A (not) new security idea

Scot L. Harris webid at cfl.rr.com
Wed Oct 13 23:22:48 UTC 2004


On Wed, 2004-10-13 at 15:36, Brian Fahrlander wrote:
>     I've heard a lot about biometrics, but the durned things cost over
> $100 (consumer grade) and only seem to work for legacy software.  The
> cost isn't such a big deal, but the software sure is.
> 
>     But in the bigger picture, biometrics isn't enough.  I know there'll
> be a couple of cocky jerks who'll tell you (and me) at great lengths how
> stupid the idea is, mostly because they've not looked down the road as
> far as I have.  Remember the GPG keys on repos and how that wasn't
> suitable?  :)
> 
>     Keyfobs.  These little USB droplets of cyberspace.  How about we, as
> one of the largest collections of Linux people out there, standardize
> some software to fit into PAM to do this:
> 
>     1. Upon insertion, ask for the passphrase a'la local-agent.
> 
>     2. When validated, use these credentials for everything.

Sounds like you want something like Sun has with their Sunray systems.
You walk up to one and plug in your badge (which has a chip on it) and
the first time you log in.  When you are done you just pull your badge.
You can then walk up to a different Sunray and insert your badge and the
same environment shows up on the display.

Not quite what you described but close.  The trick with what you want is
getting a driver that sits and monitors the usb port looking for some
kind of token on the flash.  When it sees the token then you can
probably use one of those agent programs to authenticate a pgp key.
After that any systems you use pgp with would let you access it with no
problem.

The big issue (you knew there was one!) is you need some process in
place to recover when either your fob catastrophically fails or is
lost.  It also must be secure enough that if it is lost no one else
could use it.  Which brings you back to using a highly secure password
or pass phrase and encryption that would take the NSA at least a week to
crack.  :)

You are correct in that virtually everyone at one time or another uses
insecure passwords or uses the same password across a large number of
systems.  

The best system I have seen uses a token card.  I have used two forms of
token cards, the first generated a new pass token every minute.  The RSA
server on the company LAN is synchronized so that when you enter your
user id, token, and pin number it would authenticate you.  The other
token card actually had a keypad on it which you put your pin number
into and then it generates a token that you use for the password.  

Both of these were used to establish VPN access but could also be used
for authentication to servers with the right PAM modules.  

So a lot of what you want is already out there.  The bigger issue is
getting all the different systems you want to use this with to use the
new scheme.


-- 
Scot L. Harris
webid at cfl.rr.com

My pants just went to high school in the Carlsbad Caverns!!! 
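Added example (not part of the post above, and not code from any RSA or
PAM product): a small model of the time-synchronized token card Scot
describes, where the card shows a new pass token every minute and the
server, sharing the same secret and clock, checks user id, PIN and token.
The token construction is the HOTP scheme from RFC 4226 applied to a
one-minute time counter; the shared secret, the user "alice", her PIN and
the one-step drift window are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the card and the server; a real
# deployment provisions a random per-card secret.
SHARED_SECRET = b"example-shared-secret-for-token-demo"
STEP_SECONDS = 60   # the post's card rolls its token once a minute
TOKEN_DIGITS = 6


def token_for_counter(secret: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Map wall-clock seconds onto the card's one-minute counter."""
    return int(now // step)


def card_display(secret: bytes, now: float) -> str:
    """What the card shows on its LCD at time `now`."""
    return token_for_counter(secret, time_counter(now))


class TokenServer:
    """The LAN-side authentication server the post refers to."""

    def __init__(self, users: dict, window: int = 1, step: int = STEP_SECONDS):
        # users maps user id -> (shared secret, PIN); constructed for the demo
        self.users = users
        self.window = window      # how many steps of clock drift to tolerate
        self.step = step
        self.last_counter = {}    # highest counter already accepted per user

    def authenticate(self, user_id: str, pin: str, token: str, now: float) -> bool:
        record = self.users.get(user_id)
        if record is None:
            return False
        secret, expected_pin = record
        # Constant-time comparison so PIN checking does not leak by timing.
        if not hmac.compare_digest(pin, expected_pin):
            return False
        center = time_counter(now, self.step)
        for delta in range(-self.window, self.window + 1):
            counter = center + delta
            # A counter at or below the last accepted one is a replay of a
            # token someone may have watched being typed; refuse it.
            if counter <= self.last_counter.get(user_id, -1):
                continue
            if hmac.compare_digest(token_for_counter(secret, counter), token):
                self.last_counter[user_id] = counter
                return True
        return False


if __name__ == "__main__":
    now = 1_000_000 * STEP_SECONDS + 17          # constructed timestamp
    server = TokenServer({"alice": (SHARED_SECRET, "4321")})
    shown = card_display(SHARED_SECRET, now)
    print("card shows:", shown)
    print("login:", server.authenticate("alice", "4321", shown, now))
    print("replay:", server.authenticate("alice", "4321", shown, now))
```

The two checks worth noticing are the drift window, which is what keeps
a slightly fast or slow card working with the server, and the
last-accepted-counter record, which stops a token from being reused
inside that window.  Losing the card only costs an attacker the token
half of the credential; the PIN still has to be known, which is the
"something you know" part Scot is getting at.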