LinuxQuestions.org
Old 10-17-2007, 09:51 AM   #1
kpachopoulos
Member
 
Registered: Feb 2004
Location: Athens, Greece
Distribution: Gentoo,FreeBSD, Debian
Posts: 704

Rep: Reputation: 30
create program and turn usb flash to usb token


Hi,
I am trying to create a program which turns a USB flash drive into a USB token. The USB device will store certificates, passwords, and other security data. The user will plug it into a PC, enter a password for accessing the device, and the PC will use (part of) the existing data for the user authentication.
It must run on Windows and I can code it with Java or C++. The problem is that I do not know where to start from... I have many questions...
This is what I am thinking of right now.
1/Setting up Public Key Infrastructure for Windows Server 2003 (don't know exactly how it works)
2/creating certificate and keys using the above platform
3/load them in the usb device
4/write an application, which
4.1/as soon as one inserts the usb, the application decides whether it is a security token or not
4.2/if it is, it either prompts for a password for the device, looks for it inside the token and afterwards searches for a valid certificate inside the token or just searches directly for the valid certificate.

Prompting for the password of course is a "cheat", since anyone is able to access the device and read it in the first place; the device is not actively protected; doesn't protect itself...


Any ideas, links, etc are welcome!
 
Old 10-18-2007, 07:47 AM   #2
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
Notwithstanding the actual content of the device, this would be extremely easy to do on Linux. In fact, I already use something like this with my system on startup. The USB drive must be inserted in order for the user areas of the HD to be decrypted for use. It automatically mounts them using keys stored on the USB device when it's plugged into the machine and it doesn't matter at what point it's inserted. It would also be possible to unmount them when the device is removed. It's a standard part of modern Linux systems.

Unfortunately (AFAIK) Windows doesn't come with this functionality built in. Although a huge security risk, the simplest way to do this is probably to create an autorun on the device.

Are there any command line tools for the server? I'm not familiar with it. If not, you are probably out of luck.
ta0kira
 
Old 10-18-2007, 08:01 AM   #3
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
Quote:
Originally Posted by ta0kira View Post
Notwithstanding the actual content of the device, this would be extremely easy to do on Linux. In fact, I already use something like this with my system on startup. The USB drive must be inserted in order for the user areas of the HD to be decrypted for use. It automatically mounts them using keys stored on the USB device when it's plugged into the machine and it doesn't matter at what point it's inserted. It would also be possible to unmount them when the device is removed. It's a standard part of modern Linux systems.

Unfortunately (AFAIK) Windows doesn't come with this functionality built in. Although a huge security risk, the simplest way to do this is probably to create an autorun on the device.

Are there any command line tools for the server? I'm not familiar with it. If not, you are probably out of luck.
ta0kira
PS Just my opinion, but I think automation of this sort isn't worth the risk it may introduce to your server. The furthest I would take automation is storing a privileged batch file on the machine itself which you will run after you insert the device. I don't think it's wise to have anything automatic happen upon insertion of a device into a server.

Last edited by ta0kira; 10-18-2007 at 08:04 AM. Reason: accidentally hit "quote" to post this! sorry
 
Old 10-19-2007, 02:57 AM   #4
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,755

Rep: Reputation: 466
I once had a person who wanted me to create something similar and I concluded that using an autorun script would be the starting point for use under windows.

ta0kira, could you make any of your code available to me for edification or adaptation? My idea was to create an auto-installer on a USB stick which could be run under Windows to install the grub bootloader so that the USB stick could be booted into Linux from the ntldr menu. I actually had most of it working and even distributed the distro for a while. Lately I've been turning my attention to renewing the project. Your code and its usage might help me to achieve more.
 
Old 10-19-2007, 06:56 AM   #5
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
I'm not sure they would be of any help to you. The first part is a udev rule (single line) which verifies the USB drive's serial number and calls a short script which makes a few calls to another set of scripts to loop and mount a few encrypted images. The scripts for mounting the encrypted images aren't really applicable because nothing they do can be done on Windows. Here is what they do, essentially:
  • mount a small encrypted file system (1MB or so)
  • use a set of encryption keys from that file system to mount real file systems
  • set up encrypted loopbacks
  • set up encryption key tables (the ~1MB file systems) and encrypted file systems
All of this is done with dmsetup, losetup, and a lot of sed and grep.

I'll go through the encrypted volume scripts tonight and post them on SF. I'll post a direct link when I put it up (it will be on my random script project page.) The udev rule won't really help, but I should note that nothing on the device itself gets executed during this process. Everything being executed is on the machine itself and root-owned.
ta0kira
 
Old 10-19-2007, 12:23 PM   #6
gnashley
Amigo developer
 
Registered: Dec 2003
Location: Germany
Distribution: Slackware
Posts: 4,755

Rep: Reputation: 466
Thanks very much. I'm sure I can get some ideas from your work anyway.
 
Old 10-19-2007, 05:06 PM   #7
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
Here is the current version:
http://sourceforge.net/project/showf...roup_id=141925

It's under key-scripts-19oct07. I've sort of been using one of my old, dead script project pages on SF to post random scripts I've come up with. It isn't really a project anymore so much as a script repository. Even though the project page is a mess, I spent a lot of time on the scripts themselves and I rely on them every single time I turn on one of my Linux boxes. They never fail me.
ta0kira
 
Old 10-23-2007, 12:07 PM   #8
ralphz
LQ Newbie
 
Registered: Oct 2007
Posts: 1

Rep: Reputation: 0
Hi

I was actually thinking about doing something like that but never got to create a correct udev rule. It seems like you already know how to do that, so maybe you could help me with that udev rule???

Next question I have is: Is it possible to run a script that is located on the device itself with root privileges? I need that to mount my truecrypt drive image that is on the computer hard drive.

Thanks,
Ralph
 
Old 10-23-2007, 05:30 PM   #9
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
Here is where I learned to write udev rules:
http://www.reactivated.net/writing_u...l#external-run

Just remember that the more criteria you put the less likely it is it will work. I just stick with the device serial number and nothing else:
Code:
# match the first partition of the stick by its USB serial (kept out of the post), expose it as /dev/keys and run a root-owned script from the host
KERNEL=="sd?1", SYSFS{serial}=="[removed]", SYMLINK+="keys", RUN+="/bin/bash /etc/rc.d/rc.secure"
This is my rule. It makes a symlink /dev/keys to /dev/sd?1 when the device is plugged in, then runs /etc/rc.d/rc.secure which is a script I wrote to perform the actions in my previous post.

By default, mount will mount devices with "noexec" if /etc/fstab gives any user other than root privileges to mount it. If you don't mess with that then you should be able to execute things from the device unless you specify the "noexec" option explicitly. Just to make sure, use the "exec" option when mounting. If I were you I wouldn't automatically run a script located on the device with the udev rule. I'd limit its automatic interaction capability to passive data.
ta0kira
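An added example, not code from the thread or from ta0kira's scripts: a small Python evaluator for udev match keys (`==`, `!=`, compared as shell-style globs) and assignment keys (`+=`, `=`). It applies the rule above, with a constructed serial in place of the removed one, to constructed device attribute sets, and shows why every extra match key (here a vendor check) is one more way for the rule to silently not fire. Key names, serials and vendor strings are constructed for the demo.

```python
import fnmatch
import re

# One rule is a comma-separated list of KEY[{attr}] OP "value" items. udev
# evaluates the match keys as case-sensitive globs, then applies assignments.
_TOKEN = re.compile(r'\s*([A-Z]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')

def parse_rule(rule):
    """Split one udev rule line into (key, attr, op, value) tuples."""
    ops, pos = [], 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError("cannot parse rule near: %r" % rule[pos:])
        ops.append(m.groups())
        pos = m.end()
    return ops

def apply_rule(rule, device):
    """Return the assignments the rule makes for `device`, or None if any
    match key fails. `device` maps names such as "KERNEL" or "SYSFS{serial}"
    to the values udev would see for the newly plugged-in device."""
    assigned = {}
    for key, attr, op, value in parse_rule(rule):
        name = "%s{%s}" % (key, attr) if attr else key
        if op in ("==", "!="):
            hit = fnmatch.fnmatchcase(device.get(name, ""), value)
            if hit != (op == "=="):
                return None          # first failing match key stops the rule
        elif op == "+=":
            assigned.setdefault(name, []).append(value)
        else:                        # "=" replaces earlier values
            assigned[name] = [value]
    return assigned

# The rule from the post; the serial is a constructed placeholder.
RULE = ('KERNEL=="sd?1", SYSFS{serial}=="0123456789AB", '
        'SYMLINK+="keys", RUN+="/bin/bash /etc/rc.d/rc.secure"')

def demo():
    token = {"KERNEL": "sdb1", "SYSFS{serial}": "0123456789AB",
             "SYSFS{vendor}": "Kingston"}
    other = {"KERNEL": "sdb1", "SYSFS{serial}": "FFFFFFFFFFFF"}
    # Over-specific variant: a vendor match that no longer fits the same stick.
    strict = RULE + ', SYSFS{vendor}=="SanDisk"'
    return apply_rule(RULE, token), apply_rule(RULE, other), apply_rule(strict, token)
```

The serial only identifies the stick; as the reply above says, keep what the rule triggers (the RUN script) root-owned on the host and treat the device contents as passive data.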
 