[ltp] using fingerprint reader for encryption or ssh login?

Jan Kundrát linux-thinkpad@linux-thinkpad.org
Tue, 20 Nov 2007 02:09:40 +0100


Jiang Qian wrote:
> 	I'm among the paranoid people out there who encrypt things but
> still fear a keystroke logger stealing my passwords.

If there were a keylogger on your machine, the attacker might have
modified your kernel with exactly zero effort in such a way that it
would send all your private data to her computer system.

If you're really that paranoid, you might want to try a HW crypto device
(maybe the TPM chip in recent Thinkpads is good for it, provided you
trust a Chinese company making them; maybe it isn't suitable, I haven't
bothered to check) that does all the crypto stuff for you. But note that
when any decrypted data touches your kernel (which you don't trust, as
you stated), you are compromised.

> 	1) Authenticate me and decrypt my master password file on disk,

You can't do that. PAM talks to your reader like "hey reader, please
verify whether the user is sweeping a finger described by the following
data: fooBar". You can't use that in a secure way for encryption.

> 	2) Use fingerprint for all the web logins. I know this is
> possible via software under windows. Why can't we have this under linux?

That should be possible, but isn't secure at all. Anyone who can get a
copy of your HDD's raw data can read those files.

> 	3) Related to 1, use fingerprint reader to decrypt the ssh key
> when adding it to ssh-agent.

Exactly the same as in 1).

Cheers,
-jkt

-- 
cd /local/pub && more beer > /dev/mouth

