End-user Computer Security/Main content/Passwords and digital keys
Password security
Password security is a very important issue because it is now not at all uncommon for users to maintain many accounts, some of which may provide extremely important functionality, and each of which requires its own security credentials. It also matters because it is often good practice, and sometimes even contractually required, that users change their passwords on a regular basis. Taken together, this can appear to be something of an ordeal when it is remembered that users somehow have to keep all of their passwords secret and ordinarily also be able to call them to mind, and there could potentially be very many of them.
In these respects, it seems prudent that an overall password security strategy be developed.
General information from the National Cyber Security Centre (NCSC) on password security is available here. Information and guidance from the NCSC on what makes a good password is available here.
Password managers
Google allows passwords to be stored in your Google account. A user can log into their Google account so that it is the account providing the settings of their Chrome internet browser. The Google account can then store very many different passwords, for different online accounts, that no one actually knows (it can be set so that even the user doesn’t know them). These passwords can also be randomly generated so as to create strong passwords that, again, no human being knows. When the user goes to the login screen for one of their accounts whose password has been saved in the manner just described, the Chrome browser automatically fills in the password for the user, without the user having to call the password to mind or even to know it. In this way, a user can have different strong passwords for their different accounts, which can easily be changed, without any human being actually knowing any of the passwords.
There are other downloadable tools that also have this kind of password management functionality.
National Cyber Security Centre (NCSC) information and guidance on password managers (aka password vaults) is available here and here.
Multi-step authentication and multi-factor authentication
(multi-factor authentication is also known as MFA)
The security of passwords is ordinarily enhanced by using either multi-step authentication, or multi-factor authentication (MFA). The ‘multi’ aspect is often two (i.e. two-step authentication). MFA is a means for overcoming mind-reading attacks[1].
When Google’s two-step authentication is set for a Google account, so that two-step security is used every time the user logs into that account, it to some extent translates into a two-step level of security for those of the user’s online accounts whose passwords are stored exclusively in the Google account in the secret way outlined in the previous subsection. Google offers a variety of second steps in its two-step authentication settings, including a USB security key token[2] and text message[3].
The National Cyber Security Centre for the UK (NCSC) recommends that users set up 2FA (two-factor authentication) on all their important accounts. More information and guidance from the NCSC on multi-factor authentication can be found here.
Non-Latin alphabet
Computer password security can be enhanced by using, for the password, an alphabet that is not so well known. Non-Latin alphabets will likely fit this description. It's probably best to mix several different alphabets together, for maximum security. This might be easier than initially thought, because within certain familiar domains such as mathematics and science, letters from foreign alphabets are often used (such as from the Greek alphabet). Choosing letters that have uncommon pronunciations may provide further security. Unicode non-verbal symbols and word symbols, including emojis, can also perhaps be used to increase security even more.
Concerning certain password attack vectors
Screen privacy
The Chrome browser software unfortunately (at the moment) displays suggested strong passwords on the screen, which is open both to psychic attack and VDU signal interception attack. To overcome these attacks, simply move the Chrome window so that when Chrome tries to display the password, the displaying occurs outside the boundary of the screen, thereby preventing it from being displayed.
As detailed later in the subsection entitled “Privacy screens”, privacy screens can be used as a defence against the spying of the visual emanations emanating from your screen, which can have the knock-on effect of interfering with illicit password-capture attempts.
Keyboard privacy
Complete occlusion
A cardboard “restricted viewing enclosure”, with room for hands, can be constructed to go over keyboards[4]. Once it is placed over the keyboard, the user must look through two eye holes (like looking through goggles), or some other kind of narrow viewing port, to be able to see the keyboard. The user then places their hands through the hand holes and types their password. In this way, casual onlookers as well as cameras (hidden or otherwise) cannot see what is being typed, because the cardboard construction visually occludes the keyboard.
Example cardboard “restricted viewing enclosure” installed on Chromebook
Another way to provide a level of occlusion from spies relying on spying of the visible spectrum of light, is to move physically, your computer and/or its parts accordingly. In the case of a laptop, this might involve partially closing your laptop (moving the screen closer to the keyboard based on pivoting around the laptop’s hinge[s]) but not so much so as to trigger the automatic powering off of the laptop.
Distance-dependent occlusion (privacy keyboard screen)
Using the reflective material commonly found in the lenses of sunglasses, you can create a short table of sorts (perhaps 10cm to 20cm tall) to go over your computer keyboard. Hopefully, when you type with the table installed, you must move your eyes close to the table surface to see which keys you are pressing. The hope is that from too far away, all you see are reflections, due to the special material being used for the table’s surface. By installing such a feature, you will better prevent cameras from recording your keystrokes. This could be very useful if you travel and spend time using your computer in different hotels where secret cameras could easily be installed. It is not certain that this will work, but it appears likely that materials with such transparency and reflective properties really do exist; so far no information on them has been found through internet searching. Perhaps another way to achieve the same effect, is to use glass or see-through plastic, that has very high glare properties. It is suspected that old CDs and DVDs can possibly be recycled to create such privacy screens. It is also suspected that material that is polarised and transparent, could quite likely help in creating such privacy screens.
It should be noted that angle-dependent occlusion (rather than distance-dependent occlusion), as in restricting viewing angles, may also be helpful for establishing keyboard privacy. As such, the later section entitled “Privacy screens” is relevant to the subject of privacy keyboard screens.
In conclusion however, for simplicity and ease, probably the best way to devise such a screen is simply to use a kind of pinhole material. For example, pinhole glasses are used by optometrists for the keratoconus condition, to identify vision in spite of the condition. From far away, the glasses just appear as small holes in some plastic. However, from close-by, being worn on an individual, an individual can see through the pinholes. The principle appears to be relatively straight-forward, based on the geometry of light rays as they pass from objects ahead of a viewer, towards the viewer. It is strongly suspected, such "pinhole glasses" material can be created by simply poking several holes through a cardboard sheet (which could provide a "low cost and home made" based advantage[5]).
Using Morse code
One of the most straightforward ways to counter visual spying on the pressing of keys is to enter your password using Morse code or some similar single-key password mechanism. A user can easily and surreptitiously enter their password using Morse code whilst appearing to write something completely unrelated to entering a password. The user’s hands can additionally be placed so as to occlude the visual capture of the Morse code being entered.
Using keyscrambler software seems a wise and sensible countermeasure against the key logging of the electronic signals generated by keyboards. As outlined later in the section entitled “Psychic spying of password”, it is also effective against certain psychic attacks. