How to secure the keyboard chain - DEF CON 23 presentations

Post on 10-Sep-2018


How to secure the keyboard chain

DEF CON 23

Paul Amicelli - Baptiste David - CVO Esiea-Ouest

Creative Commons 2.0 - Attribution - NonCommercial - ShareAlike 1 / 25

The Talk

1. Background

2. Keyloggers forms

3. Main idea of our work

4. Details of our work

5. To go further

6. Finally.

Paul Amicelli - Baptiste David - CVO Esiea-Ouest - cbna 2 / 25

Background - Keyloggers

"A keylogger is a little piece of software or hardware, which is able to retrieve every keystroke on a computer"

Keyloggers Forms - User mode ones

Easy to develop, and really efficient

Quite easy to detect and remove

Keyloggers Forms - Kernel mode ones

Quite hard to develop and really, really efficient

Not easy to detect and quite hard to remove

Keyloggers Forms - Hardware ones

Require physical access to the computer, but the most efficient technique

Software-undetectable, sometimes easy to remove, sometimes not

Our work - Main Idea - Proposed solution

Encrypt keystrokes

As close as possible to the hardware

Jamming keyloggers

Our work - Main Idea - Basic Understanding


Our work - Details - Keyboard driver stack

Our work - Details - Encryption

Problem

Unable to directly encrypt keystrokes with a stream cipher

Only known keystrokes are broadcast by Windows

The rest is inhibited

Few keystroke codes authorized

Our work - Details - Encryption

White list system for input decision

Our work - Details - Encryption

Solution: Jamming

Currently, a 64-bit common key exchanged every 20 keystrokes

Stream cipher initiated with the common key

Algorithm based on shuffle of a deck of cards: only
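The white list and jamming slides above, as an added simulation in Python; this is not the gostxboard code, and the deck-shuffle keystream, the sample whitelist of scan codes and the simulated key exchange are my own simplified assumptions. It shows why the cipher has to rotate within the authorized codes rather than encrypt raw scan codes, and how driver and API stay in step across a rekey every 20 keystrokes.

```python
import os

# Constructed whitelist of scan codes the driver may emit (set 1 codes of the
# digit row 1..9,0 on a PC keyboard); anything else is inhibited by the driver.
AUTHORIZED = [0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B]
REKEY_EVERY = 20   # the talk's parameter: a fresh 64-bit common key every 20 keystrokes
MASK64 = (1 << 64) - 1


class DeckStream:
    """Keystream: deck of len(AUTHORIZED) cards shuffled by a 64-bit key (illustrative only)."""
    def __init__(self, key64: int):
        self.state = (key64 & MASK64) or 1          # xorshift64 needs a non-zero state
        self.deck = list(range(len(AUTHORIZED)))
        for i in range(len(self.deck) - 1, 0, -1):  # key-driven Fisher-Yates shuffle
            j = self._rand() % (i + 1)
            self.deck[i], self.deck[j] = self.deck[j], self.deck[i]

    def _rand(self) -> int:
        x = self.state
        x ^= (x << 13) & MASK64
        x ^= x >> 7
        x ^= (x << 17) & MASK64
        self.state = x
        return x

    def next(self) -> int:
        # Draw the top card as the keystream value, then bury it at a key-chosen
        # depth >= 1, so two consecutive values are never the same card.
        card = self.deck.pop(0)
        self.deck.insert(1 + self._rand() % len(self.deck), card)
        return card


def shift(stream: DeckStream, code: int, direction: int) -> int:
    """Rotate within the whitelist (+1 encrypts, -1 decrypts): the output is itself authorized."""
    idx = AUTHORIZED.index(code)
    return AUTHORIZED[(idx + direction * stream.next()) % len(AUTHORIZED)]


def run_chain(codes, new_key=lambda: int.from_bytes(os.urandom(8), "big")):
    """Returns (codes a keylogger between driver and API sees, codes the API recovers)."""
    seen, recovered, count = [], [], 0
    for code in codes:
        if code not in AUTHORIZED:          # not whitelisted: inhibited, never broadcast
            continue
        if count % REKEY_EVERY == 0:        # exchange a fresh common key on both sides
            key = new_key()
            driver, api = DeckStream(key), DeckStream(key)
        ct = shift(driver, code, +1)
        seen.append(ct)
        recovered.append(shift(api, ct, -1))
        count += 1
    return seen, recovered
```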

Our work - Details - Encryption Scheme

Our work - Details - API-Driver Communication

Our work - Details - Protection of the protection

Monitoring of the keyboard driver stack

Protection against DLL injection of the API

Monitoring of the registry

Our work - Results - Is it working?

Our work - To go further - Endless possibilities

Keystroke combinations

Polymorphic on-screen keyboard

Time-based keystrokes

Mini-game, music, colors, ...

Keep keystrokes in ring 0 (GostCrypt)

Our work - Example - GostCrypt: a full ring 0 password version

Finally - State of the project

Proof of concept

Available on Github ( https://github.com/whitekernel/gostxboard.git )

Educational purpose

Free and open source, forever

Call for participation

Question time - Questions?

Maybe answers...

paul.amicelli@gostcrypt.org - baptiste.david@gostcrypt.org