Thursday, November 26, 2009

Low cost computer security device to replace passwords

Greetings from the famous room N101 at the School of Computer Science at ANU. Bob Edwards is presenting on "Yubikey Authentication in a Mid-sized Organisation". This is a preview of paper for Linux Conference of Australia 2010 (LCA2010) in January.

The Yubikey is a low cost ($10) security token designed to replace passwords for computer access. It is a small USB unit designed to be attached to a key ring and inserted into a computer when access is needed. The device generates a 44 character pseudo random number when a button on the unit is pressed. It emulates a keyboard to send the number to an application. The device uses AES-128 bit encryption.

One use which has been poposed is Yubikey identifying airline pilots on the U.S. Department of Homeland Security Transportation Security Administration blog.

Yubikey provide an online authentication server, which can be used. However, as Bob points out, this requires you to trust the security and reliability of Yubikey's system. Yubico allow for the device to be reprogrammed with a new 128 bit key so that an organisation can run its own authentication server.

One limitation of the device is that it has no internal battery and so cannot keep track of time. As a result the tokens generated never expire. Also as with any token, it must be kept physically secure. If left in a computer (as happens with sensitive devices), it will provide access for the next person who happens along (although an additional user entered id and password could be used).

Other limitations of the device are that it requires a USB port. Allowing USB devices to emulate a keyboard creates a security problem, but if disabled would stop the Yubikey working. Also, because it emulates a keyboard, any application on the host computer can read random numbers generated by the Yubikey.

One option which might be interesting for Yubico to make a credit card sized Yubikey. This would have sufficient space to overprint as identity card and have a conventional magnetic stripe. This could then be used with existing standard identity card printers and magnetic stripe security systems for student and staff ID cards. There are a number of designs available which have a USB interface on the edge of the card, or in a flexible cutout or with a folding card. These may seem cumbersome and subject to failure, but I have had a SanDisk Ultra SD Card for some years, which folds in the middle to covert to a USB drive.

Yubico might like to market the devices for green ICT power saving. The host computers could be programmed to switch to low power mode unit the device is inserted. It could also be used with thin client devices where the user's application run on a server. When the device was inserted in a different client, the applications would be restored as they were when suspended.
The Swedish company Yubico manufacture the Yubikey One-Time-Password (OTP) USB device and have released all protocol and other relevant details which makes the Yubikey particularly attractive as a low-cost and non-vendor-lock-in authentication solution.

Bob will demonstrate the Yubikey for the purposes of secure authentication on untrusted end-user systems (eg. PCs at an Internet Cafe or a friends house etc.) and will discuss some of the advantages as well as some of the weaknesses of the Yubikey system. He will then go on to describe the development of an authentication server written in C and based on a PostgreSQL database and implementing LDAP and other authentication protocols. This will include some technical details of how to use the APIs for connection to the database, parsing the ASN1 LDAP queries, dealing with denial-of-service attacks etc. He will also discuss some of the code he has written to implement the Yubikey protocol on devices with no USB port (eg. a PDA or mobile phone etc.).

This talk is a prelude to a paper Bob will present at the Linux Conference of Australia in 2010 (LCA2010) in Wellington, NZ in January.

Bob Edwards is the Chief IT Officer in the School of Computer Science at the ANU. He also teaches into the Computer Networks course and the Free and Open Source Software Development (FOSSD) course, amongst others.

From: Yubikey Authentication in a Mid-sized Organisation, ANU 2009

Labels: , ,

Wednesday, September 02, 2009

Getting 9 Volts from USB

USB Adaptor 5 Volt to 9 VoltThe "USB Mobile Phone Adaptor Kit" I ordered from Swamp Industries turned up in the mail the next day. The kit is impressive, with both car and mains USB adaptors to supply power and assorted plugs for differnet phones . However, the USB Adaptor, which boosts 5 Volts from a USB socket to 9 Volts, does not supply sufficient current to run my Huawei D100 3G Router and HUAWEI E169 3G USB modem.

The modem with the US wireless 3G modem plugged in uses about 270 mA, which should be just within what the USB adaptor supplies (300 mA +-5% at 9 Volts). However, the router uses up to 500 mA for a few seconds when it first starts up. When I turn the router on it starts to boot, then the green light on the USB adaptor turns red (presumably to indicate it is overloaded) and the modem goes off.

One good point is that the adaptor doesn't seem to be harmed by the overoad and is able to protect itself. So I did a quick calculation and decided that a 80 uF capacitor would store sufficient power while the router boots (the calculation involves Amps, Volts, Watts, Jules, and Farads). So, in theory, if I connect the capacitor (which will cost about $2) across the power terminals of the DC supply from the USB adaptor and wait a few seconds before turning on the router, the capacitor will be charged up with enough power to supply the router when it starts and it should then run fine.

If there are no more postings for a few days, that will be because my netbook has blown up, while trying this. ;-)

Labels: , , ,

Monday, August 31, 2009

Powering a 12 Volt Router from USB

USB Adaptor 5 Volt to 9 VoltConnecting the HUAWEI E169 3G USB modem to the Kogan Agora Netbook is proving harder than expected. While there are descriptions on the web of simply plugging the modem in and restarting the computer, the Kogan does not seem to recognise the device. Some manual modifications of setting have not helped. So I decided to take a different approach: when plugged into the Huawei D100 3G Router the modem works fine with the Kogan. The settings for the modem are stored in the router. This has the added advantage of the firewall in the modem and that the device can be shared by several computers.

But the router runs on 12 Volts from and mains power supply. How would I use it when away from a power socket when the Netbook is running on batteries? My first thought was to run the router on the power from a USB plug of the computer. I found that the Kogan's USB sockets supply plenty of power, being able to run an external DVD drive or hard disk. With my previous laptop I had to use two USB sockets to get enough power for an external drive.

The catch is that no one seems to make a USB to 12 Volt adaptor (there are plenty of 12 Volt to USB adaptors). In fact there are numerous web postings saying this is not possible. It is possible, but needs extra electronics to turn the 5 Volts supply by the USB socket into 12 Volts.

Digital MultimeterNot being able to find a 12 Volt adaptor, I thought I would make the problem easier by trying a lower voltage. Most digital electronics actually run on 5 Volts or less. The 12 Volts supplied to equipment is converted down. So first I tried the router at 5 Volts, using the USB adaptor cable which came with the external DVD drive. This was after I checked the voltage and polarity of the power with a multimeter). This did not work, clearly more than 5 Volts was needed.

Previously I had run a router designed for 12 Volts on a 9 Volt supply, with no problems. So I tried this with the Huawei D100 3G Router and found it works fine on 9 Volts (it has been running for 12 hours this way).

So then I looked for a USB to 9 Volt adaptor. There were numerous queries about such devices on the web and replies saying it was not possible. But I found one about a "USB Power Supply for Video Sunglasses" which used a DC-DC converter (voltage converter) from a phone charger accessory kit described as a "9V Nokia Booster for Wireless Phone Charger".

The booster is a small black box with a USB plug on one end and a USB socket on the other. The device converts 5 Volts to 9 Volts at 300 mA and is designed for charging old Nokia mobile phones. The instructions warn this should only be used with a 9 Volt device: plugging a standard 5 Volt powered USB device into the unit could damage the device.

As I already had a USB adaptor from the DVD which plugs into the router, it should be a simple matter to plug the voltage booster into the Netbook, plug the USB adaptor cable into that and that into the router. But where in the world do I buy such an adaptor and how long will it take to get to Australia?

As the device was for a Nokia phone, I looked at the Nokia catalogue, which had a "Nokia Charger via USB port CA-100". However, this appeared to be for newer phones which use a lower voltage. I looked at Ryda, who sell a "Nokia CA-70 USB Data Cable with Intergrated Charger". This looked more than I needed and I was still not sure it would supply the needed voltage.

After more searching I found the "Charger Sony K750 W830c w958 Z558 M608 W300 J220 K310" offered on Ebay by Swamp Industries. This appeared to be the same adaptor kit as used for the video sunglasses. I checked to see the company details on the web to see how long this would take to import into Australia and found the company is based in Canberra (where I am). Also I found the kit includes an Australian mains to USB power adaptor, which would be handy. On the company's own web site the kit is described as "Universal USB Mobile Car Wall PC Charger Nokia, Blackberry" and was half the price on the company web site as on eBay. So I ordered one.

It will be interesting to see when it turns up. It is also curious that having searched the world online, I found the product I wanted offered by someone a few kilometres away. I was tempted to phone the company and ask to collect the unit in person, but this is probably a part time mail order company with no shop. I do have the satisfaction of having a name to put to the company, as when I paid via PayPal, the system gave me the person email address of who was getting the payment.

