HC1 - automount encrypted disk, but only in correct network

Moderators: mdrjr, odroid

HC1 - automount encrypted disk, but only in correct network

Unread postby fvolk » Fri Nov 10, 2017 7:50 pm

Due to its small size the HC1 is unfortunately a candidate for theft.
I do not fear intrusions coming in from the network, I consider good old stealing of
1) whole HC1 with disk 2) just removing disk a potential problem.

While the loss of the hardware hurts, the privacy of the data is more important.
Consequently the disk should be encrypted.
Manually typing in an encryption key every time at boot is naturally possible, but uncomfortable to do at every boot.

So the question is:
Can it automount an encrypted disk with data (or even whole root), but only when the HC1 is connected to the correct network cable?

Ideas:
Key depends on some HC1 hardware serial, so only decrypts when disk is attached to correct HC1 hardware - binds disk to hardware.
Key depends on correct network:
a) Runs DHCP on boot and key depends on obtained IP plus MAC address of DHCP server?
b) Key depends on some additional data field/nonce other DHCP servers do not send?
c) Advanced: Connected by Wifi, key depends on availability of other online stations (hash of all MACs of certain stations?).
d) Or there is an explicit key server on the network that is queried on boot and returns the key.
Ultimately this has to be patched into the HC1 boot process, and the more complex the approach is the more difficult it is.

Anyone ever thought about or implemented something like this?
Obviously, there is no perfect security, but a non-manual automount crypted disk solution that keeps the data away from basic thiefs that just steal the whole HC1 hardware in a moment where nobody is looking would be nice.

Just thinking loudly :-)
fvolk
 
Posts: 125
Joined: Sun Jun 05, 2016 11:04 pm
languages_spoken: english
ODROIDs: C2, HC1

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby memeka » Fri Nov 10, 2017 8:31 pm

1) boot odroid from network
2) modified kernel contains a simple /dev/encryption-key that contains the ... encryption key
3) no network boot, no decryption...
User avatar
memeka
 
Posts: 3732
Joined: Mon May 20, 2013 10:22 am
languages_spoken: english
ODROIDs: XU rev2 + eMMC + UART
U3 + eMMC + IO Shield + UART

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby mad_ady » Sat Nov 11, 2017 5:17 am

encrypted rootfs and an initrd that brings up networking and ries to query and get the key from a https server (wget). You would need valid certificates and valid time. Certificate validation as well issuer CA)
By the way - where do you keep your HC1 and when are you not paying attention? :)
User avatar
mad_ady
 
Posts: 2787
Joined: Wed Jul 15, 2015 5:00 pm
Location: Bucharest, Romania
languages_spoken: english
ODROIDs: XU4, C1+, C2

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby dchang0 » Wed Nov 15, 2017 1:41 am

How about these other possible solutions?

1) mechanically secure the HC1 to something, such as with a hole drilled for a cable lock or security bolt

2) fingerprint sensor so that you can easily decrypt/unlock the unit when it is powered on; if a person steals the unit, presumably it would lose power, and then when they power it back up, it would need to be decrypted with your fingerprint again
dchang0
 
Posts: 103
Joined: Tue Dec 22, 2015 1:29 pm
languages_spoken: english
ODROIDs: C1+, XU4Q

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby mad_ady » Wed Nov 15, 2017 3:50 am

I'm curious - are there fingerprint sensors working on linux?
User avatar
mad_ady
 
Posts: 2787
Joined: Wed Jul 15, 2015 5:00 pm
Location: Bucharest, Romania
languages_spoken: english
ODROIDs: XU4, C1+, C2

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby fvolk » Wed Nov 15, 2017 5:01 am

Use cases e.g.
a) Shared server hosting facility. Cheap, but too many people have access and a HC1 is easier to pickpocket than a PC.
b) Portable server at events. During longer (lunch) breaks I take laptop with me, but HC1 playing server keeps running, and depending on event location may be unwatched for some time.
fvolk
 
Posts: 125
Joined: Sun Jun 05, 2016 11:04 pm
languages_spoken: english
ODROIDs: C2, HC1

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby mad_ady » Wed Nov 15, 2017 5:29 am

You can probably use full disk encryption with the key stored on a thumb drive attached to your keychain. You boot the HC1 with the stick attached and remove it after boot.
User avatar
mad_ady
 
Posts: 2787
Joined: Wed Jul 15, 2015 5:00 pm
Location: Bucharest, Romania
languages_spoken: english
ODROIDs: XU4, C1+, C2

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby fvolk » Wed Nov 15, 2017 7:07 am

Hmmm...
a) wired network, attached to my home network (=e.g. known DHCP MAC) --> obtain key from a fixed address on network
b) wired network, network unknown --> try to get key from USB stick; if no USB stick, wait for key being explicitly sent
c) no wired connection detected --> Wifi stick in USB slot opens up own AP to play server. Wait for key being explicitly sent, e.g. from phone with an app.
And make all this cases automagically work :-)
fvolk
 
