Reply
Thread Tools
bergie's Avatar
Posts: 381 | Thanked: 847 times | Joined on Jan 2007 @ Helsinki
#11
Originally Posted by CrashandDie View Post
Considering the N900 doesn't support USB host mode, my initial thought of using a hardware token is going to be difficult.
...which is a shame. I had been looking forward to using Yubikey for authenticating to various services from the device.
 

The Following User Says Thank You to bergie For This Useful Post:
Guest | Posts: n/a | Thanked: 0 times | Joined on
#12
Only while traveling to and from Japan have I ever had a problem with any devices. Apparently an older law that's on the books explains that a certain level of encryption coming out of Japan - 128-bit or higher IIRC - could not be exported out of Japan without prior approval.

It was the MagicGate memory cards for my then PS2 that they were referring to. My very last trip, it was my N810. It was confused with a phone, and they thought I had purchased it while on my trip there. I pulled out my cheap phone - a Motorola F3 I travel with that nobody in their right mind would want to steal - and explained that I used the N810 for internet access when I didn't use my laptop.

They relented, but that was about the only time I've had to worry about anything encrypted on my gadgets. Came to the US, customs was going nuts about having the "internet in your pocket"... one customs official even knew enough to ask "Even Flash?" "Yes, even Flash content is rendered..."
 
Posts: 243 | Thanked: 172 times | Joined on Sep 2007 @ silicon valley
#13
Originally Posted by CrashandDie View Post
Encryption is not vulnerable, as long as the person who applies it takes the time to make sure it isn't.

At the time of writing, I don't believe there are any decent encryption suites for Maemo. I'm currently in the process of analysing all the use-cases and will write up a proposal in the not-too-distant future. I do attach a lot of importance to VPN access, but would also like to see some opportunities for the use of soft tokens and such.

Considering the N900 doesn't support USB host mode, my initial thought of using a hardware token is going to be difficult. In response to that, I've been working on getting information with regards to Bluetooth-enabled tokens. That being said, I believe a soft token would make more sense, as it would serve a greater purpose (the soft token could also be used to display the OTP and use that on your laptop, for example).

If you guys have the time, would you be able to write-up your use-cases? VPN access, encryption, etc. How would you see the encryption/decryption process? What about resident keys? Key caching? I'd love to have your input on these points.
Is your focus on a hardware token due to being able to avoid physically typing in something / something that can be separated from the main device? In which case, bantering with other people I've considered something related to automatically happening related to a particular SD card.

I would use a VPN on my phone right now but with traditional pptp it stores your password plain text, which bothers me. Also on the n800 it is quite tedious to enter passwords.
 
Posts: 543 | Thanked: 181 times | Joined on Aug 2009 @ Universe,LocalCluster.MilkyWay.Sol.Earth.Europe.Slovenia.Ljubljana
#14
Hmm let's see what I'd like as my use-case.

a) deniable encryption based on dm-crypt and luks - this would be enough to simply split the luks headers from the volume itself and keep them on a different volume(I've started looking for this option recently but am unable to find any info - can do it for keys only apparently - for now). Basically one would have an SD card that would store the headers and you would need both to actually mount. But once in memory one shouldn't need to keep the card in(store them in RAM?)

b) I'm not much for full device encryption or full home encryption. I tend to simply encrypt the things that are important to me. In this case this would be contacts, smses and such like. Of course having something like plain old GPG on this would work as well.

c) I should never be asked to decrypt when trying to access this data(it should fallback to an alternate store). Accessing the encrypted data should be a concious effort. Have an app that you open select the store you want to unlock - enter passphrase and any other tokens - and you have access.
 

The Following User Says Thank You to ruskie For This Useful Post:
Posts: 473 | Thanked: 141 times | Joined on Jan 2009 @ Virginia, USA
#15
Originally Posted by allnameswereout View Post
LUKS + dm-crypt also works fine. No need for TrueCrypt

If you're going to use such solution be sure to either enable encrypted swap or disable swap.

There is also the cold boot vector to keep in mind.

Consider to use PKI + password instead of either one, and consider OTP because every time you type a password there may be a camera recording your keystrokes.
Does LUKS+dm-crypt work out of the box on Diablo kernels or do we need to compile the module?

I haven't looked at truecrypt for a long while, but I never used it on my desk/laptop systems, because the Linux port seemed to be a kludgey bolt-on afterthought. Besides, with LUKS+dm-crypt, I found it was easy to set up LVM in an encrypted container, and have grow/shrink capability with full disk encryption.

Last edited by VulcanRidr; 2009-10-23 at 18:24.
 
allnameswereout's Avatar
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#16
Originally Posted by VulcanRidr View Post
Does LUKS+dm-crypt work out of the box on Diablo kernels or do we need to compile the module?

I haven't looked at truecrypt for a long while, but I never used it on my desk/laptop systems, because the Linux port seemed to be a kludgey bolt-on afterthought. Besides, with LUKS+dm-crypt, I found it was easy to set up LVM in an encrypted container, and have grow/shrink capability with full disk encryption.
Hmm, I was assuming Fremantle.

You need following:
  • dm-mod (required for dm-*)
  • dm-crypt
  • Devicemapper (userspace binaries for dm-mod)
  • dmsetup or cryptsetup-luks (frontends for dm-* API)

Should work on 2.6.21 kernels but you will not get XTS mode since requires Linux 2.6.24+

There are some folks who compiled dm-loop for Diablo. Excellent starting point.

For Maemo < 5.0 see also these legacy threads:
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
 

The Following User Says Thank You to allnameswereout For This Useful Post:
allnameswereout's Avatar
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#17
Originally Posted by sarahn View Post
Is your focus on a hardware token due to being able to avoid physically typing in something / something that can be separated from the main device? In which case, bantering with other people I've considered something related to automatically happening related to a particular SD card.

I would use a VPN on my phone right now but with traditional pptp it stores your password plain text, which bothers me. Also on the n800 it is quite tedious to enter passwords.
PPTP bothers me

Storing password encrypted only works with a salt (like /etc/shadow) else it makes no sense. This way the input (password) is compared and then authentication takes place.

Another disadvantage of password-based authentication is that input of the password may be recorded by third parties.

OpenVPN allows you to not save username/password. Same with OpenSSH via SSH keys, and OpenSSH supports VPN setup nowadays. Don't know about Maemo versions though.

OTP (one time password) solves the problem although it has its disadvantages. OpenSSH has supported this for a long time, which means you only need to implement server-side support. For that you need e.g. libpam-opie (on OSes using PAM such as Linux) s/key (on *BSD).

You can have your OpenVPN SSL certificates or SSH keys on your SD card, making the SD card the hardware token.

The advantage of a product such as SecurID is that it combines all the above in one simple hardware interface.

Originally Posted by TA-t3 View Post
As for data security, you can be forced to reveal encryption keys, and it can be illegal not to do so. To get around that can be a complex process.
In UK, yes. Plausible deniability such as TrueCrypt provides is useful in such case.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!

Last edited by allnameswereout; 2009-10-24 at 04:30.
 
Reply

Tags
data hiding, privacy, security, travel, vpn, whole disk encryption

Thread Tools

 
Forum Jump


All times are GMT. The time now is 19:27.