Add comparison table, include system diagrams

jaseg 2018-11-30 18:33:38 +09:00
parent be2e8e1198
commit f610e8a995
6 changed files with 32097 additions and 246 deletions

Binary file not shown.


@ -3,13 +3,13 @@
\usepackage[a4paper,textwidth=17cm, top=2cm, bottom=3.5cm]{geometry}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
style=numeric,
natbib=true,
url=true,
doi=true,
eprint=false
]{biblatex}
backend=biber,
style=numeric,
natbib=true,
url=true,
doi=true,
eprint=false
]{biblatex}
\addbibresource{directions.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
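Review bot: The biblatex option lines (backend=biber through eprint=false) read the same on both sides of this hunk, so the only change here is indentation. Whitespace-only reindentation is better kept in its own commit, so that the table and diagram additions in this change can be reviewed without wading through lines that did not change in content.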
@ -26,12 +26,17 @@
\usepackage{graphicx,color}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
%\usepackage[pdftex]{graphicx,color}
%\usepackage{epstopdf}
\newcommand{\foonote}[1]{\footnote{#1}}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\author{Sebastian Götte {\texttt<secureusb@jaseg.net>} @Mori lab, Waseda University}
\title{Research directions in secure USB devices}
\date{November 19 2018}
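Review bot: The comparison table added later in this file uses \multirow, but no \usepackage{multirow} appears among the preamble lines in this hunk. If it is not loaded elsewhere in the preamble, the build will stop on an undefined control sequence. Separately, on the \author line, \texttt is followed directly by < with no braces, so only that one character is taken as its argument; \texttt{<secureusb@jaseg.net>} is probably what was meant.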
@ -55,6 +60,23 @@ Research exists in various directions.
\item Compartmentalized systems such as QubesOS have been implemented
\end{itemize}
\begin{table}
\setlength{\extrarowheight}{5pt}
\begin{tabular}{l|P{10mm}|P{15mm}|P{15mm}|P{15mm}|P{17mm}|P{25mm}|}
&\multicolumn{3}{c|}{\bfseries Attacks} & \multicolumn{2}{c|}{\bfseries Eavesdropping} & \multirow{2}{25mm}{\centering\bfseries Backwards\newline compatible} \\\cline{2-6}
& \bfseries HID &\bfseries Host\newline exploit &\bfseries Device\newline exploit&\bfseries Bus-level &\bfseries Physical layer & \\\hline
Firewalls & $\bigcirc$ & $\triangle$ & $\times$ & $\triangle$ & $\times$ & $\bigcirc$ \\
Device authentication & $\bigcirc$ & $\times$ & $\times$ & $\triangle$ & $\times$ & $\times$ \\
Bus encryption & $\triangle$ & $\times$ & $\times$ & $\bigcirc$ & $\bigcirc$ & $\times$ \\
Plain QubesOS setup\footnotemark
& $\triangle$ & $\triangle$ & $\triangle$ & $\triangle$ & $\times$ & $\bigcirc$ \\
Our work & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$ & $\bigcirc$
\end{tabular}
\caption{Comparison of approaches to USB security}
\label{approach_comparison}
\end{table}
\footnotetext{Requires separate USB host controller for HIDs}
Overall, QubesOS is the only significant practical advance towards securing this interface. Other approaches have not
been successful so far. A likely reason for this is large market inertia and necessary backwards-compatibility.
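Review bot: The table gives no legend for $\bigcirc$, $\triangle$ and $\times$, so a reader cannot tell whether $\triangle$ means partial protection, conditional protection or something else. Please define the three symbols in the caption. The "Our work" row claims $\bigcirc$ in every column, including physical-layer eavesdropping, so the table should be referenced from the text (approach_comparison is labelled but no reference to it is visible here) alongside the argument for each entry. Also, \footnotetext sits outside the floating table environment, so the note "Requires separate USB host controller for HIDs" can end up on a different page than the \footnotemark it belongs to; a note inside the table (for example via threeparttable) would keep them together.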
@ -97,6 +119,19 @@ Since sensitive HIDs are isolated from other USB devices effectively on a separa
\textcite{neugschwandtner01} are entirely prevented. Even much scarier physical attacks on USB such as \textcite{su01}
are prevented given an adequate hardware implementation, which fortunately is no too complicated.
\subsection{Diagram of a conventional setup}
\begin{figure}[H]
\includegraphics[scale=0.8]{system_diagram_without_secureusb.eps}
\caption{Diagram of a conventional unprotected system}
\label{diagram_without}
\end{figure}
\subsection{Diagram of a SecureHID-protected system}
\begin{figure}[H]
\includegraphics[scale=0.8]{system_diagram_with_secureusb.eps}
\caption{Diagram of a SecureHID-protected system}
\label{diagram_with}
\end{figure}
\subsection{Key points}
\begin{itemize}
\item A practical example of a complete, secure USB system using Qubes
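Review bot: Both new subsections consist of nothing but a figure whose caption repeats the subsection title, and neither diagram_without nor diagram_with is referenced in the visible text. A sentence per figure saying what the reader should compare between the two diagrams, with a \ref, would make them carry weight in the argument. The figures also lack \centering. In the context line just above, "which fortunately is no too complicated" should read "not too complicated".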
@ -156,8 +191,8 @@ A working prototype has been completed.
\end{itemize}
\item Benchmark cryptography routines (will likely turn out to be ``wayyy fast'' for HID, fast enough for full-speed
USB. High-speed cannot be done with the current architecture as we can't get data out the chip at high-speed
data rates. \textcite{srivaths01} raise the issue of running crypto on embedded systems, but in this case it
turns out with somewhat modern hardware and cryptography there is no problem at all.
data rates. \textcite{srivaths01} raise the issue of running crypto on embedded systems, but in this case it
turns out with somewhat modern hardware and cryptography there is no problem at all.
\end{itemize}
\newpage
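Review bot: The parenthesis opened at "(will likely turn out to be" is never closed before the item ends at "there is no problem at all." Since these lines are being touched anyway, either close it after "full-speed USB" or drop the opening parenthesis and make the remark a sentence of its own.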
@ -165,65 +200,65 @@ A working prototype has been completed.
\section{High-level protocol design}
\begin{figure}
\centering
\begin{sequencediagram}
\newinst{kbd}{Keyboard}
\newinst[3]{dev}{SecureHID}
\newinst[5]{host}{Host}
\centering
\begin{sequencediagram}
\newinst{kbd}{Keyboard}
\newinst[3]{dev}{SecureHID}
\newinst[5]{host}{Host}
\mess{host}{}{dev}
\path (mess from) -- (mess to) node[midway, above] {\emph{COBS sync (null byte)}};
\mess{host}{}{dev}
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Initiate Handshake}};
\mess{host}{}{dev}
\path (mess from) -- (mess to) node[midway, above] {\emph{COBS sync (null byte)}};
\mess{host}{}{dev}
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Initiate Handshake}};
\begin{sdblock}{Noise XX handshake}{}
\mess{host}{}{dev}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e$};
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e,ee,s,es$};
\mess{host}{}{dev}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, s,se$};
\end{sdblock}
\begin{sdblock}{Noise XX handshake}{}
\mess{host}{}{dev}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e$};
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, e,ee,s,es$};
\mess{host}{}{dev}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Handshake}, s,se$};
\end{sdblock}
\begin{sdblock}{Pairing}{Triggered by user interaction after unsuccessful handshake}
\mess{dev}{}{host}
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Start}};
\stepcounter{seqlevel}
\begin{sdblock}{Pairing}{Triggered by user interaction after unsuccessful handshake}
\mess{dev}{}{host}
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Start}};
\stepcounter{seqlevel}
\mess{kbd}{keystroke}{dev}
\addtocounter{seqlevel}{-1}
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$};
\stepcounter{seqlevel}
\mess{kbd}{}{dev}
\addtocounter{seqlevel}{-1}
\path (mess from) -- (mess to) node[midway, above] {keystroke};
\path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$};
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$};
\path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$};
\stepcounter{seqlevel}
\mess{kbd}{keystroke}{dev}
\addtocounter{seqlevel}{-1}
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$};
\stepcounter{seqlevel}
\mess{kbd}{}{dev}
\addtocounter{seqlevel}{-1}
\path (mess from) -- (mess to) node[midway, above] {keystroke};
\path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$};
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Pairing Input},E(\text{keystroke})$};
\path (mess from) -- (mess to) node[midway, above, yshift=5mm] {$\vdots$};
\stepcounter{seqlevel}
\mess{kbd}{}{dev}
\addtocounter{seqlevel}{-1}
\path (mess from) -- (mess to) node[midway, above] {\emph{enter}};
\mess{dev}{}{host}
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Success}};
\end{sdblock}
\mess{kbd}{}{dev}
\addtocounter{seqlevel}{-1}
\path (mess from) -- (mess to) node[midway, above] {\emph{enter}};
\mess{dev}{}{host}
\draw[->,>=angle 60] (mess from) -- (mess to) node[midway, above] {\textsc{Pairing Success}};
\end{sdblock}
\begin{sdblock}{Input passthrough}{Started after successful handshake or pairing}
\mess{kbd}{keystroke}{dev}
\path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$};
\begin{sdblock}{Input passthrough}{Started after successful handshake or pairing}
\mess{kbd}{keystroke}{dev}
\path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$};
\addtocounter{seqlevel}{-1}
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Data},E(\text{keystroke})$};
\path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$};
\stepcounter{seqlevel}
\end{sdblock}
\end{sequencediagram}
\caption{A successful prototype protocol pairing}
\label{protocol_diagram}
\addtocounter{seqlevel}{-1}
\mess{dev}{}{host}
\path (mess from) -- (mess to) node[midway, above] {$\textsc{Data},E(\text{keystroke})$};
\path (mess from) -- (mess to) node[midway, below, yshift=-2mm] {$\vdots$};
\stepcounter{seqlevel}
\end{sdblock}
\end{sequencediagram}
\caption{A successful prototype protocol pairing}
\label{protocol_diagram}
\end{figure}
The basic protocol consists of two stages: \textsc{pairing} and \textsc{data}. When the device powers up, it enters
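Review bot: The Pairing block in the diagram ends with \textsc{Pairing Success} sent from SecureHID to Host and then goes straight to input passthrough, while the enumerated steps further down say the host only enters \textsc{data} state after the user confirms the pairing in the GUI, and that the success message by itself can be forged by a MITM. The diagram should show that user confirmation on the host side, otherwise it suggests the host trusts \textsc{Pairing Success}. The caption "A successful prototype protocol pairing" also sits oddly next to the block annotation "Triggered by user interaction after unsuccessful handshake"; a short note in the caption on when pairing runs would help.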
@ -248,33 +283,33 @@ A successful protocol run always starts like this:
\item \textsc{host} initiates pairing by sending \textsc{initiate handshake} to device
\item \textsc{device} and \textsc{host} follow noise state machine for \textsc{XX} handshake
\item After the handshake completes, both \textsc{device} and \textsc{host} have received each other's static public key
$rs$ and established a shared secret connection key. At this point, the possibility of an MITM attacker having
actively intercepted the handshake remains.
$rs$ and established a shared secret connection key. At this point, the possibility of an MITM attacker having
actively intercepted the handshake remains.
\item \textbf{Channel binding.} Both \textsc{device} and \textsc{host} calculate the \emph{handshake hash} as per noise spec\cite{perrin01}. This
hash uniquely identifies this session and depends on both local and remote ephemeral and static keys $le, re, ls,
rs$. Both parties encode a 64-bit part of this hash into a sequence of english words by dictionary lookup. This
sequence of words is called the \emph{fingerprint} of the connection.
hash uniquely identifies this session and depends on both local and remote ephemeral and static keys $le, re, ls,
rs$. Both parties encode a 64-bit part of this hash into a sequence of english words by dictionary lookup. This
sequence of words is called the \emph{fingerprint} of the connection.
\item \textsc{host} prompts the user to enter the \emph{fingerprint} into a keyboard connected to \textsc{device}.
\item As the user enters the \emph{fingerprint}, \textsc{device} relays any input over the yet-unauthenticated encrypted
noise channel to \textsc{host}. \textsc{host} displays the received user input in plain text in a regular input
field in the pairing GUI. This display is only for user convenience and not relevant to the cryptographic handshake.
A consequence of this is that a MITM could observe the \emph{fingerprint}\footnote{
A MITM could also modify the fingerprint information sent from \textsc{device} to \textsc{host}. This would be
very obvious to the user, since the fingerprint appearing on the \textsc{host} screen would differ from what she
types.
}.
noise channel to \textsc{host}. \textsc{host} displays the received user input in plain text in a regular input
field in the pairing GUI. This display is only for user convenience and not relevant to the cryptographic handshake.
A consequence of this is that a MITM could observe the \emph{fingerprint}\footnote{
A MITM could also modify the fingerprint information sent from \textsc{device} to \textsc{host}. This would be
very obvious to the user, since the fingerprint appearing on the \textsc{host} screen would differ from what she
types.
}.
\item When the user has completed entering the fingerprint, the device checks the calculated fingerprint against the
entered data. If both match, the host is signalled \textsc{success} and \textsc{data} phase is entered. If they do
not match, the host is signalled \textsc{failure}\footnote{
Note that this means a MITM could intercept the \textsc{failure} message and forge a \textsc{success} message.
This means both are just for user convenience \emph{absent} an attacker. If an attacker is present, she will be
caught in the next pairing step.
} and \textsc{pairing} state is re-entered unless the maximum number of tries since powerup has been exceeded.
Failure is indicated to the user by \textsc{device} through a very annoying beep accompanied by angrily flashing
LEDs.
entered data. If both match, the host is signalled \textsc{success} and \textsc{data} phase is entered. If they do
not match, the host is signalled \textsc{failure}\footnote{
Note that this means a MITM could intercept the \textsc{failure} message and forge a \textsc{success} message.
This means both are just for user convenience \emph{absent} an attacker. If an attacker is present, she will be
caught in the next pairing step.
} and \textsc{pairing} state is re-entered unless the maximum number of tries since powerup has been exceeded.
Failure is indicated to the user by \textsc{device} through a very annoying beep accompanied by angrily flashing
LEDs.
\item \textbf{Data phase.} \textsc{host} asks the user for confirmation of pairing \emph{in case the device did not sound an alarm} by
pressing a button on the GUI. When the user does this, the host enters \textsc{data} state and starts input
passthrough.
pressing a button on the GUI. When the user does this, the host enters \textsc{data} state and starts input
passthrough.
\end{enumerate}
Roughly speaking, this protocol is secure given that the only way to MITM a (EC)DH key exchange is to perform two (EC)DH key exchanges with both parties, then relay messages. Since both parties have different static keys, the resulting two (EC)DH sessions will have different handshake hashes under the noise framework. The channel binding step reliably detects this condition through an out-of-band transmission of the \textsc{host} handshake hash to \textsc{device}.
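Review bot: In the final step the user is asked to confirm pairing "in case the device did not sound an alarm", so the check against a forged \textsc{success} message rests on the user noticing the absence of a beep and flashing LEDs. A confirmation that depends on a missing signal is easy to get wrong; consider specifying a distinct positive indication on the device for a matching fingerprint and telling the user to confirm only when they see it. The footnote's "she will be caught in the next pairing step" should name that step explicitly. The "maximum number of tries since powerup" is not given a value anywhere in these lines. Minor: "english" should be capitalised, and "a MITM" and "an MITM" are both used.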
@ -311,14 +346,14 @@ The only specialty here is that this OOB transmission is relayed back from \text
%\begin{figure}
%\tikzstyle{block} = [rectangle, draw, text centered, minimum height=4em]
%\begin{tikzpicture}[node distance=2cm, auto]
% \node[block](matrix){Key matrix}
% \node[block](hidctrl){Keyboard controller}
% \node[block](hubs){USB hubs}
% \node[block](roothub){USB host controller}
% \node[block](pcie){PCIe bus}
% \node[block](sys-usb-kernel){USB VM kernel}
% \node[block](sys-usb-agent){USB VM userspace agent}
% \node[block](dom0){dom0 agent}
% \node[block](matrix){Key matrix}
% \node[block](hidctrl){Keyboard controller}
% \node[block](hubs){USB hubs}
% \node[block](roothub){USB host controller}
% \node[block](pcie){PCIe bus}
% \node[block](sys-usb-kernel){USB VM kernel}
% \node[block](sys-usb-agent){USB VM userspace agent}
% \node[block](dom0){dom0 agent}
%\end{tikzpicture}
%\label{qubes-hid-stack}
%\caption{The USB HID input stack in a QubesOS setup}
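Review bot: In this commented-out figure, \label{qubes-hid-stack} comes before \caption, so if the block is ever enabled a \ref to it will pick up the section number instead of the figure number; the label has to follow the caption. The \node lines also have no terminating semicolon or placement. Since the commit only reindents this dead block, it may be cleaner to either finish the figure or remove it.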

File diff suppressed because it is too large

@ -14,67 +14,77 @@
viewBox="0 0 210 297"
version="1.1"
id="svg8"
enable-background="new"
inkscape:version="0.92.3 (2405546, 2018-03-11)"
sodipodi:docname="system_diagram_with_secureusb.svg">
sodipodi:docname="system_diagram_with_secureusb.svg"
enable-background="new">
<defs
id="defs2"><marker
inkscape:stockid="Arrow1Lstart"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path7078"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Tail"
orient="auto"
refY="0.0"
refX="0.0"
id="Tail"
style="overflow:visible"
inkscape:isstock="true">
<g
id="g7126"
transform="scale(-1.2)"
style="stroke:#000000;stroke-opacity:1;fill:#000000;fill-opacity:1">
<path
id="path7114"
d="M -3.8048674,-3.9585227 L 0.54352094,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7116"
d="M -1.2866832,-3.9585227 L 3.0617053,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7118"
d="M 1.3053582,-3.9585227 L 5.6537466,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7120"
d="M -3.8048674,4.1775838 L 0.54352094,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7122"
d="M -1.2866832,4.1775838 L 3.0617053,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7124"
d="M 1.3053582,4.1775838 L 5.6537466,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
</g>
</marker>
</defs>
id="defs2">
<marker
inkscape:stockid="Arrow1Lstart"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path7078"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Tail"
orient="auto"
refY="0.0"
refX="0.0"
id="Tail"
style="overflow:visible"
inkscape:isstock="true">
<g
id="g7126"
transform="scale(-1.2)"
style="stroke:#000000;stroke-opacity:1;fill:#000000;fill-opacity:1">
<path
id="path7114"
d="M -3.8048674,-3.9585227 L 0.54352094,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7116"
d="M -1.2866832,-3.9585227 L 3.0617053,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7118"
d="M 1.3053582,-3.9585227 L 5.6537466,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7120"
d="M -3.8048674,4.1775838 L 0.54352094,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7122"
d="M -1.2866832,4.1775838 L 3.0617053,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7124"
d="M 1.3053582,4.1775838 L 5.6537466,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
</g>
</marker>
<filter
inkscape:collect="always"
style="color-interpolation-filters:sRGB"
id="filter12742"
x="-0.026609355"
width="1.0532187"
y="-0.0077467796"
height="1.0154936">
<feGaussianBlur
inkscape:collect="always"
stdDeviation="0.41059571"
id="feGaussianBlur12744" />
</filter>
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
@ -82,9 +92,9 @@
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.70710679"
inkscape:cx="239.57751"
inkscape:cy="699.28303"
inkscape:zoom="0.70710678"
inkscape:cx="77.048822"
inkscape:cy="675.70454"
inkscape:document-units="mm"
inkscape:current-layer="layer2"
showgrid="false"
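Review bot: The inkscape:zoom, inkscape:cx and inkscape:cy changes in this hunk are editor viewport state from sodipodi:namedview, not part of the drawing. They will change on every save and add noise to each future diff of this file. Consider saving as plain SVG or stripping the namedview view attributes before committing.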
@ -95,7 +105,11 @@
inkscape:window-y="50"
inkscape:window-maximized="0"
inkscape:measure-start="0,0"
inkscape:measure-end="0,0" />
inkscape:measure-end="0,0"
fit-margin-top="2"
fit-margin-left="2"
fit-margin-right="2"
fit-margin-bottom="2" />
<metadata
id="metadata5">
<rdf:RDF>
@ -104,7 +118,7 @@
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
@ -10426,39 +10440,34 @@
id="g5245"
class="st1"
style="opacity:0.2;fill:#cc0000"
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)">
</g>
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)" />
<g
id="Layer_2"
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)">
</g>
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)" />
<g
transform="matrix(0.16536458,0,0,0.16536458,3.6591496,107.86071)"
id="g5281">
<g
style="fill:#cc0000"
id="g5241">
<circle
style="fill:#cc0000"
class="st0"
cx="32"
cy="32"
r="32"
id="circle5239" />
</g>
<circle
style="fill:#cc0000"
class="st0"
cx="32"
cy="32"
r="32"
id="circle5239" />
</g>
<g
style="fill:#ffcc00"
id="g5249">
<path
style="fill:#ffcc00"
inkscape:connector-curvature="0"
class="st3"
d="M 28.1,56.1 C 28.1,56.1 12,53.7 12,40 12,26.3 33,25 28.4,8 c 0,0 15.7,4.9 11.9,20.2 0,0 2.1,-1.3 3.7,-3.9 0,0 8,6.2 8,15.5 0,9.3 -11,16.2 -16.3,16.2 0,0 5.6,-7.6 0.5,-12.5 -7.3,-7 -4.2,-11.4 -4.2,-11.4 0,0 -17.8,8.7 -3.9,24 z"
id="path5247" />
</g>
<path
style="fill:#ffcc00"
inkscape:connector-curvature="0"
class="st3"
d="M 28.1,56.1 C 28.1,56.1 12,53.7 12,40 12,26.3 33,25 28.4,8 c 0,0 15.7,4.9 11.9,20.2 0,0 2.1,-1.3 3.7,-3.9 0,0 8,6.2 8,15.5 0,9.3 -11,16.2 -16.3,16.2 0,0 5.6,-7.6 0.5,-12.5 -7.3,-7 -4.2,-11.4 -4.2,-11.4 0,0 -17.8,8.7 -3.9,24 z"
id="path5247" />
</g>
</g>
<g
transform="matrix(0.16536458,0,0,0.16536458,3.6591496,210.29175)"
@ -10569,6 +10578,39 @@
height="5.7062044"
x="121.65137"
y="123.30882" />
<rect
style="opacity:1;vector-effect:none;fill:#fffde9;fill-opacity:1;stroke:none;stroke-width:1;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect5747-3"
width="6.5948758"
height="5.7062044"
x="121.65137"
y="110.5002" />
<rect
style="opacity:1;vector-effect:none;fill:#fffde9;fill-opacity:1;stroke:none;stroke-width:1;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect5747-6"
width="6.5948758"
height="5.7062044"
x="121.65137"
y="212.46191" />
<g
id="g8063"
style="stroke:#610000;stroke-opacity:1;opacity:0.34;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;filter:url(#filter12742)">
<path
inkscape:connector-curvature="0"
id="path5640-7"
d="m 95.105469,101.23828 v 1 H 124.41016 V 227.44336 H 90.427734 v 1 H 125.41016 V 101.23828 Z"
style="color:#000000;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:medium;line-height:normal;font-family:sans-serif;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration:none;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000000;letter-spacing:normal;word-spacing:normal;text-transform:none;writing-mode:lr-tb;direction:ltr;text-orientation:mixed;dominant-baseline:auto;baseline-shift:baseline;text-anchor:start;white-space:normal;shape-padding:0;clip-rule:nonzero;display:inline;overflow:visible;visibility:visible;opacity:1;isolation:auto;mix-blend-mode:normal;color-interpolation:sRGB;color-interpolation-filters:linearRGB;solid-color:#000000;solid-opacity:1;vector-effect:none;fill:#404040;fill-opacity:1;fill-rule:evenodd;stroke:#610000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;color-rendering:auto;image-rendering:auto;shape-rendering:auto;text-rendering:auto;enable-background:accumulate" />
<path
inkscape:connector-curvature="0"
id="path5642-5"
d="m 126.46094,104.05273 v 118.45899 h 1 V 104.05273 Z"
style="color:#000000;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:medium;line-height:normal;font-family:sans-serif;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration:none;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000000;letter-spacing:normal;word-spacing:normal;text-transform:none;writing-mode:lr-tb;direction:ltr;text-orientation:mixed;dominant-baseline:auto;baseline-shift:baseline;text-anchor:start;white-space:normal;shape-padding:0;clip-rule:nonzero;display:inline;overflow:visible;visibility:visible;opacity:1;isolation:auto;mix-blend-mode:normal;color-interpolation:sRGB;color-interpolation-filters:linearRGB;solid-color:#000000;solid-opacity:1;vector-effect:none;fill:#404040;fill-opacity:1;fill-rule:evenodd;stroke:#610000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;color-rendering:auto;image-rendering:auto;shape-rendering:auto;text-rendering:auto;enable-background:accumulate" />
<path
inkscape:connector-curvature="0"
id="path5642-8-3"
d="m 122.4375,104.05273 v 118.45899 h 1 V 104.05273 Z"
style="color:#000000;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:medium;line-height:normal;font-family:sans-serif;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration:none;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000000;letter-spacing:normal;word-spacing:normal;text-transform:none;writing-mode:lr-tb;direction:ltr;text-orientation:mixed;dominant-baseline:auto;baseline-shift:baseline;text-anchor:start;white-space:normal;shape-padding:0;clip-rule:nonzero;display:inline;overflow:visible;visibility:visible;opacity:1;isolation:auto;mix-blend-mode:normal;color-interpolation:sRGB;color-interpolation-filters:linearRGB;solid-color:#000000;solid-opacity:1;vector-effect:none;fill:#404040;fill-opacity:1;fill-rule:evenodd;stroke:#610000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;color-rendering:auto;image-rendering:auto;shape-rendering:auto;text-rendering:auto;enable-background:accumulate" />
</g>
<path
style="fill:none;fill-rule:evenodd;stroke:#404040;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
d="M 95.105476,101.7375 H 124.90949 V 227.94375 H 90.42826"
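Review bot: The three paths inside group g8063 (path5640-7, path5642-5, path5642-8-3) each carry the same very long style attribute, and the group itself already sets stroke, stroke-width and opacity. Moving the shared properties onto the group and dropping the default-valued ones from the paths would shrink this hunk to a few lines and make later edits to the shadow reviewable.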

File diff suppressed because it is too large

@ -14,67 +14,64 @@
viewBox="0 0 210 297"
version="1.1"
id="svg8"
enable-background="new"
inkscape:version="0.92.3 (2405546, 2018-03-11)"
sodipodi:docname="system_diagram_without_secureusb.svg">
sodipodi:docname="system_diagram_without_secureusb.svg"
enable-background="new">
<defs
id="defs2"><marker
inkscape:stockid="Arrow1Lstart"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path7078"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Tail"
orient="auto"
refY="0.0"
refX="0.0"
id="Tail"
style="overflow:visible"
inkscape:isstock="true">
<g
id="g7126"
transform="scale(-1.2)"
style="stroke:#000000;stroke-opacity:1;fill:#000000;fill-opacity:1">
<path
id="path7114"
d="M -3.8048674,-3.9585227 L 0.54352094,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7116"
d="M -1.2866832,-3.9585227 L 3.0617053,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7118"
d="M 1.3053582,-3.9585227 L 5.6537466,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7120"
d="M -3.8048674,4.1775838 L 0.54352094,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7122"
d="M -1.2866832,4.1775838 L 3.0617053,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7124"
d="M 1.3053582,4.1775838 L 5.6537466,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
</g>
</marker>
</defs>
id="defs2">
<marker
inkscape:stockid="Arrow1Lstart"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path7078"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Tail"
orient="auto"
refY="0.0"
refX="0.0"
id="Tail"
style="overflow:visible"
inkscape:isstock="true">
<g
id="g7126"
transform="scale(-1.2)"
style="stroke:#000000;stroke-opacity:1;fill:#000000;fill-opacity:1">
<path
id="path7114"
d="M -3.8048674,-3.9585227 L 0.54352094,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7116"
d="M -1.2866832,-3.9585227 L 3.0617053,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7118"
d="M 1.3053582,-3.9585227 L 5.6537466,0"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7120"
d="M -3.8048674,4.1775838 L 0.54352094,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7122"
d="M -1.2866832,4.1775838 L 3.0617053,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
<path
id="path7124"
d="M 1.3053582,4.1775838 L 5.6537466,0.21974226"
style="fill:#000000;fill-rule:evenodd;stroke:#000000;stroke-width:0.8;stroke-linecap:round;stroke-opacity:1;fill-opacity:1" />
</g>
</marker>
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
@ -82,16 +79,16 @@
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="4"
inkscape:cx="92.961299"
inkscape:cy="419.65814"
inkscape:zoom="0.70710678"
inkscape:cx="278.67425"
inkscape:cy="376.64745"
inkscape:document-units="mm"
inkscape:current-layer="layer2"
showgrid="false"
inkscape:snap-global="false"
inkscape:window-width="1920"
inkscape:window-height="1030"
inkscape:window-x="0"
inkscape:window-x="6"
inkscape:window-y="50"
inkscape:window-maximized="0"
inkscape:measure-start="0,0"
@ -104,7 +101,7 @@
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
<dc:title />
</cc:Work>
</rdf:RDF>
</metadata>
@ -5472,13 +5469,10 @@
id="g5245"
class="st1"
style="opacity:0.2;fill:#cc0000"
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)">
</g>
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)" />
<g
id="Layer_2"
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)">
</g>
transform="matrix(0.26458333,0,0,0.26458333,145.6944,119.77935)" />
<flowRoot
style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:16px;line-height:125%;font-family:'Source Serif Pro';-inkscape-font-specification:'Source Serif Pro Bold';text-align:start;letter-spacing:0px;word-spacing:0px;text-anchor:start;opacity:1;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
id="flowRoot2440-9-8-4-5-2"
