - \item Benchmark cryptography routines (will likely turn out to be ``wayyy fast'' for HID, fast enough for full-speed - USB. High-speed cannot be done with the current architecture as we can't get data out the chip at high-speed - data rates. \textcite{srivaths01} raise the issue of running crypto on embedded systems, but in this case it - turns out with somewhat modern hardware and cryptography there is no problem at all. -\end{itemize} -\end{document} diff --git a/paper/securehid.tex b/paper/securehid.tex new file mode 100644 index 0000000..602d09b --- /dev/null +++ b/paper/securehid.tex @@ -0,0 +1,880 @@ +\documentclass[12pt,a4paper,notitlepage]{article} +\usepackage[utf8]{inputenc} +\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry} +\usepackage[T1]{fontenc} +\usepackage[ + backend=biber, + style=numeric, + natbib=true, + url=true, + doi=true, + eprint=false + ]{biblatex} +\addbibresource{directions.bib} +\usepackage{amssymb,amsmath} +\usepackage{listings} +\usepackage{eurosym} +\usepackage{wasysym} +\usepackage{amsthm} +\usepackage{tabularx} +\usepackage{multirow} +\usepackage{multicol} +\usepackage{tikz} + +\usetikzlibrary{arrows} +\usetikzlibrary{backgrounds} +\usetikzlibrary{calc} +\usetikzlibrary{decorations.markings} +\usetikzlibrary{decorations.pathreplacing} +\usetikzlibrary{fit} +\usetikzlibrary{patterns} +\usetikzlibrary{positioning} +\usetikzlibrary{shapes} + +\usepackage{hyperref} +\usepackage{tabularx} +\usepackage{commath} +\usepackage{graphicx,color} +\usepackage{subcaption} +\usepackage{float} +\usepackage{footmisc} +\usepackage{array} +\usepackage[underline=false]{pgf-umlsd} +\usetikzlibrary{calc} +%\usepackage[pdftex]{graphicx,color} +%\usepackage{epstopdf} + +\newcommand{\foonote}[1]{\footnote{#1}} +\newcommand{\degree}{\ensuremath{^\circ}} +\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} + +\author{Sebastian Götte {\texttt} @Mori lab, Waseda University} +\title{Securing the USB interface} +\date{December 12 2018} +\begin{document} +\maketitle + +\section{Introduction} +\subsection{Problem definition} +A computer's USB interface is hard to secure. Though overall security is quite good today, the USB interface has not +received enough attention. In particular HIDs are a problem, as they are naturally very highly privileged. +Off-the-shelf USB HID attack tools exist. In particular from a security point of view extremely bad ideas such as +WebUSB\cite{misc01} are set to increase this already large attack surface even further. + +\subsection{Contributions} +This work includes three key contributions. First, it demonstrates a practical implementation of a complete, +backwards-compatible secure USB system using QubesOS and a single new piece of security hardware. Second, it shows a +novel interactive user-friendly cryptographic handshaking scheme based on out-of-band communication. Third, it shows and +proposes some techniques for the design of general secure protocols that are not limited to USB alone. + +\section{The state of the art in mitigation} +Several ways to secure the USB interface have been proposed that can be broadly categorized as follows. +\begin{itemize} + \item USB firewalls are software or hardware that protects the host from requests deemed invalid similar to a network firewall\cite{tian01,angel01,kang01,bates01,loe01}. + \item USB device authentication uses some sort of user feedback or public key infrastructure to authenticate the device when it connects\cite{usb01,griscioli01,wang01,he01}. + \item USB bus encryption encrypts the raw USB payloads to ward off eavesdroppers\cite{neugschwandtner01,weinstein01}. + \item For wireless protocols, every conceivable pairing model has been tried. However, not many have been applied to + USB\cite{arun01,uzun01,kobsa01,saxena01}. + \item Compartmentalized systems such as QubesOS separate vulnerable components with large attack surface such as the USB device drivers into VMs to not inhibit exploitation but mitigate its consequences. +\end{itemize} + +\begin{table} + \setlength{\extrarowheight}{5pt} + \begin{tabular}{l|P{10mm}|P{15mm}|P{15mm}|P{15mm}|P{17mm}|P{25mm}|} + &\multicolumn{3}{c|}{\bfseries Attacks} & \multicolumn{2}{c|}{\bfseries Eavesdropping} & \multirow{2}{25mm}{\centering\bfseries Backwards\newline compatible} \\\cline{2-6} + & \bfseries HID &\bfseries Host\newline exploit &\bfseries Device\newline exploit&\bfseries Bus-level &\bfseries Physical layer & \\\hline + Firewalls & $\bigcirc$ & $\triangle$ & $\times$ & $\triangle$ & $\times$ & $\bigcirc$ \\ + Device authentication & $\bigcirc$ & $\times$ & $\times$ & $\triangle$ & $\times$ & $\times$ \\ + Bus encryption & $\triangle$ & $\times$ & $\times$ & $\bigcirc$ & $\bigcirc$ & $\times$ \\ + Plain QubesOS setup\footnotemark + & $\triangle$ & $\triangle$ & $\triangle$ & $\triangle$ & $\times$ & $\bigcirc$ \\ + Our work & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ + \end{tabular} + \caption{Comparison of approaches to USB security} + \label{approach_comparison} +\end{table} +\footnotetext{Requires separate USB host controller for HIDs} + +We compare these approaches w.r.t. several attacks in \ref{approach_comparison}. Overall we found that QubesOS is the +only advance towards securing this interface that is both \emph{practical} and \emph{effective}. Other approaches have +not been successful so far likely due to market inertia and backwards-incompatibility. +QubesOS approaches the problem by running a separate VM with the USB host controllers mapped through via IOMMU. This VM +runs a linux kernel with a small set of white-listed USB device drivers (HID and mass storage device) and a USB-over-IP +backend. A set of Qubes services pass through any HID input arriving inside this VM into dom0, and coordinate exporting +USB mass storage devices as Xen block devices. Any other USB devices can be passed-through to other VMs through +USB-over-IP-over-QubesRPC, a Xen vChan-based inter-VM communication system. +QubesOS is still lacking in that it's compartmentalization becomes essentially useless when it is used with a USB HID +keyboard that does not have its own dedicated PCIe USB host controller, as any normal desktop and most recent laptop +computers. The issue here is that USB HID is neither authenticated nor encrypted, and the untrusted USB VM sits in the +middle of this data stream, which thus allows it trivial privilege escalation via keystroke injection. + +\subsection{Usage scenarios} + +Today USB's level security is still adequate for most everyday users. In general, attacks against USB either require +special malicious hardware or require re-flashing of existing peripherals with custom malicious firmware. Today's +low-level cybercrime targeting everyday users is still focused on much easier tasks such as stealing passwords through +phishing, installing cryptolocker malware by means of malicious email attachments and extracting sensitive user data +with malicious browser addons. Fortunately, we have not yet entered an age