1 |
I haven't seen anything directly like this on the gentoo-hardened list |
2 |
yet. I have seen the loopback encrypted filesystems and distro |
3 |
discussions (nothing that isn't in the archives). |
4 |
|
5 |
That said, you asked for comments; I have a few ideas. |
6 |
|
7 |
NOT TRUSTING YOUR SYSTEM: |
8 |
Realizing more and more that encryption is a needed part of my working |
9 |
environment (I can't trust my administrators) this is of interest. I'd |
10 |
like to also see User Mode Linux encyption addressed; how do you encrypt |
11 |
your files if you DON'T want to trust your administrator? I've never |
12 |
seen the functional aspects of user security, including various levels |
13 |
of security risk (i.e., if you use UML encryption you could be exploited |
14 |
by X, X, and X in Y environment) explained to end users. |
15 |
|
16 |
RECOVERING YOUR SYSTEM: |
17 |
I do not know how the 'phone home' option available on some laptops |
18 |
works. I've never seen it explained (I'm assuming if it isn't done in |
19 |
hardware a low level format of the harddrive erases any capability of a |
20 |
ip locator being sent out). Perhaps rather than approaching the project |
21 |
from an 'absolute' security standpoint you could address how you could |
22 |
be more secure (various 'levels') and how you could address real |
23 |
problems (like someone stealing your laptop, taking it home and plugging |
24 |
it into broadband/dialup; having the previously mentioned 'phone home' |
25 |
ip packet being sent out could be considered 'more secure' in that you |
26 |
increase the likelyhood of either recovery or being able to remote |
27 |
connect and detonate your data). Perhaps a honeypot boot environment for |
28 |
the unwary that didn't provide a password would be useful - rather than |
29 |
completely disabling the laptop (which would encourage formatting) it |
30 |
allows use and sends out a packet of information with it's IP address to |
31 |
a specified server. |
32 |
|
33 |
USABILITY: |
34 |
Zero-Interaction Authentication (ZIA) from Univ. of Michigan is an |
35 |
interesting real workable solution for a proximity security token; it is |
36 |
a limited broadcast area radio that has an encryption key. The system |
37 |
encrypts when the user walks out of range and decrypts when the user |
38 |
comes back in range. Barring sniffing and replay issues it addresses the |
39 |
problems of user involvement in token keys. This isn't too different |
40 |
than say a memory device with a security token except you don't have to |
41 |
plug it in and it decreases the downtime during decryption. This general |
42 |
idea is really about usability (the concept of keys (the memory device |
43 |
or radiokey) and the concept of not 'interfering' with the use of the |
44 |
computer because of encryption). |
45 |
|
46 |
USABILITY and ENCODING: |
47 |
Part of the solution may to actually create a simplified encryption |
48 |
process. Rather than having the user memorize a strong key have a |
49 |
short-term key with defined lockdown based on time. In the situation |
50 |
where I'm going away from my desk I might just want a simple password to |
51 |
lock the computer, when I reboot I want a stronger password (in case *I* |
52 |
am not the one doing the rebooting!) and when I know I'm travelling I |
53 |
want to lock it with a password and keyed cdrom token. |
54 |
|
55 |
REDUNDANCY and NO BRAINER FALLBACK |
56 |
Part of the usability above also should consider that humans are |
57 |
imperfect beings. We sometimes forget things and loose our keys. |
58 |
Addressing the issues of forgetting your password through split keys |
59 |
(one you give to your friend, one you give to your mom, one you leave at |
60 |
home and only two are needed to decrypt and reset your password) is |
61 |
(pardon the pun) key. :) Also you should provide the information about |
62 |
who can partner to decrypt your data to the end-user in case they forget |
63 |
who they gave split keys to. |
64 |
|
65 |
Also consider that you might want to have different physical keys work |
66 |
on the same lock. I might have a USB memorystick with my key token(s) |
67 |
AND I might have a CDROM that has the same key. Please allow me to use |
68 |
one if the other isn't available. |
69 |
|
70 |
GIMP vs GEEK |
71 |
Consider that also you may want to remotely destroy your data - instead |
72 |
of a phone home msg from a stolen laptop you might want the laptop to |
73 |
also PULL from a location and if it finds a key phrase it detonates the |
74 |
data - completely wipes the harddrive. This pull prevents the various |
75 |
