most secure USB key package

Discussion in 'privacy technology' started by pigsteezy, Jan 26, 2013.

Thread Status:
Not open for further replies.
  1. pigsteezy

    pigsteezy Registered Member

    Joined:
    Jan 26, 2013
    Posts:
    1
    I want to require the presence of a USB dongle for my devices to operate. I have heard of some software solutions like Predator, for Windows. I'm really looking for something more secure. I want my machine to be a total brick without the USB stick. I understand such a product may not be available to consumers, but the features I am really looking for are:
    - disable power on/boot without USB stick
    - log unauthorized access
    - power off machine if USB stick is removed
    - requires presence of USB AND a password
    - require USB to decrypt and use hard drive
    I'm really looking for something that is enterprise/government/military class and runs UNDER the operating system, so that the machine is totally bricked without the USB.
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    That's really specialized software, I have no idea. The 'poor man's' way would be to TrueCrypt the whole system, and put half of the pass phrase (32 random, unknowable characters) on a Yubikey in Static Mode for Slot 1. No logging or power off though.

    PD
     
    Last edited: Jan 29, 2013
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,424
    Yeah, a YubiKey is the answer.
     
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    The thing with Yubikey and TrueCrypt is you cannot achieve true two factor pre-boot authentication. The end user can still log into the system with or without the Yubikey present.

    With regard to pigsteezy's requirements:

    In my opinion you will be perfectly fine encrypting your hard drive(s) with an open source solution such as TrueCrypt or Windows' native variant. If you still require two-factor you can then implement that at the OS level.

    A more extreme suggestion would be creating a Live DVD/Live USB version of your Windows system and storing the saved information onto an encrypted hard drive or some other medium you wish to use. That would meet most of your requirements.

    Other than those two solutions there really is no safe way to achieve this without going the enterprise route and also upgrading your hardware to support such solutions, which in my opinion are not worth the costs involved.
     
  5. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Correct, I believe they call it pseudo-two factor.

    You are 100% correct, not disagreeing, but I do see it as one step above straight memorization.

    JMHO.

    PD
     
  6. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    I know what you mean, in terms of how the technology works. You are quite right.

    While it does not provide a separate / independent validation, effectively leaving anyone in physical possession of the hard drive with only a single hurdle to overcome, it does eliminate some level of exposure (by less sophisticated adversaries) by requiring a second object to complete the log on. Secondly, if the initial user password is strong, the Yubikey addition would make it impenetrable.

    The price is reasonable. However, for anonymity, I don't know how one gets around the payment process.

    While this is about a USB key package... what about USB fingerprint readers for a second factor?
     
    Last edited: May 15, 2013
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    If you're talking the inexpensive consumer readers - no. Two words: Silly Putty.
     
  8. anniew

    anniew Registered Member

    Joined:
    Mar 15, 2013
    Posts:
    92
    Thanks for today's best laugh! :thumb:
     
  9. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Jetico BestCrypt Volume Encryption also has a TFA feature.
    You can move the encryption key from the encrypted volume onto a removable drive and vice versa.
    Without this key on the USB drive, even if you enter a valid password (you can set multiple passwords, e.g. one for the admin and an additional one for another user), the volume won't be mounted.
    Unauthorized access is logged, and you will get a notification (with the number of attempts) when you log in to the encrypted system volume after starting the BCVE executable file.
    Powering off the machine when the USB stick is removed is not supported; however, Jetico BCVE introduced the Alarm Crash Hotkey to prevent cold boot attacks, so if the user presses the Alarm Crash Hotkey instead of turning off the computer, BestCrypt Volume Encryption will not only restart the computer immediately but will also wipe all encryption keys from memory.
    The full online help documentation is available here:
    http://www.jetico.com/bcve_web_help/
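
Added example (not part of the thread, and not code from Jetico, TrueCrypt or Yubico): a sketch of how a volume key can be wrapped so that it only unwraps when both the password and a secret held on the removable drive are supplied, next to the static-mode passphrase setup discussed earlier in the thread. All function names, the blob layout and the iteration count are assumptions, and the XOR-plus-HMAC wrap stands in for a real AEAD key wrap.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this sketch)

def derive_kek(password: str, usb_secret: bytes, salt: bytes) -> bytes:
    """Return 64 bytes of key material that depend on BOTH factors."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Keying the HMAC with the USB-held secret means the password alone
    # cannot reproduce the output, however strong it is.
    return hmac.new(usb_secret, stretched, hashlib.sha512).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_volume_key(volume_key: bytes, password: str, usb_secret: bytes) -> bytes:
    """Wrap a 32-byte volume key; layout is salt(16) | ciphertext(32) | tag(32)."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(16)
    kek = derive_kek(password, usb_secret, salt)
    ct = _xor(volume_key, kek[:32])  # stand-in for a real AEAD key wrap
    tag = hmac.new(kek[32:], salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap_volume_key(blob: bytes, password: str, usb_secret: bytes):
    """Return the volume key, or None if either factor is wrong or missing."""
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    kek = derive_kek(password, usb_secret, salt)
    expected = hmac.new(kek[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, kek[:32])

def static_mode_key(typed_passphrase: str, salt: bytes) -> bytes:
    """Key for the 'half the passphrase on a static-mode token' setup: the
    software only ever sees one string, whoever or whatever typed it."""
    return hashlib.pbkdf2_hmac("sha256", typed_passphrase.encode(), salt, ITERATIONS)

if __name__ == "__main__":
    usb_secret = os.urandom(32)  # constructed: contents of the key file on the stick
    volume_key = os.urandom(32)  # constructed: the disk's master key
    blob = wrap_volume_key(volume_key, "correct horse", usb_secret)
    print(unwrap_volume_key(blob, "correct horse", usb_secret) == volume_key)
    print(unwrap_volume_key(blob, "correct horse", b"\x00" * 32))  # stick absent
    print(unwrap_volume_key(blob, "wrong", usb_secret))            # bad password
```

The USB-held secret in this sketch is still a static file, so a copy of it unlocks the volume as well as the original stick does.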
     