[Dev] Cynara

Jussi Laako jussi.laako at linux.intel.com
Mon Apr 14 12:36:41 GMT 2014


On 12.4.2014 6:14, Carsten Haitzler (The Rasterman) wrote:
>> Yes, but I also know how to modify it and not let X11 access certain
>> input devices. I don't have any plans for wayland, maybe once it matures.
>
> you use x11... you're screwed. see my xinput example. your keyboard is
> sniffable by any client, should they desire, regardless of "secure grabs".

How would x11 sniff my inputs when the input is not coming from the 
kernel driver to x11 at all?

Even with the simplest approach: I don't think x11 is listening to 
/dev/ttyS0, for example, by default?

> and it is not isolated. it's a conduit through which pretty much all input and
> output happens for a user. thus it sees all of this. if this app is something

Not at least voice inputs through my microphone yet. I didn't notice it 
watching on my serial I/O devices either, but I could be wrong.

(you can get serial port number keypads for pin code inputs easily)

> and so to ask the user for a password or challenge.. the display server drives
> the app, tells it to do its thing, when password is requested display server
> fakes a previously saved one and app does what it is meant to do, but not
> driven by user.

Password is never entered in the same device/computer as the PIN code 
and you need both to complete the operation. You would need to hack into 
two devices and somehow orchestrate interaction between the two.

Use OTP lists on paper like banks do and saving any of the previous 
passwords won't help you at all.

> you force the app to do it as the user would. click buttons and enter text
> (passwords or whatever).

Doesn't help. App doesn't ever see the challenge-response that requires 
user interaction to pass. App can only make requests that need external 
means to complete.

I'm curious how your display server would enter RSA SecurID codes, or 
passwords from an OTP list (on paper)?

You have two devices, A and B. Request to perform operation X is done in 
device A using username+password. This goes to the server over internet. 
This server sends challenge to a smart card in device B. Device B asks for a 
PIN code (possibly something like RSA SecurID that changes every 10 
seconds) and creates a response that goes back to the server. Now the 
operation X from device A completes.