Testing Commercial 2-Factor Authentication Systems?

Fry-kun asks: "I recently became interested in setting up a 2-factor authentication system for my laptop. With that in mind, I bought a fairly inexpensive USB key. Although it seems to work, I can't bring myself to trust it completely: Kensington claims that the system is secure, but there is no independent security lab analysis of the product. In other words, for all I know, there may be a gaping hole in their security setup. Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. How would you go about making sure that a security product does what it claims to?"

why...

[MarcoAtWork]

..not just get a usb thumb drive and make it a big truecrypt volume?

RTFQ

[eklitzke]

How does this implement a two-factor security system?

Re:RTFQ

[MarcoAtWork]

having a physical USB token with a TC volume (esp. the kind that stores things in a steganographic way) is in my opinion practically equivalent security-wise to the article's 2-factor authentication if you're smart enough to have your token on your keychain or something (a lot more likely than somebody will steal your laptop than your token IMHO).

In any case if you want to increase the security of what I proposed nothing forbids you from getting TWO usb tokens, create truecrypt volumes on both of them, and then create an overlaid raid-0 striped partition on both of them: in this case an attacker would need to steal BOTH tokens and BOTH passwords to gain access to your files.

Schemes like these make it also very easy to mandatorily have multiple people there to open the files (say, all the directors, etc.). If you do things like RAID-5 you could also make it so that you could still access the information with N-1 USB tokens (in case one is lost).

I do think that these solutions are safer than trusting a random crypto vendor, also this is why I have all my sensitive things (tax returns etc.) strictly on TC volumes.

Re:

[mlts]

You could have one USB token have the Truecrypt keyfile on it, the other the drive with the data on it.

The one with the keyfile can just have the file on the disk, or if its one of the "secure" USB drives (JumpDrive Secure for example,) have it on the protected partition. The drive with the keyfile, you can keep locked up in a safe, only pulling it out to insert and unlock the other drive.

Of course, you have a couple decoy keyfiles on both the open and secure partitions so you can tell an adversary that yo

Re:

[TCM]

having a physical USB token with a TC volume (esp. the kind that stores things in a steganographic way) is in my opinion practically equivalent security-wise to the article's 2-factor authentication if you're smart enough to have your token on your keychain or something (a lot more likely than somebody will steal your laptop than your token IMHO).

No, it's not. Just because you have the data on a portable device and the data is fairly big or obscured, doesn't mean it's 2-factor. You are exposing the comple

Re:

[MarcoAtWork]

No, it's not. Just because you have the data on a portable device and the data is fairly big or obscured, doesn't mean it's 2-factor

create a 1 gig TC file on the HD of your laptop, create a 1 gig TC file on the usb token, make a raid-0 partition that spans both mounted TC volumes: here's your 2-factor, unless you have the laptop, the usb key and the two TC passwords there's no way you could get the stored files.

Re:

[TCM]

Sorry, but that's rubbish. This is just obscurity. The fact that you can get all the data without you knowing makes it 1-factor.

Data has the property that anyone can duplicate it without the owner knowing it was duplicated. You can neither prove that it was not duplicated nor that it was duplicated. A necessary property of 2-factor is having a component that you have to physically own. Data on a USB stick definitely does not meet this criterion.

An important part of 2-factor is that you can prove it's not co

Re:

[MarcoAtWork]

Sorry, but that's rubbish. This is just obscurity. The fact that you can get all the data without you knowing makes it 1-factor.

I think you ought to read up a bit more on what 1-factor, 2-factor, 3-factor etc. mean; from wikipedia for example:

Two-factor authentication (T-FA) (or dual factor authentication) is any authentication protocol that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one authentication fa

Re:

[TCM]

Two-factor authentication (T-FA) (or dual factor authentication) is any authentication protocol that requires two independent ways to establish identity and privileges.

Exactly, keyword being independent. Splitting one factor doesn't mean the thing is suddenly two-factor.

You can't just implement the concept of "something you have" by storing data on an external device instead of the computer, because the data is not bound to the external storage in any way. Something you have means something you must have.

Re:

[MarcoAtWork]

Exactly, keyword being independent. Splitting one factor doesn't mean the thing is suddenly two-factor.

exactly, *one* of the two factors is your disk image (split between the USB token and the computer HD), the *other* factor is the passwords that you need to actually mount those disk images via truecrypt (I wasn't assuming the disk image was in clear! or that it would be useable at all unless you have both pieces (since it's interleaved in raid-0))

I don't think you've really understood what I was proposin

Re:

[wuzzeb]

Rather than using RAID, much better to use ssss. Description here [debian-adm...ration.org]. An easy script can read the key files from each usb key inserted and pass the keys to ssss. The output from ssss can then be redirected into luks or whatever encryption/login system you want.

