Slashdot Mirror


Testing Commercial 2-Factor Authentication Systems?

Fry-kun asks: "I recently became interested in setting up a 2-factor authentication system for my laptop. With that in mind, I bought a fairly inexpensive USB key. Although it seems to work, I can't bring myself to trust it completely: Kensington claims that the system is secure, but there is no independent security lab analysis of the product. In other words, for all I know, there may be a gaping hole in their security setup. Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. How would you go about making sure that a security product does what it claims to?"

2 of 56 comments

  1. You don't by Anonymous Coward · Score: 5, Interesting

    I am posting this as AC because I do this for a living for a large government agency.

    You are not sure, which is the problem. I will give a nod to Kensington here, though. They are about to make a lot of money because they are serious about security, unlike a lot of other companies that peddle USB devices (Kangaroo, I am looking your way).

    While it is commendable you are looking for two-factor authentication, a USB key is not the way to go here. The goal here is to not be able to break your encryption if you are forced or influenced to give up your password. Any system you can set up yourself will be breakable by you unless you take extreme measures. For the sake of argument, we will assume that there are no extreme measures in place, but your encryption can still be cracked by you.

    Your best bet here is to go with full disk encryption. For further security, use TrueCrypt with a file on a CD or USB device as part of the key, as was referenced above.

    For further security, encrypt again.

    As you can see, this goes on. The weak point is you. If you can break it, you can be forced to break it.

    If you want complete deniability, triple encrypt all of your regular data, then quadruple encrypt your sensitive data somewhere else. Use files, passwords, obfuscation, etc.

    You will still be better off than most people. Including the government, according to plenty of stolen laptop press reports.

  2. Suppose it does exactly what it says by Beryllium+Sphere(tm) · Score: 3, Interesting

    Is that enough to provide confidentiality?

    Give it a realistic test. Create a Word document with the file name "Arson Confession" and type out something about how you set fire to an orphanage. Make a few revisions. Run Firefox with an extension that leaks memory, leave it up for a day or two so that it forces everything else to be swapped out. Simulate a crash by doing an End Process on Word from the task manager once.

    Then boot from a Linux live CD and do something like "strings /dev/hda | fgrep -e 'Arson Confession' -e orphanage > leaks.txt".

    Document names in MRU lists in the registry, temp files, and the swap file might not be covered by the encryption. A file name could be a pretty damaging thing to leak. Consider also that Windows may store the file name as Unicode in some places that wouldn't show on fgrep.

    It's good thinking and sound practice to wonder whether the gadget does what it claims, but a huge number of security problems come from threats that were outside what the security designers were thinking about. "Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven't previously considered and accounted for."
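The leak test described in the comment above, as an added example that is not part of the original post: it scans a raw disk device or image for the canary strings in both ASCII and UTF-16LE, which covers the Unicode case that a plain fgrep would miss. The function names, the chunk size and the command-line argument are assumptions made for this illustration.

```python
import sys

MARKERS = ["Arson Confession", "orphanage"]  # canary strings from the test document
CHUNK = 1 << 20                              # read 1 MiB at a time


def patterns(markers):
    """Map each byte pattern to (marker, encoding) for ASCII and UTF-16LE."""
    table = {}
    for m in markers:
        table[m.encode("ascii")] = (m, "ascii")
        table[m.encode("utf-16-le")] = (m, "utf-16-le")
    return table


def scan(stream, markers=MARKERS, chunk=CHUNK):
    """Return sorted (offset, marker, encoding) hits found in a binary stream."""
    table = patterns(markers)
    # Keep enough bytes from the previous read to catch a marker that
    # straddles a chunk boundary.
    overlap = max(len(p) for p in table) - 1
    hits, tail, base = set(), b"", 0  # base = absolute offset of buf[0]
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block
        for pat, (marker, enc) in table.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, marker, enc))  # set drops overlap duplicates
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)


if __name__ == "__main__":
    # Argument: the disk device or image to check, opened read-only,
    # e.g. the laptop's disk as seen from the live CD.
    with open(sys.argv[1], "rb") as dev:
        for off, marker, enc in scan(dev):
            print(f"{off:#014x}  {enc:9}  {marker}")
```

Any hit means the string reached the disk in plaintext; the offset shows where to look to work out whether it came from swap, a temp file or the registry.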