firewalls from blocking your initiation of destruction. Nothing saying |
76 |
you can't delete your data and leave a broadcasting honeypot either! |
77 |
This situation also warrents mentioning of a dead-man's switch. If I |
78 |
don't provide a password token within 'X' minutes/hours/days the system |
79 |
initiates data destruction. I know it is all encrypted - but you can't |
80 |
decrypt what doesn't exist. I makes it so they have to have hardware and |
81 |
have imaged your data before they begin brute-forcing it. (ok, ok, they |
82 |
could just put you in a dark space and begin breaking your fingers...) |
83 |
|
84 |
Finally, if you are unfamiliar with the term you should look up TEMPEST. |
85 |
Although originally a method of blocking electronic transmissions that |
86 |
could be picked up by 'the enemy' by incasing computers in metal, there |
87 |
are several software methods, such as 'tempest fonts' that you may wish |
88 |
to consider in conjuntion with your efforts. |
89 |
http://216.239.37.104/search?q=cache:ucOb7yYGZasJ:www.cl.cam.ac.uk/~mgk25/ih98-tempest-slides.pdf+tempest+software+techniques&hl=en&ie=UTF-8 |
90 |
|
91 |
NO LAPTOP's AN ISLAND: |
92 |
We also need to address how you get your data off of your system and |
93 |
onto a new system securely. This includes backup. Once your data is |
94 |
encrypted you can of course copy the filesystem but you need to copy the |
95 |
ENTIRE filesystem. And you should be able to log in, and copy the system |
96 |
from within the system (which would in this scenario be an unencrypted |
97 |
system) to another computer. Yes, yes, easy enough to say use SSH, SCP, |
98 |
etc. but address this rather than having a gaping hole in your security |
99 |
plan (that hole being an uninformed end-user that is *ignorant*). Having |
100 |
a solution doesn't mean that you prevent another solution from being |
101 |
used, just that you've already thought it out and made it a no-brainer. |
102 |
|
103 |
That's all my comments :) |
104 |
|
105 |
Warm encrypted regards, |
106 |
|
107 |
Norman |
108 |
|
109 |
|
110 |
mike@××××.org wrote: |
111 |
|
112 |
>I am interested in working on a secure laptop meta-project. Laptop |
113 |
>security is interesting because some amount of physical security must |
114 |
>be addressed. Laptop theft is big buisiness, after all. |
115 |
> |
116 |
>A well designed laptop operating system would be centered around encrypted |
117 |
>filesystems and would have many applications: |
118 |
> |
119 |
>1. People who want to protect their personal data from theft. |
120 |
> |
121 |
>2. Buisinesses that want to protect secrets stored on their fleet |
122 |
>of laptops. |
123 |
> |
124 |
>3. Military applications -- laptops are all over today's battlefield |
125 |
>and a lucky ambush could easily reap classified information. |
126 |
> |
127 |
>4. Etc... |
128 |
> |
129 |
>A company named NAH6 (http://www.nah6.com) has a product like this. |
130 |
>They use Linux in order to boot Windows from an encrypted volume. |
131 |
>I would like to focus on a Linux environment as an end. The idea is that a |
132 |
>lost or stolen laptop will not give up any sensitive information. |
133 |
> |
134 |
>Here are the components I envision including their current status: |
135 |
> |
136 |
>1. Encrypted root filesystem. The 2.6 Linux kernel and util-linux 2.12 |
137 |
>will provide this using an encrypted loopback interface. A speedier |
138 |
>compromise is to use encrypted home directories only. I maintain a PAM |
139 |
>module, pam_mount, that mounts encrypted home directories transparently. [ If |
140 |
>you don't mind a shameless plug, there is an article about pam_mount in the |
141 |
>August Linux Journal. ] |
142 |
> |
143 |
>2. Encrypted swap partition (or no swap at all). This is necessary because |
144 |
>otherwise programs could swap secrets to a plaintext disk. The 2.6 Linux |
145 |
>kernel's encrypted loopback interface can do this. |
146 |
> |
147 |
>3. An inproved authentication system. Encryption algorithms are useless |
148 |
>if a weak key is used. Therefore it may be desireable to authenticate |
149 |
>when booting and mounting an encrypted root filesystem (or mounting an |
150 |
>encrypted home directory) using a physical token or other strong means. |
151 |
> |
152 |
>4. An intrusion detection system. |
153 |
> |
154 |
>5. Obviously, otherwise hardened software. |
155 |
> |
156 |
>Comments? Has anyone else talked about this around here? |
157 |
> |
158 |
>-- |
159 |
>Mike |
160 |
> |
161 |
> |
162 |
>-- |
163 |
>gentoo-hardened@g.o mailing list |
164 |
> |
165 |
> |
166 |
> |
167 |
|
168 |
|
169 |
|
170 |
-- |
171 |
gentoo-hardened@g.o mailing list |