Slashdot Mirror


Adding Biometric Security to an Existing Laptop?

008 asks: "My work requires me to travel to some harsh climes with my laptop and other equipment, and the data I collect there is potentially very sensitive. Currently I use the PGP family to secure my drives, but my paranoia always demands more. IBM's biometric-ready Thinkpad really piques my interest, but getting one isn't feasible for me because it's too wimpy for the physical stress I'd inflict on it. I'd much prefer a way to biometrically lock a computer I already have. What options are out there?"

46 comments

  1. TrueCrypt by Futurepower(R) · · Score: 1

    People say good things about TrueCrypt. I've just begun using it.

    Not biometric, but a good way to keep information safe.

    1. Re:TrueCrypt by RMH101 · · Score: 1

      try http://www.pointsec.com/. it's not biometrics, it's a username/password, but it encrypts the whole drive in 256 DES. works great, we have it on thousands of machines at work. it'll slow down a borderline-spec laptop though.
      it gives a logon prompt before windows boots, and supports single-sign on, too, so it can log you into your domain as well.

  2. A few places by Hikaru79 · · Score: 2, Informative

    I'm pretty sure Targus and Digital Persona both produce the kind of addon you're looking for. Also, there's a biometric flash key available. Hope this helps :)

  3. Thinkpads aren't that delicate. by darkjedi521 · · Score: 1

    I've trucked a thinkpad through campus for 5 years now, dropping, abusing, subjecting it to 110dB concerts, etc and it takes it very well. Some damage, but I haven't broken anything major. I've currently got one of the biometric machines.

    1. Re:Thinkpads aren't that delicate. by WgT2 · · Score: 1

      With all due respect, there's a reason they make Toughbooks/Extreme-Condition-Notebooks differently than IBM makes Thinkpads. Stuff like sealing off the electronics from the elements.

      Although, I heard back in the day that IBM laptops used to be designed to withstand a 6 foot drop.

      Quite impressive.

    2. Re:Thinkpads aren't that delicate. by darkjedi521 · · Score: 1

      Never said they were that tough, just that they weren't that delicate.

    3. Re:Thinkpads aren't that delicate. by WgT2 · · Score: 1

      ...that delicate.

      Thus, implying as tough as the notebook mentioned by the previous poster.

  4. Throw a blanket over it (the laptop) by gabraham · · Score: 2, Funny

    Security through obscurity.

  5. Biometrics Not Security Device by Undefined+Parameter · · Score: 2, Insightful

    As any IBM, Microsoft (hardware), or APC rep could tell you, Biometric devices are not security devices. If you want more security, look somewhere else.

    ~UP

    --
    Eat the Path.
  6. Biometric scanners are a sales gimmick. by mellon · · Score: 3, Informative

    You can't use them to protect your hard drive. All it takes to get the data off is for someone to pull the hard drive out and put it in a different system. You are better off sticking with PGP, which actually encrypts the data.

    1. Re:Biometric scanners are a sales gimmick. by Aeiri · · Score: 1

      You can't use them to protect your hard drive. All it takes to get the data off is for someone to pull the hard drive out and put it in a different system. You are better off sticking with PGP, which actually encrypts the data.

      In Windows maybe, but I'm sure in *nix you could set it up to read the data off the finger print device as if it were a hash, then decrypt an encrypted partition with that.

      Example (/dev/fpd1 being finger print device 1, /dev/XdXX being the drive type, drive identification, and partition number, and fphash_prog being the program to access the fingerprint hash from the biometric device):

      fphash_prog | losetup -e aes-256 -C 123 -S whateverblah /dev/loop0 /dev/XdXX
      mount /dev/loop0 /secured_data_mount_point

    2. Re:Biometric scanners are a sales gimmick. by pdabbadabba · · Score: 1

      Well, I would assume that such systems would use the biometric factor as the key with which it encrypts the data. But I could be wrong...

    3. Re:Biometric scanners are a sales gimmick. by Anonymous Coward · · Score: 3, Insightful

      LOL... biometrics don't work like that. The "hash" (template) you get is different, even with the same finger. That's why there are complicated algorithms that try to detect if it's "close enough" to match. You wouldn't get the same hash every time so this would not work for what you suggest.

    4. Re:Biometric scanners are a sales gimmick. by JediTrainer · · Score: 1

      Actually, IBM has partnered with another firm and software is available that'll encrypt every byte on the drive.

      I own a T42 and I must say, it's quite handy to have. You can set the fingerprint scan in one of three ways (or a combination):

      1 - on boot

      2 - Windows login, locally attached to your profile

      3 - Windows login, profile fed from a server

      Naturally, the encryption only works with method #1, but it will protect from having the drive moved to a different machine. What I haven't figured out is what happens if the machine is toast but the drive is fine. I guess that's what backups are for.

      --

      You can accomplish anything you set your mind to. The impossible just takes a little longer.
    5. Re:Biometric scanners are a sales gimmick. by mellon · · Score: 2, Interesting

      Tragically, you are mistaken in this case. Biometric data is analog. All the scanner can say is "yes, that looks like the right fingerprint," or "no, that doesn't look like the right fingerprint." It can't produce a consistent digital value that is derived from the fingerprint. It is possible to make a fingerprint scanner that's self-contained and emits a key whenever it gets a match, but that's probably not what IBM is doing, because that would require putting a fairly expensive CPU in the fingerprint scanner.

    6. Re:Biometric scanners are a sales gimmick. by AuMatar · · Score: 1

      It would also make it easy to hack. The fingerprint scanner would need the key, either in ROM or flash memory. Grab the code the scanner runs, decompile and find where it accesses the data from. You can now get the key from any of their scanners.

      Keys and hashes are only safe as long as they do not exist on the hardware you want to hack. If there's a copy in your hardware, it's compromisable.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    7. Re:Biometric scanners are a sales gimmick. by swillden · · Score: 2, Interesting

      All the scanner can say is "yes, that looks like the right fingerprint," or "no, that doesn't look like the right fingerprint."

      Actually, it's even worse than that. The scanner typically doesn't do anything like that. All it does is deliver a grayscale digital image (called the "livescan") over USB or whatever to your laptop. Software running on your laptop then must extract the interesting features, producing a livescan template, which it then compares against the stored template. The template comparison is fuzzy, as you said, and succeeds or fails based on a configured threshold of "closeness".

      The reason it matters that the matching is done on the laptop not in the scanner itself is because the fact that it's done on the laptop opens up a variety of additional attacks, ranging from replay attacks (attacker snarfs your livescan when you authenticate then just replays it to your machine -- no need to mess with trying to create a fake finger, and completely bypassing any liveness detection, etc.) to exploiting weaknesses in the software (buffer overflows, etc.) to all sorts of attacks on the software and templates stored on the machine. If all of this were done in the scanner, and if the scanner were hardened against attack, and if it provided crypto services to the host after a successful authentication, it could be very valuable (though not without avenues of attack).

      Actually, a smart card that could do biometric matching on card fills would get fairly close. Unfortunately smart cards have so little processing power that match-on-card implementations have to choose between unusably lousy and unusably slow.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:Biometric scanners are a sales gimmick. by mellon · · Score: 1

      Just to be clear here, if you type in the key, that's even easier to hack than the biometric scan, if only because the amount of data is smaller. If someone has physical access to your machine while you're authenticating, you're screwed whether you're using a biometric scan or a memorized access code.

      The difference is that in the case of a biometric scan, the decryption key to your data is stored as plaintext on your computer, if they even bother to encrypt the data at all. So if I can steal your computer, I can decrypt your data, and there's no need for any clever Spy vs Spy tricks like USB sniffing or replay attacks. You just get the key and use it.

      So this is another case of a "protection mechanism" that makes you feel safe, and actually makes you less safe, because that feeling of safety allows you to think you don't need to take precautions, when in fact you do.

    9. Re:Biometric scanners are a sales gimmick. by smindinvern · · Score: 1

      While we're on this subject, I was wondering, since it's possible to encrypt folders in Windows, is it possible to use a biometric device to indirectly encrypt data?

      --
      ignorance will killus all --eric
    10. Re:Biometric scanners are a sales gimmick. by Aeiri · · Score: 1

      That's why there are complicated algorithms that try to detect if it's "close enough" to match.

      I'm sure it's possible to create a specialized hash algorithm that based on the fingerprint information given, will be "close enough" to generate the same hash.

      Graph y=int(x), or y=round(x,0), and you'll see what I mean. From 1-2 the output is 1, from 2-3 the output is 2, from 3-4 the output is 3, etc. You can cause inaccuracies in the fingerprint to output the same letter in the hash value.
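The question argued in this sub-thread (can rounding turn a noisy fingerprint reading into a stable hash?) worked through as an added example; it is not code from any poster or product. The feature vectors are constructed sample values, and the function names, bucket widths and match threshold are assumptions chosen for illustration.

```python
import hashlib
import math

# Constructed sample data (not from a real sensor): each template is a short
# vector of feature measurements. Two scans of the same finger differ slightly.
ENROLLED = [12.48, 47.10, 33.52, 8.95, 61.30, 25.07]
SAME_FINGER_RESCAN = [12.53, 47.02, 33.47, 9.04, 61.36, 24.98]
OTHER_FINGER = [30.10, 12.75, 58.20, 44.60, 19.85, 70.40]


def buckets(features, step=1.0):
    """Round every feature to the nearest multiple of `step` (the y=round(x) idea)."""
    return [math.floor(f / step + 0.5) for f in features]


def quantized_key(features, step=1.0):
    """The proposed 'close enough' hash: quantize first, then hash the buckets."""
    return hashlib.sha256(repr(buckets(features, step)).encode()).hexdigest()


def differing_buckets(a, b, step=1.0):
    """Indices of features that fall into different buckets in the two scans."""
    pairs = zip(buckets(a, step), buckets(b, step))
    return [i for i, (x, y) in enumerate(pairs) if x != y]


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fuzzy_match(candidate, enrolled, threshold=0.5):
    """Threshold matching: accept when the two scans are within `threshold`."""
    return distance(candidate, enrolled) <= threshold


def stable_offsets(features, step=1.0, span=10):
    """Offsets (in hundredths, added to every feature) that leave the key unchanged."""
    base = quantized_key(features, step)
    return [d for d in range(-span, span + 1)
            if quantized_key([f + d / 100 for f in features], step) == base]


if __name__ == "__main__":
    # The rescan is accepted by a threshold matcher...
    print("distance      :", round(distance(SAME_FINGER_RESCAN, ENROLLED), 4))
    print("fuzzy match   :", fuzzy_match(SAME_FINGER_RESCAN, ENROLLED))
    print("other finger  :", fuzzy_match(OTHER_FINGER, ENROLLED))
    # ...but two features sit near a bucket edge, so the derived key changes.
    print("same key      :", quantized_key(SAME_FINGER_RESCAN) == quantized_key(ENROLLED))
    print("flipped (w=1) :", differing_buckets(ENROLLED, SAME_FINGER_RESCAN))
    # Wider buckets move the edges; they do not remove them.
    print("flipped (w=5) :", differing_buckets(ENROLLED, SAME_FINGER_RESCAN, step=5.0))
    print("stable offsets:", stable_offsets(ENROLLED))
```

A single feature crossing a bucket edge changes the whole digest, which is why a key cannot be taken straight from rounded readings while a threshold comparison still accepts the same scan.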

  7. Don't bother by swillden · · Score: 4, Informative

    From a security perspective, it's probably not worth the effort. The circumstances in which a biometric authentication actually adds to your security are surprisingly restricted. Mostly, biometrics increase security by providing a convenient but weak authentication tool for situations in which the alternative is no authentication at all. The old saw about "something you know, something you have and something you are" presumes that the attacker actually has to "be" the "something you are" and can't simply bypass the authentication. That's hard to achieve in the real world.

    No, if you want to protect sensitive data on your computer, the main thing you need to do is to encrypt it, and then store the keys somewhere an attacker can't get them. If the keys are stored on the computer, then an attacker can probably get them. Keys stored in your head are safe, and keys stored in an external device which stays with you, not with the laptop, are also safe. Best is to use both.

    The best you can do presently, IMO, is to:

    1. Use an encrypting file system that allows you to store the keys on an external security token -- a smart card. Note that Microsoft Windows provides smart card support and encrypted file system support, but you can't encrypt your files with keys on the card. That's supposed to be fixed in Vista. At present, Linux and the *BSDs are the only way I know of to fully achieve this, and it's non-trivial.
    2. Use a boot password, and power your machine off whenever you're going to be separated from it. On most laptops today, the boot password is actually implemented by the hard drive firmware. Without the correct boot password, the drive will refuse to operate. To work around it, the attacker would actually have to replace the PCB on the hard drive -- a non-trivial operation. This is surprisingly good security. Getting it requires that you shut down your machine, though, not just suspend it.
    3. For the times when you don't shut your machine down, use a smart card for login, disable password-based login (so the OS *requires* the card) and make sure that your screen saver will come on and lock whenever the card is removed -- requiring the card and PIN to unlock it. This ensures that an attacker will (probably) have to shut the machine down before he can try to get at the data, and he'll run right into your boot password. Oh, and never leave the smart card with the machine.
    4. Finally, make sure that your machine isn't wide open to network-based attacks which would allow an attacker to trivially bypass all of the rest. Also, be very careful where you get software from to avoid trojans. Make sure USB devices and other peripherals don't get to run software upon insertion, either.

    In practice, 2 and 3 are pretty easy to do, and the result is fairly decent security. 1 is very good, but as I said it's not really easy to implement. 4 is critical and pretty hard to be certain you've done unless you simply disable network, USB etc. devices.

    If you have a laptop with a Trusted Computing TPM in it, there are some other options that may theoretically provide assurance levels that are almost as good as a smart card, but I'm not sure if the tools exist to make using those options practical, much less easy. I've been fiddling with using the TPM in my Thinkpad to bind the keys used for a dm_crypt encrypted file system.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Don't bother by AuMatar · · Score: 1

      "Something you know, something you have, something you are" is a bad idea to actually use. In practice, all 3 reduce to the same thing- something you know. Need a smart card to log in? The smart card just knows a really long key. If you know the key on the card, making a forgery is trivial. Something you are? At some point, that something you are has an analog or digital signal representation sent into the computer. If you know the representation, you can fake it. Everything in security boils down to a combo of 1s and 0s you tell the computer to prove your identity. The only advantage of something like a smart card is that it can easily store very complex data.

      Biometrics are a particularly weak secret. If my password is cracked, I can change it. If my smart card is reproduced, I can get a new code on it. If my fingerprint is copied (something trivial to do)... I'm screwed. I can't change my fingers. Once biometrics security is broken, it's broken for all time. The other forms can at least be fixed.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:Don't bother by swillden · · Score: 3, Informative

      In practice, all 3 reduce to the same thing- something you know. Need a smart card to log in? The smart card just knows a really long key. If you know the key on the card, making a forgery is trivial.

      Not really true.

      While it certainly is true that the smart card just knows a key, the value such a token provides lies in the fact that the key never leaves the card, so no one can know it. Particularly for PKI-based authentication technologies, most smart cards can generate the key pair on the card so that the private key never, ever leaves the card. The card can be configured to refuse to ever divulge that key, no matter how you authenticate yourself to it. Even for symmetric key-based authentication, as long as key injection and auth validation are both done in secure environments, it's reasonable to consider the key completely tied to the token.

      Of course, that assumes there's no way to bypass the authentication requirement.

      Biometrics are a particularly weak secret.

      Absolutely. That's why I say they're really only useful in circumstances where the alternative is no authentication at all. Well, they're also useful in extremely high security scenarios, where precautions can be taken to thwart all of the typical attacks. Those scenarios typically involve an armed guard scrutinizing the person who is authenticating themselves, authentication and matching systems that are under tight physical security, etc. The bottom line is that biometrics are much less useful than people naively think.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Don't bother by AuMatar · · Score: 1

      While it certainly is true that the smart card just knows a key, the value such a token provides lies in the fact that the key never leaves the card, so no one can know it. Particularly for PKI-based authentication technologies, most smart cards can generate the key pair on the card so that the private key never, ever leaves the card.

      Doesn't matter if it doesn't leave the card- it can still be read from the card. In the end, the card is emitting a particular digital signal to a reader (the computer). That signal can be duplicated. The smart card can always be read- it may take a few minutes alone with the card, but you can always crack it open, remove all memory, and copy it if nothing else.

      Not saying smart cards are useless- they aren't. I'm saying that it's not really any different than a password- it's a long series of digits that if you feed to the other computer, it will grant you access. It has some advantages passwords don't (length), and some weaknesses (easier theft, easier duplication).

      That's why I say they're really only useful in circumstances where the alternative is no authentication at all


      One place I have seen it and liked it is lockers at amusement parks. It can be easy to lose a key on a ride- if you lose a finger, you have more to worry about than your wallet. :)
      --
      I still have more fans than freaks. WTF is wrong with you people?
    4. Re:Don't bother by mellon · · Score: 1

      No, the card has a small on-board computer. You hand it something, it encodes it, and then you present that to another device that also knows the secret. The other device verifies that you have the thing that knows the secret, but you never find out the secret. So it's not just "a signal" - it's a mechanism. That's what makes it "secure". I say "secure" because you are right that in theory you can always get the secret out.

      The deal is that it should be more expensive to get the secret out than to just not have whatever the secret is protecting. Then there's no reason to try to get the secret - it's not worth having. All security systems essentially boil down to that tradeoff - even physical security systems.

    5. Re:Don't bother by swillden · · Score: 1

      Doesn't matter if it doesn't leave the card- it can still be read from the card. In the end, the card is emitting a particular digital signal to a reader (the computer). That signal can be duplicated.

      Doesn't matter if you can replay the "signal" (which is actually a sequence of bits over a 9600 baud serial line) because the value is only good once. Cryptography is very good at solving some problems, and securely authenticating without revealing the key is one of them.

      The smart card can always be read- it may take a few minutes alone with the card, but you can always crack it open, remove all memory, and copy it if nothing else.

      Nothing is perfect, of course, but, no, you can't just crack it open and retrieve the memory. Smart card chips are designed to be secure devices and the industry has spent the better part of 20 years developing new ways to crack smart cards and new ways to secure them. Modern smart card chips are as secure as we know how to make an externally-powered device. The silicon is layered so that the sensitive data is at the innermost regions, then the silicon is sealed with metallized layers. All debugging interfaces are removed, or simply designed out, so the only way of communicating with the little computer is through its primary interface, which is specifically designed to provide very limited access. Early on (15 years ago) it was discovered that overheating the chips could induce glitches in their calculations, which allowed an attacker to glean information. Extreme cold also facilitated a range of attacks, so chips now incorporate temperature sensors and refuse to operate outside of their known-good range. Side channel attacks were developed, like thermal and power analysis, and clever statistical methods created that allowed key bits to be discovered based on heat generated and power consumed. Various countermeasures were developed, modern chips do their crypto in dedicated hardware coprocessors, not because their main CPUs aren't fast enough, but because by doing it in hardware the operation can be fully completed in microseconds, too fast for thermal changes to propagate and with such a tiny amount of power draw that it can be perfectly smoothed by a minuscule capacitor. Someone discovered that you could detect and decipher the tiny electromagnetic fields generated by the bus inside the chip, and effectively read the bits right off of it, so shielding was added to smear the emitted signal and software tricks were used to mask the values with randomness.

      You can disassemble a smart card chip and read the contents of its memory, but doing so requires hours of painstaking effort with an electron force microscope, peeling back layer after layer of protection and silicon, then the expertise to read the data out by examining the physical structure of the EEPROM cells.

      Nothing's perfect, of course, but smart cards are damned good. New attacks will come out, and new countermeasures will be developed in a continual arms race, but, like all good security, the trick is that there are lots of very smart, well-funded "white hats" looking into how to break them. Odds are good that they stay well ahead of the black hats.

      Not saying smart cards are useless- they aren't. I'm saying that it's not really any different than a password- it's a long series of digits that if you feed to the other computer, it will grant you access. It has some advantages passwords don't (length), and some weaknesses (easier theft, easier duplication).

      Ah, I'm bored, so here, I'll describe the typical symmetric mutual authentication protocol and you tell me how you'd break it. Without looking at some code, I'll get this wrong, but it should be close enough to give you the idea:

      • Computer sends a "get challenge" command to the card, which contains a random nonce generated by the computer.
      • The card responds with a random number of its own (generated with a hardware RNG, usually).
      • The computer combines its rando
      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
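The protocol description in the post above is cut off after its second step. The following added example is not the poster's protocol or any card vendor's code: it is a generic symmetric mutual authentication built on the two surviving steps (host nonce, then card nonce), showing why a recorded exchange is "only good once". The class names, the HMAC-SHA256 construction and the message layout are assumptions.

```python
import hashlib
import hmac
import secrets


def mac(key, role, first_nonce, second_nonce):
    """HMAC over both nonces; `role` keeps host and card proofs distinct."""
    return hmac.new(key, role + b"|" + first_nonce + b"|" + second_nonce,
                    hashlib.sha256).digest()


class Card:
    """Holds the shared key; it only ever emits nonces and MACs, never the key."""

    def __init__(self, key):
        self._key = key
        self._host_nonce = None
        self._card_nonce = None

    def get_challenge(self, host_nonce):
        self._host_nonce = host_nonce
        self._card_nonce = secrets.token_bytes(16)   # fresh for every session
        return self._card_nonce

    def authenticate(self, host_proof):
        """Verify the host; on success return the card's own proof, else None."""
        if self._card_nonce is None:
            return None
        host_nonce, card_nonce = self._host_nonce, self._card_nonce
        self._card_nonce = None                      # a challenge is single-use
        expected = mac(self._key, b"host", host_nonce, card_nonce)
        if not hmac.compare_digest(expected, host_proof):
            return None
        return mac(self._key, b"card", card_nonce, host_nonce)


class Host:
    def __init__(self, key):
        self._key = key
        self._host_nonce = None
        self._card_nonce = None

    def start(self):
        self._host_nonce = secrets.token_bytes(16)
        return self._host_nonce

    def prove(self, card_nonce):
        self._card_nonce = card_nonce
        return mac(self._key, b"host", self._host_nonce, card_nonce)

    def verify_card(self, card_proof):
        if card_proof is None:
            return False
        expected = mac(self._key, b"card", self._card_nonce, self._host_nonce)
        return hmac.compare_digest(expected, card_proof)


def run_session(host, card):
    """Run one exchange; return (success, everything visible on the wire)."""
    host_nonce = host.start()
    card_nonce = card.get_challenge(host_nonce)
    host_proof = host.prove(card_nonce)
    card_proof = card.authenticate(host_proof)
    wire = {"host_nonce": host_nonce, "card_nonce": card_nonce,
            "host_proof": host_proof, "card_proof": card_proof}
    return host.verify_card(card_proof), wire


def replay_card_to_host(host, recorded):
    """Recorded card messages are fed to a host that has picked a new nonce."""
    host.start()
    host.prove(recorded["card_nonce"])
    return host.verify_card(recorded["card_proof"])


def replay_host_to_card(card, recorded):
    """Recorded host messages are fed to a card that issues a new nonce."""
    card.get_challenge(recorded["host_nonce"])
    return card.authenticate(recorded["host_proof"]) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    host, card = Host(key), Card(key)
    ok, wire = run_session(host, card)
    print("genuine session accepted :", ok)
    print("card replay accepted     :", replay_card_to_host(host, wire))
    print("host replay accepted     :", replay_host_to_card(card, wire))
```

Each proof covers the nonce chosen by the verifying side, so a recording of an earlier session never matches the next challenge, and the key itself never appears on the wire.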
    6. Re:Don't bother by swillden · · Score: 2, Informative

      One place I have seen it and liked it is lockers at amusement parks.

      That's a terrible place to use biometrics. The false reject rate has to be very low or the customers will complain, which means that the false accept rate will be high. Combine that with the typically poor resolution of fingerprint matchers, throw in the effect of the Birthday Problem, and I guarantee that if you get a significant number of people who try to get into multiple lockers, you'll have some of them get into lockers that aren't theirs.

      Better make sure there's someone watching the lockers to catch people who go stick their thumb on every one. Or the system could lock out any finger that was presented to more than n lockers within a short time frame... assuming that could be done, I guess the system would be adequate.

      I'd still prefer a key safety-pinned inside my pocket, though. That can be broken, too, especially by the employees with the master key, but I'd trust it more than a biometric solution.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. how? or why would you? by gl4ss · · Score: 2, Interesting

    how is easy, just buy a usb dongle reader.

    but making it into a good use in the system, now that's a whole another issue. would you use the biometric data as a password for that pgp drive or what?

    --
    world was created 5 seconds before this post as it is.
  9. Biometrics have an inevitable risk by joelparker · · Score: 1

    Are you *sure* you want biometrics? If someone gets a hold of your data then what do you do-- change your body?

    For example, your thumbprint can be lifted from a water glass.

    And your retinal scan can be lifted any time you go to the eye doctor.

  10. Or even worse... by HotNeedleOfInquiry · · Score: 1

    Would you be willing to lose your finger to a determined thief? It's happened already.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:Or even worse... by LinuxGeekMobile · · Score: 1

      Please provide a link to a reputable news source. Without verification, this should be considered "urban legend". That said, I agree wholeheartedly with you, and so does the company I work for.

      --
      - Posted via Danger HipTop2 / T-Mobile Sidek!ck II -
  11. Double standard on slashdot by HumanCarbonUnit · · Score: 0, Offtopic

    Now this is interesting: I apologize if people see this as a flame or insulting post: When I posted a question on ask.slashdot.org about WEP encryption problems in Windows XP (see article in ask.slashdot), I got flamed big-time about how dumb I was or how stupid Windows and WEP are. Here we have a topic that really should be in the general ask.slashdot.org section and not out in the main slashdot site and what's more, there isn't anyone flaming him about googling the topic first or other nasty things. BTW: a lot of information and answers to this question could have been gotten from google. Well, this is my opinion, let the flames begin.

    1. Re:Double standard on slashdot by Anonymous Coward · · Score: 0

      Look at all the posts giving detailed recommendations. This post is promoting discussion.

      In contrast, your post was just asinine. It promoted very little real discussion, and could have been solved by calling someone who knows what they're doing. I'm sure you know someone like that.

    2. Re:Double standard on slashdot by Anonymous Coward · · Score: 0

      Quit your bitching and just accept that you suck at life.

  12. Darn, why... by joto · · Score: 1

    Biometric scanners, PGP encryption, What's next? While undoubtedly fancy, I don't think they make your data that much more secure. While it probably makes it a bit more difficult to access your data, as soon as your data is stolen, it is stolen, and unless you get it back fast, the blackhats will have all the time in the world to try to access it. And chances are, they will. Also, these security solutions are brittle. In case something bad happens, you might not be able to access your data yourself!

    No, if you want to secure your data, you do it by using physical security. Lock your laptop in a briefcase that takes some time to break into. Add some sort of signalling device in case it gets stolen (it already exists for cars, so why not laptops? In any case, it doesn't need to be much harder than putting a cellphone in there, they can be traced...).

    And follow the same procedures as, say, the cash transportation people. Your locked briefcase will be transported inside a locked safe in your car. The safe could be of the kind that needs two keys, one that's your personal key, and one that's either your companion's personal key, or that is distributed to your customers and someone at your main office.

    When the car is parked, it is either in a secure garage, you have a guard (i.e. the receptionist at your customer location) watching it, or you bring your laptop with you (in the locked briefcase). When travelling with your laptop, make sure you are not alone (i.e have the customer meet you at the parking lot, or bring some company). Be on constant alert for suspicious people. If someone is loitering at the parking lot, don't go there until they are gone, and make sure to tell your customer why. Always park with the rear end towards a hindrance, in case you need to escape quickly. Make a deal with a security company to provide you with assistance in case anything happens, or if you have to enter an area that you feel is "risky".

    If you follow these procedures (you have to weigh cost against benefit here, but the most basic procedures: screening parking lots, a locked briefcase, a locked safe, a cellphone, and some caution, is very cheap), my guess is that unless your data is some sort of government top secret stuff, most insurance companies would be happy. But if it really is that valuable, you can increase your security with more guards, and one or more extra cars that will follow your car around and screen any areas you are entering before you are leaving your car...

  13. Biometric PC-Card by JackAsh · · Score: 2, Informative

    Identix makes a Biometric PC-Card:

    http://www.identix.com/products/pro_info_fp_biotouch_pc.html

    Others:

    http://www.secure-it.com/products/umatch/via253.htm
    http://www.thinkgeek.com/gadgets/security/6518/

    That would seem to be what you're looking for for a laptop. The Biometric sensor slides in and out of the card leaving it perfectly flush with the side of the laptop. This should help avoid accidental breakage.

    My experience comes mostly from the Identix Optical sensors. Problems:
    -Optical Biometrics can be bypassed via simple gummibear technology ;). Google it up if you don't believe it :).

    -Optical sensors are notoriously finicky. People with poor fingerprint definition - people who work with their hands, as in a garden (earth is abrasive) or work out with weights (sometimes the weight bars can be abrasive) might have problems getting their fingerprints read. Same goes for dry skin, and for some reason, black people. Not trying to be racist here or anything, we did a pilot at work a few years back and 9/10 black people had problems getting their prints read by the system.

    -Anything that messes with your Windows GINA authentication system can cause problems. I've seen the Identix product freak out if it couldn't find an internet connection, or a domain controller, or the internet connection was half baked, etc. It was very very random. May have been solved with their latest service packs.

    Finally, you're still best off applying some form of encryption to your files.

    Good luck,

    -Jack Ash

  14. MPC, or something like that by dethwulf · · Score: 1

    I know it's not ruggedized, like you want, but MPC offers a line of laptops that have biometric fingerprint scanners installed factory. The software included is quite nice, including a secure place to store files once you've logged in. I haven't locked my system down completely with the software, but it does offer a BIOS-level scan (and password if you fail the scan).

    Through MPC, our company managed to obtain a few small-business products, including ruggedized laptops. If you give their sales people a call and explain what you're looking for, they may be able to track something down for you.

    --
    Good things come to those who wait on the early bird who gets the worm... hey, wait a sec!
  15. IBM has an external device by Anonymous Coward · · Score: 1, Informative

    The IBM laptop with built-in fingerprint reader is nice, but IBM also sells a keyboard with biometric and a simple USB biometric device. You could hook one of those up to any laptop.

  16. BBC? Reputable? by way2trivial · · Score: 2, Interesting
    --
    every day http://en.wikipedia.org/wiki/Special:Random
  17. I'd get one of these instead by chivo243 · · Score: 1

    LICENSE TO KILL

    --
    Sig Hansen?
  18. I'm scared of proprietary encryption. by Futurepower(R) · · Score: 1

    I'm scared of proprietary encryption. It is very difficult to implement encryption well. Proprietary software asks you to believe claims made by marketing people who probably don't understand any of the issues.

    TrueCrypt seems quite fast.

    1. Re:I'm scared of proprietary encryption. by Intron · · Score: 2, Informative

      Perhaps you are unaware that NIST certifies encryption libraries so you don't have to believe marketing people. I would not use a product that can't show NIST certs.

      --
      Intron: the portion of DNA which expresses nothing useful.
  19. How do you know...? by Futurepower(R) · · Score: 1

    How do you know if they are using the library unmodified? How do you know if they are using the library correctly?

    From the link you cited: "However, due to the possibility of changes made within individual companies, NIST cannot guarantee that this document reflects the current status of each product. It is the responsibility of the vendor to notify NIST of any necessary changes to its entry in the following list."

    Why accept this weasel-worded statement when you can have open source TrueCrypt?

    1. Re:How do you know...? by RMH101 · · Score: 2, Informative

      it's all about enterprise readiness. i don't have any personal experience of truecrypt, but I do of pointsec, and i'd trust pointsec enterprise-wide. it does decent recovery by authorised users, it can be installed silently when pushed out via SMS or login scripts, and it encrypts in the background. it just kind of works. truecrypt may be just as good, but as i say, i don't have confidence through experience with it yet.

  20. Use a TPM trusted platform module by skswave · · Score: 1

    One of the best solutions is to use a laptop that has a TPM like the thinkpad. This technology provides the strong key protection that is state of the art and most machines come with File and folder encryption that can use these keys. A pin or Biometric is used to release the use of the keys that are then used to decrypt or encrypt the data. The newer thinkpads have both the Sensor and the TPM.