Labels: , , ,

Saturday, July 04, 2009

USB standards for mobile phone chargers

USB ChargerThe use of USB for mobile phone chargers should reduce materials and energy use as well as costs to the consumer. Since 2007, China has required mobile phones to use a USB interface for the battery charger. As of 2010 the European Union will require a micro-USB connector on mobile phones for charging.
The Chinese and European requirements are different but compatible. The Chinese requirement is for a USB Type A socket on the charger. The EU requires a micro-USB connector on the phone. So to meet both requirements would require a charger with a USB Type A socket, a micro-USB to Type A USB Cable and a phone with a micro-USB socket. The Chinese requirement would slightly increase the cost, as an extra plug and socket is needed at the charger end of the cable.

Motorola U9 Cell PhoneThe EU requirement is only for data enabled phones, the ones which are likely to have a USB socket anyway. While this has been described as only applying to high cost smart phones, there are many low cost phones which have a USB interface. As an example the Motorola U9 sells in Australia for $99 and comes with a micro-USB socket. Unfortunately the U9 comes with the micro-USB plug permanently wired to the power adaptor. The Australian Motorola adaptor is not compatible with the Chinese standard as it does not have a Type A socket.

Instead of having to buy a charger with each phone, the one charger can be shared between different brands and models of phones. In a household were each person previously had a charger plugged in for each phone, instead one charger can be used. This will use less energy as only one charger will be consuming power.

These standards will also make it easier for consumers, with fewer different chargers and cables. The USB cables are low cost. A Type A to Micro USB cable from Paddy's Markets in Sydney, for example, is $12.

Harmonisation of a charging capability of common charger for mobile phones - frequently asked questions

(see also IP/09/1049 )

What's the issue?

Incompatibility of chargers for mobile phones is a major environmental problem and an inconvenience for users across the European Union. Currently specific chargers are sold together with specific mobile phones. A user who wants to change his/her mobile phone must usually acquire a new charger and dispose the current one, even if this is in perfect condition. This unnecessarily generates important amounts of electronic waste.

Which is the solution envisaged?

Harmonising mobile phone chargers will bring significant economic and environmental benefits. Following a request from the European Commission and in close co-operation with the Commission services, major producers of mobile phones have agreed in a Memorandum of Understanding (“MoU”) to harmonise chargers for data-enabled mobile phones sold in the EU. Industry commits to provide chargers compatibility on the basis of the Micro-USB connector. Once the commitment becomes effective, it will be possible to charge data-enabled mobile phones from any charger compatible with the common specifications.

Who will benefit and how?

Consumers will not need to buy a new charger together with every mobile phone, and they should also benefit from more efficient and cheaper stand-alone chargers. Consumers will be able to charge their mobile phone from the new common charger.

The environmental benefits of harmonising chargers are expected to be very important: reducing the number of chargers unnecessarily sold will reduce the associated generated electronic waste, which currently amounts to thousands of tons. Harmonised chargers are also expected to improve energy-efficiency, thus reducing energy consumption.

What will be the impact of the MoU on prices?

Consumers will be able to purchase mobile phones without a charger, thus logically reducing their cost. They will also be able to purchase much more cost-effective stand-alone chargers than it is currently the case

Are all mobile phones covered by the MoU?

The MoU covers data-enabled mobile phones. The MoU excludes mobile phones which do not support USB data exchange and also certain unusual formats of phone, for example phones worn as wristwatches.

Which is the agreed common interface?

On the basis of the Micro USB interface, the companies have agreed to develop a common specification in order to allow for full compatibility and safety of chargers and mobile phones

Why does the MoU only apply to data-enabled mobile phones/equipment?

Mobile phones are short-life products. It is expected that from 2010 onwards most future mobile phones will be data-enabled.

When is the proposal likely to come into effect?

It is expected that the first generation of new inter-chargeable mobile phones will reach the EU market from 2010 onwards. The Commission will closely work with industry in order to facilitate an implementation of the agreement on the market as soon as possible.

Which companies have signed the MoU?

The following 10 companies have signed the MoU:

  • Apple

  • LG

  • Motorola

  • NEC

  • Nokia

  • Qualcomm

  • Research In Motion

  • Samsung

  • Sony Ericsson

  • Texas Instruments

Where does the MoU apply?

