Marrying a Penguin
Logging in and mounting encrypted partitions using a ring on Linux
A look at NFC-related technology and Arduino, and how they can enhance security, including user authentication and protecting encrypted data
By Ben Whorwood
Marrying a Penguin
● Welcome and introductions
● Personal project
● Work in progress (please be gentle)
● Been a while since I have done much C programming; some of it is quite low level (bit slinging)
● Be great if anyone else with anything interesting to show would like to do a brief talk
Security enhancements
● Two-factor authentication for system login
● Can use simpler password for system login (change SSH access to public keys only)
● Some protection against key loggers
● Don't have to retype passwords for encrypted partitions
● Encrypted data can be protected with long passwords
RFID hardware
● Useful technology for transmitting data over short distances without wires
● Can be used for exchanging information (links, business cards, other text)
● Can be used for door entry systems
● Comes in many shapes and sizes
● Elechouse PN532 RFID reader
● NFC Ring is a wearable RFID tag
Arduino hardware
● Comes in many shapes and sizes
● In this project, used to build an interface to a custom RFID reader
● Can use industry standard encryption algorithms
● Lots of choice for adding other security enhancements (e.g. EEPROM or MicroSD for longer encryption keys)
Linux hardware
● Used as my choice of operating system for day to day tasks (too many reasons to discuss here)
● Cited as having better security than Windows, but it all depends on implementation and users
● Open source and easy to build onto (e.g. PAM)
● This project can be (and similar ones have been) applied to Windows
Bringing it all together
Software
● Variety of languages...
● Wiring (based on Processing) for Arduino (set of C/C++)
● C used for serial client (used in PAM and for writing key file for LUKS)
● C for PAM
● BASH scripting to join pieces together
● LUKS / dm-crypt for encryption on *nix
User login demo
● RFID requested as part of user login
● Incorrect RFID gives “incorrect password” and login must be retried
● Correct password and RFID allows login
● Not relying solely on RFID, as that would mean if the ring is lost someone could gain entry to the system
Encrypted partitions demo
● Encrypted container file (encrypted file system within a file) prepared beforehand (could also be entire hard drive or partition)
● RFID requested as part of mounting process
● Incorrect RFID means key file mismatch and cannot mount
● Data is encrypted on the fly
● Unmount using LUKS / dm-crypt
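An added example, not code from the talk: the mounting flow above written in shell, showing the key file being created, used once and removed, and the mount being skipped on a key mismatch. `ring_read_key` is a hypothetical stand-in for the serial client (it must write the key read from the ring to the path it is given), and `KEY_DIR` is assumed to be RAM-backed.

```shell
#!/bin/sh
# Added example. ring_read_key is a hypothetical command standing in for
# the serial client: it writes the raw key from the reader to the path in $1.
# KEY_DIR is assumed to be tmpfs so the key never touches persistent storage.
KEY_DIR="${KEY_DIR:-/dev/shm}"

open_with_ring() {
    container="$1"; name="$2"; mountpoint="$3"

    # mktemp creates the file with owner-only (0600) permissions,
    # so the key is never readable by other users.
    keyfile=$(mktemp "$KEY_DIR/ringkey.XXXXXX") || return 1

    rc=0
    if ! ring_read_key "$keyfile"; then
        echo "no tag read" >&2
        rc=2
    elif ! cryptsetup open --type luks --key-file "$keyfile" \
            "$container" "$name"; then
        # Wrong ring: the key file matches no LUKS key slot.
        echo "key file mismatch, not mounting" >&2
        rc=3
    fi

    # Remove the key file whether or not the open succeeded.
    rm -f "$keyfile"
    [ "$rc" -eq 0 ] || return "$rc"

    mount "/dev/mapper/$name" "$mountpoint"
}

close_ring_volume() {
    name="$1"; mountpoint="$2"
    # Unmount first, then tear down the dm-crypt mapping.
    umount "$mountpoint" && cryptsetup close "$name"
}
```

Both functions need root, since `cryptsetup` and `mount` do.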
Future developments
● Use authentication or public key encryption for data over wire (serial communication)
● Use different AES keys on ring for login and mounting encrypted partitions
● Use key file (similar to LUKS) to open KeePass
● More testing on AES library currently used
● Build circuit board, case (3D print), etc
Next steps for project
● Develop further (see last slide)
● Refactor code used in project
● Publish code online for peer review
Questions
● Thanks for listening
● Any questions?
Website – http://mube.uk
Twitter (not used often) - @benwhorwood