Testing Commercial 2-Factor Authentication Systems?
Fry-kun asks: "I recently became interested in setting up a 2-factor authentication system for my laptop. With that in mind, I bought a fairly inexpensive USB key. Although it seems to work, I can't bring myself to trust it completely: Kensington claims that the system is secure, but there is no independent security lab analysis of the product. In other words, for all I know, there may be a gaping hole in their security setup. Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. How would you go about making sure that a security product does what it claims to?"
...not just get a USB thumb drive and make it a big TrueCrypt volume?
-- the cake is a lie
Throw away the USB key, then try with all your might to get to your files. If you can, you got a crappy product; if you didn't, congrats, you won.
You don't work for the VA do you?
You can't. All security software needs to be OSS for this reason.
That being said, OSS had a 2-factor authentication mechanism available years ago. Encrypt your hard drive, save the key to a USB key and enter a passphrase. You'll need to both insert the USB key and type your passphrase for the root disk to get mounted. That's pretty much the entire system locked down.
This article appears to detail that process.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
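The passphrase-plus-USB-keyfile scheme described above, reduced to its key-derivation step as an added example (not code from the thread or from any of the products named in it). The function names, the header layout and the verifier construction are my own; the point it makes runnable is that neither factor alone yields the volume key, and the comment in make_keyfile carries the caveat that a keyfile is copyable.

```python
import hashlib
import hmac
import os

# Added example (not from the thread): the "encrypt the disk, keep key material on a
# USB stick, and type a passphrase" scheme reduced to its key-derivation step. Names
# and the header layout are mine; a real setup would use LUKS/TrueCrypt, not this.

def make_keyfile(nbytes=64):
    """Random material for the USB stick. It is "something you have" only as long
    as nobody copies the file; it is not a tamper-resistant token."""
    return os.urandom(nbytes)

def derive_volume_key(passphrase, keyfile, salt, iterations=200_000):
    """Both factors feed one 32-byte key; lacking either yields unrelated bits."""
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return hmac.new(stretched, keyfile, hashlib.sha256).digest()

def enroll(passphrase, keyfile):
    """Header a bootloader keeps on the unencrypted boot partition: a salt plus a
    verifier that lets it report a bad factor without exposing the key."""
    salt = os.urandom(16)
    key = derive_volume_key(passphrase, keyfile, salt)
    return {"salt": salt, "check": hmac.new(key, b"volume-check", hashlib.sha256).digest()}

def unlock(header, passphrase, keyfile):
    """Return the volume key if both factors are right, else None."""
    key = derive_volume_key(passphrase, keyfile, header["salt"])
    tag = hmac.new(key, b"volume-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, header["check"]) else None

if __name__ == "__main__":
    kf = make_keyfile()
    hdr = enroll("correct horse battery staple", kf)
    print("both factors:", unlock(hdr, "correct horse battery staple", kf) is not None)
    print("passphrase only:", unlock(hdr, "correct horse battery staple", b"") is not None)
    print("keyfile only:", unlock(hdr, "", kf) is not None)
```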
Corporate security drives innovation in this area. Who else is going to place an order for 10,000 of these units?
Corporate security is more concerned with blame and 'due diligence' than actual security.
Thus, if CompanyX makes a "secure" product, CorporationY will buy it, and deal with a breach by suing CompanyX.
I want to delete my account but Slashdot doesn't allow it.
When I was at CES I remember seeing something for this. I'm trying to remember their name. Let's see, they had those hot girls wearing the revealing police uniforms... arg, I don't seem to remember much past that.
:(
Sorry
Mod me up, mod me down, do your worst you modding clown.
How does this implement a two-factor security system?
#include ".signature"
It's made by a US company so you can bet your first-born that there's a backdoor - probably "protected" with a password some idiot would have in their luggage. How many government agencies and People That Are Out To Get You know about this backdoor is anybody's guess. And its full protocol hasn't been disclosed so you can't be sure regardless of how many assurances you get from the company.
"We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
I am posting this as AC because I do this for a living for a large government agency.
You are not sure, which is the problem. I will give a nod to Kensington here, though. They are about to make a lot of money because they are serious about security, unlike a lot of other companies that peddle USB devices (Kangaroo, I am looking your way).
While it is commendable you are looking for two-factor authentication, a USB key is not the way to go here. The goal here is to not be able to break your encryption if you are forced or influenced to give up your password. Any system you can set up yourself will be breakable by you unless you take extreme measures. For the sake of argument, we will assume that there are no extreme measures in place, but your encryption can still be cracked by you.
Your best bet here is to go with full disk encryption. For further security, use truecrypt with a file on a CD or USB device as part of the key, as was referenced above.
For further security, encrypt again.
As you can see, this goes on. The weak point is you. If you can break it, you can be forced to break it.
If you want complete deniability, triple encrypt all of your regular data, then quadruple encrypt your sensitive data somewhere else. Use files, passwords, obfuscation, etc.
You will still be better off than most people. Including the government, according to plenty of stolen laptop press reports.
I work as a secure systems designer and consultant, and I've had some opportunities to review the security of commercial systems of various sorts. What I've learned is (1) properly evaluating commercial security tools is nearly impossible and (2) much of it is lousy.
The most effective means I've found of evaluating tools is to have a client sitting on a really huge purchase order, so that the vendor will give me access to key security personnel on their design, development and testing teams in order to make the sale. The people in question won't actually answer my detailed questions, in most cases, but I can still get a feel for how they think, and what they consider important. That actually gives me a pretty good idea of how secure the stuff they build is, though it's not as good as actually doing a detailed analysis of the design and implementation. Ideally, I'd like to talk to their people, do a detailed analysis of their designs, perform a cursory review of their implementation and then really, deeply scrutinize their security design and QA processes.
What I've found when I start pushing to talk to the "security guys" is that in surprisingly many cases there are none! Or there was one, but he left. Or there is one everyone thinks is the security guy, but he's really just a developer with a basic understanding of security principles, no time to really focus on security, and no authority to get any security problems he finds fixed.
Note that this is not always true. I've found some companies that do a really good job, but they're definitely in the minority.
Assuming you can't actually force the vendor to let you talk to their security team, the only thing I can suggest is that you start looking at publicly-available information. Some things to look for are:
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The Kensington solution is designed to be just what you're using it for - a simple personal two factor authentication system. It's stronger than using a bio screen lock, easier to use than a smart card (which requires a reader, not all that common yet except for Dells and IBMs), and it probably keeps out most of the garden variety hackers.
However, it is not the same as a USB key with a SIM card or smart chip, such as from ActivIdentity, Aladdin, VeriSign, among others. First off, these systems are based on a SIM chip with a PKI backing it up, so many enterprise-quality features are now available, such as separating the authentication key (in escrow) from the signing key. That Kensington device appears to just archive the key on its web site, making its ability to effectively escrow questionable at best.
Other PKI-based functions include digital signatures, strong authentication to other applications besides the desktop, and real non-repudiation (because the device has to be issued to a verified person).
The Kensington device appears proprietary too, which makes it questionable how deep into the boot process it can protect. On the other hand, open standard devices with PKI are being implemented into protecting the system from boot.
In other words - I bet it's a good personal solution, but not good enough for government work.
Wasn't the point of the 2nd factor to have a single device "key" that only you would carry? Using a file on a USB key means that anyone could copy the file or even post it on the web. That's hardly comparable to an RSA SecurID.
Is that enough to provide confidentiality?
Give it a realistic test. Create a Word document with the file name "Arson Confession" and type out something about how you set fire to an orphanage. Make a few revisions. Run Firefox with an extension that leaks memory, leave it up for a day or two so that it forces everything else to be swapped out. Simulate a crash by doing an End Process on Word from the task manager once.
Then boot from a Linux live CD and do something like "strings /dev/hda | fgrep -e 'Arson Confession' -e orphanage > leaks.txt".
Document names in MRU lists in the registry, temp files, and the swap file might not be covered by the encryption. A file name could be a pretty damaging thing to leak. Consider also that Windows may store the file name as Unicode in some places that wouldn't show on fgrep.
It's good thinking and sound practice to wonder whether the gadget does what it claims, but a huge number of security problems come from threats that were outside what the security designers were thinking about. "Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven't previously considered and accounted for."
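The strings/fgrep leak test described above catches only the ASCII form of the file name; the follow-up point that Windows stores names as Unicode in places fgrep will not show is what this added example (my code, not the poster's) addresses. It scans a raw image for a marker name in both ASCII and UTF-16LE, streams the image in overlapping chunks so a dd copy of a whole disk fits, and runs against a constructed sample rather than a real drive.

```python
import re
# Hypothetical helper (added example, not from the thread): searches a raw disk or
# swap image for a marker file name in the encodings Windows actually writes,
# since an ASCII-only fgrep walks straight past UTF-16 registry and MRU entries.

def needle_forms(marker):
    """Byte patterns a Latin file name takes on a Windows disk: ASCII and UTF-16LE."""
    return {"ascii": marker.encode("ascii"), "utf-16le": marker.encode("utf-16-le")}

def scan_bytes(data, markers, base=0):
    """Return (marker, encoding, absolute_offset) for every case-insensitive hit."""
    hits = []
    for marker in markers:
        for enc, needle in needle_forms(marker).items():
            # re.IGNORECASE on bytes folds only ASCII letters, which is exactly
            # what both the ASCII and the UTF-16LE form of a Latin name need.
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.append((marker, enc, base + m.start()))
    return sorted(hits, key=lambda h: h[2])

def scan_stream(fobj, markers, chunk_size=1 << 20):
    """Stream a large image (e.g. a dd copy of /dev/hda) without loading it whole."""
    markers = list(markers)
    # Overlap consecutive chunks by the longest needle so a name straddling a
    # chunk boundary is still found; hits repeated in the overlap are deduplicated.
    overlap = max(len(n) for m in markers for n in needle_forms(m).values()) - 1
    hits, tail, offset = [], b"", 0
    while True:
        block = fobj.read(chunk_size)
        if not block:
            break
        buf = tail + block
        for h in scan_bytes(buf, markers, offset - len(tail)):
            if h not in hits:
                hits.append(h)
        tail = buf[-overlap:] if overlap else b""
        offset += len(block)
    return sorted(hits, key=lambda h: h[2])

def scan_image(path, markers, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return scan_stream(f, markers, chunk_size)

# Constructed sample "image" (not from a real disk): an MRU-style UTF-16LE record,
# an ASCII autorecover entry, and null filler.
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"RecentDocs\x00" + "Arson Confession.doc".encode("utf-16-le")
    + b"\x00" * 34 + b"C:\\Users\\fry\\AppData\\Local\\Temp\\~WRL0001.tmp\x00"
    + b"\x00" * 16 + b"arson confession.doc (autorecover)\x00"
)
```

On the sample, scan_bytes(SAMPLE_IMAGE, ["Arson Confession"]) reports the UTF-16LE hit at offset 75 that a plain fgrep would miss, and the ASCII one at offset 210.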
Get hold of the Russian Mafia, enquire whether there are any cracks for the software you're interested in.
If you can buy a crack, it's not secure enough.
If you cannot source a crack, put a $5k bounty on it and use the product while blackhats do the work. Discard product immediately once blackhats come up with a solution. Do pay the blackhats/Mafia - consider the $5k money well spent, and it saves an awful lot of trouble later on.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
The Kensington token looks OK, but if I'm recommending a whole disk encryption system, I would use something that has been battle tested in corporate environments, and where the physical token meets FIPS 140-1 level 1 or 2 standards. Standards don't mean something is free of security holes, but they mean that people's eyes have looked the software and hardware over and the company stands behind their product enough to pay for it to be validated. It's similar to the Sold Secure Gold rating on physical locks -- it doesn't mean they are 100% secure, but locks certified with it will be tough for most thieves to break.
There are a number of WDE utilities which are solid, certified, and proven over time. I have personally had excellent results with SafeBoot, WinMagic, DriveCrypt Plus Pack, CompuSec, and PGP Whole Disk Encryption. For hardware tokens, Aladdin's eToken PRO 64k.
Snake oil encryption is common; anyone deciding on a solution for themselves or a company needs to do their homework and know the basics of cryptography as well as which certification levels mean what.
PGP Whole Disk costs $49.99 for a year license, and $119.99 for an unlimited length license. This, plus the cost of an Aladdin eToken (about $70-80), gives a person a known good security setup where each major link is certified by an independent security agency. Yes, $200 is more expensive than the $50-$70 for the Kensington token, but the price premium pays for a product that has been around for a long time, where security issues are found and fixed.
Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. So nobody knows it exists? Security through obscurity then...
The DOD, depending on which shop you're in, uses built-in Dell products, i.e. Dell Latitude 620. Comes with a built-in smart card reader. I personally have one sitting next to me right now. Put in my card, enter the PIN and go.
Depending on how you have it set up, you can cache your card certs to allow logging in without a connection to your network (i.e. smart card without a network connection), but that's more of a Windows feature. Built-in wireless, Core Duo, etc. I hate to say this, but I can't get enough of this thing.
But, a quick note: Your security is not only based upon your authentication; you should spend an equal amount of time securing the operating system. I honestly thought I knew a decent amount of info about Windows, but I've been thrown into the world of security and my jaw drops about 3 times a day from what I learn. So I'll offer this - encrypt your hard drive with your authentication factor (the gov is testing this right now and the info is public), use 2-3 form authentication (most of the time, we use 2 - something we have (card), something we know (PIN)), encrypt anything internally that MAY seem important to someone else - this means files, email, VPN connections for remote workers.
I'd love to go into more, but nope....
Grandparent's idea is stupid. Unless you're Bruce Schneier, you probably won't be able to judge a security system properly.
Does that mean everyone only needs security that he himself can't break? No, everyone needs security that no one can break.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Remember that the true motive behind most companies is to make you give them your money, and in many companies quality isn't a priority. It's no surprise that many security products have bugs. I would trust more a security method or tool released by the security community itself, without the involvement of PHBs.
If the source code isn't available, it's not secure. Simple as that.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Two (or more) factor security sounds good, but is designed for independent control of the factors. A USB flash drive can be cloned and really can't claim independent control.
see http://getindi.com/
Send me your laptop, and I'll let you know.
https://www.eff.org/https-everywhere
Aint it wunnerful that a security company wants me to run THEIR code on MY machine. A simple menu of hyper-linked images would have done the same job without exposing me to the programming vagaries of the marketing director's inept nephew. Their lack of interest in my security translates into my lack of interest in their product, as it probably suffers from a similar inattention to details.
There is no right to feel safe through security vaudeville at the expense of everyone's freedom, privacy and tax money.
Yet you bought it anyway. Why are you now complaining, instead of having done some proper research before you put your money down?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."