Re: Trojan Keyboard Driver (was Re: Viewing Current Password)

[Al Lipscomb <arl_(_at_)_q7_(_dot_)_net>]

> The gist is -- keyboards are dumb. They need to be smart. Putting a
> cryptosystem atop the protocol between keyboard and computer would
> defeat this particular attack (it sounds like they used the commercial
> keyghost device ;) if the cryptosystem were strong enough. If the
> keyboard had a smart card reader, and could interface with the smart
> card to retrieve a session key shared between the smart card and
> computer host (either using public key encryption, or some very crafty
> symmetric algorithm :) then one would know the cable is safe. If the
> decryption is done by the cpu, that would make attacks against the
> mother board much more difficult.
> 
If they have control of the hardware there is almost nothing you are going
to do that will prevent them from getting into the data. You must be able
to maintain physical control of the hardware to even begin to be safe. Instead
of a smart card to provide a key you would want to move the message to a PDA
for decryption. 

A thought would be to write a java applet that would display a random keyboard
and let you type your password in with a mouse.