where average computer users need to worry +about the type of attack this work defends against. Still, it can be expected that with the general increase of overall +computer security, eventually attackers will have to graduate to more advanced means--and since at this time the +landscape of effective defenses against USB attacks is very sparse, your author considers it important to explore the +avenues to effective defence ealier rather than later in order to be prepared for evolving attacks. + +Despite the banality of everyday cybersecurity described above, there already are some people and organizations who face +advanced attacks including USB attacks. Due to their exceedingly simple execution, USB HID attacks are a very attractive +way to perform targeted attacks. For this reason, specialized USB attack hardware is already available commercially at +low cost. For users facing targeted attacks like this, SecureHID might already provide practical benefits. +The users most at risk of targeted attacks are those either working with highly sensitive data or working with highly +privileged access. The former group would include people such as journalists working with their sources and politicians +working with confidential information. The latter group would include law enforcement officials, often being endowed +with wide-ranging electronic access to databases and other confidential information. Further, system administrators and +computer programmers are often provided highly privileged access to critical systems for software deployment using +systems such as Ansible or uploading software packages into software repositories such as PyPI. + +In all of these scenarios there are many users with very poweful adversaries. In case of a software developer or systems +administrator that would be competing companies or foreign intelligence agencies trying to gain access to internal +networks to steal confidential information. In case of a journalist that would be whoever they are writing about and +here the most interesting articles might come with the most powerful enemies. Finally, a security researcher would by +nature of their work, out of academic interest specifically be looking for the most dangerous targets they could find. + +Some users might be able to reduce their attack surface to USB attacks by reducing their use of untrusted USB devices, +but in many everyday scenarios such as those described above this is not an option. A security researcher needs to +connect to untrusted devices in order to analyze them, and using a second, isolated machine for this is very +inconvenient. A journalist or politician will frequently have to read USB flash drives with documents for their work, +and again simply solving the problem by air-gapping is an effective but impractical mitigation. In all of these cases, +SecureHID would be an effective mitigation. + +\section{Approach} +\subsection{System overview} +The goal of SecureHID is to enable the first reasonably secure system using both HID and arbitrary untrusted devices on +the same USB host controller, based on QubesOS. SecureHID consists of a USB HID encryption box to be put between +keyboard and computer and a piece of software run inside QubesOS. After initial pairing with the host software, the +encryption box will encrypt and sign any USB HID input arriving from the keyboard and forward the encrypted data to the +host. The host software running outside the untrusted USB VM will receive the encrypted and signed data from the +untrusted USB VM, verify and decrypt it, and inject the received HID input events into Qubes's input event handling +system. + +A schematic diagram of a system employing SecureHID is shown in figure \ref{diagram_with}. Two major points that can be +seen here are that first, SecureHID requires no specialized hardware on either end and transparently plugs into the +existing USB stack. Second, a SecureHID-protected setup has two well-defined security boundaries, one inside the +SecureHID device between host and device side, and one in the host operating system between USB driver VM and +hypervisor. These security boundaries allow a clean separation of a SecureHID setup into untrusted and trusted domains +and greatly simpliefies reasoning about overall system security. Communication across these security boundaries is +limited to the simple SecureHID protocol. We describe the design of the SecureHID protocol in section \ref{prot_desc} +and elaborate its security properties in section \ref{prot_ver}. The security of the protocol's core components has been +formally verified in the past and the protocol has been kept simple enough to allow exhaustive verification and testing. + +\begin{figure}[p] + \includegraphics[scale=0.8]{system_diagram_with_secureusb.eps} + \caption{Diagram of a SecureHID-protected system} + \label{diagram_with} +\end{figure} + +\subsection{System security properties} +This system is sufficient to secure any USB setup, especially unmodified desktop PCs or laptops where a USB host +controller is shared between both HIDs and other devices. Attack surface is reduced such that a \emph{full compromise} +of the system becomes unlikely, since plain HID is no longer supported. The remaining attack surface consists only of a +\emph{compromise of the USB VM}. This attack surface is small enough that other sensitive devices such as USB audio +devices can safely be connected. A compromise of the USB driver VM no longer gives full system access, but at best +allows listening in on the microphone. Since a compromised USB VM in general does not have network access, such an +attack will be mostly harmless in most scenarios. Additionally, the most likely attacking devices would be custom +hardware or a compromised smartphone. Custom hardware can easily be outfitted with a microphone, essentially turning it +into a bug irrespective of USB functionality, and smartphones already have microphones by definition. + +A practical mitigation for potential information leakage through microphones, webcams and other sensitive devices would +be to simply unplug them when not used. Microphones could also be connected to a PCIe-based sound card (such as the +integrated sound card of most laptops) and webcams could potentially be isolated to a separate USB host controller. + +\subsection{USB physical-level and bus-level attacks} +Since sensitive HIDs are isolated from other USB devices effectively on a separate bus, bus-level attacks such as +\textcite{neugschwandtner01} are entirely prevented. The much scarier physical attacks on USB such as \textcite{su01} +can be prevented thanks to the clear security boundary inside the SecureHID device. Since there is only four wires +needed between the trusted and untrusted sides (Ground, VCC, serial RX and serial TX) and the serial link is running at +a comparatively low speed (115.2kBd easily suffice), analog filtering is a viable measure against sidechannels. On the +ground and VCC rails extensive