Re: [dm-crypt] avoid keyloggers: enter password with mouse (virtual keyboard)

[Arno Wagner <arno@wagner.name>]

On Wed, Apr 14, 2010 at 08:42:58PM +0200, Olivier Sessink wrote:
> Arno Wagner wrote:
> 
> > Maybe tell us a bit more about your scenario?
> 
> - the hardware is not under our control,

Ok, I see your problem.

> - the users are only slightly security aware
> - a bootable USB stick is provided to the users, which has everything
> encrypted (except for /boot for obvious reasons)

Ok, so basically open, but it takes a bit of effort to 
get it open, namely to capture the passphrase.

> because the hardware is not under our control we won't get 100% security
> (I don't believe in 100% security anyway). So we try to avoid the most
> common threats (most of them cybercrime related). Software botnets,
> trojans etc. on the computer are defeated because we boot the hardware
> from our own image. I think most of our users are enough security aware
> that they should keep the USB stick secured (but I'm afraid not all of
> them, so modifications to /boot is an issue).

And a modified /boot will basically result in a broken system.

> But physical attacks like security camera's, keyloggers etc. are still
> possible. So we try to make them harder. I don't think our users are
> enough security aware to detect a hardware keylogger (they won't even
> notice that the usb plug is slightly larger than normal). That's why a
> virtual keyboard would make things harder.

Well, while I do not really think the virtual keyboard will help
to a larger degree, it may still raise security a bit. 

In order to implement it, implement a virtual keyboard (e.g.
using TK with Perl/Python) and have it give the passphrase
to cryptsetup. Integrating a virtual keyboard into cryptsetup
is really not the UNIX way and very bad software design, as it
increases complexity significantly without need. The virtual 
keyboard should be a separate tool.

What I do not see in the current cryptsetup though, is an 
option to read the passphrase from stdin, file or named pipe. 
That would be a reasonable extension IMO.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier