project idea: portable password safe

Bas Wijnen wijnen at debian.org
Fri Sep 6 16:21:16 EDT 2013


On Fri, Sep 06, 2013 at 02:18:03PM -0300, Werner Almesberger wrote:
> I've been thinking for a long time about making a portable password
> safe device.

Nice!  It has come up on this list several times before, but so far, nobody
worked on it I think.

> I originally thought of using the Ben for such a purpose,
> but it has some properties that would be undesirable for such a role.
...
> The device would have a small display, a (tiny) keyboard, USB host
> and USB device, and RF (802.15.4, to keep things simple and cheap).

The Ben has all that (RF with your board), except for the USB host.

But the only thing you seem to need USB host for is the keyboard, which
the Ben has, too.

So why do you think the Ben is not suitable?

I think having it run Linux might not be the best idea, because Linux
is too complex; you couldn't really be sure that it doesn't do things you
don't want.

Iris (my kernel/OS) would probably work really well for it, but it needs
quite a bit of polishing before it can be used.  I've been thinking of
doing that lately, but haven't worked much on it.  If anyone is interested,
I'm happy to spend some time working with that person to make it ready for
hacking.

> - password safe content (memory card) is easily hidden and can be
>   quickly destroyed,

If you use the sd-slot for RF, you lose this benefit, of course (unless you
sacrifice the Ben, but that doesn't sound like a reasonable thing to me).

> - could be the basis for more sophisticated authentication schemes,
>   e.g., an end-to-end challenge-response system that can be used
>   also if intermediate systems are compromised.

Additionally, the Ben would be able to present itself as a pgp token, doing
the encryption and signing and never providing the keys, so it would even
be secure if the PC itself was compromised.  But only for systems which
support it, of course.

> - lacks integration with Web browser (i.e., browser selects which
>   account record to use based on URL visited).

It would probably be possible to write a firefox plugin which would
communicate this information to the device somehow.

> Does that sound useful ?

Yes.

Thanks,
Bas



More information about the discussion mailing list


interactive