filtering using series inductors and large capacitors can be used to decouple both sides. +Additionally, both sides' microcontrollers can optionally be fed from separate voltage regulators powered off the USB 5V +rail to reduce side-channels. The serial link can be filtered to limit its analog bandwidth to above serial speeds +(50kHz) but much below the trusted microcontroller's system clock (72MHz). Finally, on the untrusted microcontroller +choosing UART pins that are not multiplexed to its internal ADC elminates the risk of direct measurements by a +compromised microcontroller firmware and leaves only indirect measurements of power supplies or coupling into other +pins' signals. This means that with a few very inexpensive hardware countermeasures (an additional voltage regulator and +a handful of capacitors, inductors and resistors for filtering) any analog side-channels between trusted and untrusted +side can be ruled out. + +\section{Cryptographic design} + +\subsection{Protocol description} +\label{prot_desc} +The basic protocol consists of two stages: \textsc{pairing} and \textsc{data}. When the device powers up, it enters +\textsc{pairing} state. When the host enumerates a new device, it enters \textsc{pairing} state. If any fatal +communication errors occur, both host and device re-enter \textsc{pairing} state. To make the implementation robust +against host software crashing, devices being unplugged etc. without opening it up to attacks, the host can request the +device to re-enter \textsc{pairing} state a limited number of times after powerup. + +\textsc{pairing} state consists of a number of substates as set by \textcite{perrin01}. The device runs noise's +\textsc{XX} scheme, i.e. both host and device each contribute both one ephemeral key $e$ and one static key $s$ to the +handshake, and the public halves of the static keys are transmitted during handshake encrypted by the emphemeral keys. + +The cryptographic primitives instantiated in the prototype are X25519 for the ECDH primitive, BLAKE2s as a hash and +ChaCha20-Poly1305 as AEAD for the data phase. ECDH instead of traditional DH was chosen for its small key size and fast +computation. Since no variant of RSA is used, key generation is fast. An ad-hoc prototype device-side random number +generator has been implemented based on BLAKE2s and the STM32's internal hardware RNG. + +\begin{figure}[h] + \centering + \begin{sequencediagram} + \newinst{kbd}{Keyboard} + \newinst[3]{dev}{SecureHID} + \newinst[5]{host}{Host} + + \mess{host}{}{dev} + \path (mess from) -- (mess to) node[midway, above] {\emph{COBS sync (null byte)}}; + \mess{host}{}{dev} + \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Initiate Handshake}}; + + \begin{sdblock}{Noise XX handshake}{} + \mess{host}{}{dev} + \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e$}; + \mess{dev}{}{host} + \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e,ee,s,es$}; + \mess{host}{}{dev} + \path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, s,se$}; + \end{sdblock} + + \begin{sdblock}{Pairing}{Triggered by user interaction after unsuccessful handshake} + \mess{dev}{}{host} + \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Start}}; + \stepcounter{seqlevel} + + \mess{kbd}{keystroke}{dev} + \addtocounter{seqlevel}{-1} + \mess{dev}{}{host} + \path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$}; + \stepcounter{seqlevel} + \mess{kbd}{}{dev} + \addtocounter{seqlevel}{-1} + \path (mess from) -- (mess to) node[midway, above] {keystroke}; + \path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$}; + \mess{dev}{}{host} + \path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$}; + \path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$}; + \stepcounter{seqlevel} + + \mess{kbd}{}{dev} + \addtocounter{seqlevel}{-1} + \path (mess from) -- (mess to) node[midway, above] {\emph{enter}}; + \mess{dev}{}{host} + \draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Success}}; + \end{sdblock} + + \begin{sdblock}{Input passthrough}{Started after successful handshake or pairing} + \mess{kbd}{keystroke}{dev} + \path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$}; + + \addtocounter{seqlevel}{-1} + \mess{dev}{}{host} + \path (mess from) -- (mess to) node[midway, above] {$\textsc{Data},E(\text{keystroke})$}; + \path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$}; + \stepcounter{seqlevel} + \end{sdblock} + \end{sequencediagram} + \caption{A successful prototype protocol pairing} + \label{protocol_diagram} +\end{figure} + +A successful pairing looks like this: +\begin{enumerate} +\item \textbf{Handshake.} \textsc{device} is connected to \textsc{host} +\item \textsc{host} initiates pairing by sending \textsc{initiate handshake} to device +\item \textsc{device} and \textsc{host} follow noise state machine for the \textsc{XX} handshake. See figure + \ref{crypto_diagram} for a complete flowchart of cryptographic operations during this handshake. The handshake and + subsequent Noise protocol communication are specified in \textcite{perrin01} and their security properties are + formally verified in \textcite{kobeissi01}. Section \ref{sec_prop} analyzes the implications of these security + properties for this research. +\item After the handshake completes, both \textsc{device} and \textsc{host} have received each other's static public key + $rs$ and established a shared secret connection key. At this point, the possibility of an MITM attacker having + actively intercepted the handshake remains. At this point \textsc{device} and \textsc{host} will both notice they do + not yet know each other's static keys. \textsc{host} will respond to this by showing the pairing GUI dialog. + \textsc{deivce} will sound an alarm to indicate an untrusted connection to the user. +\item \textbf{Channel binding.} Both \textsc{device} and \textsc{host} calculate the \emph{handshake hash} as per noise + spec\cite{perrin01}. This hash uniquely identifies this session and depends on both local and remote ephemeral and + static keys $le, re, ls, rs$. Both parties encode a 64-bit part of this hash into a sequence of english words by + dictionary lookup. This sequence of words is called the \emph{fingerprint} of the connection. +\item \textsc{host} prompts the user to enter the \emph{fingerprint} into a keyboard connected to \textsc{device}. The + user presses the physical pairing button on \textsc{device} to stop the alarm and start pairing. This step prevents + an attacker from being able to cause the device to send unencrypted input without user interaction by starting + pairing. +\item As the user enters the \emph{fingerprint}, \textsc{device} relays any input over the yet-unauthenticated encrypted + noise channel to \textsc{host}. \textsc{host} displays the received user input in plain text in a regular input + field in the pairing GUI. This display is only for user convenience and not relevant to the cryptographic handshake. + A consequence of this is that a MITM