maemo.org - Talk - Data Privacy whilst Traveling with Mobile Computer

maemo.org - Talk (https://talk.maemo.org/index.php)

- General (https://talk.maemo.org/forumdisplay.php?f=7)

- - Data Privacy whilst Traveling with Mobile Computer (https://talk.maemo.org/showthread.php?t=33178)

Re: Data Privacy whilst Traveling with Mobile Computer

Quote:

Originally Posted by CrashandDie (Post 353780)

Considering the N900 doesn't support USB host mode, my initial thought of using a hardware token is going to be difficult.

...which is a shame. I had been looking forward to using Yubikey for authenticating to various services from the device.

Re: Data Privacy whilst Traveling with Mobile Computer

Only while traveling to and from Japan have I ever had a problem with any devices. Apparently an older law that's on the books explains that a certain level of encryption coming out of Japan - 128-bit or higher IIRC - could not be exported out of Japan without prior approval.

It was the MagicGate memory cards for my then PS2 that they were referring to. My very last trip, it was my N810. It was confused with a phone, and they thought I had purchased it while on my trip there. I pulled out my cheap phone - a Motorola F3 I travel with that nobody in their right mind would want to steal - and explained that I used the N810 for internet access when I didn't use my laptop.

They relented, but that was about the only time I've had to worry about anything encrypted on my gadgets. Came to the US, customs was going nuts about having the "internet in your pocket"... one customs official even knew enough to ask "Even Flash?" "Yes, even Flash content is rendered..."

Re: Data Privacy whilst Traveling with Mobile Computer

Quote:

Originally Posted by CrashandDie (Post 353780)

Encryption is not vulnerable, as long as the person who applies it takes the time to make sure it isn't.

At the time of writing, I don't believe there are any decent encryption suites for Maemo. I'm currently in the process of analysing all the use-cases and will write up a proposal in the not-too-distant future. I do attach a lot of importance to VPN access, but would also like to see some opportunities for the use of soft tokens and such.

Considering the N900 doesn't support USB host mode, my initial thought of using a hardware token is going to be difficult. In response to that, I've been working on getting information with regards to Bluetooth-enabled tokens. That being said, I believe a soft token would make more sense, as it would serve a greater purpose (the soft token could also be used to display the OTP and use that on your laptop, for example).

If you guys have the time, would you be able to write-up your use-cases? VPN access, encryption, etc. How would you see the encryption/decryption process? What about resident keys? Key caching? I'd love to have your input on these points.

Is your focus on a hardware token due to being able to avoid physically typing in something / something that can be separated from the main device? In which case, bantering with other people I've considered something related to automatically happening related to a particular SD card.

I would use a VPN on my phone right now but with traditional pptp it stores your password plain text, which bothers me. Also on the n800 it is quite tedious to enter passwords.

Re: Data Privacy whilst Traveling with Mobile Computer

Hmm let's see what I'd like as my use-case.

a) deniable encryption based on dm-crypt and luks - this would be enough to simply split the luks headers from the volume itself and keep them on a different volume(I've started looking for this option recently but am unable to find any info - can do it for keys only apparently - for now). Basically one would have an SD card that would store the headers and you would need both to actually mount. But once in memory one shouldn't need to keep the card in(store them in RAM?)

b) I'm not much for full device encryption or full home encryption. I tend to simply encrypt the things that are important to me. In this case this would be contacts, smses and such like. Of course having something like plain old GPG on this would work as well.

c) I should never be asked to decrypt when trying to access this data(it should fallback to an alternate store). Accessing the encrypted data should be a concious effort. Have an app that you open select the store you want to unlock - enter passphrase and any other tokens - and you have access.

Re: Data Privacy whilst Traveling with Mobile Computer

Quote:

Originally Posted by allnameswereout (Post 353805)

LUKS + dm-crypt also works fine. No need for TrueCrypt :)

If you're going to use such solution be sure to either enable encrypted swap or disable swap.

There is also the cold boot vector to keep in mind.

Consider to use PKI + password instead of either one, and consider OTP because every time you type a password there may be a camera recording your keystrokes.

Does LUKS+dm-crypt work out of the box on Diablo kernels or do we need to compile the module?

I haven't looked at truecrypt for a long while, but I never used it on my desk/laptop systems, because the Linux port seemed to be a kludgey bolt-on afterthought. Besides, with LUKS+dm-crypt, I found it was easy to set up LVM in an encrypted container, and have grow/shrink capability with full disk encryption.

Re: Data Privacy whilst Traveling with Mobile Computer

Quote:

Originally Posted by VulcanRidr (Post 356696)

Hmm, I was assuming Fremantle.

You need following:

dm-mod (required for dm-*)
dm-crypt
Devicemapper (userspace binaries for dm-mod)
dmsetup or cryptsetup-luks (frontends for dm-* API)

Should work on 2.6.21 kernels but you will not get XTS mode since requires Linux 2.6.24+

There are some folks who compiled dm-loop for Diablo. Excellent starting point.

For Maemo < 5.0 see also these legacy threads:

Re: Data Privacy whilst Traveling with Mobile Computer

Quote:

Originally Posted by sarahn (Post 356116)

PPTP bothers me ;)

Storing password encrypted only works with a salt (like /etc/shadow) else it makes no sense. This way the input (password) is compared and then authentication takes place.

Another disadvantage of password-based authentication is that input of the password may be recorded by third parties.

OpenVPN allows you to not save username/password. Same with OpenSSH via SSH keys, and OpenSSH supports VPN setup nowadays. Don't know about Maemo versions though.

OTP (one time password) solves the problem although it has its disadvantages. OpenSSH has supported this for a long time, which means you only need to implement server-side support. For that you need e.g. libpam-opie (on OSes using PAM such as Linux) s/key (on *BSD).

You can have your OpenVPN SSL certificates or SSH keys on your SD card, making the SD card the hardware token.

The advantage of a product such as SecurID is that it combines all the above in one simple hardware interface.

Quote:

Originally Posted by TA-t3 (Post 353829)

As for data security, you can be forced to reveal encryption keys, and it can be illegal not to do so. To get around that can be a complex process.

In UK, yes. Plausible deniability such as TrueCrypt provides is useful in such case.