I've heard a lot about biometrics, but the durned things cost over $100 (consumer grade) and only seem to work for legacy software. The cost isn't such a big deal, but the software sure is.
But in the bigger picture, biometrics isn't enough. I know there'll be a couple of cocky jerks who'll tell you (and me) at great lengths how stupid the idea is, mostly because they've not looked down the road as far as I have. Remember the GPG keys on repos and how that wasn't suitable? :)
Keyfobs. These little USB droplets of cyberspace. How about we, as one of the largest collections of Linux people out there, standardize some software to fit into PAM to do this:
1. Upon insertion, ask for the passphrase à la local-agent.
2. When validated, use these credentials for everything.
Sounds like a simple idea, but for some reason the powers that be can't seem to 'get off the pot' and placate hundreds of vendors to define a standard. Standards are what we're about. Let's make our own. When the money stops flying and things get tight, we'll allow'em to use our own.
Some issues:
1. Web browsing with the key: It needs to unlock the password storage there. I don't think this is a big deal, but I doubt anyone's written anything like it yet. I suppose this'll require help from the Mozilla team, mostly.
If a Linux guy with a key is browsing, how about the Linux server on the other side accepting this as authentication? (For existing accounts, of course)
2. GDM and logins: this might have to be modified, aye? It would have to be authenticated before the login. And the name given the login (username) would have to come from somewhere, no?
Think of how messed up this whole thing is: every site you have another password to be lost, every machine on which you work you do too. People don't remember passwords; they get written down and never changed. That's why an internal test of the NYT staff was able to crack 70-80% of their passwords just by studying the office area.
It's getting to the point that passwords are meaningless, and we're only asking for more new ones. Let's change that direction.
What's it take? Do we start a group on Sourceforge? Is Red Hat/et al interested in pushing this? I don't care if Debian, Suse or SCO doesn't support it; this is something _we_ can do, it's not hard; let's do it. Let the rest of the world catch up to us.
Gentlemen: Start your flamethrowers! :>
On Wed, 2004-10-13 at 15:36, Brian Fahrlander wrote:
> I've heard a lot about biometrics, but the durned things cost over $100 (consumer grade) and only seem to work for legacy software. The cost isn't such a big deal, but the software sure is.
> But in the bigger picture, biometrics isn't enough. I know there'll be a couple of cocky jerks who'll tell you (and me) at great lengths how stupid the idea is, mostly because they've not looked down the road as far as I have. Remember the GPG keys on repos and how that wasn't suitable? :)
> Keyfobs. These little USB droplets of cyberspace. How about we, as one of the largest collections of Linux people out there, standardize some software to fit into PAM to do this:
> 1. Upon insertion, ask for the passphrase à la local-agent.
> 2. When validated, use these credentials for everything.
Sounds like you want something like Sun has with their Sunray systems. You walk up to one and plug in your badge (which has a chip on it) and the first time you log in. When you are done you just pull your badge. You can then walk up to a different Sunray and insert your badge and the same environment shows up on the display.
Not quite what you described but close. The trick with what you want is getting a driver that sits and monitors the USB port looking for some kind of token on the flash. When it sees the token then you can probably use one of those agent programs to authenticate a PGP key. After that any systems you use PGP with would let you access it with no problem.
The big issue (you knew there was one!) is you need some process in place to recover when either your fob catastrophically fails or is lost. It also must be secure enough that if it is lost that no one else could use it. Which brings you back to using a highly secure password or pass phrase and encryption that would take the NSA at least a week to crack. :)
You are correct in that virtually everyone at one time or another uses insecure passwords or uses the same password across a large number of systems.
The best system I have seen uses a token card. I have used two forms of token cards; the first generated a new pass token every minute. The RSA server on the company LAN is synchronized so that when you enter your user ID, token, and PIN it would authenticate you. The other token card actually had a keypad on it which you put your PIN into and then it generates a token that you use for the password.
Both of these were used to establish VPN access but could also be used for authentication to servers with the right PAM modules.
So a lot of what you want is already out there. The bigger issue is getting all the different systems you want to use this with to use the new scheme.
On Wed, 2004-10-13 at 18:22, Scot L. Harris wrote:
> Sounds like you want something like Sun has with their Sunray systems. You walk up to one and plug in your badge (which has a chip on it) and the first time you log in. When you are done you just pull your badge. You can then walk up to a different Sunray and insert your badge and the same environment shows up on the display.
Yep. With one exception: Sun's gonna want to license that technology to use it...but the idea _is_ very close. We own the code...we can do something like it.
> The big issue (you knew there was one!) is you need some process in place to recover when either your fob catastrophically fails or is lost. It also must be secure enough that if it is lost that no one else could use it. Which brings you back to using a highly secure password or pass phrase and encryption that would take the NSA at least a week to crack. :)
Yeah, but with a fob, they might write down the passphrase at home, making it difficult to steal at work. Even this provides an amount of security not offered with current systems.
> So a lot of what you want is already out there. The bigger issue is getting all the different systems you want to use this with to use the new scheme.
Yeah, all the parts are there. There's a daemon that'll watch and take actions based on USB insertions. It shouldn't be a big deal. It's not like we're inventing the wheel from scratch.
And that's why I posted this here, not on Fedora-devel. I'm interested in mobilizing a desire for the system, not interrupting a bunch of guys working on other things to tackle another project. (Isn't it amazing? No one griped about that...)
I've watched a lot of projects spring to life; the only thing different about this one is that the parts are there, we just need to glue'em together. I think what we need most is a catchy name, then a press release, and eventually some programmers. :> At least, that's the way things like Samba, Sendmail, and Apache seemed to have come about. (J/K!)
On the web-side, we could introduce something in the browser strings that it normally sends the server. Just add a key. IIS and company can barf on it, but if a browser is sending that key, it's because a fob has been authenticated, and if a matching key is found, that user gets logged in.
This whole idea is made up of little things like that, which don't appear to be a big deal. I think the hardest thing is for Linux programmers and well-wishers to be creative; to not wait for everyone in the UN to sign on to the plan.
Make this system, bang out the initial problems, and make it part of the distro, and you'll see people everywhere picking it up. Even the legacy people.
What can I do to help?
On Wed, 2004-10-13 at 20:06, Brian Fahrlander wrote:
>> The big issue (you knew there was one!) is you need some process in place to recover when either your fob catastrophically fails or is lost. It also must be secure enough that if it is lost that no one else could use it. Which brings you back to using a highly secure password or pass phrase and encryption that would take the NSA at least a week to crack. :)
> Yeah, but with a fob, they might write down the passphrase at home, making it difficult to steal at work. Even this provides an amount of security not offered with current systems.
Security-wise it is always a bad idea to write down passwords or passphrases. The reality is that almost everyone does just that. :)
Actually there are several different two-factor authentication schemes out there. The idea of authenticating someone based on something they have and something they know is pretty much the standard for really secure systems.
And I think that may be the issue with widespread adoption of such a system. Most people feel that a password provides enough security for their purposes. And from past experience dealing with users, if you make a system too complex they won't use it. This includes issues with recovering from that catastrophic failure or lost passphrase.
> I've watched a lot of projects spring to life; the only thing different about this one is that the parts are there, we just need to glue'em together. I think what we need most is a catchy name, then a press release, and eventually some programmers. :> At least, that's the way things like Samba, Sendmail, and Apache seemed to have come about. (J/K!)
You must have a marketing background. :^D
Personally I think a proof of concept would be the first thing. Once you have that then you can sort out the silly stuff like names and such. :)
> On the web-side, we could introduce something in the browser strings that it normally sends the server. Just add a key. IIS and company can barf on it, but if a browser is sending that key, it's because a fob has been authenticated, and if a matching key is found, that user gets logged in.
Don't forget that you need to encrypt any thing you want to send like that. Probably you will want to consider using some kind of public key setup so that you never pass the real password info over the network.
> Make this system, bang out the initial problems, and make it part of the distro, and you'll see people everywhere picking it up. Even the legacy people.
Like I said before, getting widespread adoption of something like this will be a problem. It will appeal to a select group at best. Take a look at SELinux over the next year. If/when that is enabled by default I suspect you will see the most common question on the list is how to disable it.
I do have one idea that many people may find useful. Using your idea of a USB flash memory, figure out how to store your web browser's cache of passwords on the flash memory. Then no matter what machine you use, you plug in the flash and your browser has all the passwords for all the sites you visit. Would need to modify the browser to look for the cache information on the flash memory. Once you get the proof of concept working then you need to add heavy duty encryption to the flash device and a method to unlock it for use by the web browser.
> What can I do to help?
Release a proof of concept of course! :)
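As an added illustration of the encrypted password cache on the flash device that Scot proposes (this is not code from the thread): a Go program that seals a site-to-password map under a passphrase-derived key and fails closed on a wrong passphrase or a tampered file. PBKDF2-HMAC-SHA256 and AES-256-GCM are my choice of primitives, not anything the thread specifies; the header string and the sample entries are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Store layout on the stick: magic (9) || salt (16) || GCM nonce (12) || ciphertext+tag.
var magic = []byte("KEYFOBPW1")                // header string constructed for this example
const hdrLen, kdfIters = 9 + 16 + 12, 100000 // header size; iterations slow offline guessing

// pbkdf2SHA256 is PBKDF2 (RFC 2898) with HMAC-SHA256 for a single 32-byte block.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// newAEAD turns the passphrase into an AES-256-GCM instance for this salt.
func newAEAD(passphrase string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIters)) // 32-byte key never errors
	aead, _ := cipher.NewGCM(block)                                              // AES block never errors
	return aead
}

// Seal encrypts the site->password map; the magic header is bound in as additional data.
func Seal(passphrase string, entries map[string]string) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	hdr := append(append([]byte{}, magic...), make([]byte, hdrLen-len(magic))...)
	if _, err := rand.Read(hdr[len(magic):]); err != nil { // fresh salt and nonce each time
		return nil, err
	}
	salt, nonce := hdr[len(magic):len(magic)+16], hdr[len(magic)+16:]
	return newAEAD(passphrase, salt).Seal(hdr, nonce, plain, magic), nil
}

// Open unlocks a store; a wrong passphrase or any tampering fails closed.
func Open(passphrase string, blob []byte) (map[string]string, error) {
	if len(blob) < hdrLen || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a keyfob password store")
	}
	salt, nonce := blob[len(magic):len(magic)+16], blob[len(magic)+16:hdrLen]
	plain, err := newAEAD(passphrase, salt).Open(nil, nonce, blob[hdrLen:], magic)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered store")
	}
	var entries map[string]string
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	blob, _ := Seal("correct horse", map[string]string{"mail.example": "hunter2"}) // constructed sample
	got, err := Open("correct horse", blob)
	fmt.Println(got, err)
}
```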
On Wed, 2004-10-13 at 20:58, Scot L. Harris wrote:
> On Wed, 2004-10-13 at 20:06, Brian Fahrlander wrote:
> Security-wise it is always a bad idea to write down passwords or passphrases. The reality is that almost everyone does just that. :)
Oh, to be sure! But if they're GONNA do it due to human nature, it's better to have them do it off site...
> Actually there are several different two-factor authentication schemes out there. The idea of authenticating someone based on something they have and something they know is pretty much the standard for really secure systems.
> And I think that may be the issue with widespread adoption of such a system. Most people feel that a password provides enough security for their purposes. And from past experience dealing with users, if you make a system too complex they won't use it. This includes issues with recovering from that catastrophic failure or lost passphrase.
Well, that may not be a problem. The way I see it, the initial (beta) would take place amongst the people who care about it the most, then as time goes on we point'em to a howto and let'em enter things into a form. Then, it becomes a convenience feature that people might actually adopt, especially since carrying a fob like this is, in some places, considered to be a status symbol. "Sure, you've got one...but does it _do_ anything for you?"
> Personally I think a proof of concept would be the first thing. Once you have that then you can sort out the silly stuff like names and such. :)
OK, is this formal: is there a section on the RFC library sites for this kinda thing? Are we talking about a working model, or a very rough draft?
> Don't forget that you need to encrypt any thing you want to send like that. Probably you will want to consider using some kind of public key setup so that you never pass the real password info over the network.
Well, the indication that a fob is available for authentication could be "**KEYFOB**" in the browser line, then the server would switch to TLS/SSL/etc and interrogate it, if it supports it.
> Like I said before, getting widespread adoption of something like this will be a problem. It will appeal to a select group at best. Take a look at SELinux over the next year. If/when that is enabled by default I suspect you will see the most common question on the list is how to disable it.
:) I've been waiting secretly for that day, knowing it'll be a LONG day for newbies.
> I do have one idea that many people may find useful. Using your idea of a USB flash memory, figure out how to store your web browser's cache of passwords on the flash memory. Then no matter what machine you use, you plug in the flash and your browser has all the passwords for all the sites you visit. Would need to modify the browser to look for the cache information on the flash memory. Once you get the proof of concept working then you need to add heavy duty encryption to the flash device and a method to unlock it for use by the web browser.
Yeah, that would also be a way to get it off the machine and make them portable, too. Is there a standard amongst Mozilla variants? Galeon, Epiphany, Firefox all using the same password file?
On Thu, 2004-10-14 at 07:26, Brian Fahrlander wrote:
>> I do have one idea that many people may find useful. Using your idea of a USB flash memory, figure out how to store your web browser's cache of passwords on the flash memory. Then no matter what machine you use, you plug in the flash and your browser has all the passwords for all the sites you visit. Would need to modify the browser to look for the cache information on the flash memory. Once you get the proof of concept working then you need to add heavy duty encryption to the flash device and a method to unlock it for use by the web browser.
> Yeah, that would also be a way to get it off the machine and make them portable, too. Is there a standard amongst Mozilla variants? Galeon, Epiphany, Firefox all using the same password file?
I don't know the answer to that question. My guess is that they don't use the same files or scheme for storing that info. Would make it too easy if they did. :)
On Thu, Oct 14, 2004 at 06:26:20AM -0500, Brian Fahrlander wrote:
> On Wed, 2004-10-13 at 20:58, Scot L. Harris wrote:
>> On Wed, 2004-10-13 at 20:06, Brian Fahrlander wrote:
>> Security-wise it is always a bad idea to write down passwords or passphrases. The reality is that almost everyone does just that. :)
> Oh, to be sure! But if they're GONNA do it due to human nature, it's better to have them do it off site...
The issue is not writing down the passphrases but "key management". I predict that there is a potential for the single largest cause of lost data in the next ten years to be lost keys to encrypted data.
Good biometric hooks to encryption break if the employee is in jail, dead, skips town, changes jobs, ... loses a 'bio' part.
If you are a manager and walk an employee out, expect a hefty fee to recover data not unlocked in the exit interview process ;-)
It is not silly to have a locked firesafe with keys written down for many.
On Thu, 2004-10-14 at 13:25, Nifty Hat Mitch wrote:
> On Thu, Oct 14, 2004 at 06:26:20AM -0500, Brian Fahrlander wrote:
>> On Wed, 2004-10-13 at 20:58, Scot L. Harris wrote:
>>> On Wed, 2004-10-13 at 20:06, Brian Fahrlander wrote:
>>> Security-wise it is always a bad idea to write down passwords or passphrases. The reality is that almost everyone does just that. :)
>> Oh, to be sure! But if they're GONNA do it due to human nature, it's better to have them do it off site...
> The issue is not writing down the passphrases but "key management". I predict that there is a potential for the single largest cause of lost data in the next ten years to be lost keys to encrypted data.
> Good biometric hooks to encryption break if the employee is in jail, dead, skips town, changes jobs, ... loses a 'bio' part.
> If you are a manager and walk an employee out, expect a hefty fee to recover data not unlocked in the exit interview process ;-)
> It is not silly to have a locked firesafe with keys written down for many.
I think we were talking about regular users that stick Post-it notes under their keyboards (or on the face of the monitor) with their passwords on them.
In a production environment I kept a log book with passwords for all systems. That book was kept in a lock box inside a limited access room (actually the telco room). Very few people had access to the room and even fewer had keys to the lock box.
But a good point. And one I tried to make earlier is when a device that contains all your keys is lost or destroyed there needs to be some process in place to replicate or replace it. And as you pointed out, if people are going to start encrypting data all over, a loss of the keys is going to result in lost data. How much do you think the NSA would charge to break the encryption on a company's books or source code for their products? :)
On Thu, Oct 14, 2004 at 13:56:32 -0400, "Scot L. Harris" webid@cfl.rr.com wrote:
> I think we were talking about regular users that stick Post-it notes under their keyboards (or on the face of the monitor) with their passwords on them.
Even in this it isn't necessarily a bad procedure. It depends on what your threats are. It may very well be that the people who can get a look at your Post-it note passwords are the same people that have unmonitored physical access to your computer. In that case the Post-it note only makes it slightly easier to steal your passwords. If the people with such access aren't the people you are worried about, then this might be a reasonable tradeoff for convenience. (However, I think if you really want to write passwords down, a wallet is a better place for most people to keep them than stuck to a monitor.)
On Fri, 2004-10-15 at 12:01, Bruno Wolff III wrote:
> On Thu, Oct 14, 2004 at 13:56:32 -0400, "Scot L. Harris" webid@cfl.rr.com wrote:
>> I think we were talking about regular users that stick Post-it notes under their keyboards (or on the face of the monitor) with their passwords on them.
> Even in this it isn't necessarily a bad procedure. It depends on what your threats are. It may very well be that the people who can get a look at your Post-it note passwords are the same people that have unmonitored physical access to your computer. In that case the Post-it note only makes it slightly easier to steal your passwords. If the people with such access aren't the people you are worried about, then this might be a reasonable tradeoff for convenience. (However, I think if you really want to write passwords down, a wallet is a better place for most people to keep them than stuck to a monitor.)
Locks are there to keep honest people honest.
Leaving your password posted on your monitor (or around your desk) is the same as leaving the key to your home hanging on a string on the front door. A really bad idea.
The main problem with this kind of behavior is in an office environment where you don't know who is going to take advantage of easy access to a system given a password. They may not have the skill set (few probably would) to break the passwords on a system even given physical access. But to advertise your password in plain view is inviting someone to take advantage of it. So in general I feel it is a bad procedure under any circumstance, since it puts the person whose password is compromised in jeopardy as well as placing all those on the network in jeopardy. Being a good net citizen means protecting your systems to prevent them from being used as a springboard for an attack on other systems.
Even in a home environment you don't know if your child's friends may be over and happen to see your password then use it later that night for who knows what.
IMHO, it is never a good idea to leave your passwords exposed like that.
But you are right in that each person has to assess the risk they are willing to take. There was some discussion a while back on this list where someone wanted to have no password on their system. Their choice.
On Wednesday 13 October 2004 20:36, Brian Fahrlander wrote:
> Keyfobs. These little USB droplets of cyberspace. How about we, as one of the largest collections of Linux people out there, standardize some software to fit into PAM to do this:
> 1. Upon insertion, ask for the passphrase à la local-agent.
> 2. When validated, use these credentials for everything.
> Sounds like a simple idea, but for some reason the powers that be can't seem to 'get off the pot' and placate hundreds of vendors to define a standard. Standards are what we're about. Let's make our own.
As a starting point, you might want to look at pam_usb, "a PAM module that enables authentication using a USB storage device through DSA private/public keys."
http://freshmeat.net/projects/pam_usb/
HTH
Jude
On Wed, 2004-10-13 at 22:46, Jude wrote:
> As a starting point, you might want to look at pam_usb, "a PAM module that enables authentication using a USB storage device through DSA private/public keys."
Ooh! That sounds like a hot tip. Thanks so much!
On Thu, 14 Oct 2004 04:46:43 +0100, Jude fedora@wastedtimes.net wrote:
> On Wednesday 13 October 2004 20:36, Brian Fahrlander wrote:
>> Keyfobs. These little USB droplets of cyberspace. How about we, as one of the largest collections of Linux people out there, standardize some software to fit into PAM to do this:
>> 1. Upon insertion, ask for the passphrase à la local-agent.
>> 2. When validated, use these credentials for everything.
>> Sounds like a simple idea, but for some reason the powers that be can't seem to 'get off the pot' and placate hundreds of vendors to define a standard. Standards are what we're about. Let's make our own.
> As a starting point, you might want to look at pam_usb, "a PAM module that enables authentication using a USB storage device through DSA private/public keys."
Sorry to be late on this thread, but I'm interested in using pam_usb with FC 2 and 3 and was wondering if anyone has it working? The Quickstart documentation seems pretty straightforward, but I'm a little reluctant to try it as I've never done anything with PAM before.
Can anyone offer any advice on using pam_usb?
Thanks, Kevin
Brian Fahrlander wrote:
> Keyfobs. These little USB droplets of cyberspace. How about we, as one of the largest collections of Linux people out there, standardize some software to fit into PAM to do this:
> 1. Upon insertion, ask for the passphrase à la local-agent.
> 2. When validated, use these credentials for everything.
So you'd have some kind of identification on the USB memory, and if the passphrase you type matches that identification, you're logged in. And you'd use this on all the computers you use?
What if you don't fully trust one of these computers? Maybe you're a user on a big campus, and you don't know who the administrators are. You don't even know how many people have root access. If just one of them isn't completely honest, they could install a piece of software that copies your ID from the keyfob and sniffs your passphrase as you type it. Then they can pose as you everywhere.
Or maybe the administrators at work don't trust the security of your home computer. Maybe they're worried that someone might break into your home computer and thereby gain access to the corporate network.
What do you do to solve these problems? You start using a different ID at every site. And then you're back to the same situation, with more and more passwords to remember. See, your scheme isn't really any different from just using the same password everywhere.
What we need is a way to identify yourself to a computer without at the same time giving the computer the ability to pose as you. This requires a "personal identity gadget" with its own processor and a way to interact directly with you.
Björn Persson
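As an added example (not code from the thread) of the challenge-response that Björn's "personal identity gadget" and Scot's public-key suggestion point at: the fob holds an Ed25519 private key and only ever emits signatures, the host relays a server nonce and the signature, and the server binds its own name into the signed message and consumes each nonce, so a host that records the exchange cannot replay it here or present it elsewhere. Ed25519, the purpose tag, the seed and the server names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fob models the "personal identity gadget": the private key lives here and
// never leaves; the host computer only ever relays challenges and signatures.
type Fob struct{ priv ed25519.PrivateKey }

// NewFob derives the key from a 32-byte seed that stays inside the device.
func NewFob(seed []byte) *Fob { return &Fob{priv: ed25519.NewKeyFromSeed(seed)} }

// PublicKey is the only thing the user registers with each server.
func (f *Fob) PublicKey() ed25519.PublicKey { return f.priv.Public().(ed25519.PublicKey) }

// Sign answers a challenge. The server name is bound into the signed message,
// so a signature obtained at one site is useless at any other site.
func (f *Fob) Sign(server string, nonce []byte) []byte {
	return ed25519.Sign(f.priv, authMessage(server, nonce))
}

// authMessage hashes purpose tag || server || 0x00 || nonce (tag constructed here).
func authMessage(server string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("keyfob-login-v1\x00"))
	h.Write([]byte(server))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Server stores registered public keys and one outstanding nonce per user.
type Server struct {
	name    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 256-bit nonce; every login attempt gets a new one.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the registered key and consumes the
// nonce, so a response recorded by a hostile host cannot be replayed later.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, known := s.users[user]
	expected, outstanding := s.pending[user]
	if !known || !outstanding || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, authMessage(s.name, nonce), sig)
}

func main() {
	fob := NewFob(bytes.Repeat([]byte{7}, 32)) // constructed seed; a real fob generates its own
	work := NewServer("work.example")          // constructed server name
	work.Register("brian", fob.PublicKey())
	nonce, _ := work.Challenge("brian")
	sig := fob.Sign(work.name, nonce) // the host forwards nonce and sig, nothing more
	fmt.Println("login:", work.Verify("brian", nonce, sig), "replay:", work.Verify("brian", nonce, sig))
}
```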
On Thu, 2004-10-14 at 11:43, Björn Persson wrote:
[Sorry for the delay; I work third shift (2200-0600 local time)]
> So you'd have some kind of identification on the USB memory, and if the passphrase you type matches that identification, you're logged in. And you'd use this on all the computers you use?
Well, whatever it is keeping them from doing it now, I suppose. We'd have to exchange key data in a hash format a'la SSH; I'm sure there's a way to keep it from being easy to sniff/steal. If not, SSL/SSH/etc would have been routinely hacked on a widespread basis a long time ago, no?
> What if you don't fully trust one of these computers? Maybe you're a user on a big campus, and you don't know who the administrators are. You don't even know how many people have root access. If just one of them isn't completely honest, they could install a piece of software that copies your ID from the keyfob and sniffs your passphrase as you type it. Then they can pose as you everywhere.
Well, I understand the concern; but if anyone can work this out, we can....we don't have to beg and borrow from people holding patents, etc. Aye?