The keyboard is the most common input device on a computer, and apart from the display it is also the device whose signals are most easily intercepted and reproduced. Following the red-black separation principle for preventing information leakage, we have developed a red-black separated anti-information-leakage keyboard.
First, let us analyze the working principle of the keyboard. Today's keyboards are built around a single main chip. A keyboard consists of three parts: a dedicated chip, the keys, and an interface. The dedicated chip provides the host interface, the row and column lines, and the microprogram that controls the keyboard subsystem; the keys sit at the intersections of the row and column lines; the host interface has four lines in total: power, ground, clock, and data. The working principle is as follows.
① The clock and data line pins on both the host and keyboard sides are open-collector (OC) outputs, and both lines are normally high. Either the host or the keyboard can pull either line low. When both lines are high, the keyboard may send data; when the clock line is low, the keyboard is prohibited from sending; when the clock is high and the data line is low, the host wants to send a command and the keyboard prepares to receive it.
② After power-on, the keyboard runs a self-test. If the self-test passes, it sends AAH to the host and begins scanning the keys.
③ Once it determines that a key has been pressed, it sends that key's scan code to the host, starts a timer, and continues scanning. If the key has still not been released after 0.5 s and no new key has been pressed, it sends the key's scan code repeatedly at 30 codes per second. Up to 3 keys may be pressed at the same time. If a new key is pressed within the 0.5 s, the timer restarts for the new key.
④ When a key is released, the end code of that key is sent.
⑤ After receiving a command code from the host, the keyboard responds with FAH and begins executing the command.
The data rule for communication between keyboard and host is: each group of data consists of 11 bits: 1 start bit (logic 0), 8 data bits (low bit first), 1 check bit (odd parity), and 1 stop bit (logic 1). The timing of the data bits is as follows: the clock is a square wave generated by the keyboard subsystem with a period of about 80 μs, and its falling edge is valid. The clock is present only while a code is being sent. Each key has a scan code, and the host also sends some commands. Table 1 gives the scan code of each key.
Table 1 Keyboard scan codes
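The 11-bit frame described above, as an added example that is not part of the original article: an encoder and decoder for the frame format, using the AAH self-test and FAH acknowledge bytes mentioned in the text as sample data (the 80 μs clock period is the article's approximate figure).

```python
"""PS/2-style keyboard frame as described in the text: 1 start bit (0), 8 data bits
low bit first, 1 odd-parity bit, 1 stop bit (1); about 80 us per clock period."""
from typing import List

FRAME_BITS = 11
CLOCK_PERIOD_US = 80   # approximate period of the keyboard-generated clock (from the article)

def odd_parity(byte: int) -> int:
    """Parity bit chosen so that data bits plus parity contain an odd number of 1s."""
    ones = bin(byte & 0xFF).count("1")
    return 0 if ones % 2 == 1 else 1

def encode_frame(byte: int) -> List[int]:
    """Bits in the order the keyboard clocks them out for one data byte."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("byte out of range")
    data = [(byte >> i) & 1 for i in range(8)]      # low bit first on the wire
    return [0] + data + [odd_parity(byte), 1]

def decode_frame(bits: List[int]) -> int:
    """Check start, stop and parity bits of one frame; return the data byte."""
    if len(bits) != FRAME_BITS:
        raise ValueError("frame must be 11 bits")
    if bits[0] != 0:
        raise ValueError("bad start bit")
    if bits[-1] != 1:
        raise ValueError("bad stop bit")
    byte = sum(b << i for i, b in enumerate(bits[1:9]))
    if bits[9] != odd_parity(byte):
        raise ValueError("parity error")
    return byte

def decode_stream(bits: List[int]) -> List[int]:
    """Split a bit sequence sampled on the data line at each clock falling edge into
    frames and decode each one. Nothing beyond the public frame format is needed to
    recover the bytes, which is why the data line is the red signal."""
    if len(bits) % FRAME_BITS:
        raise ValueError("stream is not a whole number of frames")
    return [decode_frame(bits[i:i + FRAME_BITS]) for i in range(0, len(bits), FRAME_BITS)]

def frame_duration_us(n_frames: int = 1) -> int:
    """Time on the wire for n frames at the nominal 80 us clock period."""
    return n_frames * FRAME_BITS * CLOCK_PERIOD_US
```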
This is an open industry standard, and all PC keyboards follow it. Their communication with the host must be carried out according to the standard above. This greatly simplifies the production, maintenance and use of spare parts, but it also makes it possible for keystrokes to cause information leakage.
2 Analysis of keyboard information leakage
In order to verify the characteristics of the electromagnetic field produced by keyboard information leakage, the following test was carried out: with the "H" key held down on the keyboard, a spectrum analyzer was used to measure the conducted emission characteristics on the signal lines connecting the keyboard and the host. The results are shown in Figure 1.
Figure 1 Conducted emission characteristics of the keyboard
When different keys are pressed, the spectral line received by the spectrum analyzer shifts in frequency. By the principle of information correlation, the observed spectral line is correlated with the key information, which indicates that it carries the keyboard scan code. This information is the keyboard code and is defined as the red signal. The path of the red signal generated by the keyboard is analyzed in detail below. Figure 2 is the circuit diagram of an ordinary keyboard, implemented with an 8051 single-chip microcomputer.
Figure 2 Ordinary keyboard circuit
The pins of the key array (P0, P2 and part of P1) in Figure 2 carry high/low transition levels used to determine which key is pressed and which is released. These signals are meaningless even if intercepted, so they are defined as black signals. The reset level, crystal oscillator, etc. are also black signals. The keyboard has two signal lines to the host, the clock line (KBDCLK) and the data line (KBCDATA). The clock line provides the clock for keyboard-to-host communication; it is generated by the keyboard and its falling edge is valid. That is, on each falling edge of the clock the host reads the data bit prepared by the keyboard into the accumulator "ACC", and after reading a valid stop bit it passes the byte to the CPU for processing. For a given keyboard, the clock period, frequency and level are always the same; they differ only slightly between different keyboards.
In the same keyboard, the clock of every transmission is identical, so this signal carries no key information and is also a black signal. The keyboard has many different keys; once a key is selected, the corresponding key code is sent to the host over the data line. Therefore, in Figure 2 only the data line is a red signal. Let us now analyze the path of the red signal inside the chip. Figure 3 is the internal block diagram of the 8051.
Figure 3 8051 block diagram
In Figure 3, the hollow arrows indicate the path of the red signal. Inside the 8051, this part drives the column scan levels and reads in the row scan levels; after a key is pressed, the ALU computes the code and places it in the accumulator ACC, from which it is shifted out one bit at a time on a pin of P3. Inside the chip the red signal is serial binary data with a baud rate of 12.5 kbps, a pulse width of 80 μs, a transition time of 1.4 μs, and odd parity. The waveform is shown in Figure 4.
Figure 4 Scan code waveform when the keyboard sends "H"
From the above test it can be seen that the path of the red signal in the keyboard starts at the accumulator in the microprocessor, passes through a data pin, and runs along a section of circuit that ends at the host data port. The RF radiation at harmonics of the keyboard scan cycle presents two main threats: one is the radiation of the keyboard cable at the harmonics of its response frequency; the other is the scan code that can be detected in a return signal modulated by nonlinear cross effects.
3 Red-black separated anti-information leakage keyboard
3.1 Design
In order to prevent keyboard leakage, we have developed a red-black separated anti-information-leakage keyboard. This keyboard transmits its data as optical signals: the keyboard and the host are connected by plastic optical fiber. The keyboard is battery powered to minimize electromagnetic radiation.
The low-voltage circuit designed is powered by two No. 5 (AA) batteries. A low-voltage 8051 microcontroller is used as the main chip to perform key selection and scanning and to send the data. To save power, the design puts the microcontroller into a sleep state whenever no key is pressed. The encoding of ordinary keyboards is a fixed, standard value, as listed in Table 1. If this plain code is not properly protected, it can be reproduced once intercepted, with serious consequences. The protection adopted here is a programmable keyboard microcontroller: the scan cycle is randomized and the scan code is encrypted before it is transmitted to the PC. When a key is pressed, the number of scans within a cycle is random, so the transmitted value varies instead of being the original constant. In this way, whatever the user types and in every situation, even if the value is intercepted by an attacker, the information obtained is not the key value. For this purpose the system must be modified and the password set by the user. We changed the program of the keyboard microcontroller, so that even if the other party can detect the electromagnetic leakage of the keyboard in operation, the intercepted information is meaningless. The optical signal generated and emitted by the keyboard is no longer the universal scan code; as in Figure 3, the red signal path now carries a password rather than a universal scan code. A corresponding single-chip microcomputer on the host side receives the password, converts it into the standard keyboard code and passes it to the host. This host-side mechanism is sealed inside the shielded chassis, so no electromagnetic waves leak out. Another advantage of the encrypted coding is that the coding scheme can be changed frequently, which is very useful for confidential departments.
Only the keyboard side is involved here, since the logic is burned into the keyboard microcontroller's firmware rather than a PC device driver. The following discusses the keyboard's device driver, that is, the algorithm of the keyboard microcontroller program.
① The functions implemented are exactly the same as those of the ordinary keyboard described in Section 1.
② The keyboard scans every key continuously. When a key is pressed, it sends the key's data and starts timing. If the key is not released after 0.5 s, it keeps sending this key at 30 times per second.
③ During the timing and the continuous sending, the other keys continue to be monitored without interruption.
④ While a key is being sent continuously, if another key is pressed, sending of the first key stops; the newly pressed key is sent and its timer started.
⑤ If a key is released, an end code is sent to inform the host that the key has been released.
⑥ There are 104 fixed bits in the bit-addressable area of RAM, one flag bit per key. When scanning a key, first check its bit: the bit is 1 if the key was pressed before and 0 if it was not. Then check whether it is pressed now. If it has just been pressed, send the scan code; if it is not pressed now, go on to the next key; if it has just been released, send the end code.
⑦ The 104 keys are scanned in turn while the timer runs concurrently. If a key has been pressed and not released, after 0.5 s it is sent continuously at 30 codes per second. When 4 keys are pressed at the same time, the new one is not recorded.
The flow of the keyboard microcontroller program according to the above algorithm is shown in Figure 5.
Figure 5 Keyboard program flow
3.2
In realizing the red-black separated anti-information-leakage keyboard, a low-voltage chip was selected for the single-chip microcomputer, and a plastic optical fiber 1 mm in diameter was selected for the optical cable.
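The scan algorithm of steps ① to ⑦, as an added simulation in Python that is not the article's 8051 firmware: the ("make", key) and ("break", key) event tuples stand in for the scan code and end code, whose values this page does not give, while the 0.5 s delay, the 30 codes per second and the 3-key limit are the article's figures; the key-press script is constructed test input.

```python
"""Simulation of the keyboard firmware scan loop described in steps 1 to 7."""
from typing import List, Optional, Tuple

NUM_KEYS = 104                   # one flag bit per key in bit-addressable RAM
MAX_PRESSED = 3                  # a 4th simultaneous key is not recorded
REPEAT_DELAY_MS = 500            # 0.5 s before auto-repeat starts
REPEAT_PERIOD_MS = 1000 // 30    # about 30 codes per second

Event = Tuple[int, str, int]     # (time_ms, "make" | "break", key)

class KeyScanner:
    def __init__(self) -> None:
        self.flags = [0] * NUM_KEYS            # 1 = key was down at the previous scan
        self.repeat_key: Optional[int] = None  # key currently timed for auto-repeat
        self.next_repeat_ms = 0
        self.events: List[Event] = []

    def scan(self, now_ms: int, matrix: List[bool]) -> None:
        """One pass over all keys; matrix[k] is True while key k is physically down."""
        for key in range(NUM_KEYS):
            down, was_down = matrix[key], self.flags[key]
            if down and not was_down:
                if sum(self.flags) >= MAX_PRESSED:
                    continue                                # step 7: do not record a 4th key
                self.flags[key] = 1
                self.events.append((now_ms, "make", key))   # step 2: send the scan code
                self.repeat_key = key                       # step 4: newest key owns the timer
                self.next_repeat_ms = now_ms + REPEAT_DELAY_MS
            elif was_down and not down:
                self.flags[key] = 0
                self.events.append((now_ms, "break", key))  # step 5: send the end code
                if self.repeat_key == key:
                    self.repeat_key = None
        # steps 3 and 7: the timer runs alongside scanning; resend the held key after 0.5 s
        if self.repeat_key is not None and now_ms >= self.next_repeat_ms:
            self.events.append((now_ms, "make", self.repeat_key))
            self.next_repeat_ms += REPEAT_PERIOD_MS

def simulate(presses: List[Tuple[int, int, int]], end_ms: int, scan_period_ms: int = 1) -> List[Event]:
    """Drive the scanner with constructed input: one (key, press_ms, release_ms) per key."""
    scanner = KeyScanner()
    for now in range(0, end_ms + 1, scan_period_ms):
        matrix = [any(k == key and t_down <= now < t_up for k, t_down, t_up in presses)
                  for key in range(NUM_KEYS)]
        scanner.scan(now, matrix)
    return scanner.events

def makes_for(events: List[Event], key: int) -> List[int]:
    """Times at which a scan code for `key` was sent (initial press plus auto-repeats)."""
    return [t for t, kind, k in events if kind == "make" and k == key]
```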
According to the red-black separation rule, the keyboard was designed in two parts, the structure and the circuit; a prototype was built and small-batch production was carried out. Figure 6 shows the red-black separated anti-information-leakage keyboard we developed.
Figure 6 TEMPEST-111 keyboard
The red-black separated anti-information-leakage keyboard is highly reliable, and its information-security test indicators reach the A-type machine standard. When it was tested with a spectrum analyzer, the results were as shown in Figure 7. The test results show no electromagnetic radiation.
Figure 7 Spectrum of the TEMPEST keyboard when sending "H"
Ending remarks
Through the design of the red-black separated anti-information-leakage keyboard, we have learned that to design an anti-leakage device one must first perform circuit analysis to find the leakage path of the red signal. Only after analysis and verification can the red-black separation of the circuit and the encryption of the software code begin. In the shielding, absorption, isolation and grounding of the red signal lines of the circuit, the red signal must be prevented from being modulated by nonlinear cross effects; this is one of the successful experiences of this design.