Wednesday, September 21, 2011

of tokens, car keys and security

Lots of concern recently on the net about secure token storage, especially since Google Authenticator hit the ground for Google Apps. One great write-up of the issue can be found here:

http://code.google.com/p/cuteauthenticator/issues/detail?id=1

I do have to say that "cuteauthenticator" is way more flash than my reference proof-of-concept implementation; they did a great job! At some point we ought to build a nicer Java GUI for my quick lash-up!

So, anyway, long story short: whether you grab the HOTP/TOTP secret for your Google Auth key for Gmail with a decent QR reader, or generate your own if you are using the libpam module for ssh or Drupal auth, you will end up with either a URI like:
otpauth://totp/mail@gmail.com?secret=stringofnumbersandchars

or, with the PAM module, a file that by default is written to:

~/.google_authenticator

You basically have a simple 16-character base32 string (80 bits of secret) that defines the key. That's it; nothing else is needed to generate valid codes, which is exactly why it needs looking after. Clearly it is time to put this little string of letters and numbers on a more secure system:
toofan:~ jcuff$ hdiutil create -encryption -size 10m secure.dmg -fs HFS+J -volname Secure

Enter a new password to secure "secure.dmg": 
Re-enter new password: 
.....................................................................................................
created: /Users/jcuff/secure.dmg

Now when you open the dmg it automatically prompts you for a password:
toofan:~ jcuff$ open secure.dmg

toofan:~ jcuff$ df -H /Volumes/Secure/
Filesystem     Size   Used  Avail Capacity  Mounted on
/dev/disk4s1    10M   774k   9.7M     8%    /Volumes/Secure


Simple: then you can write your token file in there along with your favorite desktop client, copy the dmg to a flash stick and you are golden; nice, simple and fairly secure. One nice thing about OS X DMG files is that they integrate with your Keychain, so the mount prompt can remember the passphrase for you. Two caveats: hdiutil defaults to AES-128 (pass -encryption AES-256 if you want the larger key), and a passphrase saved in your login keychain is only as safe as an unlocked login session, so think twice before ticking that box on a laptop.

Compile:
jcuff@srv:/Volumes/Secure $ javac -cp ./ Authenticator/*.java

Run (point it at your auth file):
jcuff@srv:/Volumes/Secure $ java -classpath ./ Authenticator.Main /Volumes/Secure/.google_authenticator

Example:
Authenticator Started!
:----------------------------:--------:
:       Code Wait Time       :  Code  :
:----------------------------:--------:
+++++++++++++++++++++++++++++: 964323 :
..............+++++++++++++++: 523907 :
.............................: 867553 :
.............................: 053547 :
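To show what that little Java lash-up is actually doing with the file, here is the same thing in Python as an added example (this is not the code from the original post): it parses either the otpauth:// URI or the ~/.google_authenticator file, base32-decodes the secret and generates HOTP (RFC 4226) and TOTP (RFC 6238) codes from nothing but that secret. The file layout it assumes (base32 secret on the first line, option lines starting with a double quote, then one scratch code per line) is my reading of the libpam module's output, and the sample secret is the RFC test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def decode_secret(b32):
    """Base32-decode an authenticator secret; tolerates lower case,
    spaces and the missing '=' padding that otpauth URIs omit."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def parse_otpauth(uri):
    """Pull the fields out of an otpauth://{totp,hotp}/label?secret=... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI: %r" % uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "key": decode_secret(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "counter": int(q.get("counter", 0)),
    }


def parse_google_authenticator_file(text):
    """Parse the ~/.google_authenticator layout. ASSUMED format: base32
    secret on line 1, option lines beginning with '"', then one
    emergency scratch code on each remaining line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    options = [l[1:].strip() for l in lines[1:] if l.startswith('"')]
    scratch = [l for l in lines[1:] if not l.startswith('"')]
    return {
        "key": decode_secret(lines[0]),
        "type": "totp" if "TOTP_AUTH" in options else "hotp",
        "options": options,
        "scratch_codes": scratch,
    }


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, now=None, period=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if now is None:
        now = time.time()
    return hotp(key, int(now) // period, digits)


def seconds_left(now=None, period=30):
    """How long the current TOTP code stays valid (the 'Code Wait Time')."""
    if now is None:
        now = time.time()
    return period - (int(now) % period)


# Constructed sample data: the RFC 4226/6238 test key "12345678901234567890"
# in base32. Not a real account secret.
RFC_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = "otpauth://totp/mail@gmail.com?secret=" + RFC_KEY_B32
SAMPLE_FILE = RFC_KEY_B32 + '\n" RATE_LIMIT 3 30\n" TOTP_AUTH\n12345678\n23456789\n'

if __name__ == "__main__":
    tok = parse_otpauth(SAMPLE_URI)
    print(tok["label"], totp(tok["key"]), "valid for", seconds_left(), "s")
    f = parse_google_authenticator_file(SAMPLE_FILE)
    print("file secret matches URI secret:", f["key"] == tok["key"])
    print("scratch codes riding along in the file:", f["scratch_codes"])
```

Point it at a real file with `parse_google_authenticator_file(open(path).read())` and it will mint codes for that account, which is the whole point: anyone holding the file, or a copy of the dmg plus the passphrase, holds the second factor. The RFC test vectors (counter 0 gives 755224, time 59 gives 287082) are a handy way to check the arithmetic before trusting it with a real secret.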

Remember, DMG encryption can be a little sketchy. If you need a platform-independent way to do this there is always the most awesome TrueCrypt!

However, take a really quick look at the currently most popular commercial way to store tokens, one that uses a desktop client for the token codes...
/Users/jcuff/.RSA/RSA SecurID Software Token Library:
-rw-------  1 jcuff  staff  3072 Sep 20 16:13 RSASecurIDStorage

bash-3.2$ file RSASecurIDStorage 
RSASecurIDStorage: SQLite 3.x database

Oh, I remember that file type; in another life I found they were really quite popular inside the iPhone *ahem* ;-)
bash-3.2$ sqlite3 RSASecurIDStorage

SQLite version 3.6.12
Enter ".help" for instructions
Enter SQL statements terminated with a ";"

sqlite> .schema
CREATE TABLE TOKENS (SERIALNUMBER TEXT PRIMARY KEY, SEED BLOB, INTERVAL INTEGER, DIGITS INTEGER, PINREQUIRED INTEGER, URL TEXT, USERID TEXT, FIRSTNAME TEXT, LASTNAME TEXT, LABEL TEXT, DEATHDATE TEXT, ALGORITHM INTEGER, EVENTCOUNT INTEGER, FOBSTYLE INTEGER, ICONDATA BLOB, ICONTYPE INTEGER, BIRTHDATE TEXT, EXTENDEDATTS TEXT, APPDERIVEDSEED INTEGER, TIMEDERIVEDSEED INTEGER, MODE INTEGER, FORMFACTOR INTEGER, CRYPTOCHECKSUM BLOB, MAC BLOB);

sqlite> select FIRSTNAME,LASTNAME,USERID,SEED from TOKENS;

James|Cuff|jcuff|"ahem cough"

Oh hello there!

The rest I'll leave as an exercise for the reader as to how to "move" this token file around, but suffice it to say, let us use this analogy as a working hypothesis for all token activities:

"If you leave the keys to your car on a table in a public place, be they for a Ferrari or a Skoda, someone will eventually come along and "borrow" them if they get a chance to!"

NOTE: It also *really* helps if the keys you leave around have the equivalent of the registration number and a note of which floor of the car park you left the car on (uid, firstname, lastname) attached to the little keyring.

So clearly token files need to be looked after more seriously - luckily there are all sorts of "flash" ways to do this so you can keep your keys in your pocket and not out on the table ;-)



[any opinions here are all mine, and have absolutely nothing to do with my employer]
(c) 2011 James Cuff