could observe the \emph{fingerprint}\footnote{ + A MITM could also modify the fingerprint information sent from \textsc{device} to \textsc{host}. This would be + very obvious to the user, since the fingerprint appearing on the \textsc{host} screen would differ from what she + types. + }. We show in section \ref{prot_ver} that this does not reduce the protocol's security. +\item When the user has completed entering the fingerprint, the device checks the calculated fingerprint against the + entered data. If both match, the host is signalled \textsc{success} and \textsc{data} phase is entered. If they do + not match, the host is signalled \textsc{failure}\footnote{ + Note that this means a MITM could intercept the \textsc{failure} message and forge a \textsc{success} message. + This means both are just for user convenience \emph{absent} an attacker. If an attacker is present, she will be + caught in the next pairing step. + } and \textsc{pairing} state is re-entered unless the maximum number of tries since powerup has been exceeded. + Failure is indicated to the user by \textsc{device} through a very annoying beep accompanied by angrily flashing + LEDs. +\item \textbf{Data phase.} \textsc{host} asks the user for confirmation of pairing \emph{in case the device did not + sound an alarm} by pressing a button on the GUI. When the user does this, the host enters \textsc{data} state and + starts input passthrough. +\end{enumerate} + +Roughly speaking, this protocol is secure given that the only way to MITM a (EC)DH key exchange is to perform two (EC)DH +key exchanges with both parties, then relay messages. Since both parties have different static keys, the resulting two +(EC)DH sessions will have different handshake hashes under the noise framework. The channel binding step reliably +detects this condition through an out-of-band transmission of the \textsc{host} handshake hash to \textsc{device}. +The only specialty here is that this OOB transmission is relayed back from \textsc{device} to \textsc{host} allowing the +MITM to intercept it. This is only done for user convenience absent a MITM and the result is discarded by \textsc{host}. +Since the handshake hash does as a hash does not leak any sensitive information about the keys used during the +handshake, it being exposed does not impact protocol security. + +\subsection{Protocol verifictation} +\label{prot_ver} +\subsubsection{Noise security properties} +\label{sec_prop} +According to \textcite{perrin01} and proven by \textcite{kobeissi01} Noise's XX pattern provides strong forward-secrecy, +sender and receiver authentication and key compromise impersonation resistance. Strong forward secrecy means an attacker +can only decrypt messages by compromising the receivers private key and performing an active impersonation. Strong +forward secrecy rules out both physical and protocol-level eavesdropping attacks by malicious USB devices and implies +that an attacker can never decrypt past protocol sessions. An implication of the static key checks done on both sides of +the connection is that an attacker would need to compromise both host and device in order to remain undetected for e.g. +keylogging. Compromising only one party the worst that can be done is impersonating the SecureHID device to perform a +classical HID attack. In this case, the attacker cannot read user input and the user would notice this by SecureHID +indicating a not connected status and thus the keyboard not working. +% FIXME possibly detect this by having session counter etc.? + +To verify that these security properties extend to the overall SecureHID protocol it suffices to show the following +three properties. +\begin{enumerate} +\item The SecureHID implementation of Noise XX adheres to the Noise specification, i.e. the handshake is performed + correctly. \label{adh0} +\item Both sides' static keys are verified. \label{adh1} +\item All sensitive data is encapsulated in Noise messages after the handshake has ended, and none is sent before. + \label{adh2} +\end{enumerate} + +\ref{adh0} has been validated by manual code review and cross-validation of our implementation against other Noise +implementations. % FIXME write more, do more here +\ref{adh1} has been validated by manual code review. %FIXME do simulation here +Since all sensitive data in our application is handled on the device in a single place (the USB HID request handling +routine), \ref{adh2} is easily validated by code review. USB HID reports are only transmitted either encrypted after the +handshake has been completed or in plain during pairing. Since the host will only inject reports into the input +subsystem that have been properly authenticated and encrypted (and not the unauthenticated reports sent during pairing), +the protocol is secure in this regard. Since pairing keyboard input is only passed through after the host's pairing +request has been acknowledged by the user with SecureUSB's physical pairing button the user would certainly notice an +attack trying to exfiltrate data this way. Were pairing input passed through automatically without explicit user +acknowledgement, an attacker could start pairing mode just as the user starts typing in a password prompt such as the +one of \texttt{sudo} or a password field and might not notice the attack until they have typed out their entire password +to the attacker. + +\subsubsection{Handshake hash non-secrecy} + +\begin{figure}[p] + \centering + \tikzset{% + h/.style = {->, very thick}, + ck/.style = {->, very thick}, + key/.style = {->}, + ki/.style = {key, color=red}, + kr/.style = {key, color=red}, + ke/.style = {dashed}, + ks/.style = {solid}, + phaselbl/.style = {font=\bfseries, anchor=west} + } + \begin{tikzpicture}[scale=0.8] + \node(protoname) at (0, 0){\texttt{"Noise\_XX\_25519\_ChaChaPoly\_BLAKE2s"}}; + \node[draw,thick,below=1em of protoname] (inithash) {$H$}; + \node[below=2em of inithash, xshift= 6.5em] (ck){$ck$}; + \node[below=2em of inithash, xshift=-6.5em] (h){$h$}; + \coordinate (labelbase) at (-5,0); + + \draw[->] (protoname) -- (inithash); + \draw[->] (inithash) -- ++(0,-2em) coordinate(im0) -| (ck); + \draw[->] (im0) -| (h); + + \node[right=7em of ck] (ei){$\mathbf{e_i}$}; + \node[right=8.5em of ck] (er){$\mathbf{e_r}$}; + \node[right=10em of ck] (si){$\mathbf{s_i}$}; + \node[right=11.5em of ck] (sr){$\mathbf{s_r}$}; + + \node[draw,thick,below=3em of h] (mix0){MixHash}; + \node[right=1em of mix0] (str0){\texttt{""}}; + \node[left] at (str0 -| labelbase) (lbl0){\parbox{10em}{\raggedleft No preamble,\\use empty string}}; + + \draw[h] (h) -- (mix0); + \draw[->] (str0) -- (mix0); + +%--- + \node[draw,thick,below=2em of mix0] (mix1){MixHash}; + \node[left] at (mix1 -| labelbase) (tok0){$e\rightarrow $}; + \draw[h] (mix0) -- (mix1); + \draw[ki,ke] (ei) |- (mix1); + + \node[draw,thick,below=2em of mix1] (mix2){MixHash}; + \node[right=1em of mix2] (str2){\texttt{""}}; + \node[left] at (str2 -| labelbase) (lbl2){\parbox{10em}{\raggedleft EncryptAndHash\\No