Find the answer to your Linux question:
Results 1 to 5 of 5
Hi, I'm in the process of setting up a laptop and I would like to secure the data on it with some kind of two-factor authentication. I have surfed around ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Apr 2008
    Posts
    3

    SmartCard Authentication


    Hi,

    I'm in the process of setting up a laptop and I would like to secure the data on it with some kind of two-factor authentication. I have surfed around for some days to get an idea of whats out there.

    Ideally I would like a contact-less authentication, i.e. the computer unlocks when I'm within 1-2 meters from the computer, using a Key fob of some kind.
    However I have not found a system suitable to do this.

    So, I'm planning for a SmartCard solution using an AES-256 challenge-response algorithm.

    Any recommendations for such a set-up? What should I look out for? Reader? Card?

    ~Per

  2. #2
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    700
    Depending on your coding ability I saw a .Net example using something very like you are describing.

    Coding4Fun : Is that you? Writing Better Software for Cool USB Hardware

    There is also kbluelock which can lock and unlock the screen if a particular bluetooth device is visible. However it means leaving the device visible to all or I'd use it with my mobile.

    In my case both of these would require a dongle to be plugged into the laptop so a sim card sized smart card and a USB reader would give a lot more options for the same kind of interface.

    ACS : Pc-linked smart card reader

    I was looking at these guys when I looked into this before.

    This is all just random notes from the last time I researched this and it doesn't cover all the options. To get a bit more on track, can you give us more details on the effect you are trying to achieve?

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  3. #3
    Just Joined!
    Join Date
    Apr 2008
    Posts
    3
    Details, yes of course!

    The primary concern is data security - That only authenticated people (me), can gain access to certain data. Data-loss is a secondary issue.

    Once in a while the Laptop will get left behind without supervision. The risk of getting it stolen is acceptable, but unauthorized access to the data on it is not.
    I can accept the "burden" of keeping a SmartCard or a FOB with me.
    I would prefer a solution where I didn't have to leave the card in the Laptop while working with it (with the risk of forgetting to take it out when leaving it). If one of my "factors" could stay in my pocket at all times, the only thing I need to remember when leaving the Laptop is... me

    Laziness is of course a factor: The less I have to do, the more certain it is done... ehhh, right...

    ~Per

  4. $spacer_open
    $spacer_close
  5. #4
    Linux Enthusiast
    Join Date
    Apr 2004
    Location
    UK
    Posts
    700
    First of all, how much data are you working with? One notion would be to get a USB memory watch. Use a short extension so you can plug it in without taking it off then it is always on you.

    To follow the original plan is going to be tricky but we'll see if we can bash something out.

    Once in a while the Laptop will get left behind without supervision. The risk of getting it stolen is acceptable, but unauthorized access to the data on it is not.
    That pretty much mandates encryption. If you build something on disk encryption then the key has to remain in the laptop's memory while the partition is mounted. Handily this means the smart card is only required when the partition is actually mounted so you can pull the card out and carry on working.

    The problem, as you implied earlier, is having the laptop become aware that it should unmount the partition automagically and correctly render all of the protected data unavailable. A particular problem would be if you were working on a document when this script fired. Simply unmounting the encrypted partition is not enough because the running app still has an unencrypted copy in memory that can be saved anywhere. (this affects the usb watch idea too)

    A relatively simple way to do this would be to hook the lid switch to a suspend script. Encrypting the resume partition will protect the key used to mount the data partition and the smart card can hold the key for the resume partition, preventing a recovery unless it was present.

    Whenever you leave the laptop you can close the lid and everything will lock down, then you plug in the card, switch it back on and then put the card back in your pocket once the system is running again. This suspension could probably be tied to the proximity keyfob from my previous post, but I don't think it gains much.

    The only remaining problem is the suspended system may be vulnerable to a cold boot attack up to several minutes after you close the lid.

    If you wanted a slicker approach then while researching this I found a really interesting app called cryopid that effectively suspends single processes. Instead of suspending the whole system you suspend any processes that have open files on the protected partition. Save the process images to the protected partition and then unmount it. Getting your work back simply means re-mounting the partition (with the smart card) and restoring the suspended processes. Something that, at least at first glance, looks scriptable too.

    This would be a very surgical approach, and restore time should be reduced, but I've never heard of this being tried so I don't know how robust the results would be and you'd have to do a lot more setup and coding yourself. On the other hand, explicitly unmounting the drive should discard the key from memory, protecting you from a cold boot attack.

    Personally I'd take the full suspend approach. It's built on standard features so you reduce the chance that something important will break during an update. Trade a little convenience for a lot of security and get into the habit of closing the lid when you leave it.

    The hard parts are setting up the encrypted partitions, which is covered in numerous howtos, and getting cryptsetup to look to your smartcard for a key which should be easy enough as long as the smartcard reader is supported.

    Let us know what you think,

    Chris...
    To be good, you must first be bad. "Newbie" is a rank, not a slight.

  6. #5
    Just Joined!
    Join Date
    Apr 2008
    Posts
    3
    I'm not too fond about the external USB gadget. Often the data is for an entire project with e-mails, source code, documentation, etc., which all have to be secured.
    I aim for a full HD-encryption, but I have not yet settled on that set-up, maybe I should start another thread with this issue...

    Just a thought: It would be perfectly ok (maybe even prefered) to run the secure system within a Virtual Box, and have the remaining system less secured!?! Will this make my situation less complicated?

    The leaving-the-system-behavior should be linked to a key-sequence, not the lid-switch, since I often use the system in a docking-station, but otherwise I agree. I will have a look at the tools you suggest.
    I will browse around a little further along these lines.

    In general, do you believe this is such a general problem/requirement, that Linux would benefit from a general solution on this?

    ~Per

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •