<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: Re: Additional security for laptops...
From: Damion Wilson <dwilson,AT,ibl,DOT,bm>
Date: Fri, 17 Jan 2003 21:19:07 +0100
In-reply-to: <CJELIEBEFNCJAOMOOMNNIEBOCKAA.les@futuresource.com>

They can, and it's not a bad idea. The javaring approach uses an embedded 
microprocessor (running Java) which can run any code you like.

However, whenever you use a password, it requires a stored representation of 
the password to compare against such as the crypt()'ed passwd field of the 
/etc/passwd file. This representation provides an opportunity to 'crack' the 
mechanism if it can be obtained. One way hash functions help a lot but 
physically preventing keys from being obtained, hashed or not, is a better 
approach. Encrypting the key using the password directly requires that the 
password be a large and unique enough value to prevent easy cracking. Using 
the password as an accessor to a larger decryption key (PGP approach) still 
leaves the problem  that the means to decrypt and the decryption key are in 
the same place. It's almost like hiding the house keys in the rain gutter 
when you go out. It's much better to take the keys with you (randomising 
their location with respect to the house).

In short, removing the key from the computer gives you the best opportunity 
to 
prevent both the facilitator (computer) and the accessor (static key) from 
being obtained at the same time and, IMHO, that's stronger security than 
reliance on passwords.

Bruce Schneier's writings explain these things far better than I ever could.

DKW 

On Friday 17 January 2003 02:41 pm, you wrote:
> > From: Damion Wilson
> >
> > Instead of all that, why not put the key on a USB solid state disk ($20)
> > or use something like a JavaRing ? Why not put the whole CIPE config on
> > the thing ? Run ciped-cb from inittab and it'll keep dying until the key
> > becomes accessible.
>
> Do those have a mechanism for getting a password from the
> user?  Someone stealing the laptop might get it with the
> device connected.
>
> ---
>   Les Mikesell
>    les,AT,futuresource,DOT,com





<< | Thread Index | >> ]    [ << | Date Index | >> ]