payload and\\$k$ unset}}; + \draw[->] (str2) -- (mix2); + \draw[h] (mix1) -- (mix2); + + \coordinate (a) at ($ (mix0) !0.5! (mix1) $); + \coordinate (b0) at (a -| lbl0.south west); + \draw[dashed] (b0) -- ($ (b0 -| sr) + (1em,0) $); +%--- + \node[draw,thick,below=4em of mix2] (mix3){MixHash}; + \node[left] at (mix3 -| labelbase) (tok3){$e\leftarrow $}; + \draw[h] (mix2) -- (mix3); + \draw[kr,ke] (er) |- (mix3); + + \coordinate (sync4) at (mix3 -| ck); + \node[draw,thick,below=2em of sync4] (kmix1){MixKey}; + \node[left] at (kmix1 -| labelbase) (tok4){$ee\leftarrow $}; + \node[draw,thick,right=1em of kmix1] (dh0){ECDH}; + \draw[ck] (ck) -- (kmix1); + \draw[ki,ke] (ei) |- ($ (dh0.east) + (0,0.2em) $); + \draw[kr,ke] (er) |- ($ (dh0.east) - (0,0.2em) $); + \draw[->] (dh0) -- (kmix1); + + \coordinate (sync5) at (kmix1 -| h); + \node[draw,thick,below=2em of sync5] (mix5){MixHash}; + \node[draw,thick,right=2em of mix5] (enc5){$E$}; + \node[left] at (mix5 -| labelbase) (lbl5){$s\leftarrow $}; + \draw[h] (mix3) -- (mix5); + \draw[->] (enc5) -- (mix5); + \draw[->] ($ (kmix1.west) - (2em,0) $) -| (enc5); + \draw[kr,ks] (sr) |- (enc5); + + \coordinate (sync6) at (mix5 -| ck); + \node[draw,thick,below=2em of sync6] (kmix6){MixKey}; + \node[left] at (kmix6 -| labelbase) (tok6){$es\leftarrow $}; + \node[draw,thick,right=1em of kmix6] (dh6){ECDH}; + \draw[ck] (kmix1) -- (kmix6); + \draw[ki,ke] (ei) |- ($ (dh6.east) + (0,0.2em) $); + \draw[kr,ks] (sr) |- ($ (dh6.east) - (0,0.2em) $); + \draw[->] (dh6) -- (kmix6); + + \coordinate (sync7) at (kmix6 -| h); + \node[draw,thick,below=2em of sync7] (mix7){MixHash}; + \node[draw,thick,right=2em of mix7] (enc7){$E$}; + \node[right=1em of enc7] (str7){\texttt{""}}; + \node[left] at (mix7 -| labelbase) (lbl7){\parbox{10em}{\raggedleft DecryptAndHash\\ No payload}}; + \draw[h] (mix5) -- (mix7); + \draw[->] (enc7) -- (mix7); + \draw[->] (kmix1.west) -- ++(-2em,0) |- ($ (enc5.south) !0.25! (enc7.north) $) -- (enc7); + \draw[->] (str7) -- (enc7); + + \coordinate (a) at ($ (mix2) !0.5! (mix3) $); + \coordinate (b1) at (a -| lbl2.south west); + \draw[dashed] (b1) -- ($ (b1 -| sr) + (1em,0) $); +% --- + \node[draw,thick,below=4em of mix7] (mix8){MixHash}; + \node[draw,thick,right=2em of mix8] (enc8){$E$}; + \node[left] at (mix8 -| labelbase) (lbl8){$s\rightarrow $}; + \draw[h] (mix7) -- (mix8); + \draw[->] (enc8) -- (mix8); + \draw[->] (kmix6.west) -- ++(-2em,0) |- ($ (enc7.south) !0.25! (enc8.north) $) -- (enc8); + \draw[ki,ks] (si) |- (enc8); + + \coordinate (sync9) at (mix8 -| ck); + \node[draw,thick,below=2em of sync9] (kmix9){MixKey}; + \node[left] at (kmix9 -| labelbase) (tok9){$se\rightarrow $}; + \node[draw,thick,right=1em of kmix9] (dh9){ECDH}; + \draw[ck] (kmix6) -- (kmix9); + \draw[ki,ks] (si) |- ($ (dh9.east) - (0,0.2em) $); + \draw[kr,ke] (er) |- ($ (dh9.east) + (0,0.2em) $); + \draw[->] (dh9) -- (kmix9); + + \coordinate (sync10) at (kmix9 -| h); + \node[draw,thick,below=2em of sync10] (mix10){MixHash}; + \node[draw,thick,right=2em of mix10] (enc10){$E$}; + \node[right=1em of enc10] (str10){\texttt{""}}; + \node[left] at (mix10 -| labelbase) (lbl10){\parbox{10em}{\raggedleft EncryptAndHash\\ No payload}}; + \draw[h] (mix8) -- (mix10); + \draw[->] (enc10) -- (mix10); + \draw[->] (kmix9.west) -| (enc10); + \draw[->] (str10) -- (enc10); + + \coordinate (a) at ($ (mix7) !0.5! (mix8) $); + \coordinate (b2) at (a -| lbl2.south west); + \draw[dashed] (b2) -- ($ (b2 -| sr) + (1em,0) $); +% --- + \coordinate (sync11) at (mix10 -| ck); + \node[draw,thick,below=5em of sync11,xshift=-1em] (finkdf){HKDF}; + \node[below=2em of finkdf,xshift=-1em] (k1){$\mathbf{k_1}$}; + \node[below=2em of finkdf,xshift= 1em] (k2){$\mathbf{k_2}$}; + \node[left=1em of finkdf,yshift=2em] (str11){\texttt{""}}; + \draw[ck] (kmix9) -- (finkdf.north -| kmix9); + \draw[ck] (k1 |- finkdf.south) -- (k1); + \draw[ck] (k2 |- finkdf.south) -- (k2); + \draw[->] (str11) -| ($ (finkdf.north) - (1em,0) $); + + \coordinate (sync11a) at (finkdf.south -| h); + \node[below=2em of sync11a] (hout){$\mathbf{h}$}; + \draw[h] (mix10) -- (hout); + + \node[left] at (finkdf -| labelbase) (lbl13){\parbox{10em}{\raggedleft Split}}; + + \coordinate (a) at ($ (mix10) !0.5! (finkdf) $); + \coordinate (b3) at (a -| lbl10.south west); + \draw[dashed] (b3) -- ($ (b3 -| sr) + (1em,0) $); +%--- + \node[phaselbl, rectangle] at ($ (b0) !0.5! (b0 |- protoname) $) (setup){setup}; + \node[phaselbl, circle] at ($ (b0) !0.5! (b1) $) (ph0){0}; + \node[phaselbl, circle] at ($ (b1) !0.5! (b2) $) (ph1){1}; + \node[phaselbl, circle] at ($ (b2) !0.5! (b3) $) (ph2){2}; + \node[phaselbl, rectangle] at ($ (b3) !0.5! (b3 |- hout) $) (fin){fin}; + + \end{tikzpicture} + \caption{Cryptographic flowchart of Noise XX handshake.} + \label{crypto_diagram} +\end{figure} + +To analyze the impact of disclosing the handshake hash to an adversary we must consider its definition. The noise +protocol specification does not % FIXME double-check this +guarantee that the handshake hash can be disclosed to an adversary without compromising security. Figure +\ref{crypto_diagram} is a flowchart of the derivation of both initiator-transmit and initiator-receive symmetric +encryption keys $k_{1,2}$ and the handshake hash $h$ during the Noise handshake. Following are the definitions of +MixHash and MixKey according to the Noise protocol specification. + +\begin{align} + \text{MixHash}(h,\text{input}) &= h' = H(h || \text{input})\\ + \text{MixKey}(ck, \text{input}) &= (ck', k_\text{temp}) = \text{HKDF}(ck, \text{input}, 2)\\ +\end{align} + +Noise's hash-based key derivation function (HKDF) is defined using the HMAC defined in RFC2104\cite{rfc2104}. The hash +function $H$ employed here depends on the cipher spec used. SecureHID uses BLAKE2s. +\begin{equation} + \text{HMAC}(K, \text{input}) = H\left(\left(K \oplus opad\right) + || H\left(\left(K \oplus ipad\right) || \text{input} \right)\right) +\end{equation} + +The HKDF is defined for two and three outputs as follows. +\begin{equation} + \text{HKDF}(ck, \text{input}, n_\text{out}) = + \left\{\begin{array}{ll} + (q_0, q_1) &: n_\text{out} = 2\\ + (q_0, q_1, q_2) &: n_\text{out} = 3\\ + \end{array}\right. +\end{equation} + +The outputs $q_i$ are derived from chained HMAC invocations. First, a temporary key $t'$ is derived from the chaining key $ck$ +and the input data using the $HMAC$, then depending on $n_\text{out}$ the HMAC is chained twice or thrice to produce +$q_{\{0,1,2\}}$. +\begin{gather} + t' = \text{HMAC}(ck, \text{input})\\ + \underbrace{\text{HMAC} \Bigl(t', + \underbrace{\text{HMAC} \bigl(t', + \underbrace{\text{HMAC} (t', + 1_{16})}_{q_0} + || 2_{16}\bigr)}_{q_1} + || 3_{16}\Bigr)}_{q_2} +\end{gather} + +Relevant to this protocol implementation's security are the following two properties, both of which can be derived from +figure \ref{crypto_diagram}: +\begin{enumerate} +\item Initiator and responder ephemeral and static keys are all mixed into the handshake hash at least once.