marrying a penguin: logging in and mounting encrypted partitions using a ring on linux

Marrying a Penguin: Logging in and mounting encrypted partitions using a ring on Linux. A look at NFC related technology and Arduino and how they can enhance security, including user authentication and protecting encrypted data. By Ben Whorwood

Upload: benwhorwood

Post on 15-Jul-2015



TRANSCRIPT

Page 1: Marrying a Penguin: Logging in and mounting encrypted partitions using a ring on Linux

Marrying a Penguin

Logging in and mounting encrypted partitions using a ring on Linux

A look at NFC related technology and Arduino and how they can enhance security including user authentication and protecting encrypted data

By Ben Whorwood

Page 2

Marrying a Penguin

● Welcome and introductions

● Personal project

● Work in progress (please be gentle)

● Been a while since I have done much C programming; some of it is quite low level (bit slinging)

● Be great if anyone else with anything interesting to show would like to do a brief talk

Page 3

Security enhancements

● Two-factor authentication for system login

● Can use simpler password for system login (change SSH access to public keys only)

● Some protection against key loggers

● Don't have to retype passwords for encrypted partitions

● Encrypted data can be protected with long passwords

Page 4

RFID hardware

● Useful technology for transmitting data over short distances without wires

● Can be used for exchanging information (links, business cards, other text)

● Can be used for door entry systems

● Comes in many shapes and sizes

● Elechouse PN532 RFID reader

● NFC Ring is a wearable RFID tag

Page 5

Arduino hardware

● Comes in many shapes and sizes

● In this project, used to build an interface to a custom RFID reader

● Can use industry standard encryption algorithms

● Lots of choice for adding other security enhancements (e.g. EEPROM or MicroSD for longer encryption keys)

Page 6

Linux hardware

● Used as my choice of operating system for day to day tasks (too many reasons to discuss here)

● Cited as having better security than Windows, but it all depends on implementation and users

● Open source and easy to build onto (e.g. PAM)

● This project can be (and similar ones have been) applied to Windows

Page 7

Bringing it all together

Page 8

Software

● Variety of languages...

● Wiring (based on Processing) for Arduino (set of C/C++)

● C used for serial client (used in PAM and for writing key file for LUKS)

● C for PAM

● BASH scripting to join pieces together

● LUKS / dm-crypt for encryption on *nix

Page 9

User login demo

● RFID requested as part of user login

● If the RFID is incorrect, “incorrect password” is shown and the login must be retried

● Correct password and RFID allows login

● Not relying solely on RFID, as that would mean that if the ring were lost someone could gain entry to the system

Page 10

Encrypted partitions demo

● Encrypted container file (encrypted file system within a file) prepared beforehand (could also be entire hard drive or partition)

● RFID requested as part of mounting process

● Incorrect RFID means key file mismatch and cannot mount

● Data is encrypted on the fly

● Unmount using LUKS / dm-crypt
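
The mount flow on this slide, written out as an added example (not the project's own code): key material read from the ring goes into a short-lived key file, `cryptsetup` opens the container with it, and a wrong ring fails at the open step. The `ring-serial-client` command name, the `/dev/shm` key directory and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's code. Assumptions: RING_CLIENT is a
# hypothetical command that prints the key read from the ring to stdout;
# the container has a LUKS keyslot enrolled with that same key.
RING_CLIENT=${RING_CLIENT:-ring-serial-client}  # hypothetical name
KEY_DIR=${KEY_DIR:-/dev/shm}                    # tmpfs: key file stays in RAM

# mount_with_ring CONTAINER MAPPER_NAME MOUNTPOINT
# Returns 0 mounted, 1 key mismatch, 2 no key read, 3 no temp file, 4 mount failed.
mount_with_ring() {
    mwr_container=$1
    mwr_name=$2
    mwr_mountpoint=$3
    # mktemp creates the file with mode 0600, so other users cannot read it.
    mwr_keyfile=$(mktemp "$KEY_DIR/ringkey.XXXXXX") || return 3
    if ! "$RING_CLIENT" > "$mwr_keyfile" || [ ! -s "$mwr_keyfile" ]; then
        rm -f "$mwr_keyfile"
        echo "no key read from ring" >&2
        return 2
    fi
    # A wrong ring yields a key file that matches no keyslot, so open fails.
    mwr_rc=0
    cryptsetup open --type luks --key-file "$mwr_keyfile" \
        "$mwr_container" "$mwr_name" || mwr_rc=$?
    rm -f "$mwr_keyfile"   # remove the key file whether or not open succeeded
    if [ "$mwr_rc" -ne 0 ]; then
        echo "key file mismatch, not mounting" >&2
        return 1
    fi
    if ! mount "/dev/mapper/$mwr_name" "$mwr_mountpoint"; then
        cryptsetup close "$mwr_name"   # do not leave the mapping open
        return 4
    fi
}

# unmount_ring_volume MAPPER_NAME MOUNTPOINT
unmount_ring_volume() {
    umount "$2" && cryptsetup close "$1"
}
```

Both functions need root and an existing LUKS container, for example `mount_with_ring /path/to/container.img vault /mnt/vault`, where the path and names are placeholders.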

Page 11

Future developments

● Use authentication or public key encryption for data over wire (serial communication)

● Use different AES keys on ring for login and mounting encrypted partitions

● Use key file (similar to LUKS) to open KeePass

● More testing on AES library currently used

● Build circuit board, case (3D print), etc

Page 12

Next steps for project

● Develop further (see last slide)

● Refactor code used in project

● Publish code online for peer review

Page 13

Questions

● Thanks for listening

● Any questions?

Website – http://mube.uk

Twitter (not used often) - @benwhorwood