Subject: Re: Additional security for laptops...
From: Eric Hopper <hopper,AT,omnifarious,DOT,org>
Date: Fri, 17 Jan 2003 22:24:51 +0100
In-reply-to: <CJELIEBEFNCJAOMOOMNNIEBOCKAA.les@futuresource.com>

On Fri, 2003-01-17 at 14:07, Damion Wilson wrote: 
> In short, removing the key from the computer gives you the best opportunity
> to prevent both the facilitator (computer) and the accessor (static key) from
> being obtained at the same time and, IMHO, that's stronger security than
> reliance on passwords.

It depends on your purpose.  If the information on your laptop is
intrinsically valuable, making sure that an attacker cannot run a
password guessing attack in the privacy of their own laboratory is good.

If the information is CIPE keys, or some such, then it doesn't matter so
much.  The real goal of encrypting CIPE keys using a password is to
prevent an attacker from gaining privileged access to your network.

Presumably, if the person on the road's laptop is stolen, they will
report it fairly quickly.  If they're also kidnapped (or worse), you
will lose contact with them, and presume the laptop is stolen.  Then,
you can arrange it so none of the information on the laptop will give
privileged access to your network.  This means that the laptop's keys
only have to resist attack for a few days.  A decent password is fine
for this.

If the information on the laptop is intrinsically valuable, then you
have a somewhat different situation.  Then, you need a strong secret
protecting that information, one that cannot be guessed until the
information is no longer valuable.

One way of accomplishing this that doesn't require any special device of
any kind is to arrange it so that the strong secret can only be gotten
by first gaining privileged access to your network.  You store the key
protecting the filesystem with the sensitive data on a server on your
network that can only be gotten to through the VPN.  You can even make
this server require another password before it will give up the
strong secret.  This requires no special device, and is of comparable
security.

Another way is to have an external device that normally is not left
connected to the computer to have the strong secret on it.  This could
be enforced by having the computer refuse to respond to user input as
long as the device was connected.  Or, you could have the device spit
out the strong secret as a long hex string the person had to type on the
keyboard.

In order for the external device to work well, it should internally
protect the strong secret with a weak secret, like a password.  It
should be highly resistant to physical attack (tampering).  And, it
should scramble the strong secret after a certain largish number (say
30) of wrong guesses of the weak secret.

Have fun (if at all possible),
-- 
Eric Hopper <hopper,AT,omnifarious,DOT,org>
Omnifarious Software
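
Added example, not part of the original message: a Python model of the external device described in the last paragraph, which guards a strong secret with a weak password and scrambles the secret after 30 wrong guesses. The names `Token` and `run_guesses`, the PBKDF2 password check, and resetting the counter on a correct password are assumptions made for illustration; physical tamper resistance is not modeled.

```python
import hashlib
import hmac
import os

MAX_WRONG = 30  # the "say 30" threshold from the message


class Token:
    """Software model of the external device (hypothetical API)."""

    def __init__(self, password: str, strong_secret: bytes):
        self._salt = os.urandom(16)
        self._verifier = self._kdf(password)
        self._secret = bytearray(strong_secret)
        self._wrong = 0
        self.scrambled = False

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def unlock(self, password: str):
        """Return the strong secret, or None on a wrong guess or once scrambled."""
        if self.scrambled:
            return None
        if hmac.compare_digest(self._kdf(password), self._verifier):
            self._wrong = 0  # assumption: only consecutive misses are counted
            return bytes(self._secret)
        self._wrong += 1
        if self._wrong >= MAX_WRONG:
            # Overwrite the secret so that no later guess can recover it.
            self._secret[:] = os.urandom(len(self._secret))
            self.scrambled = True
        return None


def run_guesses(token: Token, guesses):
    """Feed guesses in order; return (secret or None, number of guesses used)."""
    used = 0
    for used, guess in enumerate(guesses, 1):
        secret = token.unlock(guess)
        if secret is not None or token.scrambled:
            return secret, used
    return None, used


if __name__ == "__main__":
    # Constructed data: a random 256-bit key behind a weak password.
    token = Token("tr0ub4dor", os.urandom(32))
    print(run_guesses(token, (f"guess{i}" for i in range(1000))))  # (None, 30)
```

The counter only bounds guessing for passwords that are not among the first 30 an attacker would try, so the weak secret still has to clear that bar.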
