Forgot your password?
typodupeerror
Security Hardware Hacking Open Source Build IT

Ask Slashdot: Open Hardware/Software-Based Security Token? 113

Posted by timothy
from the you-could-use-postcards-scanned-by-an-arduino dept.
Qbertino (265505) writes I've been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of question. I've been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there. It'd be best with ready-made server-side scripts/daemons. Perhaps something Arduino or Raspberry Pi based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Open Hardware/Software-Based Security Token?

Comments Filter:
  • yubikey (Score:3, Informative)

    by Anonymous Coward on Tuesday July 29, 2014 @12:00PM (#47558705)

    www.yubico.com ... not quite FOSS but its your ticket....

  • use SMS (Score:4, Informative)

    by rMortyH (40227) on Tuesday July 29, 2014 @12:00PM (#47558707)

    You can set up 2nd factor using SMS pretty easily, and have it text you a second password that's good for five minutes.
    Definitely the cheapest option.

    If you make your own token with an arduino and an LCD and a real time clock and a battery you've already paid for the RSA tokens.

    =Rich

    • I wouldn't say it's the "cheapest" option. If you want to go strictly software, you can use something like BitTorent Sync.

      Before anybody jumps on me: I wrote "something like". No, it's not open source. But using iCloud or Azure are proprietary solutions too!

      I don't "trust" BitTorrent Sync's security. But odds are it's fine for this kind of use. You can also control access to files by simply putting them in different folders, and giving different people access to them, or give out temporary authorizati
      • I use BtSync for syncing a collection of files between my desktop, laptop, and mobile phone. It only syncs on my own network (because that's what I want -- I have ssh if I need into my files remotely).

        In terms of general usefulness, it certainly works well. The security in terms of public facing networks appears to be decent. I don't know.

        I've heard of people using it with a remote instance of ownCloud to provide a simple iCloud-like solution.

      • If you want an open source "something like btsync," check out Syncthing.
    • by jon3k (691256)
      Can you suggest a particular piece of software that you've had luck with? I'd be interested in this.
      • by rMortyH (40227)

        We use custom scripts, that work very well. They're not very complex. We're SMSing through a third-party provider, which is not my first choice, but it is easy to manage.

        This is not, of course, extremely secure, but with all the SMS management credentials kept completely separate, it's pretty good.

        It gives us the 'something you have' and 'something you know' requirements. You need the phone. In a very well planned and determined attack they could probably get past this, but there are other measures in place

  • by bubulubugoth (896803) on Tuesday July 29, 2014 @12:01PM (#47558711) Homepage

    Yubikey is a USB OTP generator, it can be integrated quite easily and it has ssh and a little fast dig up I found this link about yubikey and openvpn..

    http://www.yubico.com/applicat... [yubico.com]
    http://forum.yubico.com/viewto... [yubico.com]

    • The submitter asked:

      "I've been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there"

      Is Yubikey open source software and hardware? Because it appears to be neither.

      RSA was in the NSA's back pocket. Why wouldn't these people? How can their hardware or software be audited?

  • OATH (Score:5, Informative)

    by Roadmaster (96317) <roadmr@tomechang ... m ['nan' in gap]> on Tuesday July 29, 2014 @12:02PM (#47558723) Homepage Journal

    My organization uses 2FA with a standard that's compatible with Google Authenticator and a Yubikey (OATH: http://en.wikipedia.org/wiki/I... [wikipedia.org] and http://www.nongnu.org/oath-too... [nongnu.org]). People with smartphones could use Google Authenticator to obtain auth tokens; an inexpensive ($25 per person) yubikey provides a very easy way to enter tokens without much hassle; and the open-source oathtool can generate tokens for other uses (i.e. add a "paper" authentication device with a long list of sequential tokens).

    • by mlts (1038732)

      I'm using OATH/TKIP as well for my remote access as a backup if I can't SSH in via my private RSA key:

      1: It is brain-deadly easy to implement. I use CentOS, so I can fetch the Google Authenticator code from EPEL.

      2: Many different OTP apps out there. There is Google's. Amazon has one for AWS. There are a number of third party ones. All are interchangeable. At a desktop computer, I just plug the Yubikey in a USB slot, mash the button when the password is asked. Done.

      3: The protocol is decently secur

      • Actually, combine the Yubikey with AuthLite, and you have 2FA for Windows AD environments. I just implemented for a customer; they use the OTP for the username and the normal password for the password. This has two benefits: first, you don't hit the arbitrary 48 character password length limit for things like VPNs (yeah - you can have a 128 character UTF16 password, just don't try to connect remotely) and secondly, there's no customisation of apps required. It Just Works.
  • SSH keys on read only SD Card?

    • by jon3k (691256)
      But if it's readable how does this help anything? It can be read by malware and reused, right?
      • by iluvcapra (782887)

        The certs on the card would be the thing you have, the passkey to decrypt the certs on the card would be the thing you know.