\label{fp1} +\item Knowledge of the handshake hash does not yield any information on the symmetric AEAD keys $k_1$ and $k_2$.\label{fp2} +\end{enumerate} + +\ref{fp1} is evident since $e_i$ and $e_r$ are mixed in directly and $s_i$ and $s_r$ are mixed in after encryption with +temporary encryption keys derived from $ck$ at the $s\rightarrow$ and $s\leftarrow$ steps during the handshake. +We can see \ref{fp2} applies by following the derivation of $h$ backwards. If an attacker learned anything about $k1$ or +$k2$ during an attack by (also) observing $h$ that they did not learn before, we could construct an oracle allowing both +reversal of $H$ in the final invocation of $MixHash$ and breaking $E$ using this attacker. The attacker would have to +reverse $H$ at some point since $h = H(\hdots)$ in the final invocation of MixHash. The attacker would have to recover +the key of $E$ in at least one invocation since $s_i$ and $s_r$ are only mixed into $h$ after either being encrypted +using $E$ or being used after ECDH to generate a key for $E$. Since the result of ECDH on $e_i$ and $e_r$ is mixed into +$h$ in the $ee\leftarrow$ and following DecryptAndHash steps, $h$ is blinded to an attacker so that they cannot even +determine a given $k_1$ and $k_2$ match a given $h$ without compromising ECDH security. +This means that given the underlying primitives are secure, we do not leak any information on $k1$ or $k2$ by disclosing +$h$. + +% FIXME find and consistently apply a nice name for this handshake method +\subsection{Alternative uses for interactive public channel binding} +\label{altuse} + +The channel binding method described above can be used in any scenario where a secure channel between two systems must +be established where one party has a display of some sort and the other party has an input device of some sort. + +\paragraph{Relation to screen-to-photodiode interfaces} +There have been many systems using a flashing graphic on a screen to transmit data to a receiver containing a photodiode +held against the screen. Such systems have been used to distribute software over broadcast television but have also been +used for cryptographic purposes. One widely-deployed example is the ``Flickertan'' system used for wire transfer +authorization in Germany where a smartcard reader with five photodiodes is held against a flickering image on the bank +website's wire transfer form\cite{schiermeier01,schiermeier02,braun01}. Systems such as this one do not benefit from the +interactive channel binding process described in this paper since they do not require any direct user interaction. They +could however be used as an alternative means for channel binding in any system also supporting interactive pairing as +described above. The handshake fingerprint would simply be encoded into the flicker signal and transmitted to the other +endpoint in that way. Similarly, QR-codes or other barcodes could be used to a device containing a camera. The primary +advantage of photodiode-based systems is that they incur lower implementation complexity and don't require a potentially +expensive camera. + +\paragraph{Adaption for SSH identity distribution} +Our interactive channel binding method using a passphrase could be used for key establishment in an SSH setup. +SSH includes a powerful built-in public-key authentication system, but does not include key management functionality. +To grant and revoke public key-based access to a host or account, SSH expects the user to manually manage a textual +\texttt{authorized\_keys} file containing all public keys allowed to login to a particular host or account. Mutual +authentification is supported by default, using a trust on first use system storing host key fingerprints in a +\texttt{known\_hosts} file. SSH's identity management system is well-tested and can be considered secure for almost any +purpose. It is however very simplistic and shifts the burden of access management and identity synchronization to the +user. Except in very simple use cases, the user will have to provide their own identity management layer on top of the +primitives provided by SSH. Common implementations of this include offloading \texttt{authorized\_keys} functionality to +LDAP or automatically generating \texttt{authorized\_keys} files from a configuration management system. The secure +implementation of any such system incurs a large organizational overhead. SSH keys are too long to be practically +read-out aloud which in case of small organizations often leads ot insecure practices such as sharing of SSH public keys +through chat, email or wiki pages for initial access during say, onboarding of a new employee. Though such out-of-band +key distribution schemes may well be secure often the OOB channel's security is not adequately considered in advance. + +The interactive channel binding method described in this paper could be used to interactively transfer an SSH key's +public to another host by simply establishing a secure channel from source to target machine in the fashion outlined +above, then copying the key through it. Compared to current common practice this approach would allow two users to +transfer a key by simply reading out aloud the channel binding fingerprint. This reduces the problem of a digital +out-of-band channel trusted for direct transfer of manipulation-sensitive key material to the problem of two users being +sure whether they're actually talking to each other instead of an impostor. + +A scenario using the SecureHID hardware to improve SSH security would be to terminate the SSH connection inside the +SecureHID hardware and this way prevent a compromised host from compromising the SSH remote. This approach has the +primary drawback that it would incur a large implementation overhead providing new attack surface. Additionally this +approach would only work when the user is solely interacting with the remote system through keyboard input and would +break workflows that require copying files to the remote host, or running commands in an automated fashion like a +configuration management system such as ansible would do. + +\section{Hardware implementation} +\subsection{Hardware overview} +To demonstrate the practicality of this approach and to evaluate its usability in an everyday scenario, a hardware +prototype has been built. Based on an initial prototype consisting of a microcontroller development board and a bundle +of wires a custom PCB fitting an off-the-shelf case has been produced that allows future % FIXME +usability testing in practical settings. + +The hardware implementation consists of two ARM microcontrollers, one for the untrusted host side and one for the +trusted device side. Both are linked using a simple UART interface. Both microcontrollers have been chosen by their USB +functionality. For the integrated USB host controller, we had to chose a rather powerful microcontroller on the trusted +device side even though a much less powerful one would have sufficed even though