Slashdot Mirror
New Software Secures Data when Owners Walk Away
Makarand writes "Leave an operating laptop unattended on your desk and your sensitive data
is accessible to anyone who gets hold of it. To limit this risk many users
configure their systems to fall into a "sleep" mode after a period of inactivity
and ask for a password before the system can be awakened. This constant re-authentication
proves to be a headache for many users. Now a Professor and his
graduate student at at the University of Michigan have come up with a system
called
Zero-Interaction Authentication (ZIA),
described in this article in The Age,
to protect data on mobile devices.
The system works by starting to encrypt data
the moment the owner walks away from the system. The owners wear a token with
a encrypted wireless link with the laptop. If the token moves out of range the ZIA
re-encrypts all data within 5 seconds.
If the cryptographic token moves within range the system decrypts the information for the
owner.
The token, which could take many forms, is currently a wristwatch with a processor
running Linux designed by IBM."
I think the problem with rfids in a security environment is that anyone with a reader could query the device as you walked by, and would have your encryption keys (or token id, or whatever), and could probably reproduce them without too much grief...rf tags can't perform authentication, as far as I'm aware..
The original is here. At least they waited some weeks before reposting it.
A token can be easily misplaced, duplicated, or bypassed. A password is NOT a big deal to enter when you sit at your desk. If they're too lazy/clueless to enter a password, they shouldn't be responsible for any secret information.
Use a program like Scramdisk or the commercial version Drivecrypt. Keep all of your critical files on the encrypted partition. When you leave your desk, activate the screenserver with a keystroke.
Unless someone knows your password, you're safe. If they reboot, the encrypted disk is inaccessible.
What's the big deal?
RFIDs are "dumb" devices. They're like your EZ-Pass in your car, when a radio beam passes through them, they alter the beam to add their "signature" which is uniquely identifyable. This is useful for identity, but nonsense for encryption. The problem is that if you are within range to "hear" the signal, you get the ID and enough to make a duplicate token. Tardly the model for security. There's no place for encryption here... whatever value is broadcast is the key value. By requring the token to have a microprocessor, the key never gets broadcast. It's an encrypted conversation between the station and the token, which if properly implemented makes it impossible to have a duplicate token take its place.
As much as I enjoy the free publicity, this has been posted on slashdot before.
To correct a serious error that appears in this article and in the nytimes article this was cribbed from: The system was NEVER run on the IBM watch. We mentioned it as a possibility and somehow it was taken as fact.
I welcome the comments on the work, however remember that the world of university research is often more forward looking than the commercial world. That is our job!
"Why should I fork out cash for this?"
Here is one possible reason.
If this device (or a similar device) is able to encrypt your hard drive then it would be an effective combat against some of the more intrusive aspects of the patriot act. In that legislation there are clauses that allow the FBI to enter your home when you are not in and bug your place and place trojans in your computer while you are not home and without letting you know about it.
My point is that automatically encrypting your hard drive is more effective then having a password protected system especially if that encryption is done with huge keys that are stored on the watch.
War is necrophilia.