| 1 |
I haven't seen anything directly like this on the gentoo-hardened list |
| 2 |
yet. I have seen the loopback encrypted filesystems and distro |
| 3 |
discussions (nothing that isn't in the archives). |
| 4 |
|
| 5 |
That said, you asked for comments; I have a few ideas. |
| 6 |
|
| 7 |
NOT TRUSTING YOUR SYSTEM: |
| 8 |
Realizing more and more that encryption is a needed part of my working |
| 9 |
environment (I can't trust my administrators) this is of interest. I'd |
| 10 |
like to also see User Mode Linux encyption addressed; how do you encrypt |
| 11 |
your files if you DON'T want to trust your administrator? I've never |
| 12 |
seen the functional aspects of user security, including various levels |
| 13 |
of security risk (i.e., if you use UML encryption you could be exploited |
| 14 |
by X, X, and X in Y environment) explained to end users. |
| 15 |
|
| 16 |
RECOVERING YOUR SYSTEM: |
| 17 |
I do not know how the 'phone home' option available on some laptops |
| 18 |
works. I've never seen it explained (I'm assuming if it isn't done in |
| 19 |
hardware a low level format of the harddrive erases any capability of a |
| 20 |
ip locator being sent out). Perhaps rather than approaching the project |
| 21 |
from an 'absolute' security standpoint you could address how you could |
| 22 |
be more secure (various 'levels') and how you could address real |
| 23 |
problems (like someone stealing your laptop, taking it home and plugging |
| 24 |
it into broadband/dialup; having the previously mentioned 'phone home' |
| 25 |
ip packet being sent out could be considered 'more secure' in that you |
| 26 |
increase the likelyhood of either recovery or being able to remote |
| 27 |
connect and detonate your data). Perhaps a honeypot boot environment for |
| 28 |
the unwary that didn't provide a password would be useful - rather than |
| 29 |
completely disabling the laptop (which would encourage formatting) it |
| 30 |
allows use and sends out a packet of information with it's IP address to |
| 31 |
a specified server. |
| 32 |
|
| 33 |
USABILITY: |
| 34 |
Zero-Interaction Authentication (ZIA) from Univ. of Michigan is an |
| 35 |
interesting real workable solution for a proximity security token; it is |
| 36 |
a limited broadcast area radio that has an encryption key. The system |
| 37 |
encrypts when the user walks out of range and decrypts when the user |
| 38 |
comes back in range. Barring sniffing and replay issues it addresses the |
| 39 |
problems of user involvement in token keys. This isn't too different |
| 40 |
than say a memory device with a security token except you don't have to |
| 41 |
plug it in and it decreases the downtime during decryption. This general |
| 42 |
idea is really about usability (the concept of keys (the memory device |
| 43 |
or radiokey) and the concept of not 'interfering' with the use of the |
| 44 |
computer because of encryption). |
| 45 |
|
| 46 |
USABILITY and ENCODING: |
| 47 |
Part of the solution may to actually create a simplified encryption |
| 48 |
process. Rather than having the user memorize a strong key have a |
| 49 |
short-term key with defined lockdown based on time. In the situation |
| 50 |
where I'm going away from my desk I might just want a simple password to |
| 51 |
lock the computer, when I reboot I want a stronger password (in case *I* |
| 52 |
am not the one doing the rebooting!) and when I know I'm travelling I |
| 53 |
want to lock it with a password and keyed cdrom token. |
| 54 |
|
| 55 |
REDUNDANCY and NO BRAINER FALLBACK |
| 56 |
Part of the usability above also should consider that humans are |
| 57 |
imperfect beings. We sometimes forget things and loose our keys. |
| 58 |
Addressing the issues of forgetting your password through split keys |
| 59 |
(one you give to your friend, one you give to your mom, one you leave at |
| 60 |
home and only two are needed to decrypt and reset your password) is |
| 61 |
(pardon the pun) key. :) Also you should provide the information about |
| 62 |
who can partner to decrypt your data to the end-user in case they forget |
| 63 |
who they gave split keys to. |
| 64 |
|
| 65 |
Also consider that you might want to have different physical keys work |
| 66 |
on the same lock. I might have a USB memorystick with my key token(s) |
| 67 |
AND I might have a CDROM that has the same key. Please allow me to use |
| 68 |
one if the other isn't available. |
| 69 |
|
| 70 |
GIMP vs GEEK |
| 71 |
Consider that also you may want to remotely destroy your data - instead |
| 72 |
of a phone home msg from a stolen laptop you might want the laptop to |
| 73 |
also PULL from a location and if it finds a key phrase it detonates the |
| 74 |
data - completely wipes the harddrive. This pull prevents the various |
| 75 |
firewalls from blocking your initiation of destruction. Nothing saying |
| 76 |
you can't delete your data and leave a broadcasting honeypot either! |
| 77 |
This situation also warrents mentioning of a dead-man's switch. If I |
| 78 |
don't provide a password token within 'X' minutes/hours/days the system |
| 79 |
initiates data destruction. I know it is all encrypted - but you can't |
| 80 |
decrypt what doesn't exist. I makes it so they have to have hardware and |
| 81 |
have imaged your data before they begin brute-forcing it. (ok, ok, they |
| 82 |
could just put you in a dark space and begin breaking your fingers...) |
| 83 |
|
| 84 |
Finally, if you are unfamiliar with the term you should look up TEMPEST. |
| 85 |
Although originally a method of blocking electronic transmissions that |
| 86 |
could be picked up by 'the enemy' by incasing computers in metal, there |
| 87 |
are several software methods, such as 'tempest fonts' that you may wish |
| 88 |
to consider in conjuntion with your efforts. |
| 89 |
http://216.239.37.104/search?q=cache:ucOb7yYGZasJ:www.cl.cam.ac.uk/~mgk25/ih98-tempest-slides.pdf+tempest+software+techniques&hl=en&ie=UTF-8 |
| 90 |
|
| 91 |
NO LAPTOP's AN ISLAND: |
| 92 |
We also need to address how you get your data off of your system and |
| 93 |
onto a new system securely. This includes backup. Once your data is |
| 94 |
encrypted you can of course copy the filesystem but you need to copy the |
| 95 |
ENTIRE filesystem. And you should be able to log in, and copy the system |
| 96 |
from within the system (which would in this scenario be an unencrypted |
| 97 |
system) to another computer. Yes, yes, easy enough to say use SSH, SCP, |
| 98 |
etc. but address this rather than having a gaping hole in your security |
| 99 |
plan (that hole being an uninformed end-user that is *ignorant*). Having |
| 100 |
a solution doesn't mean that you prevent another solution from being |
| 101 |
used, just that you've already thought it out and made it a no-brainer. |
| 102 |
|
| 103 |
That's all my comments :) |
| 104 |
|
| 105 |
Warm encrypted regards, |
| 106 |
|
| 107 |
Norman |
| 108 |
|
| 109 |
|
| 110 |
mike@××××.org wrote: |
| 111 |
|
| 112 |
>I am interested in working on a secure laptop meta-project. Laptop |
| 113 |
>security is interesting because some amount of physical security must |
| 114 |
>be addressed. Laptop theft is big buisiness, after all. |
| 115 |
> |
| 116 |
>A well designed laptop operating system would be centered around encrypted |
| 117 |
>filesystems and would have many applications: |
| 118 |
> |
| 119 |
>1. People who want to protect their personal data from theft. |
| 120 |
> |
| 121 |
>2. Buisinesses that want to protect secrets stored on their fleet |
| 122 |
>of laptops. |
| 123 |
> |
| 124 |
>3. Military applications -- laptops are all over today's battlefield |
| 125 |
>and a lucky ambush could easily reap classified information. |
| 126 |
> |
| 127 |
>4. Etc... |
| 128 |
> |
| 129 |
>A company named NAH6 (http://www.nah6.com) has a product like this. |
| 130 |
>They use Linux in order to boot Windows from an encrypted volume. |
| 131 |
>I would like to focus on a Linux environment as an end. The idea is that a |
| 132 |
>lost or stolen laptop will not give up any sensitive information. |
| 133 |
> |
| 134 |
>Here are the components I envision including their current status: |
| 135 |
> |
| 136 |
>1. Encrypted root filesystem. The 2.6 Linux kernel and util-linux 2.12 |
| 137 |
>will provide this using an encrypted loopback interface. A speedier |
| 138 |
>compromise is to use encrypted home directories only. I maintain a PAM |
| 139 |
>module, pam_mount, that mounts encrypted home directories transparently. [ If |
| 140 |
>you don't mind a shameless plug, there is an article about pam_mount in the |
| 141 |
>August Linux Journal. ] |
| 142 |
> |
| 143 |
>2. Encrypted swap partition (or no swap at all). This is necessary because |
| 144 |
>otherwise programs could swap secrets to a plaintext disk. The 2.6 Linux |
| 145 |
>kernel's encrypted loopback interface can do this. |
| 146 |
> |
| 147 |
>3. An inproved authentication system. Encryption algorithms are useless |
| 148 |
>if a weak key is used. Therefore it may be desireable to authenticate |
| 149 |
>when booting and mounting an encrypted root filesystem (or mounting an |
| 150 |
>encrypted home directory) using a physical token or other strong means. |
| 151 |
> |
| 152 |
>4. An intrusion detection system. |
| 153 |
> |
| 154 |
>5. Obviously, otherwise hardened software. |
| 155 |
> |
| 156 |
>Comments? Has anyone else talked about this around here? |
| 157 |
> |
| 158 |
>-- |
| 159 |
>Mike |
| 160 |
> |
| 161 |
> |
| 162 |
>-- |
| 163 |
>gentoo-hardened@g.o mailing list |
| 164 |
> |
| 165 |
> |
| 166 |
> |
| 167 |
|
| 168 |
|
| 169 |
|
| 170 |
-- |
| 171 |
gentoo-hardened@g.o mailing list |
Archives