Testing Commercial 2-Factor Authentication Systems?
Fry-kun asks: "I recently became interested in setting up a 2-factor authentication system for my laptop. With that in mind, I bought a fairly inexpensive USB key. Although it seems to work, I can't bring myself to trust it completely: Kensington claims that the system is secure, but there is no independent security lab analysis of the product. In other words, for all I know, there may be a gaping hole in their security setup. Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. How would you go about making sure that a security product does what it claims to?"
..not just get a USB thumb drive and make it a big TrueCrypt volume?
-- the cake is a lie
You can't. All security software needs to be OSS for this reason.
That being said, OSS had a 2-factor authentication mechanism available years ago. Encrypt your hard drive, save the key to a USB key and enter a passphrase. You'll need to both insert the USB key and type your passphrase for the root disk to get mounted. That's pretty much the entire system locked down.
This article appears to detail that process.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
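The unlock design the post above describes, sketched as an added illustration (my own code, not from the linked article, and the KDF and header layout are my own choices): the disk's master key is wrapped under a key derived from both the file on the USB key and the typed passphrase, so neither factor alone recovers it.

```python
import hashlib, hmac, os

# Two-factor unlock of a disk master key (stdlib only). The USB key file and the
# passphrase are both fed into the KDF, so a stolen USB stick or a guessed
# passphrase on its own does not reproduce the wrapping key.
SALT_LEN = 16

def derive_wrap_key(usb_keyfile: bytes, passphrase: str, salt: bytes) -> bytes:
    # scrypt over the passphrase, with the USB key file mixed into the salt
    return hashlib.scrypt(passphrase.encode(), salt=salt + usb_keyfile,
                          n=2**14, r=8, p=1, dklen=64)

def wrap_master_key(master_key: bytes, usb_keyfile: bytes, passphrase: str) -> bytes:
    """Return a header blob (salt || wrapped key || MAC) to store on the disk."""
    salt = os.urandom(SALT_LEN)
    wk = derive_wrap_key(usb_keyfile, passphrase, salt)
    enc_key, mac_key = wk[:32], wk[32:]
    # 32-byte master key XORed with a 32-byte derived key (one-time-pad style wrap)
    wrapped = bytes(a ^ b for a, b in zip(master_key, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag

def unwrap_master_key(header: bytes, usb_keyfile: bytes, passphrase: str):
    salt = header[:SALT_LEN]
    wrapped = header[SALT_LEN:SALT_LEN + 32]
    tag = header[SALT_LEN + 32:]
    wk = derive_wrap_key(usb_keyfile, passphrase, salt)
    enc_key, mac_key = wk[:32], wk[32:]
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong passphrase, wrong/missing USB key, or tampered header
    return bytes(a ^ b for a, b in zip(wrapped, enc_key))

def demo():
    master_key = os.urandom(32)    # constructed: the disk's real encryption key
    usb_keyfile = os.urandom(64)   # constructed: random blob written to the USB key
    passphrase = "correct horse battery staple"  # constructed sample passphrase
    header = wrap_master_key(master_key, usb_keyfile, passphrase)
    return {
        "both": unwrap_master_key(header, usb_keyfile, passphrase) == master_key,
        "no_usb": unwrap_master_key(header, b"", passphrase) is None,
        "wrong_pass": unwrap_master_key(header, usb_keyfile, "wrong") is None,
    }

if __name__ == "__main__":
    print(demo())
```

A plain key file handed straight to the disk encryption layer would make the USB stick a single factor; the point of the wrap is that the passphrase is required to turn the key file into anything useful.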
I work as a secure systems designer and consultant, and I've had some opportunities to review the security of commercial systems of various sorts. What I've learned is (1) properly evaluating commercial security tools is nearly impossible and (2) much of it is lousy.
The most effective means I've found of evaluating tools is to have a client sitting on a really huge purchase order, so that the vendor will give me access to key security personnel on their design, development and testing teams in order to make the sale. The people in question won't actually answer my detailed questions, in most cases, but I can still get a feel for how they think, and what they consider important. That actually gives me a pretty good idea of how secure the stuff they build is, though it's not as good as actually doing a detailed analysis of the design and implementation. Ideally, I'd like to talk to their people, do a detailed analysis of their designs, perform a cursory review of their implementation and then really, deeply scrutinize their security design and QA processes.
What I've found when I start pushing to talk to the "security guys" is that in surprisingly many cases there are none! Or there was one, but he left. Or there is one everyone thinks is the security guy, but he's really just a developer with a basic understanding of security principles, no time to really focus on security, and no authority to get any security problems he finds fixed.
Note that this is not always true. I've found some companies that do a really good job, but they're definitely in the minority.
Assuming you can't actually force the vendor to let you talk to their security team, the only thing I can suggest is that you start looking at publicly-available information. Some things to look for are:
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The Kensington token looks OK, but if I'm recommending a whole disk encryption system, I would use something that has been battle tested in corporate environments, and where the physical token meets FIPS 140-1 level 1 or 2 standards. Standards don't mean something is free of security holes, but it means that people's eyes have looked the software and hardware over and the company stands behind their product enough to pay for it to be validated. It's similar to the Sold Secure Gold rating on physical locks -- it doesn't mean they are 100% secure, but locks certified with it will be tough for most thieves to break.
There are a number of WDE utilities which are solid, certified, and proven over time. I have personally had excellent results with SafeBoot, WinMagic, DriveCrypt Plus Pack, CompuSec, and PGP Whole Disk Encryption. For hardware tokens, Aladdin's eToken PRO 64k.
Snake oil encryption is common; anyone deciding on a solution for themselves or a company needs to do their homework and know the basics of cryptography, as well as what the various certification levels mean.
PGP Whole Disk costs $49.99 for a one-year license, and $119.99 for an unlimited length license. This, plus the cost of an Aladdin eToken (about $70-80), gives a person a known good security setup where each major link is certified by an independent security agency. Yes, $200 is more expensive than the $50-$70 for the Kensington token, but the price premium pays for a product that has been around for a long time and where security issues are found and fixed.