The MoU covers the territory of the EU. However, as the market for mobile phones is essentially global, the MoU should be seen as a good model for other geographical markets. The Commission is committed to sharing this approach with its trading partners, in order to extend its benefits world-wide.

From: Harmonisation of a charging capability of common charger for mobile phones - frequently asked questions, Media Release, European Union, Reference: MEMO/09/301, 29/06/2009

Labels: , ,

Friday, January 30, 2009

EcoButton Energy Saver Gets Mixed Reviews

EcoButton Energy SaverThe EcoButton is a large backlight button which you plug into a computer via USB. Press the button and the computer is put in a low power suspended mode, press it again and the computer wakes up. This idea has got mixed reviews. On the one hand the device doesn't do any more than can be done with built in functions in the computer (my laptop has a suspend/resume button already or you can do the same thing with a few mouse clicks). The device will use extra resoruces to make and use. On the other hand having a dedicated on/off switch, by being simple and convenient, might be used by people who would otherwise leave their computer on. At least this is better for the environment than a USB cup warmer.

Labels: , ,

Saturday, August 23, 2008

UK Government Data Missing on Memory Stick

Retractor LanyardA USB flash drive with tens of thousands of prison and police records on it is missing in the UK. Perhaps Jacqui Smith, the government minister responsible, should have the contractor (PA Consulting) purchase some heavy duty retractable reel lanyards to secure the flash drives.

When a similar incident happened in Australia with a military officer leaving important data behind, I jokingly suggested that military personnel should be issued with a retractable cable clipped to their uniform. The officer could then clip the flash drive to the other end of the cable. If they forgot the flash drive, the cable would pull it out of the computer and retract when they got up.

Reels with nylon cable are commonly issued to staff with security swipe cards, but the clips and cables on most are flimsy. So I found on a stainless steel lanyard sold to sailors for attaching then penknives to. These are much stronger than the nylon cables and they have a secure steel clip on each end. While this started off as a joke, I found that people were ordering batches of these lanyards, presumably to hold flash drives. So I created an store for lanyards.

Coil LanyardFor those needing more security there are coiled plastic cable lanyards. Smaller ones of these are designed for divers and have a stainless steel clip on each end. Even stronger units are pistol lanyards. Some of these are actually a steel cable coated with plastic. One end of the cable has a wide nylon loop for attaching to a belt and the other a thin loop or a clip. They are designed for military and police handguns. One manufacturer claims that the cable is so strong it can help stop an attacker turning the gun on the owner. Because the lanyard is attached to the butt of the gun, the tension of the cable makes it naturally point away from the holder. As a result it is difficult for someone to point the gun at themselves or for anyone else to do that.

The military lanyards are more than would be needed for holding a flash drive, but then for security personnel, this sort of lanyard might fit better with their uniform than a shiny stainless steel reel. To complement this, there are also
Waterproof USB Flash Drives.

See the store:
  1. Retractable Lanyards
  2. Coiled Lanyards
  3. Pistol Lanyards
  4. USB Flash Drive
  5. Waterproof USB Flash Drives

Labels: , ,

Monday, March 05, 2007

Real uses for flash drive lanyards

Retractor LanyardIt was reported May 17, 2006 that a senior military officer left a CD containing a confidential report in a computer in the at an airport lounge:

... today it emerged Brigadier ... left the results of her investigation in a computer in the Qantas Club lounge at Melbourne Airport on Monday.

Defence Minister Brendan Nelson told reporters he was "angry and disappointed" by the latest bungle, and said he had not seen a copy of the report. ...

In response I wrote a spoof press release about a fictional product:
Coil Lanyard
"... reinforced military specification lanyard which can be attached to a flash drive, or other removable electronic memory device. The other end of the FlashHard is secured to the uniform of the personnel responsible for the information. The FlashHard will first provide a warning if the user attempts to leave their workstation without removing the flash drive. If the user ignores the warning, the FlashHard will automatically eject the flash drive from the workstation and retract it onto the user's uniform. ...".
It turns out that this is a real use. My brother, Dr. John Worthington, is an Educational Consultant and Psychologist, dealing with children. One problem is with some children leaving flash drives in PCs at school. So he suggested they be attached to a retractable reel, as used by staff for swipe cards. As in my spoof release, the drive is tethered to the child. After a few weeks of reminders from the device, the child gets into the habit of checking the flash drive before getting up.

Perhaps this would also work on military personnel, but they may still want a more military looking unit. ;-)

Labels: , ,