Hi,
i am trying to create a program, which turns a usb flash into a usb token. The usb device will store certificates, passwords, and other security data. The user will plug it into a PC, enter a password for accessing the device and the PC will use (part of) the existing data for the user authentication.
It must run on Windows and i can code it with Java or C++. The problem is that i do not know where to start from... I have many questions...
This is what i am thinking of right now.
1/Setting up Public Key Infrastructure for Windows Server 2003 (don't know exactly how it works)
2/creating certificate and keys using the above platform
3/load them in the usb device
4/write an application, which
4.1/as soon as one inserts the usb, the application decides whether it is a security token or not
4.2/if it is, it either prompts for a password for the device, looks for it inside the token and afterwards searches for a valid certificate inside the token or just searches directly for the valid certificate.

Prompting for the password of course is a "cheat", since anyone is able to access the device and read it in the first place; the device is not actively protected; doesn't protect itself...


Any ideas, links, etc are welcome!

Notwithstanding the actual content of the device, this would be extremely easy to do on Linux. In fact, I already use something like this with my system on startup. The USB drive must be inserted in order for the user areas of the HD to be decrypted for use. It automatically mounts them using keys stored on the USB device when it's plugged into the machine and it doesn't matter at what point it's inserted. It would also be possible to unmount them when the device is removed. It's a standard part of modern Linux systems.

Unfortunately (AFAIK) Windows doesn't come with this functionality built in. Although a huge security risk, the simplest way to do this is probably to create an autorun on the device.

Are there any command line tools for the server? I'm not familiar with it. If not, you are probably out of luck.
ta0kira

PS Just my opinion, but I think automation of this sort isn't worth the risk it may introduce to your server. The furthest I would take automation is storing a privileged batch file on the machine itself which you will run after you insert the device. I don't think it's wise to have anything automatic happen upon insertion of a device into a server.

I once had a person who wanted me to create something similar and I concluded that using an autorun script would be the starting point for use under windows.

ta0kira, could you make any of your code available to me for edification or adaptation? Ma idea was to create an auto-installer on a USB stick which could be run under windows to install the grub bootloader so that the usb stick could booted into linux from the ntldr menu. I actually had most of it working and even distributed the distro for awhile. Lately I've been turning my attention to renewing the project. Your code and its' usage might help me to achieve more.

I'm not sure they would be of any help to you. The first part is a udev rule (single line) which verifies the USB drive's serial number and calls a short script which makes a few calls to another set of scripts to loop and mount a few encrypted images. The scripts for mounting the encrypted images aren't really applicable because nothing they do can be done on Windows. Here is what they do, essentially:

• mount a small encrypted file system (1MB or so)
• use a set of encryption keys from that file system to mount real file systems
• set up encrypted loopbacks
• set up encryption key tables (the 1MB~ file systems) and encrypted file systems

All of this is done with dmsetup, losetup, and a lot of sed and grep.

I'll go through the encrypted volume scripts tonight and post them on SF. I'll post a direct link when I put it up (it will be on my random script project page.) The udev rule won't really help, but I should note that nothing on the device itself gets executed during this process. Everything being executed is on the machine itself and root-owned.
ta0kira

Thanks very much. I'm sure I can get some ideas from your work anyway.

Here is the current version:
http://sourceforge.net/project/showf...roup_id=141925

It's under key-scripts-19oct07. I've sort of been using one of my old, dead script project pages on SF to post random scripts I've come up with. It isn't really a project anymore so much as a script repository. Even though the project page is a mess, I spent a lot of time on the scripts themselves and I rely on them every single time I turn on one of my Linux boxes. They never fail me.
ta0kira

Hi

I was actually thinking about doing something like that but never get to create correct udev rule It seems like you already know how to do that so maybe you could help me with that udev rule???

Next question I have is: Is it possible to tun a script that is located on the device itself with root privilages? I need that to mount my truecrypt drive image that is on the computer hard drive.

Thanks,
Ralph

Here is where I learned to write udev rules:
http://www.reactivated.net/writing_u...l#external-run

Just remember that the more criteria you put the less likely it is it will work. I just stick with the device serial number and nothing else:This is my rule. It makes a symlink /dev/keys to /dev/sd?1 when the device is plugged in, then runs /etc/rc.d/rc.secure which is a script I wrote to perform the actions in my previous post.

By default, mount will mount devices with "noexec" if /etc/fstab gives any user other than root privileges to mount it. If you don't mess with that then you should be able to execute things from the device unless you specify the "noexec" option explicitly. Just to make sure, use the "exec" option when mounting. If I were you I wouldn't automatically run a script located on the device with the udev rule. I'd limit its automatic interaction capability to passive data.
ta0kira