HardSSH

Cryptographic Hardware Key

Team May07-20:
• Steven Schulteis (Cpr E)
• Joseph Sloan (EE, Cpr E, Com S)
• Michael Ekstrand (Cpr E)
• Taylor Schreck (Cpr E)

Faculty Adviser: Doug Jacobson
Clients: Michael Ekstrand, Steven Schulteis

Abstract

The Secure Shell (SSH) protocol allows for secure logins on remote computers without disclosing passwords or keys to intermediate devices on the network. However, when using an untrusted public computer, which may have various malicious programs running, it is still possible for authentication credentials to be disclosed. This project focuses on building a device which will perform all the encryption and authentication operations necessary for SSH connections. Host software is being developed which will run on the untrusted computer and use the device to make an SSH connection to a remote server. Since all authentication is done on the device, using keys programmed into the device from a private, trusted computer, a user can establish a secure connection without compromising their authentication credentials in a public computing lab.

Introduction

Problem Statement

When users log in to a Secure Shell (SSH) server from an untrusted computer (e.g., at a library), they have no way of protecting their authentication information from an attacker who may have tampered with the machine (left figure below). We solve this problem by storing authentication information in the device and passing it through the untrusted host in a form that the host cannot read (see right figure below).

[Figures: Problem (left), Solution (right)]

Operating Environment
• Frequently transported (must withstand jostling/dropping)
• Access to USB port
• Room temperature during operation

Intended Users
• SSH users who use public computing resources (students, hobbyists, employees)
• Some technical knowledge

Intended Uses
• Protect authentication credentials from compromise
• Does not provide extra security after login

Assumptions
• User can access a trusted computer
• User has USB read/write access on trusted & untrusted computers

Limitations
• Device enclosure no larger than 2" x 3.5" x 0.5"
• Powered by USB only

Deliverables/End Product
• Working prototype and firmware
• Host software for using and managing the device
• User's manual

Project Requirements

Design Objective

To develop an implementation of SSH on an external USB device, with necessary accompanying software, to allow secure access to SSH servers from untrusted public computers.

Functional Requirements
• The device shall connect to and be fully powered by USB
• User can define servers, load SSH private key, and perform other trusted functions
• The project shall allow the user to connect to a remote SSH server without disclosing authentication credentials to the local computer
• The device shall have updatable firmware

Design Constraints
• The device must be powered solely by USB
• The device must be small, about 2" x 3.5" x 0.5"
• All software and firmware must be buildable with free toolchains

Milestones
• Problem defined
• Technology considered & selected
• Product designed
• Prototype implemented
• Product tested
• Product documentation completed
• Product demonstration completed

Proposed Approach & Considerations

Proposed Approach

Build a small USB device with an embedded microcontroller which will implement the authentication and encryption layers of the SSH protocol. A host software program will provide data transfer between the device and the remote server and provide a user interface for using the SSH connection (data flow during operation will occur as in the diagram below). When run on a private trusted computer, the host software will allow the firmware, keys, and other sensitive data items on the device to be updated.

[Figure: End Product Data Flow]

Technologies Considered

Hardware
• Custom-built USB device (chosen)

Firmware
• Embedded Linux
• FreeRTOS or eCos
• Custom software stack (chosen)

Host Software
• C
• Python
• Java (chosen)

Testing Considerations
• Test each component as it is developed
• Perform final integration testing
• Have non-team-members test the product for usability

Estimated Resources & Schedule

Personnel Effort

[Chart: Projected Hours. Labels: Taylor, Joe, Michael, Steve. Values shown: 202, 205, 229, 239.]

Project Schedule

Financial Resources

Item                  w/ labor   w/o labor
Prototype board       $300       $300
Parts                 $182       $182
PCB                   $120       $120
Labor (@ 10.50/hr)    $9188      $0
Totals                $9790      $602

Other resources
• Freely available software packages (GCC compiler suite, Eclipse IDE, Java)
• IAR Embedded Workbench compiler (came with prototype board)
• JTAG debugging stub (provided by senior design)
• Prototype board paid for by the Information Assurance Center

Closing Summary

The HardSSH device provides a more secure mechanism for using SSH software on untrusted systems. The project's solution includes the device hardware itself, the firmware implementing the SSH encryption and authentication, and the host software to use the device. With this solution, the user can log in with SSH on an untrusted computer without compromising authentication information.
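The abstract and proposed approach keep the SSH private key on the device and leave the untrusted host to relay messages. The following added example (not the project's code) shows in Python what such a host can capture during public-key authentication: a signature bound to one session identifier, which a later session rejects. Assumptions: the class names, the 16-byte session identifier, the simplified signed message (session identifier plus user name), and the textbook RSA key built from two Mersenne primes, standing in for the device's real algorithm, are all constructed for illustration.

```python
import hashlib
import secrets

# Constructed key: textbook RSA over two Mersenne primes, no padding.
# It stands in for whatever signature algorithm the real firmware uses.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, lives only on the device

def digest(session_id: bytes, user: bytes) -> int:
    # SSH public-key authentication signs the session identifier together
    # with the request, so a signature is valid for one connection only.
    h = hashlib.sha256(session_id + user).digest()
    return int.from_bytes(h, "big") % N

class Device:
    """Hypothetical device: the private exponent is used only inside sign()."""
    def __init__(self, d: int):
        self._d = d
    def sign(self, session_id: bytes, user: bytes) -> int:
        return pow(digest(session_id, user), self._d, N)

class Server:
    """Hypothetical server: knows only the public key (N, E)."""
    def new_session(self) -> bytes:
        self.session_id = secrets.token_bytes(16)
        return self.session_id
    def verify(self, user: bytes, sig: int) -> bool:
        return pow(sig, E, N) == digest(self.session_id, user)

class UntrustedHost:
    """Relays messages and records all of them, as malware on a lab PC could."""
    def __init__(self, device: Device, server: Server):
        self.device, self.server, self.seen = device, server, []
    def login(self, user: bytes) -> bool:
        sid = self.server.new_session()
        sig = self.device.sign(sid, user)
        self.seen.append((sid, user, sig))
        return self.server.verify(user, sig)

def demo():
    server = Server()
    host = UntrustedHost(Device(D), server)
    logged_in = host.login(b"alice")
    _, user, captured_sig = host.seen[0]
    server.new_session()                       # a later connection
    replayed = server.verify(user, captured_sig)
    return logged_in, replayed

if __name__ == "__main__":
    print(demo())
```

The protection covers the stored key only: as the Intended Uses list says, the device does not provide extra security after login.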