Re:

[TCM]

That's the same obscurity the parent presented.

All the keys would represent the one secret you know. There is no part in it that you have to own. Hence it's not 2-factor.

Re:

[RMH101]

this post is the perfect example of the type of signal/noise ratio we currently have on slashdot.

Easy

[doroshjt]

Throw away USB key, then try with all your might to get to your files, if you can, you got a crappy product, if you didn't congrats you won.

You don't work for the VA do you?

Mod parent up

[TCM]

Grand-parent's idea is stupid. Unless you're Bruce Schneier, you probably won't be able to judge a security system properly.

Does that mean everyone only needs security that he himself can't break? No, everyone needs security that noone can break.

Re:

[Fry-kun]

The idea with this key is that a backup is stored in a secure place. If you forget the password or lose the key, a backup key can be used to recover the data.
I don't agree with implementation, mind you - the company wants me to store that recovery key with them. I'd much rather store it in a safe deposit box. Maybe that's just me, though...

Re:

[mlts]

What you could do is use PGP and multiple users for its whole disk encryption, the users being keys on separate eTokens. Then, you can put one eToken away in a safe place and use another eToken for daily use for logging in. As a third safety net, you could use diceware, generate a long passphrase, and store that passphrase in a really safe location.

Testing commercial security

[mandelbr0t]

You can't. All security software needs to be OSS for this reason.

That being said, OSS had a 2-factor authentication mechanism available years ago. Encrypt your hard drive, save the key to a USB key and enter a passphrase. You'll need to both insert the USB key and type your passphrase for the root disk to get mounted. That's pretty much the entire system locked down.

This article [debian-adm...ration.org] appears to detail that process.

Re:

[Aladrin]

That's a neat read, and maybe something I'll actually try one day... But isn't using Kubuntu to set up the system to install Debian a bit like using Windows to set up the system to install DOS? I mean like, quite a step backwards? (I'm a huge Kubuntu fan, and Debian before that... But Debian's biggest complaint has always been how far behind it is on adding new stuff.)

Re:

[pasamio]

No Debian's complaint has been that their stable branch is usually rock solid and has few releases. For large scale implementations this is actually a good thing (e.g. I know some people who used to use Red Hat, got scared off by Fedora going "we'll release every six months!" and move to Debian Stable's more long term release cycle) because you don't have to keep doing major system upgrades, you just apply the patches. For those who want to be on the latest and greatest, Debian Testing or Unstable is normal

Re:

[swillden]

But Debian's biggest complaint has always been how far behind it is on adding new stuff.

That's the complaint people make about Debian stable, yes (and it's also the reason that many people love Debian stable). Debian unstable is usually (not always, but usually) quicker to add new stuff than Ubuntu.

But... you can copy the key file?!

[WoTG]

Wasn't the point of the 2nd factor to have a single device "key" that only you would carry? Using a file on a USB key means that anyone could copy the file or even post it on the web. That's hardly comparable to a RSA SecurID.

Re:

[mlts]

With storing a private key on a plain USB flash drive, someone can just borrow the drive for a couple seconds, copy the files or image the drive, put it back, and the drive's owner would not know. Then, all is needed is a successful password guess or success with installing a keylogger on the mark's machine to get full access.

This is why I like smartcards. Even if someone gets the smartcard, copying the private key data off (especially copying it without it being noticed) will require a lot of specialized

Re:

[Fry-kun]

Exactly right. That's why I was looking into these keys in the first place.

Re:

[armb]

> All security software needs to be OSS for this reason.

For serious 2-factor authentication, you're looking at security hardware, not just software. Which, for almost everybody, means trusting the manufacturer, supported by any independent certification that has been done, like NIST's Cryptographic Module Validation Program [nist.gov].

Testing doesn't matter, security is about blame

[Gothmolly]

Corporate security drives innovation in this area. Who else is going to place an order for 10,000 of these units?
Corporate security is more concerned with blame and 'due diligence' than actual security.
Thus, if CompanyX makes a "secure" product, CorporationY will buy it, and deal with a breach by suing CompanyX.

Re:

[Gothmolly]

No, Mr AC, "due dilligence" means ask what Gartner says about the product, then repeat over and over until it becomes fact.