  • A self-selling token...
  • by heypete (60671) <pete@heypete.com> on Tuesday July 29, 2014 @12:10PM (#47558795) Homepage

    For software tokens, Google Authenticator has apps for Android, iOS, and BlackBerry. They implement the TOTP standard, so any compatible code-generating software (such as the J2ME app I have on my non-smartphone) will work with it.

    They also have a PAM module [google.com] that works with SSH (or anything else that uses PAM). I've used it before, and it works great.

    For reference, neither the apps nor the PAM module depend in any way on Google services, they don't send any data to Google, and will work perfectly happily in a totally offline environment (assuming all the servers and client apps have synchronized clocks).

  • A secnod for Yubikeys. We love them. You can load your own key onto them so there is no worries when a third party (like RSA) gets hacked. There are open souce tools to configure them and run authentication servers. Integrated with PAM, and can be used with radius servers. And they are about $25 each, with no expiry date.

  • Google Authenticator is an open source, RSA-soft-token-like system for two-factor authentication. Free applications exist for iPhone, Android, etc to act as your "key fob", and free, open-source PAM and Apache plug-in modules exist to allow you to require the tokens for SSH or web login.

    I'd include links - but there are a lot of them depending on what you want (Linux, PAM, Apache, Andoird, iOS, etc) - So, "Just Google it!"

  • FreeOTP and/or Google Authenticator may be exactly what you want from the client side.

    I made a server-side implemention to get started with a little while ago:

    https://github.com/adsllc/PHPO... [github.com]

  • by ledow (319597)

    I'd like something like this for a mixed Windows/Mac/Linux network but the costs are just prohibitive.

    Yubikeys are $25 each for the hardware, and $45 PER USER. That's just ridiculous when you scale up, and there's an awful lot of manually faffing about to get to the point that it works.

    To be honest, in my scenario (primary/secondary schools), I'm not looking for 2-factor as much as "I don't have to remember my password" login. If someone has the key, they have access (but only to another pupils account, w

    • by heypete (60671)

      I'd like something like this for a mixed Windows/Mac/Linux network but the costs are just prohibitive.

      Yubikeys are $25 each for the hardware, and $45 PER USER. That's just ridiculous when you scale up, and there's an awful lot of manually faffing about to get to the point that it works.

      Wait, what? Where do you get the $45 per user cost? I don't see that anywhere on their website.

      The "YubiCloud" (where Yubico hosts the authenticator servers) has two modes: free and premium. The free service is open to everyone, even commercial users. The premium service offers an SLA and monthly usage statistics, and costs $3/YubiKey/year (1000-unit minimum).

      You can also host your own local YubiKey authentication servers and keep things entirely in-house. Yubico has reference implementations for free on th

  • by carlhaagen (1021273) on Tuesday July 29, 2014 @12:28PM (#47558965)
  • by dremspider (562073) on Tuesday July 29, 2014 @12:36PM (#47559037)
    I have had a smart card setup for a little while. I use it for both OpenVPN and SSH access. I created the card by making my own CA and then using OpenSC to write to the card itself. There are some other cool things you can do like us it for PGP signing. I got a whole kit for about $100 bucks that came with a reader/writer, 2 cards and one USB thing. https://www.opensc-project.org... [opensc-project.org]
    • I am using ePass2003 and cryptoStick. They work ok, but they are a bit slow.

      When I run: time ssh localhost true

      It takes 1 second with with ePass2003 or cryptoStick. But with a key on disk (and ssh-agent), it takes I wonder if anyone know of a faster USB-token.

  • If you only want a semipublic file share, just stand up a free AWS Linux instance and lock it down to SSH/SFTP. You get a few GB of free cloud storage (I don't actually know the limit, but I have 8 online now and have never paid a dime), and can sleep well knowing that a breach just means standing up a new instance rather than the end of your career.

    You only really need to let people get onto your corporate network if you want to set up "real" remote access such as VPN or, as you mention, one of those cr
  • by jcochran (309950) on Tuesday July 29, 2014 @12:46PM (#47559113)

    It's not a two factor authentication, it's actually a means of generating one time passwords. In a nutshell, you can have a local device calculate the password based upon a challenge sent from the system you wish to log onto, or you can preprint a list of passwords that you can use to log onto the system.
    See http://en.wikipedia.org/wiki/O... [wikipedia.org] for a general description of the method. You ought to be able to find out more using that page as a starting point.

    • I print out a list of 100 passwords, fold it up, and keep it in my wallet. Each time I use one, I cross it out. It is small, flat, easy to carry, and always with me.
      Just don't let your users write the name of the server and their username on it. :)

  • I'm surprised no one has mentioned Mobile-OTP (http://motp.sourceforge.net/). Perhaps it's a bit older, but it's absolutely free assuming your users have a mobile phone. (It doesn't even necessarily have to be a smart phone). We use this to secure our SSH gateways and it's not bad to set up -- it uses PAM.

