* LUKS Encryption and Fingerprint readers?
@ 2013-08-15 16:51 TJ
  2013-08-15 17:27 ` Vladimir 'φ-coder/phcoder' Serbinenko
  2013-08-29 19:13 ` Glenn Washburn
  0 siblings, 2 replies; 9+ messages in thread
From: TJ @ 2013-08-15 16:51 UTC (permalink / raw)
  To: grub-devel

I was searching for any hint that GRUB might support using a fingerprint reading device as input for unlocking encryption.

I found discussion on the mailing list from 2009 centred mostly around TPM which didn't seem to go anywhere, so I wondered what the current thoughts are on supporting one?

The use-case I have is a fleet of laptops equipped with fingerprint readers running Linux which need to be secure in the event of theft. BIOS passwords will be used. The hard disks will be using
full-disk LUKS encryption.  I'd like to avoid using pass-phrases since complex phrases inevitably end up being forgotten by users, which points to using a key-file.

I've been unsuccessful in determining if support for a key-file via an external USB device is supported, but that led me to thinking that using the built-in fingerprint reader as a source of the key
(via integration of the libfprint [1]) might also be possible.

So I'd like to know what support for key-files and/or fingerprint reading is/could be as input for LUKS unlocking?

My other thought, to keep things simple, is to encrypt the entire hard drive and install GRUB and the /boot/ files on the removable USB key. More clunky but maybe easier to achieve.

[1] http://www.freedesktop.org/wiki/Software/fprint/libfprint/



* Re: LUKS Encryption and Fingerprint readers?
  2013-08-15 16:51 LUKS Encryption and Fingerprint readers? TJ
@ 2013-08-15 17:27 ` Vladimir 'φ-coder/phcoder' Serbinenko
  2013-08-29 19:13 ` Glenn Washburn
  1 sibling, 0 replies; 9+ messages in thread
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2013-08-15 17:27 UTC (permalink / raw)
  To: The development of GNU GRUB

On 15.08.2013 18:51, TJ wrote:
> I was searching for any hint that GRUB might support using a fingerprint reading device as input for unlocking encryption.

It's not possible to do securely as fingerprints are not secret. In
fact, there are plenty of the owner's fingerprints on the laptop.
But the encryption key has to be secret. You can't derive a secret key from
non-secret data only; it would be like writing the encryption key on the
laptop itself.
Retrieving the fingerprint from the laptop and replaying it into the fingerprint
reader is within reach of a computer security student with cheap equipment.
There is some research in using biometrics to derive keys. The best result
is with handwriting: a person writes a secret word on a special reader, but
even this is pretty weak, as research shows.



* Re: LUKS Encryption and Fingerprint readers?
  2013-08-15 16:51 LUKS Encryption and Fingerprint readers? TJ
  2013-08-15 17:27 ` Vladimir 'φ-coder/phcoder' Serbinenko
@ 2013-08-29 19:13 ` Glenn Washburn
  2013-08-29 20:20   ` TJ
       [not found]   ` <20130829202042.F058E193308@jmr5021.mindef.local>
  1 sibling, 2 replies; 9+ messages in thread
From: Glenn Washburn @ 2013-08-29 19:13 UTC (permalink / raw)
  To: grub-devel

On Thu, 15 Aug 2013 17:51:03 +0100
TJ <grub-devel@iam.tj> wrote:

> So I'd like to know what support for key-files and/or fingerprint
> reading is/could be as input for LUKS unlocking?
> 
> My other thought, to keep things simple, is to encrypt the entire
> hard drive and install GRUB and the /boot/ files on the removable USB
> key. More clunky but maybe easier to achieve.

Based on this comment I assume you currently have an unencrypted boot
area on the harddrive and using an initrd.  In this case, grub need not
be in the picture at all.  Grub will load the kernel and initrd, which
will then attempt to unlock the rest of the drive.  It's at that stage
that you'll want to include your secret gathering mechanism.  So your
prospects are much brighter because you have all of linux at your
disposal.

Currently, I have my drive fully encrypted (excepting the luks header)
and do a boot from USB.  I use grub to decrypt the drive to load the
encrypted kernel and initrd from there.  So in my case, I would need to
have grub support if I wanted to use some arbitrary auth mechanism.
However, this could be mitigated by having the kernel and initrd on the
USB.  I don't find it clunky, if you always keep the USB on your person
(eg on your keychain).



* Re: LUKS Encryption and Fingerprint readers?
  2013-08-29 19:13 ` Glenn Washburn
@ 2013-08-29 20:20   ` TJ
  2013-08-30 19:22     ` Glenn Washburn
       [not found]   ` <20130829202042.F058E193308@jmr5021.mindef.local>
  1 sibling, 1 reply; 9+ messages in thread
From: TJ @ 2013-08-29 20:20 UTC (permalink / raw)
  To: grub-devel

On 29/08/13 20:13, Glenn Washburn wrote:
> On Thu, 15 Aug 2013 17:51:03 +0100
> TJ <grub-devel@iam.tj> wrote:
> 
>> So I'd like to know what support for key-files and/or fingerprint
>> reading is/could be as input for LUKS unlocking?
>>
>> My other thought, to keep things simple, is to encrypt the entire
>> hard drive and install GRUB and the /boot/ files on the removable USB
>> key. More clunky but maybe easier to achieve.
> 
> Based on this comment I assume you currently have an unencrypted boot
> area on the harddrive and using an initrd.

I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops.

I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and
good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blu-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and
repair and parts are cheap and easy to come by.

The fingerprint reader is quite useful for trivial unlock and sudo authorisation and that made me think maybe more use could be made of it. The points about fingerprints being lifted from the keys to
unlock it hadn't occurred to me - that'd be silly so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.

I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the
operator can't be sure where to find the bytes that unlock it.

If we can figure it out we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB.

Tall order I know, but the technology is there - we just have to join it up!



* RE: LUKS Encryption and Fingerprint readers?
       [not found]   ` <20130829202042.F058E193308@jmr5021.mindef.local>
@ 2013-08-30  9:10     ` J.Witvliet
  2013-08-30 14:38       ` Lennart Sorensen
  2013-08-30 15:03       ` TJ
  0 siblings, 2 replies; 9+ messages in thread
From: J.Witvliet @ 2013-08-30  9:10 UTC (permalink / raw)
  To: grub-devel

Hi TJ,

Are you very sure you want this?
Some time ago I've been experimenting with fingerprints, and the result was not encouraging...
From a security point of view not that many problems (besides all the well-known general issues with fingerprints).
I mean no false positives, but the huge amount of false negatives: nine times out of ten, I did not recognize correctly. Always glad I could still use username & pwd.
As I was testing on IBM-Lenovo laptops, I think (hope) that those readers were of decent quality...

So unless the quality of the readers has improved drastically in the last five years, you'd better think twice before embarking on such a trip...

Hw





* Re: LUKS Encryption and Fingerprint readers?
  2013-08-30  9:10     ` J.Witvliet
@ 2013-08-30 14:38       ` Lennart Sorensen
  2013-08-30 15:03       ` TJ
  1 sibling, 0 replies; 9+ messages in thread
From: Lennart Sorensen @ 2013-08-30 14:38 UTC (permalink / raw)
  To: The development of GNU GRUB

On Fri, Aug 30, 2013 at 11:10:39AM +0200, J.Witvliet@mindef.nl wrote:
> -----Original Message-----
> From: grub-devel-bounces+j.witvliet=mindef.nl@gnu.org [mailto:grub-devel-bounces+j.witvliet=mindef.nl@gnu.org] On Behalf Of TJ
> Sent: Thursday, August 29, 2013 10:20 PM
> To: grub-devel@gnu.org
> Subject: Re: LUKS Encryption and Fingerprint readers?
> 
> On 29/08/13 20:13, Glenn Washburn wrote:
> > On Thu, 15 Aug 2013 17:51:03 +0100
> > TJ <grub-devel@iam.tj> wrote:
> > 
> >> So I'd like to know what support for key-files and/or fingerprint
> >> reading is/could be as input for LUKS unlocking?
> >>
> >> My other thought, to keep things simple, is to encrypt the entire
> >> hard drive and install GRUB and the /boot/ files on the removable USB
> >> key. More clunky but maybe easier to achieve.
> > 
> > Based on this comment I assume you currently have an unencrypted boot
> > area on the harddrive and using an initrd.
> 
> I've been using a classical unencrypted boot-loader and kernel/initrd with LUKS key-file protected file-systems on the servers and desktops.
> 
> I've recently decided to standardise on a single model laptop, the Dell XPS m1530, which includes a fingerprint reader. A primary reason for selecting this model is its 3 mini-PCIe internal slots and
> good range of external interfaces, coupled with 8GB RAM, VDPAU-supporting Nvidia 8600M, 1920x1200 LCD, Blue-ray disc, proper MMC card reader, and ExpressCard/54. The laptops are easy to strip down and
> repair and parts are cheap and easy to come-by.
> 
> The fingerprint reader is quite useful for trivial unlock and sudo authorisation and that made me think maybe more use could be made of it. The points about fingerprints being lifted from the keys to
> unlock it hadn't occurred to me - that'd be silly so I'm now moving to whole-disc encryption with the boot-loader, kernel, and initrd on a key-fob USB.
> 
> I'd still like GRUB to be able to read a key-file rather than a typed pass-phrase, and have the key-file hidden on a (second) small (1GB) randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.
> 
> If we can figure it out we'd like to be able to configure/unlock different LVM volumes based on which LUKS slot is used to unlock, too, and log the LUKS attempts from GRUB.
> 
> Tall order I know, but the technology is there - we just have to join it up!
> 
> -----Original Message-----
> 
> Hi TJ,
> 
> Are you very sure wanting this?
> Some time ago i´ve been experimenting with fingerprints, and the result was not encouraging...
> From security point of view no that many problems (besides all well known general issue´s with fingerprints).
> I mean no false positive´s, but the huge amount of false-negatives:  nine times out of ten, I did not recognize correctly. Always glad I could still use  username & pwd.
> As I was testing on IBM-Lenovo laptops, I think (hope) that those readers were of decent quality...
> 
> So unless the quality of the readers has improved drastically last five years, you better think twice before embarking on such trip...

They have improved.  The one on my W530 which is about 9 months old
works very well.  Even swiping on a slight angle is no longer a problem.
I would say it only fails to recognize a swipe 1 in 20 times.  Given how
well it worked I was wondering if perhaps it was just letting everything
through, but using fingers I didn't register has never worked any time
I have tried, so it does seem they really have gotten better.

-- 
Len Sorensen



* Re: LUKS Encryption and Fingerprint readers?
  2013-08-30  9:10     ` J.Witvliet
  2013-08-30 14:38       ` Lennart Sorensen
@ 2013-08-30 15:03       ` TJ
  1 sibling, 0 replies; 9+ messages in thread
From: TJ @ 2013-08-30 15:03 UTC (permalink / raw)
  To: grub-devel

On 30/08/13 10:10, J.Witvliet@mindef.nl wrote:
> Some time ago i´ve been experimenting with fingerprints, and the result was not encouraging...
> From security point of view no that many problems (besides all well known general issue´s with fingerprints).
> I mean no false positive´s, but the huge amount of false-negatives:  nine times out of ten, I did not recognize correctly. 

I've been using fingerprint-scanning for a year now over successive releases of Ubuntu on these XPS m1530 models (SGS Thompson reader) with libfprint. I've found it reliable. I think there are two
things that lead to low false-negatives:

1) a good initial scan of the finger(s)
2) consistent conditions for reading

For example, a usable but short scan or slightly contrived flexing of the finger during the initial scan will cause consistency problems later when the finger becomes more familiar with the action and
changes the way it passes over the reader.

Also, scans originally in bright light will not work well if reading is done in low-light conditions such as overnight when a room may only be lit by the LCD screen.

I also found that an original scan done when the finger is moist will cause problems with reading when the finger is dry, dusty or dirty.

The best conditions for the initial scan I've found are:

1. Do the scan in medium to low-light conditions
2. No excessively bright or directional lighting (avoid strong sunshine from windows, or desk-lamps)
3. Wash the finger(s) in hot water with soap and dry them well, which gives clean well-raised profiles
4. Glide the finger above the sensor with some flexing at the leading/trailing edge of the scan so the pad of the finger stays in contact with the centre of the reader

I've also found that, for me, the middle and ring fingers of my right hand are more reliable than index or little.



* Re: LUKS Encryption and Fingerprint readers?
  2013-08-29 20:20   ` TJ
@ 2013-08-30 19:22     ` Glenn Washburn
  2013-08-31  9:09       ` TJ
  0 siblings, 1 reply; 9+ messages in thread
From: Glenn Washburn @ 2013-08-30 19:22 UTC (permalink / raw)
  To: grub-devel

On Thu, 29 Aug 2013 21:20:14 +0100
TJ <grub-devel@iam.tj> wrote:

> that'd be silly so I'm now moving to whole-disc encryption with the
> boot-loader, kernel, and initrd on a key-fob USB.
> 
> I'd still like GRUB to be able to read a key-file rather than a typed
> pass-phrase, and have the key-file hidden on a (second) small (1GB)
> randomised-data USB flash device (no file-system) so even the
> operator can't be sure where to find the bytes that unlock it.

Again.  If your initrd and kernel are unencrypted on the USB, then you
don't need keyfile support or any encryption support in grub.  Grub can
just load your linux environment and then you can have linux do all the
heavy lifting.

> If we can figure it out we'd like to be able to configure/unlock
> different LVM volumes based on which LUKS slot is used to unlock,
> too, and log the LUKS attempts from GRUB.

This really doesn't make sense.  LVM volumes aren't "unlocked", LUKS
volumes sure.  And restricting access based on what key was used
doesn't make much sense either.  LUKS key slots are for getting the
single master key.  So regardless of which key slot is used, you get back
the master key that can decrypt the _whole_ luks container, yes all the
LVs.  So in this hypothetical system, for any key slot used root will
be able to access all the LVs.

Why exactly are you wanting to activate an LV based on LUKS keyslot?
Is it because you want to prevent other users from accessing the other
LVs?  Or is it merely to provide a mechanism for booting different
OSes (with no security implications)?

And I see no reason why you're needlessly trying to use grub, unless
your initrd or kernel are encrypted on the USB.  Linux would be a much
more capable environment to work in.
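
Added example, not part of the thread and not GRUB or cryptsetup code: a simplified Python model of the key-slot design described in the message above, showing that two different slots yield the same master key. It assumes PBKDF2 with an XOR wrap in place of LUKS's real encrypted, anti-forensic-split key material; the function names and passphrases are hypothetical.

```python
import hashlib
import hmac
import os

KEY_LEN = 32        # bytes of master key
ITERATIONS = 2000   # deliberately low so the example runs quickly


def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, KEY_LEN)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def format_container(passphrases):
    """Create a toy header: one random master key, one key slot per passphrase."""
    master_key = os.urandom(KEY_LEN)
    digest_salt = os.urandom(16)
    header = {
        "digest_salt": digest_salt,
        # Digest of the master key, used to recognise a successful unlock.
        "mk_digest": _kdf(master_key, digest_salt),
        "slots": [],
    }
    for passphrase in passphrases:
        salt = os.urandom(16)
        # Simplification: XOR wrap stands in for LUKS's encrypted, AF-split key material.
        header["slots"].append((salt, _xor(master_key, _kdf(passphrase, salt))))
    return header


def unlock(header, passphrase):
    """Try each slot in turn; return (slot_index, master_key) or None."""
    for index, (salt, wrapped) in enumerate(header["slots"]):
        candidate = _xor(wrapped, _kdf(passphrase, salt))
        digest = _kdf(candidate, header["digest_salt"])
        if hmac.compare_digest(digest, header["mk_digest"]):
            return index, candidate
    return None


def demo():
    # Constructed passphrases for two hypothetical users.
    header = format_container([b"constructed-passphrase-user-a",
                               b"constructed-passphrase-user-b"])
    slot_a, key_a = unlock(header, b"constructed-passphrase-user-a")
    slot_b, key_b = unlock(header, b"constructed-passphrase-user-b")
    rejected = unlock(header, b"not-enrolled")
    # Different slots, identical master key: the slot index tells you who
    # unlocked, but grants no narrower access to the data inside.
    return slot_a, slot_b, key_a == key_b, rejected


if __name__ == "__main__":
    print(demo())
```

Separating users cryptographically takes separate containers, each with its own master key.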




* Re: LUKS Encryption and Fingerprint readers?
  2013-08-30 19:22     ` Glenn Washburn
@ 2013-08-31  9:09       ` TJ
  0 siblings, 0 replies; 9+ messages in thread
From: TJ @ 2013-08-31  9:09 UTC (permalink / raw)
  To: grub-devel

On 30/08/13 20:22, Glenn Washburn wrote:
>> I'd still like GRUB to be able to read a key-file rather than a typed
>> pass-phrase, and have the key-file hidden on a (second) small (1GB)
>> randomised-data USB flash device (no file-system) so even the
>> operator can't be sure where to find the bytes that unlock it.
> 
> Again.  If your initrd and kernel are unencrypted on the USB, then you
> don't need keyfile support or any encryption support in grub. 

The USB device(s) will be encrypted.

>> If we can figure it out we'd like to be able to configure/unlock
>> different LVM volumes based on which LUKS slot is used to unlock,
>> too, and log the LUKS attempts from GRUB.
> 
> This really doesn't make sense.  LVM volumes aren't "unlocked", LUKS
> volumes sure.

There will be multiple layers of encryption using different keys. The LVMs within the whole-disk encryption will have different keys. Not all users will have access to the same collection of keys.

It doesn't look too difficult to add patches to achieve what I'm aiming for.