Posts: 125
Joined: Sun Jun 05, 2016 11:04 pm
languages_spoken: english
ODROIDs: C2, HC1

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby mad_ady » Wed Nov 15, 2017 3:59 pm

Well I don't want to sound paranoid (though I probably am), but assuming that somebody steals your odroid and has the interest to crack it, steps a and c will be unsafe because the attacker can reverse your initrd and extract the decryption key and can find out which is the correct mac of your DHCP server and impersonate it (unless you compare hashes of the mac instead).
You can replace a and c with retriving the key from a https resource after completing a challenge/response authentication.
Even if the attacker has your hardware he still would need the key from your stick/https server. Most likely he hasn't got it in advance and by the time he learns how to get it (the server url) you can disable it on your side.
Keeping the encryption key in any form on the odroid is not secure.
An alternative to the https server is to use custom dhcp attributes on your server that get passed to the client with the ip and having a client-side script scrape the dhcp log to extract the parameter and use its value as key. Though I'm not sure if dhcp options can have 4KB values and you'd be vulnerable to somebody sniffing your network/wifi (dhcp is unencrypted).
You need to determine your threat level.
User avatar
mad_ady
 
Posts: 2787
Joined: Wed Jul 15, 2015 5:00 pm
Location: Bucharest, Romania
languages_spoken: english
ODROIDs: XU4, C1+, C2

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby fvolk » Sat Nov 18, 2017 6:59 am

I consider the main threat that someone pockets the HC1 and the thief should not be able to decrypt the data on the HD without also having some access to additional external information.

Consequently that means the complete key cannot be on the microSD. Of course nothing is perfect, if the environment provides some input to a key this can be replicated if the thief is smart, but I'm optimistic that the theft can be noticed in time so the environment can be changed that reconstructing the key no longer works.

I'm leaning on my original idea b). At home my DHCP provides some extra info for key generation, and my home DHCP is not accessible from outside. For events/travel I have to explicitly provide the key on bootup - e.g. USB stick.
fvolk
 
Posts: 125
Joined: Sun Jun 05, 2016 11:04 pm
languages_spoken: english
ODROIDs: C2, HC1

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby mad_ady » Sat Nov 18, 2017 2:12 pm

I can see it now - a linux guru gray bearded thief swiping your device while attaching external power to prevent reboot/preserve state :D
It would work for all other odroids because they can be powered through gpio.
User avatar
mad_ady
 
Posts: 2787
Joined: Wed Jul 15, 2015 5:00 pm
Location: Bucharest, Romania
languages_spoken: english
ODROIDs: XU4, C1+, C2

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby dchang0 » Sun Nov 19, 2017 2:48 pm

mad_ady wrote:I'm curious - are there fingerprint sensors working on linux?


I haven't tried this two-year old solution, but apparently some fingerprint readers were supported by this method:

https://askubuntu.com/questions/442838/ ... nt-scanner


Alternately, how about UART fingerprint sensor?

https://www.waveshare.com/wiki/UART_Fingerprint_Reader

From what I can tell, the fingerprint processing is contained within the unit, so the HC1 would only have to concern itself with getting an OK from the fingerprint reader over UART. (I suppose this means a really clever hacker could spoof it.)
Last edited by dchang0 on Sun Nov 19, 2017 2:56 pm, edited 2 times in total.
dchang0
 
Posts: 103
Joined: Tue Dec 22, 2015 1:29 pm
languages_spoken: english
ODROIDs: C1+, XU4Q

Re: HC1 - automount encrypted disk, but only in correct netw

Unread postby dchang0 » Sun Nov 19, 2017 2:50 pm

fvolk wrote:I'm leaning on my original idea b). At home my DHCP provides some extra info for key generation, and my home DHCP is not accessible from outside. For events/travel I have to explicitly provide the key on bootup - e.g. USB stick.


USB stick is probably the simpler solution to actually implement. If it were me, I'd use the USB stick approach both at home and while out and about.

The simplest way is probably to record a bunch of keystrokes on the USB device (not a flash drive, but a microcontroller).

It would do the following:

1) log in
2) run some command to decrypt the drive
3) type a long string

Basically, you could do all the same steps with a USB keyboard, but it does it for you super-fast. Here is an article about something similar that gave me the idea--they used a Teensy microcontroller.

http://www.securityweek.com/usbdriveby- ... -computers
dchang0
 
Posts: 103
Joined: Tue Dec 22, 2015 1:29 pm
languages_spoken: english
ODROIDs: C1+, XU4Q


Return to General Chat

Who is online

Users browsing this forum: No registered users and 3 guests