|Subject:||Re: Additional security for laptops...|
|From:||Eric Hopper <hopper,AT,omnifarious,DOT,org>|
|Date:||Fri, 17 Jan 2003 22:24:51 +0100|
On Fri, 2003-01-17 at 14:07, Damion Wilson wrote:
> In short, removing the key from the computer gives you the best opportunity to
> prevent both the facilitator (computer) and the accessor (static key) from
> being obtained at the same time and, IMHO, that's stronger security than
> reliance on passwords.

It depends on your purpose. If the information on your laptop is intrinsically valuable, making sure that an attacker cannot run a password guessing attack in the privacy of their own laboratory is good. If the information is CIPE keys, or some such, then it doesn't matter so much.

The real goal of encrypting CIPE keys using a password is to prevent an attacker from gaining privileged access to your network. Presumably, if the person on the road's laptop is stolen, they will report it fairly quickly. If they're also kidnapped (or worse), you will lose contact with them, and presume the laptop is stolen. Then, you can arrange it so none of the information on the laptop will give privileged access to your network. This means that the laptop's keys only have to resist attack for a few days. A decent password is fine for this.

If the information on the laptop is intrinsically valuable, then you have a somewhat different situation. Then, you need a strong secret protecting that information, one that cannot be guessed until the information is no longer valuable.

One way of accomplishing this that doesn't require any special device of any kind is to arrange it so that the strong secret can only be gotten by first gaining privileged access to your network. You store the key protecting the filesystem with the sensitive data on a server on your network that can only be gotten to through the VPN. You can even make this server require another password before it will give up the strong secret. This requires no special device, and is of comparable security.

Another way is to have an external device that normally is not left connected to the computer to have the strong secret on it. This could be enforced by having the computer refuse to respond to user input as long as the device was connected. Or, you could have the device spit out the strong secret as a long hex string the person had to type on the keyboard.

In order for the external device to work well, it should internally protect the strong secret with a weak secret, like a password. It should be highly resistant to physical attack (tampering). And, it should scramble the strong secret after a certain largish number (say 30) wrong guesses of the weak secret.

Have fun (if at all possible),
--
Eric Hopper <hopper,AT,omnifarious,DOT,org>
Omnifarious Software
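
A software model of the external device described in the message above, added here as an illustration and not part of the original post: a strong secret wrapped under a password, released as a hex string, and scrambled after 30 wrong guesses. The class name, the PBKDF2 work factor, the XOR pad (a stand-in for a real cipher) and the counter reset on a correct guess are assumptions.

```python
import hashlib
import hmac
import os

MAX_WRONG_GUESSES = 30  # the "say 30" limit from the message


class SecretToken:
    """Model of the external device: a strong secret wrapped by a weak one."""

    def __init__(self, password, strong_secret, rounds=200_000):
        self._salt = os.urandom(16)
        self._rounds = rounds  # assumed PBKDF2 work factor
        pad, mac_key = self._derive(password, len(strong_secret))
        # XOR with a password-derived pad stands in for a real cipher here.
        self._wrapped = bytes(a ^ b for a, b in zip(strong_secret, pad))
        self._tag = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()
        self._wrong = 0
        self.scrambled = False

    def _derive(self, password, n):
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                  self._rounds, dklen=n + 32)
        return okm[:n], okm[n:]

    def unlock(self, password):
        """Return the strong secret as a hex string to type in, or raise."""
        if self.scrambled:
            raise PermissionError("strong secret has been scrambled")
        pad, mac_key = self._derive(password, len(self._wrapped))
        tag = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            self._wrong += 1
            if self._wrong >= MAX_WRONG_GUESSES:
                # Overwrite the wrapped secret so no later guess can recover it.
                self._wrapped = os.urandom(len(self._wrapped))
                self._tag = os.urandom(32)
                self.scrambled = True
            raise ValueError("wrong password")
        self._wrong = 0  # assumption: a correct guess resets the counter
        return bytes(a ^ b for a, b in zip(self._wrapped, pad)).hex()


if __name__ == "__main__":
    token = SecretToken("weak secret", os.urandom(32))  # constructed sample
    print(token.unlock("weak secret"))
```

The guess limit only holds if the counter and the wrapped secret cannot be read out of the device, which is why the message asks for tamper resistance.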