HardSSH
Cryptographic Hardware Key
Team May07-20: Steven Schulteis (Cpr E), Joseph Sloan (EE, Cpr E, Com S), Michael Ekstrand (Cpr E), Taylor Schreck (Cpr E)
Faculty Adviser: Doug Jacobson
Clients: Michael Ekstrand, Steven Schulteis
Abstract
The Secure Shell (SSH) protocol allows for secure logins on remote computers without disclosing passwords or keys to intermediate devices on the network. However, when using an untrusted public computer which may have various malicious programs running, it is still possible for authentication credentials to be disclosed. This project focuses on building a device which will perform all the encryption and authentication operations necessary for SSH connections. Host software is being developed which will run on the untrusted computer and use the device to make an SSH connection to a remote server. Since all authentication is done on the device, using keys programmed into the device from a private, trusted computer, a user can establish a secure connection without compromising their authentication credentials in a public computing lab.
Introduction
Problem Statement
When users log in to a Secure Shell (SSH) server from an untrusted computer (e.g., at a library), they have no way of protecting their authentication information from an attacker who may have tampered with the machine (left figure below). We solve this problem by storing authentication information in the device and passing it through the untrusted host in a way that the host can’t read it (see right figure below).
Operating Environment
• Frequently transported (must withstand jostling/dropping)
• Access to USB port
• Room temperature during operation
Intended Users
• SSH users who use public computing resources (students, hobbyists, employees)
• Some technical knowledge
Intended Uses
• Protect authentication credentials from compromise
• Does not provide extra security after login
Assumptions
• User can access a trusted computer
• User has USB read/write access on trusted & untrusted computers
Limitations
• Device enclosure no larger than 2" x 3.5" x 0.5"
• Powered by USB only
Deliverables/End Product
• Working prototype and firmware
• Host software for using and managing the device
• User’s manual
Project Requirements
Design Objective
To develop an implementation of SSH on an external USB device, with necessary accompanying software, to allow secure access to SSH servers from untrusted public computers.
Functional Requirements
Design Constraints
• The device must be powered solely by USB
• The device must be small, about 2" x 3.5" x 0.5"
• All software and firmware must be buildable with free toolchains
Milestones
• Problem defined
• Technology considered & selected
• Product designed
• Prototype implemented
• Product tested
• Product documentation completed
• Product demonstration completed
Proposed Approach & Considerations
Proposed Approach
Build a small USB device with an embedded microcontroller which will implement the authentication and encryption layers of the SSH protocol. A host software program will provide data transfer between the device and the remote server and provide a user interface for using the SSH connection (data flow during operation will occur as in the diagram below). When run on a private trusted computer, the host software will allow the firmware, keys, and other sensitive data items on the device to be updated.
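The trust boundary in the proposed approach, as an added Python simulation (not the project's firmware or host software): the device holds the key, the untrusted host only relays and records, and a proof captured by the host is rejected in a later session. Assumptions: the class and function names are hypothetical, HMAC-SHA256 stands in for SSH's public-key signature, a random value stands in for the session identifier that SSH derives from key exchange, and only the authentication step is modelled.

```python
import hashlib
import hmac
import os

class Device:
    """Stand-in for the USB token; the key is loaded once on a trusted computer."""
    def __init__(self, key: bytes):
        self._key = key

    def prove(self, session_id: bytes, user: str) -> bytes:
        # Bind the proof to this session so a recorded copy is useless elsewhere.
        return hmac.new(self._key, session_id + user.encode(), hashlib.sha256).digest()

class Server:
    """Stand-in for the remote SSH server (HMAC replaces SSH's public-key check)."""
    def __init__(self, user: str, key: bytes):
        self._user, self._key, self.session_id = user, key, b""

    def new_session(self) -> bytes:
        self.session_id = os.urandom(32)  # assumption: random stand-in for the SSH session id
        return self.session_id

    def verify(self, user: str, proof: bytes) -> bool:
        expected = hmac.new(self._key, self.session_id + user.encode(), hashlib.sha256).digest()
        return user == self._user and hmac.compare_digest(expected, proof)

class UntrustedHost:
    """Relays traffic and records every byte it handles, as malware on a lab PC could."""
    def __init__(self, device: Device, server: Server):
        self.device, self.server, self.seen = device, server, []

    def login(self, user: str) -> bool:
        session_id = self.server.new_session()
        proof = self.device.prove(session_id, user)
        self.seen += [session_id, proof]  # everything the host ever handles
        return self.server.verify(user, proof)

def run_demo() -> dict:
    key = os.urandom(32)                  # constructed sample key
    server = Server("alice", key)         # constructed sample user
    host = UntrustedHost(Device(key), server)
    logged_in = host.login("alice")
    stolen_proof = host.seen[-1]
    server.new_session()                  # a later session has a fresh identifier
    return {
        "logged_in": logged_in,
        "key_seen_by_host": key in host.seen,
        "replay_accepted": server.verify("alice", stolen_proof),
    }
```
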
Technologies Considered
Testing Considerations
• Test each component as it is developed
• Perform final integration testing
• Have non-team-members test the product for usability
Estimated Resources & Schedule
Personnel Effort
Project Schedule
Financial Resources
Other resources
• Freely available software packages (GCC compiler suite, Eclipse IDE, Java)
• IAR Embedded Workbench compiler (came with prototype board)
• JTAG debugging stub (provided by senior design)
• Prototype board paid for by the Information Assurance Center

Item                    w/ labor    w/o labor
Prototype board         $300        $300
Parts                   $182        $182
PCB                     $120        $120
Labor (@ $10.50/hr)     $9188       $0
Totals                  $9790       $602
Closing Summary
The HardSSH device provides a more secure mechanism for using SSH software on untrusted systems. The project's solution includes the device hardware itself, the firmware implementing the SSH encryption and authentication, and the host software to use the device. With this solution, the user can log in with SSH on an untrusted computer without compromising authentication information.
Functional Requirements
• The device shall connect to and be fully powered by USB
• User can define servers, load SSH private key, and perform other trusted functions
• The project shall allow the user to connect to a remote SSH server without disclosing authentication credentials to the local computer
• The device shall have updatable firmware
Technologies Considered
Hardware
• Custom-built USB device (chosen)
Firmware
• Embedded Linux
• FreeRTOS or eCos
• Custom software stack (chosen)
Host Software
• C
• Python
• Java (chosen)
[Figures: Problem, Solution]
[Figure: End Product Data Flow]
[Figure: Projected Hours, by team member (Taylor, Joe, Michael, Steve); values shown: 202, 205, 229, 239]