we are doing serious cryptography on +this microcontroller. AES encryption is done on every data packet and must compelete in time for the overall system to +meet its latency requirement, % FIXME go into details on input latency vs. usability somewhere else +but is fast enough by a large margin. % FIXME benchmarks +Similarly, the hash and ECDH operations during the cryptographic handshake are fast enough by a large margin. %FIXME benchmark +Additionally, those operations are only invoked infrequently any time the device is disconnected or the host suspends. + +\subsection{Hardware security measures} +% separate power supplies, possible future filtering of power/gnd and comms link signals + +\subsection{Usability considerations} + +\paragraph{Implementation robustness} +In many systems such as common TLS-based systems, overall system security heavily depends on implementation details such +as certificate checking and user interface details such as the precise structure of security warning messages and how +they can be overridden. The complexity of these components in practice often leads to insecure systems, such as a system +using TLS checking a certificate's internal validity but omitting checks on the certificate's chain of trust. A nice +property of the key estabilishment system outlined in this paper is that it is both very simple, reducing surface for +errors and it tightly couples the critical channel binding step during key establishment to the overall system's user +interface. In a system using either keyboard or mouse-based interactive channel binding, an implementation that does not +perform the channel binding step correctly would simply not work. If the host does not display the correct fingerprint +the user cannot enter it and the device will not complete the binding step. If the device does not relay fingerprint +data correctly during pairing the host application would clearly indicate to the user things are amiss with the input +not matching the fingerprint. Since the channel fingerprint is computed in a cryptographically well-defined way based +on entropy contributed by both partners during pairing a implementer would not even be able to accidentially degrade +fingerprint security. + +The critical point from an UI perspective in this pairing scheme is that the host application must display correct +instructions to the user for them to complete pairing. In particular the host application must put emphasis on the user +actually checking whether the device raised an alarm before confirming pairing after fingerprint input. Even if it +didn't the user would notice the device not functioning, but an attacker might have gained unauthorized access in the +meantime. Likewise, the device needs a clearly understandable method of indicating pairing failure to the user. In +practice a loud buzzer and a few bright LEDs would likely suffice for this. + +\paragraph{Adaption to mice} Instead of a keyboard, a mouse can be used for pairing without compromising protocol +security. In a basic scheme, the host would encode the fingerprint bit string into a permutation +$\sigma(i) : \{n\in\mathbb N, n\le m\} \rightarrow \{n\in\mathbb N, n\le m\}$ +for an integer security parameter $m>0$ +and then display the sequence $\sigma(i)$ in a grid of buttons similar to a minesweeper field with an emualted mouse +cursor driven by pairing input on top. The user would then click the buttons on the grid in numeric order. The device +would do the same mouse emulation invisible to the user and would be able to observe the permutation this way. The +fingerprint can finally be checked by decoding the permutation into a bit string and comparing. The security level for +this method in bits is $\eta = \log_2(m!)$ or better than 80bit for $m=25$ in case of a 5x5 grid. See figure +\ref{mouse_mockup} for a mockup of what such a system might look like. + +\begin{figure}[h] + \centering + \includegraphics[width=7cm]{mouse_mockup.png} + \caption{A mockup of what mouse-based interactive pairing might look like} + \label{mouse_mockup} +\end{figure} + +\paragraph{Gamification} +A second, slightly more complex approach to a mouse-based interface would be to adapt the popular game Minesweeper to +compare fingerprints in our interactive setting. In Minesweeper, the user is presented with a fixed-size, say $20\times +20$ $x-y$ grid of fields. Under each of $n$ of the $x\times y$ fields a mine is hidden. The user is tasked with +uncovering all fields \emph{without} mines while \emph{flagging} those fields that contain mines. Every time the user +uncovers a field, the number of mines on adjacent fields is shown. If there are no mines on adjacent fields, all +adjacent fields are automatically uncovered by the game in a recusive fashion. The user wins when all mine-free fields +have been uncovered and all fields with mines flagged, and looses when they try to uncover a field with a mine on it. + +The fundamental approach to use minesweeper as a pairing method would be to encode the fingerprint into the minesweeper +field. The host would encode the fingerprint, then let the user play the game using their mouse with the usual on-screen +graphical representation of the game field. The device would besides forwarding all mouse input events to the host +simultaneously trace all user actions in order to Both host and device would emulate the game field and after a +successful run the user will have marked all locations of mines, thereby out-of-band transferring the field +configuration chosen by the host to the device. + +Minesweeper is very well-known and can be parametrized to be easily solved by most people. Compared to the task of +sequentially clicking buttons as presented in the previous paragraph a user might prefer playing a game of minesweeper +instead. While various problems surrounding minesweeper are computationally hard\cite{demaine01}, field generation is +easy. To place $n$ mines on a $x$ by $y$ grid one simply chooses an unordered subset of $n$ elements, of which there are +$\tbinom{xy}{n}$. For the three default difficulty levels provided by the minesweeper game included in Windows XP the +field state contains $\approx 40$, $\approx 156$ and $\approx 348$ bits of entropy respectively. This means even just +two rounds on beginner difficulty, or a single round on intermediate difficulty already provide a cryptographically +significant 80 bit security level. In the context of the interactive pairing protocol presented in this work, even a +single beginner-level round of minesweeper already reduces the chance of an undetected man in the middle attack to a +negligible level. + +A usability concern in this minesweeper-based pairing scheme would be user error. To improve user experience it would be +wise to still consider a round, even if the user makes a mistake and looses the game. A simple way to do this that also +intuitively handles user-set game difficulty levels would be to set a target entropy such as 40 bit, then