Authenticating Puppy OS - Ironkey style

Antivirus, forensics, intrusion detection, cryptography, etc.
iamonsite
Posts: 8
Joined: Mon 03 Dec 2007, 05:49

Authenticating Puppy OS - Ironkey style

#1 Post by iamonsite »

I've been researching various USB authentication devices for use in a small business. I started with the inexpensive Yubikey as a domain authentication device.
http://www.yubico.com/overview
Then I realized what I really wanted was a secure password manager that is built into the USB key - And I found the Ironkey
http://www.ironprotector.com/Tech-Inter ... cation.asp
When I saw crackers even get through this device (youtube) I ran across the Lockheed Martin version of Puppy on a stick combined with the Ironkey.
They call it - http://www.lockheedmartin.com/products/ironclad/
So, they've got a bootable OS with all the Ironkey features, but they don't sell them to the public.
Granted - Bootable Puppy OS already has features that make it immune to many viruses, etc. But the Ironkey Enterprise version has features that enable an admin to restrict the opening of the device by IP or range of IP, remote revocation, a secure TOR network and a password manager. Features that let you give this to other users and you still have some control.
I haven't ordered an Ironkey to play with yet, but it has 1GB of storage.
It says it can work within Linux but I doubt it's bootable, Lockheed must have something the rest of us don't.

So, with all that said - I still have my yubikey ($25) and I'd like to know if there is any interest in making a device like the Ironclad - within Puppy, that you use the yubikey to authenticate against a server. Unless you could put a bootable Puppy OS on the Ironkey, this might be the next best thing.
Two USB keys (like a deadbolt on your front door). One boots PuppyOS and the Yubikey in the other USB slot, with a press of the button, authenticates you against a server - before giving you access to an encrypted portion of the OS where you can safely keep your passwords and/or applications.
A strong password that won't help you even if you write it down.

The One Time Password feature combined with a personal PIN is protection against loss of the key.
So to me this might at least silence any (most) critics about root access being the default in Puppy OS. You'd be root, because you have a strong authentication system - the data is encrypted, access to it is controlled by the presence of the Yubikey and a server verifying it. You can be root and trash the system ONLY if you have the Yubikey in place. And if my Puppy OS stick is ever lost, the local storage is unreadable unless you've got the Yubikey.
I recognize there are limitations once you're in the OS and subject to the security of the browser you're using once you're in the OS. But the Lockheed version (Ironclad) shows them using Windows XP - so there's got to be a benefit to controlling the OS/the encryption/authentication as a bundle.
I may end up with the Ironkey anyway, since the enterprise administration features make controlling my users more possible, and it can run under Linux. I just thought - a $25 Yubikey protecting an encrypted volume on Puppy OS might be worth a shot.
Thoughts?

SPYRUS
Posts: 1
Joined: Tue 12 Jul 2011, 01:19

Puppy OS - SPYRUS Style

#2 Post by SPYRUS »

SPYRUS is evaluating this market and I am soliciting comments. We currently sell the Secure Pocket Drive (SPD) which includes a license for and boots Windows or Novell SLED from an encrypting USB flash drive. We also sell a USB-connected smart card token called Rosetta.

We are looking at the market for a "Do it yourself" version that would let a user install the OS of their choice on the encrypting drive. Unlike the IronKey device which is primarily a secure flash drive, SPD was designed from the ground up to be bootable while protecting the installed OS until the device is unlocked by the rightful user.

For dual factor authentication, the Rosetta token can be required to be present for SPD to boot.

So if you could let me know if this fits your needs, and how much you think this functionality would be worth to you, I would really appreciate it.

Ron

iamonsite
Posts: 8
Joined: Mon 03 Dec 2007, 05:49

Authenticating Puppy OS - Ironkey style

#3 Post by iamonsite »

Thanks for the information on the SPYRUS products, I'd not heard of the company and it's helpful in making a comparison.
What your product is worth to me would be pretty much a direct comparison with the Ironkey product. Their enterprise administrative tools enhance their product by providing features that I don't yet see in the SPYRUS product line.
That doesn't mean I can't be convinced that I could make do with those products, but it's a cost comparison issue - and the SPYRUS products would have to give me a close price match.
My post was originally about authentication, against a remote server with a YUBIKEY. The Ironkey enterprise version allows the admin to require that opening of the device requires a "phone home" feature. Not required, but a setting you can enforce. It can also be locked to a specific IP or range of IP so I can roughly say - it has to be used at this workstation.
The second and I guess primary reason for wanting the device is to secure passwords - in a secured browser, that I can put in the hands of users so that they don't mix business with pleasure.
I'd like no other plugins and as much isolation from the OS as possible.
Puppy Linux - as quoted from user Clam01
"To be secure we want to run as spot. The easy way to do this is to move our root to spot. To do this just open two file windows (one if you run one of those two-paner file managers), go up one level to /, in one and open the other to spot. Then drag root from the / window and drop it in the spot one. That's all there is to it. Our root is now safe in spot. We are all done. Literally. Everything we do from this point on that triggers a call to a file in root will stop for being unable to find root. Nothing can get instruction from root, now tucked safely away in spot, secure even from us and our own computer."

So - to me this fits the bill. I could save my favorites and passwords in a secure browser that my users can't modify. If I make it bootable, and save it as a VM image, then all I have to do is secure the ability of someone to boot that image. So - authenticate against another server with something like the YUBIKEY - and I have now locked the image and the ability of anyone to change it once it's open.
This would primarily be for finance and accounting users where I'm trying to prevent keyloggers, insecure browser plugins, poor password management, and OS (Windows) vulnerabilities.
They are SSL sites, with their own password policies, but as an admin - I would set the max length, max complexity, and make it easy (remembered by the browser) so my users don't write them down.
Changes to the passwords saved within that browser - I would administer from a secured (root - not woof user version) image, and then convert into a new image.
A link on the SPYRUS site http://www.spyrus.com/products/secure_pocket_drive.asp mentions this:
"Competing drives use a virtualized environment requiring two operating systems that leads to additional overhead and a larger attack surface. This approach is noticeably slower and possibly less secure."

I'd be interested to know - how my vision of using the VM approach with the woof user - in a 100MB OS - would be possibly less secure.
This is a very real project, and I'm interested in the most cost effective approach. Keep in mind this is to be put in the hands of users that have little to no experience in best practices in security. If there's something I'm overlooking, please let me know.
The biggest thorn in any of these ideas is the password requirement. Taking the password out of the hands of the user, so it can be complex enough or required that it be authenticated is a requirement.
So the Ironkey enterprise is $75 for the key, $40 for a yearly admin account, per key. Can SPYRUS offer two factor authentication for a comparable price - or any followers here have a way to roll this idea with a $25 YUBIKEY?
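
Added example, not part of the thread or any vendor's code: a sketch of the client-side check behind the idea in posts #1 and #3 (press the Yubikey, have a server verify the OTP, only then unlock). It assumes the reply fields of Yubico's OTP validation protocol 2.0 (`otp`, `nonce`, `status`, `h`); the key ID, API key, OTP and nonce are constructed sample values, and `may_unlock` and `sample_reply` are hypothetical helper names.

```python
import base64, hashlib, hmac

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet

def modhex_decode(s):
    """Decode modhex to bytes; ValueError on odd length or foreign characters."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(a) << 4 | MODHEX.index(b) for a, b in zip(s[::2], s[1::2]))

def split_otp(otp):
    """Split an OTP into (public key ID, 32-char encrypted part)."""
    if not 32 <= len(otp) <= 48:
        raise ValueError("bad OTP length")
    modhex_decode(otp)  # rejects anything that is not pure modhex
    return otp[:-32], otp[-32:]

def sign(params, api_key_b64):
    """HMAC-SHA1 over sorted key=value pairs joined by '&', base64-encoded."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def may_unlock(otp, nonce, reply, api_key_b64, enrolled_id):
    """Hypothetical gate: True only for an authentic, fresh OK for our key."""
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return False
    if public_id != enrolled_id:              # someone else's Yubikey
        return False
    expected = sign(reply, api_key_b64)
    if not hmac.compare_digest(reply.get("h", "").encode(), expected.encode()):
        return False                          # forged or altered reply
    if reply.get("otp") != otp or reply.get("nonce") != nonce:
        return False                          # reply belongs to another request
    return reply.get("status") == "OK"        # e.g. REPLAYED_OTP is refused

# Constructed sample values, not real credentials or a real server reply.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
ENROLLED_ID = "cccccckdvvul"
OTP = ENROLLED_ID + MODHEX * 2
NONCE = "a1b2c3d4e5f6a7b8c9d0"

def sample_reply(status="OK", nonce=NONCE):
    """Build a signed reply the way a validation server would (constructed)."""
    reply = {"otp": OTP, "nonce": nonce, "status": status}
    reply["h"] = sign(reply, API_KEY)
    return reply
```

A `True` result is only the precondition for releasing the volume key in the design discussed; the check itself encrypts nothing, and the PIN mentioned in post #1 would be a separate factor.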