  • by ramriot (1354111)

    See:- https://www.grc.com/sqrl/sqrl.... [grc.com]

    Using a smartphone as your token, and if that is not secure enough for you, I am for my sins presently building an HSM that will interface over NFC with the smartphone to keep all the cryptography parts and master key outside of the potentially vulnerable computing platform. Further I promise as do many of us working on this project to make everything we can public domain or at the least open licensed.

    Before making comment on this please do read and digest all the refe

  • by decsnake (6658)

    https://www.authy.com/ [authy.com]

    Its the easy button for 2FA

  • RSA did implement their scheme as an iPhone app. If you're willing to consider something that might work as a smart-phone app, think about S/Key. It's supported as a PAM module for the *nixes. (Of course, that assumes you're willing to trust the smart-phone apps.)

    I recall using S/key ages ago (1990s) back in the days of Telnet (before ssh.) Back then, if you didn't have an S/key calculator, you could also use a paper list of one-time passwords. Ever so often, we had to re-seed our s/key (because we li

  • Do you consider the TPM acceptable? I have sort-of-working but woefully incomplete code [google.com] for this. There's also the work-in-progress OpenCryptoChip [cryptech.is].
  • by dissy (172727) on Tuesday July 29, 2014 @03:35PM (#47560533)

    TOTP (time-based one time keys), HOTP (hmac? one time keys), and RFC6238 are todays friendly search terms.

    TOTP is what the traditional RSA tokens use, in which the time is a component of the encryption used so the code generated from the private key changes (usually every 30 or 60 seconds)

    HOTP is the latest in one time pads, where each code generated is good until used but only once.
    It differs from true OTPs in that the data is procedurally generated from a private key instead of all the keys/data being generated in bulk ahead of time. One hopes the private key is smaller than a crap-ton of bulk keys or binary data needed for a true OTP.

    Google Authenticator is one pre-made generic solution, and you don't need to use Google to utilize it.
    The encryption it uses is open and has an RFC, and their own software lets you input the private key via QR code for the user if you wish, and utilize multiple profiles/keys.

    Google released an open source PAM module for all your Linux authentication needs, including SSH.
    I use this myself for access to my home network (ssh + port forwards)

    There are also tons of programs that run the identical encryption methods, lots being open source.
    I've seen them available for every OS commonly used (and then some) plus every smartphone out there.

    I've also recently purchased a Yubico key, which is a hardware version of the RSA token.
    The basic model runs $25 each if you buy single keys, and they can be loaded with up to two profiles using various encryption methods and keys.

    Instead of an LCD display with a rolling code, they are USB devices that show up as USB keyboard HIDs. You plug it in and once the OS has it powered and ready, there is a touch-sensitive "button" you touch and the dongle types in the code valid for that 30 second period.
    It also takes into account how long it needs to type the codes (sha256 with serial can be 158 characters and takes ~3-4 seconds to type in at the default key rate)
    It will always type the key that will be valid at the time its about to hit enter.

    Yubico is RFC6238 compatible, and also can utilize OpenRADIUS which then makes it compatible with pretty much everything.

    A third option, though more for Windows login / Active Directory, and definitely not open source, is EIDVirtual.
    It basically lets you reformat a USB flash drive to contain a 4k private key and special header so along with its smartcard driver extension, the keys show up as smart cards and USB flash (technically you can still store data on the drive if you want)

    The software is very cheap (7 euro if I recall), works flawlessly in AD setups (tested on XP, 7, and 8), and uses any old flash drive with 1mb of storage.
    The downside of course is you don't get any of the fancy (or even required) hardware protection of the private key. I believe it uses the USB drives serial and model/make as part of its formula so blind copying isn't trivial, but the hardware exists to easily fake that info for anyone intent on doing so.
    Not nearly as secure as the other options, but it is at least priced accordingly, and doesn't try to add 2-3 zeros to the pricetag for the "enterprise" label.

  • There are smart cards at affordable price. The biggest problem is to find some that can run without a binary blob driver (would you trust it?).

  • Getting open hardware is not that easy. The only real open hardware I know is the crypto stick. http://shop.crypto-stick.com/e... [crypto-stick.com] Of course you can buy it but all plans are open. But it is relativle expensive. You can use this as a smartcard to do certificate/public-private-Keypair authentication. You could however use the Yubikey. Please note, that the Yubkey Neo (wich is about 50€) can also work as a smartcard. If you want to use one time passwords you can use the standard yubikey (~25€). Yubi
  • If your users are being equipped with 2FA client devices (or apps), an easy way to apply this security to a website is with the mod-authn-otp [google.com] Apache module (disclaimer, I wrote it).
  • Check out LinOTP which works with just about any soft tokens like Google Authenticator and the Red Hat FreeOTP token app. Also works with the awesome Yubikey. I like how the tokens are user managed which drastically eases support.

There is no royal road to geometry. -- Euclid

Working...