repeat games +until the target entropy is reached with each game's outcome contributing to the entropy level depending on the +outcome's probability. +with a multivariate hypergeometric distribution here, jk + +\paragraph{Adaption to button input} +Adaption to button input using few buttons is a little bit harder. The obvious but impractical solution here is to have +the user enter a very long numeric string. Entering an 80-bit number on a two-button binary keyboard is not +user-friendly. One other option would be to emulate an on-screen keyboard similar to the ones used in arcade and console +video games for joystick input. This would be more user-friendly and would likely be a natural interface to many users +familiar with such games. One possible attack here is that if the host were to ignore dropped input packets, an attacker +might selectively drop packets in order to cause a desynchronization of host and device fingerprint input states. The +user would likely chalk up this behavior to sticky or otherwise unreliable keys and while they might find it +inconvenient, they might not actually abort the procedure. Thus it is imperative that the host verify there are no +dropped packets during pairing. This same observation is also true for keyboard or mouse-based pairing as explained +above, but an attack would be much more noticeable there to users as mice and keyboards are generally regarded reliable +by most users. + +\section{Evaluation} +% FIXME + +\section{Future work} + +The aspects outlined in section \ref{altuse} provide potential future research directions. The adaption of the system to +mouse input might be an interesting target for a user experience study, particularly in comparison with a purely +keyboard-based system. The SSH key exchange method would be an interesting target for a general-use systems +administration tool. Though we have done some basic security arguments in this paper, a more rigurous formalization +might be interresting for future use of this technology. We have soundly argued about the user experience benefits of +our method, but we have not performed any field experiments to back up these arguments. Future research might analyze +the practical security a system as outlined in this paper yields under real-world conditions. The various trade-offs of +e.g. keyboard vs. mouse input, fingerprint length and design details of the pairing UI might be analyzed with respect to +practical usability and security. + +\section{Conclusion} +% FIXME + +%\section{PCB design renderings} +%\label{ch:renderings} + +%\begin{figure}[H] +% \centering +% \begin{subfigure}[b]{0.8\textwidth} +% \centering +% \includegraphics[width=0.8\textwidth]{pcb_front.png} +% \caption{PCB front} +% \end{subfigure} % +% \begin{subfigure}[b]{0.8\textwidth} +% \centering +% \includegraphics[width=0.8\textwidth]{pcb_back.png} +% \caption{PCB back} +% \end{subfigure} +% \caption{PCB design 3D renderings} +% \label{fig:pcb3d} +%\end{figure} +% +%\begin{figure}[H] +% \centering +% \includegraphics[width=0.6\textwidth]{takachi_case.png} +% \caption{Off-the-shelf enclosure the PCB is made to fit} +% \label{fig:case} +%\end{figure} + +%\subsection{Attack surface in reasonably secure systems} +%\begin{figure} +%\tikzstyle{block} = [rectangle, draw, text centered, minimum height=4em] +%\begin{tikzpicture}[node distance=2cm, auto] +% \node[block](matrix){Key matrix} +% \node[block](hidctrl){Keyboard controller} +% \node[block](hubs){USB hubs} +% \node[block](roothub){USB host controller} +% \node[block](pcie){PCIe bus} +% \node[block](sys-usb-kernel){USB VM kernel} +% \node[block](sys-usb-agent){USB VM userspace agent} +% \node[block](dom0){dom0 agent} +%\end{tikzpicture} +%\label{qubes-hid-stack} +%\caption{The USB HID input stack in a QubesOS setup} +%\end{figure} + +\nocite{*} +\printbibliography + +\appendix +\section{Project state} +A working prototype has been completed. + +\subsection{Completed} +\begin{itemize} + \item Rough protocol design + \item Protocol implementation based on \textcite{perrin01} using noise-c (microcontroller) and noiseprotocol (python/host) + \item SRAM-based key storage with SRAM wear levelling + \item host/device signature checking + \item host/device key generation + \item proper circuit design (see appendix \ref{ch:renderings}) +\end{itemize} + +\subsection{Open issues} +\begin{itemize} + \item Both noise-c and noiseprotocol have poor code and API quality. Since most noise functionality is not needed, + just implement the protocol in bare C/python based on cryptographic primitives and scrap higher-level protocol + implementations (though they've been useful so far during prototyping). + \item Implement HID mouse host support + \item Test USB hub support + \item Replace the serial link with a custom USB link using an STM32F103 instead of the CH340G USB/serial converter + \item Properly integrate prototype host client with qubes infrastructure + \item Implement photodiode/monitor-based pairing side-channel +\end{itemize} + +\section{Possible directions} +\begin{itemize} +% \item Elaborate handshake security properties +% \begin{itemize} +% \item Possibly investigate other applications of this type of interactive handshake +% \item Possibly contrast to carmera/other backchannel systems +% \item IMHO the pairing scheme is the most interesting part of this project from a scientific point of view +% \item Prove security +% \end{itemize} +% \item Elaborate overall security properties of QubesOS-based system + \item Elaborate possible DisplayPort/HDMI-based display encryption $\rightarrow$ Bunnie's NeTV2 w/ HDMI/eDP converter +% \item Elaborate possible encrypted remote input (SSH) setups +% \begin{itemize} +% \item This might turn out to be really interesting +% \item For this to be usable the host needs to tell the device at least which keyslot to use which could turn +% out to be complex to implement securely +% \item Considering complexity, this might turn into its own research project +% \end{itemize} +% \item Showcase secure hardware interface design, contrast with wireguard protocol design +% \begin{itemize} +% \item Formally derive handshake security properties +% \item Formally derive host/device protocol security properties using noise spec +% \item Formally verify and thouroughly unit-test the host/device protocol implementation on all layers +% \item IMHO this is the most interesting part of this project from an engineering point of view +% \end{itemize} +% Waiting + \item Create custom hardware prototype + \item Benchmark cryptography routines (will likely turn out to be ``wayyy fast'' for HID, fast enough for full-speed + USB. High-speed cannot be done with the current architecture as we can't get data out the chip at high-speed + data rates. \textcite{srivaths01} raise the issue of running crypto on embedded systems, but in this case it + turns out with somewhat modern hardware and cryptography there is no problem at all. +\end{itemize} +\end{document} -- cgit