From: Arno Wagner
Date: Thu, 15 Apr 2010 01:30:54 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] avoid keyloggers: enter password with mouse (virtual keyboard)
Message-ID: <20100414233054.GC9776@tansi.org>
In-Reply-To: <4BC60CB2.8030902@gmail.com>
References: <20100412171540.GA3138@tansi.org> <20100412175856.GA12353@fancy-poultry.org> <20100413154850.GA19142@tansi.org> <20100413193831.GA8772@fancy-poultry.org> <4BC4CC14.6080408@redhat.com> <20100414153050.GA3966@tansi.org> <4BC60CB2.8030902@gmail.com>

On Wed, Apr 14, 2010 at 08:42:58PM +0200, Olivier Sessink wrote:
> Arno Wagner wrote:
>
> > Maybe tell us a bit more about your scenario?
>
> - the hardware is not under our control,

Ok, I see your problem.

> - the users are only slightly security aware
> - a bootable USB stick is provided to the users, which has everything
> encrypted (except for /boot for obvious reasons)

Ok, so basically open, but it takes a bit of effort to get it open,
namely to capture the passphrase.

> because the hardware is not under our control we won't get 100% security
> (I don't believe in 100% security anyway). So we try to avoid the most
> common threats (most of them cybercrime related). Software botnets,
> trojans etc. on the computer are defeated because we boot the hardware
> from our own image.
> I think most of our users are security-aware enough that they should
> keep the USB stick secured (but I'm afraid not all of them, so
> modifications to /boot are an issue).

And a modified /boot will basically result in a broken system.

> But physical attacks like security cameras, keyloggers etc. are still
> possible. So we try to make them harder. I don't think our users are
> security-aware enough to detect a hardware keylogger (they won't even
> notice that the USB plug is slightly larger than normal). That's why a
> virtual keyboard would make things harder.

Well, while I do not really think the virtual keyboard will help to a
larger degree, it may still raise security a bit.

In order to implement it, implement a virtual keyboard (e.g. using Tk
with Perl/Python) and have it give the passphrase to cryptsetup.
Integrating a virtual keyboard into cryptsetup is really not the UNIX
way and very bad software design, as it increases complexity
significantly without need. The virtual keyboard should be a separate
tool.

What I do not see in the current cryptsetup though is an option to read
the passphrase from stdin, file or named pipe. That would be a
reasonable extension IMO.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
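As an added example (not code from this thread, from Arno, or from the cryptsetup project), here is the "separate tool" shape Arno describes: a small Tk virtual keyboard in Python that collects the passphrase by mouse clicks and hands it to cryptsetup as a child process. It assumes the cryptsetup on the boot image accepts `--key-file=-` to read key material from stdin (check `man cryptsetup` for the version you ship), and that key-file bytes are used verbatim, so no newline is appended. The device path `/dev/sdb2` and mapping name `usbroot` are placeholders. The per-session key shuffle goes beyond what the thread proposes; it only helps against an attacker who records click positions without also recording the screen, and nothing here helps against a camera pointed at the display.

```python
# Added example, not from the dm-crypt thread or cryptsetup. Assumes
# `cryptsetup --key-file=-` reads the key from stdin; device/name are placeholders.
import random
import subprocess


class PassphraseBuffer:
    """Characters clicked so far, in a bytearray so clear() can overwrite them.

    (Python cannot wipe the transient str objects it creates, so this is best
    effort; it at least avoids leaving a plain str copy of the passphrase alive.)
    """

    def __init__(self):
        self._buf = bytearray()

    def append(self, ch):
        self._buf.extend(ch.encode("utf-8"))

    def backspace(self):
        # Drop the last character, not just the last byte (UTF-8 safe).
        kept = self._buf.decode("utf-8")[:-1].encode("utf-8")
        self.clear()
        self._buf.extend(kept)

    def clear(self):
        for i in range(len(self._buf)):
            self._buf[i] = 0
        del self._buf[:]

    def value(self):
        return bytes(self._buf)

    def __len__(self):
        return len(self._buf.decode("utf-8"))


DEFAULT_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def shuffled_layout(rows=DEFAULT_ROWS, rng=None):
    """Same keys, random positions, row lengths preserved (new layout per session)."""
    rng = rng if rng is not None else random.SystemRandom()
    keys = [k for row in rows for k in row]
    rng.shuffle(keys)
    out, i = [], 0
    for row in rows:
        out.append("".join(keys[i:i + len(row)]))
        i += len(row)
    return out


def cryptsetup_argv(device, name):
    # The passphrase is deliberately NOT on argv: any local user can read
    # /proc/<pid>/cmdline. --key-file=- makes cryptsetup read it from stdin.
    return ["cryptsetup", "--key-file=-", "luksOpen", device, name]


def unlock_with_cryptsetup(passphrase, device, name, runner=subprocess.run):
    """Feed the passphrase bytes to cryptsetup on stdin; return its exit code.

    Key-file bytes are used verbatim, so no trailing newline is added (one
    would silently become part of the key). `runner` is injectable so the
    function can be exercised without a real LUKS device.
    """
    result = runner(cryptsetup_argv(device, name), input=passphrase, check=False)
    return result.returncode


def run_keyboard(device, name):
    """Show the on-screen keyboard; on Unlock, open `device` as `name`."""
    import tkinter as tk  # imported here so the logic above works headless

    buf, outcome = PassphraseBuffer(), {"rc": None}
    root = tk.Tk()
    root.title("Enter passphrase")
    echo = tk.StringVar(value="")
    tk.Label(root, textvariable=echo, font=("Monospace", 16)).grid(
        row=0, column=0, columnspan=10)

    def refresh():
        echo.set("*" * len(buf))  # never echo the characters themselves

    def press(ch):
        buf.append(ch)
        refresh()

    def backspace():
        buf.backspace()
        refresh()

    def submit():
        outcome["rc"] = unlock_with_cryptsetup(buf.value(), device, name)
        buf.clear()
        root.destroy()

    for r, row in enumerate(shuffled_layout(), start=1):
        for c, ch in enumerate(row):
            tk.Button(root, text=ch, width=3,
                      command=lambda ch=ch: press(ch)).grid(row=r, column=c)
    last = len(DEFAULT_ROWS) + 1
    tk.Button(root, text="Backspace", command=backspace).grid(row=last, column=0, columnspan=3)
    tk.Button(root, text="Unlock", command=submit).grid(row=last, column=4, columnspan=3)
    root.mainloop()
    return outcome["rc"]


if __name__ == "__main__":
    import sys
    # Usage: python3 vkbd.py /dev/sdb2 usbroot   (placeholder device and name)
    sys.exit(run_keyboard(sys.argv[1], sys.argv[2]))
```

The keyboard needs a display, so in a USB-stick boot flow this runs from a minimal X session before the encrypted root is mounted, and the shuffled layout plus masked echo is all the GUI contributes; the security-relevant part is that the passphrase travels to cryptsetup over a pipe rather than on the command line or in a temporary file.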