Re:

[Watson Ladd]

And of course the contract won't have a remedy worth a damn. This is why organizations make bad descions:Managers assume incorrectly that blaming someone fixes a problem. Appendix F should be required reading for all MBA's.

Re:

[thsths]

Good point. The warranty says:

> Repair or replacement, as provided under this warranty, is your exclusive remedy. KENSINGTON shall not be liable for any incidental or consequential damages. Implied warranties of merchantability and fitness for a particular purpose on this product are limited in duration to the duration of this warranty.

Translated into plain English this means: we will not even promise that the product does what we say it does, but some evil courts have interpreted this promise to be impl

At CES

[GiovanniZero]

When I was at CES I remember seeing something for this. I'm trying to remember their name. Let's see, they had those hot girls wearing the revealing police uniforms... arg, I don't seem to remember much past that.

Sorry :(

Backdoors and disclosure

[MotorMachineMercenar]

It's made by a US company so you can bet your first-born that there's a backdoor - probably "protected" with a password some idiot would have in their luggage. How many government agencies and People That Are Out To Get You know about this backdoor is anybody's guess. And its full protocol hasn't been disclosed so you can't be sure regardless of how many assurances you get from the company.

Re:

[Aaton]

Jack Bauer or surely Chloe O'Brian would know the backdoor password by heart...

You don't

[Anonymous Coward]

I am posting this as AC because I do this for a living for a large government agency.

You are not sure, which is the problem. I will give a nod to Kensington here, though. They are about to make a lot of money because they are serious about security, unlike a lot of other companies that peddle USB devices (Kangaroo, I am looking your way).

While it is commendable you are looking for two-factor authentication, a USB key is not the way to go here. The goal here is to not be able to break your encryption if you are forced or influenced to give up your password. Any system you can set up yourself will be breakable by you unless you take extreme measures. For the sake of argument, we will assume that there are no extreme measures in place, but your encryption can still be cracked by you.

Your best bet here is to go with full disk encryption. For further security, use truecrypt with a file on a CD or USB device as part of the key, as was referenced above.

For further security, encrypt again.

As you can see, this goes on. The weak point is you. If you can break it, you can be forced to break it.

If you want complete deniability, triple encrypt all of you regular data, then quadruple encrypt your sensitive data somewhere else. Use files, passwords, obfuscation, etc.

You will still be better off than most people. Including the government, according to plenty of stolen laptop press reports.

Re:

[Fry-kun]

Thank you for your advice, but I think you're taking it a tad too far. I'm not encrypting child pornography, I'm encrypting my company's sensitive files. In other words, I don't want deniability, I just don't want to be liable if my laptop is stolen or somesuch.

Security is a vector, not a scalar

[redelm]

Security means different things to different people. Paramount is the threat being defended against. Often, one angle can be secured only at the cost of another. Data destruction [authorized users not being able to decode data] is a frequently overlooked risk.

Two (or more) factor security sounds good, but is designed for independant control of the factors. A USB flashdrive can be cloned and really can't claim independant control.

You can't evaluate it, and it probably sucks

[swillden]

I work as a secure systems designer and consultant, and I've had some opportunities to review the security of commercial systems of various sorts. What I've learned is (1) properly evaluating commercial security tools is nearly impossible and (2) much of it is lousy.

The most effective means I've found of evaluating tools is to have a client sitting on a really huge purchase order, so that the vendor will give me access to key security personnel on their design, development and testing teams in order to make the sale. The people in question won't actually answer my detailed questions, in most cases, but I can still get a feel for how they think, and what they consider important. That actually gives me a pretty good idea of how secure the stuff they build is, though it's not as good as actually doing a detailed analysis of the design and implementation. Ideally, I'd like to talk to their people, do a detailed analysis of their designs, perform a cursory review of their implementation and then really, deeply scrutinize their security design and QA processes.

What I've found when I start pushing to talk to the "security guys" is that in surprisingly many cases there are none! Or there was one, but he left. Or there is one everyone thinks is the security guy, but he's really just a developer with a basic understanding of security principles, no time to really focus on security, and no authority to get any security problems he finds fixed.

Note that this is not always true. I've found some companies that do a really good job, but they're definitely in the minority.

Assuming you can't actually force the vendor to let you talk to their security team, the only thing I can suggest is that you start looking at publicly-available information. Some things to look for are:

1. Do they have any serious, well-regarded security researchers with solid publication histories? If so, then you know that at least someone at the company has a clue. Then if you can determine whether or not the clueful people are allowed anywhere near the product you're interested in, you may learn something useful.
2. How open are they about their product designs, especially the security features? The more detailed technical information they provide, the better. The more they hide behind secrecy and buzzword bingo, the more you want to steer clear.
3. What kind of a company is it? I like companies whose whole focus is security and are relatively large (for security companies) and well-established. Big companies that can (and do) have large security-focused groups are good too.
4. Have there been any published analyses of the products? I'd rather use a product that has had significant scrutiny and a few security defects identified (and fixed), than one that no one has ever bothered to look at. This actually goes back to the previous point. Products from established companies with a focus on security tend to get scrutiny.

Re:

[Fry-kun]

Thanks for staying on topic and answering my question in great detail.

Not all USB Tokens are the same

[joeflies]

The Kensington solution is designed to be just what you're using it for - a simple personal two factor authentication system. It's stronger than using a bio screen lock, easier to use than a smart card (which requires a reader, not all that common yet except for Dells and IBMs), and it probably keeps out most of the garden variety hackers.

However, it is not the same as a USB key with a SIM card or smart chip, such as from ActivIdentity, Aladdin, VeriSign, among others. First off, these systems are based o

Suppose it does exactly what it says

[Beryllium Sphere(tm)]

Is that enough to provide confidentiality?

Give it a realistic test. Create a Word document with the file name "Arson Confession" and type out something about how you set fire to an orphanage. Make a few revisions. Run Firefox with an extension that leaks memory, leave it up for a day or two so that it forces everything else to be swapped out. Simulate a crash by doing an End Process on Word from the task manager once.

Then boot from a Linux live CD and do something like "strings /dev/hda | fgrep -e Arson Confession orphanage > leaks.txt".

Document names in MRU lists in the registry, temp files, and the swap file might not be covered by the encryption. A file name could be a pretty damaging thing to leak. Consider also that Windows may store the file name as Unicode in some places that wouldn't show on fgrep.

It's good thinking and sound practice to wonder whether the gadget does what it claims, but a huge number of security problems come from threats that were outside what the security designers were thinking about. "Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven't previously considered and accounted for." [blogspot.com]

Re:

[cerberusss]

Create a Word document with the file name "Arson Confession" and type out something about how you set fire to an orphanage.

And if you don't feel like creating it, send me an e-mail because I typed that out yesterday.

Use money

[ColaMan]

Get a hold of the Russian Mafia, enquire if there is any cracks for the software you're interested in.
If you can buy a crack, it's not secure enough.

If you cannot source a crack, put a $5k bounty on it and use the product while blackhats do the work. Discard product immediately once blackhats come up with a solution. Do pay the blackhats/Mafia - consider the $5k money well spent, and it saves an awful lot of trouble later on.

I ended up going PGP and eToken

[mlts]

The Kensington token looks OK, but if I'm recommending a whole disk encryption system, I would use something that has been battle tested in corporate environments, and where the physical token meets FIPS 140-1 level 1 or 2 standards. Standards don't mean something is free of security holes, but it means that peoples' eyes have looked the software and hardware over and the company stands behind their product enough to pay for it to be validated. Its similar to the Sold Secure Gold rating on physical locks

...but...

[skinfitz]

Worse yet, there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years. So nobody knows it exists? Security through obscurity then...

commercial security products

[wikinerd]

Remember that the true motive behind most companies is to make you give them your money, and in many companies quality isn't a priority. It's no surprise that many security products have bugs. I would trust more a security method or tool released by the security community itself, without the involvement of PHBs.

Look at the source code

[metamatic]

If the source code isn't available, it's not secure. Simple as that.

get indi

[drDugan]

see http://getindi.com/ [getindi.com]

Re:

[drDugan]

there is a "more info" button at the top which goes to
http://www.getindi.com/index2.html [getindi.com]
with all the details

Re:get indi (requires javescript)

[Anomalyst]

Aint it wunnerful that a security company wants me to run THEIR code on MY machine. A simple menu of hyper-linked images would have done the same job without exposing me the the programming vagaries of the marketing directors inept nephew. Their lack of interest in my security translates in my lack of interest in their product as it probably suffers from a similar inattention to details.

Easy.

[StikyPad]

Send me your laptop, and I'll let you know.

Taking Responsibility Here

[Nom du Keyboard]

there are apparently no reviews of the product, no mention of anyone trying to test it and no hardware hackers tried to make it work in Linux, even though it's been out for over 2 years.

Yet you bought it anyway. Why are you now complaining, instead of having done some proper research before you put your money down?