New Software Secures Data when Owners Walk Away

Makarand writes "Leave an operating laptop unattended on your desk and your sensitive data is accessible to anyone who gets hold of it. To limit this risk many users configure their systems to fall into a "sleep" mode after a period of inactivity and ask for a password before the system can be awakened. This constant re-authentication proves to be a headache for many users. Now a Professor and his graduate student at at the University of Michigan have come up with a system called Zero-Interaction Authentication (ZIA), described in this article in The Age, to protect data on mobile devices. The system works by starting to encrypt data the moment the owner walks away from the system. The owners wear a token with a encrypted wireless link with the laptop. If the token moves out of range the ZIA re-encrypts all data within 5 seconds. If the cryptographic token moves within range the system decrypts the information for the owner. The token, which could take many forms, is currently a wristwatch with a processor running Linux designed by IBM."

wouldn't it make more sense

[drDugan]

would it not be more sensible to make the token a passive device, like one with an RFID

I'm not an expert in encryption, but I have had serveral security related dongles and all of them were a pain in the arse.

it would seem that there are technologies (I've read about) that can return specific information passively when hit with specific radio frequencies. Wouldn't these be more easily used than a powered device like a watch?

Anyone else know more about these technologies?

Re:wouldn't it make more sense

[drDugan]

I think that my thought was that the
(hypothetical) passive device return a different
signal dependant on the signal recieved, not
simply the same one each time. ...

The more I think about it, the more it sounds
like such an action would require an
"active" (ie powered) device to accomplish
this.

but since I don't understand how RFIDs work
at all, the question still stands... could
it work with a passive (non-powered) device?

Re:wouldn't it make more sense

[cybermace5]

As the previous poster pointed out, RFID is relatively easy to snoop on.

One of my major peeves is the RFID card that gets me into work every morning. In certain stores, my RFID card returns a code that sets off their RF tag detectors at the door. Usually I remember, pull out my wallet, and hold it over my head while walking through. Once I forgot at Fleet Farm (basically a giant general store, like Home Depot with tractor parts) and I set off the alarm. Of course someone came to visit me, and it was especially embarrassing because I was wearing a big coat and didn't buy anything. She handed me a little piece of cardboard called a "Schlage Shield" and said to put it in my wallet. No more alarm.

Worked great, except that opening the door at work involved putting down my coffee, laptop, and lunch to get out the RF card (instead of conveniently pressing my butt against the door). So I took it out, and promptly set off a Barnes & Noble alarm. No one seemed to care, so I just pulled out my wallet and walked through with the wallet over my head again.

ANYWAY...the point is that RFID tags are barely more secure than keeping a post-it note with an access code.

I am curious exactly what my card claims to be on the store scanners....

And the whole article is a duplicate.

Re:wouldn't it make more sense

[Hubert_Shrump]

Anyone else know more about these technologies?

If I read you right, you're talking about passive RF stuff, like in those bigassed Honda keys.

They use RF generated from the car (ping!) to generate just enough electricity to de/encrypt a response (pong!). Viola! (sic)

I guess it's more like a transformer coil than RF, but what the hoo.

Re:wouldn't it make more sense

[Tony.Tang]

> [RFIDs are] useful for identity, but nonsense for encryption

I don't know much about RFID's, but I think you're probably right. Here's a question: wouldn't it be possible to capture someone else's EZ-Pass ID then and then replay it? If it is possible, how come no one has (apparently) done it?

I think the key take-away from this article is not so much its implementation as the idea: 1. the mobile device somehow identifies its owner, 2. when the owner is not around, then the mobile device becomes useless.

If RFID's aren't the way to accomplish (1), then people in the future just need to think about the way to accomplish it in a different way.

hmmm...

[jasno]

What about using some kind of biometric data, like key cadence, or a profile of typical mouse movement characteristics (like icon overshoot?) to do it? That way its totally seamless, although one could still do some damage as it would take a few input events to establish the identity.

Sure, its not foolproof, but who wants to wear an identifying token?

Something's missing

[Safety+Cap]

(from the article)

At the beginning of the process, the user enters a password on the watch~.

Isn't the point so that lazy people don't have to be bothered with remembering passwords? Doesn't this defeat the purpose? (sigh)

What happens if you take your watch off and leave it next to the computer? It never encrypts!

Worse yet---what happens if your watch gets stolen? Now you can't get at your data! Better make sure you get the Casio watch option instead of the Breitling. No one would want to steal a Casio POS, so you should be safe.

Re:Something's missing

[cicadia]

Isn't the point so that lazy people don't have to be bothered with remembering passwords? Doesn't this defeat the purpose? (sigh)

<sigh> No, that isn't the point at all. The technology is intended to stop the problem of people walking away from their computers ("I'm sure I'm only going to be away for a minute" -- gets dragged into a five hour meeting...) without locking them first.

The article even says that it was designed for use by people who are already using passwords, but are bothered by the inconvenience of having to lock the computer, and reenter the password every time they are called away for a few seconds. Not because they don't want to remember a password, but because it's a hassle to have to enter it all the time.

Use my technique

[ekrout]

I keep all mission-critical and government-classified information on portable USB Flash DRAM-based storage devices. They're incredibly portable and can be brought to the gym, in the car, to work, back home, swimming, hiking, biking, etc.

To be perfectly honest, I just can't bring myself to respect anyone who would leave a $4,000 laptop with supposedly top-secret information on it sitting out on a cafeteria table or something while they go sit in the bathroom and read the paper.

Just stick with portable USB drives. They're cheap, efficient, fast, and more secure than any fly-by-night research project out there right now.

Is it really so hard?

[NineNine]

When you stand up, hit ctrl+alt+del. When you sit down, type in your password. I had to do it at one company, and now it's just habit. Not exactly a tough thing to do. I think that these guys are trying to solve a non-problem.

Re:Is it really so hard?

[NineNine]

True, but then you have to factor in the physical cost of these doohickeys, and the support time when one dies, is lost, or malfunctions. I dunno. Seems like it's making things more complicated and expensive for no really good reason. In most businesses, a LOT more time and money can be saved by doing something as simple as making sure that no non-developers or non-admins have full control of their box, limiting the damage they can do. Most companies that I've seen make each user admin of their own box, when really if they're just doing work, they'd never need.

Encrypts the data?

[dagg]

The system protects data by automatically scrambling it the moment users walk away...

What does it actually encrypt? All sensitive data? I doubt it could do that in 5-6 seconds. Also, how do you decrypt the data if you lose your key? Or what if you fire the employee and don't get the key back? How will you get the data, then? Is there a back door for sysadmins?

Re:repeat article

[Ack_OZ]

> The repeat mania continues ... amazing.

This is why I like slashdot... an interesting story comes along, & I miss it...

A few days, weeks, or sometimes hours later it's reposted and I catch it on its second run.

Makes me wonder how many interesting articles I really do miss...

Erm...brute force?

[BSDevil]

I'd say why not brute force the thing, but here's something easier...Make a device that constantly scans for the signal of a token (there has to be some characteristic fingerprint to the signal). When it finds one, remember the signal and indicate to the user. User then goes and mugs target, takes laptop, uses stored signal. We've shown that man-in-the-middle attacks are do-able for a system like this, so why not keep with what works? If one knows how the system works, and can get a long enough string of interactions between the token and the server, then the key is vaunerable. Maybe this means that you have to tail the guy for a while, but let's be honest - if he's using one of these systems (I don't imagine they come cheap) then there's probably somehting worth stealing on that machine, if that's what you're up to. Make a scanner that tracks the signature of packets, walk around the financial centers of the world, and then the device goes off you know which laptops to take.

On another note, this reminds me of the plan to put RFIDs in the new high-denomination Euro-notes. Something like takes all the effort of guesing who to mug: emit the signal, and anytime you get a response, you know the guys's packing a high-value Eruo-note.

Re:Interesting article/research project

[Waffle+Iron]

It's also a lot easier to steal a watch than a finger...

Not necessarily.

How does it know...

...which files to encrypt? On the average heavily used laptop there are documents and other encryptables all over the place. How does this magic software figure out which things to encrypt? If it's done by location (e.g. everything in and under this directory), then that's not good enough.

A question

[uradu]

As others have already mentioned, unless the article had it all wrong, it seems that you're going about this the hard way. Why not create an encrypting FS driver along the lines of Scramdisk or DriveCrypt that always stores the disk data in encrypted form and only decrypts it upon reading? The token would then simply provide the key, and when it's not present, you simply can't decrypt the data, without requiring a lengthy de/encryption process each time you leave and return? In addition, you could make the driver smart enough to let you encrypt only certain directories, plus you could still keep the cache encryption functionality as it is now.

Lost tokens?

[MyHair]

What happens when the decryption key device fails or is lost or stolen?

I'm a netadmin for some not-very-savvy users, and if I couldn't restore access to their data just by resetting their password then they are all in trouble.

This is an issue for a lot of encryption solutions, not just this one. Is there a master key list somewhere than can be used to recover encrypted files or volumes or at least recreate the encryption key device? How long would that take? (This opens another discussion over security of the master list and key-changing and reencryption procedures for lost and stolen tokens.)

And what if the device gets stolen? I have a security token that requires a PIN in conjunction with its security (both the PIN and device are needed for access), but in the case of this article the whole point seems to be to avoid entering a password or PIN.

Biometrics are flawed

[jpmorgan]

The whole 'something you are' rule is really dangerous. Almost every application I've seen of biometrics gets it wrong, and then there's the question of whether or not it's even practical at all.

The fundamental problem with biometrics is that you can't change your keys. You have a set of fingerprints, retinal patterns, DNA sequences that are really pretty damn hard to change.

Biometrics can only work with strong physical security to ensure that the tests aren't being compromised (i.e., someone hacking the device).

To steal your password I have to look over your shoulder, and once done you can change it. To steal your authentication token, I have to pick your pockets, and once done you can get a new one. But I can pull your fingerprints from anything you touch, and you'll have a much, much harder time changing those.

Biometrics are often portrayed as the panacea for authentication, but of the three 'seomthing you X', it's really the weakest. Haven't we learned yet that there's no such thing as a silver bullet?

Been here before

[AlecC]

I remember reading an article about a system like this years ago - running somewhere like ARM's labs in Cambridge. They were using it for desktops rather than laptops, but that is a detail. More importantly, they had hooked a load of other systems up to the ID. It provided the security access to the building - no more fiddling for cards, the door unlocks as you approach. Rather than just blanking off the screen as you waked away from one workstation, as you moved towards another workstation, it moved your "desktop" to that station, so that your work could "follow" you round the building. And, by detecting which room you were in, the phone system could route calls to you wherever you were.

There are a lot of questions (privacy etc) about those other uses, but a system which gives you multiple returns from the single cost of wearing some kind of ID is much more likely to be adopted than a single dongle for a single job.