A (not) new security idea

Brian Fahrlander brian at fahrlander.net
Thu Oct 14 00:06:15 UTC 2004


On Wed, 2004-10-13 at 18:22, Scot L. Harris wrote:

> Sounds like you want something like Sun has with their Sunray systems. 
> You walk up to one and plug in your badge (which has a chip on it) and
> the first time you login.  When you are done you just pull your badge. 
> You can then walk up to a different Sunray and insert your badge and the
> same environment shows up on the display.  

    Yep. With one exception: Sun's gonna want to license that technology
to use it...but the idea _is_ very close.  We own the code...we can do
something like it.

> The big issue (you knew there was one!) is you need some process in
> place to recover when either your fob catastrophically fails or is
> lost.  It also must be secure enough that if it is lost that no one else
> could use it.  Which brings you back to using a highly secure password
> or pass phrase and encryption that would take the NSA at least a week to
> crack.  :)

    Yeah, but with a fob, they might write down the passphrase at home,
making it difficult to steal at work.  Even this provides an amount of
security not offered with current systems.

> So a lot of what you want is already out there.  The bigger issue is
> getting all the different systems you want to use this with to use the
> new scheme.

    Yeah, all the parts are there.  There's a daemon that'll watch and
take-actions based on USB insertions.  It shouldn't be a big deal. It's
not like we're inventing the wheel from scratch.

    And that's why I posted this here, not on Fedora-devel. I'm
interested in mobilizing a desire for the system, not interrupting a
bunch of guys working on other things to tackle another project. (Isn't
it amazing?  No one griped about that...)

    I've watched a lot of projects spring to life; the only thing
different about this one is that the parts are there, we just need to
glue'em together.  I think what we need most is a catchy name, then a
press release, and eventually some programmers.  :>  At least, that's
the way things like Samba, Sendmail, and Apache seemed to have come
about.  (J/K!)

    On the web-side, we could introduce something in the browser strings
that it normally sends the server.  Just add a key.  IIS and company can
barf on it, but if a browser is sending that key, it's because a fob has
been authenticated, and if a matching key is found, that user gets
logged in.

    This whole idea is made up of little things like that, which don't
appear to be a big deal.  I think the hardest thing is for Linux
programmers and well-wishers to be creative; to not wait for everyone in
the UN to sign on to the plan.

    Make this system, bang out the initial problems, and make it part of
the distro, and you'll see people everywhere picking it up.  Even the
legacy people.

    What can I do to help?

-- 
------------------------------------------------------------------------
Brian Fahrländer                  Christian, Conservative, and Technomad
Evansville, IN                                 http://www.fahrlander.net
ICQ 5119262
AIM: WheelDweller
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20041013/3491065e/attachment-0001.sig>


More information about the fedora-list mailing list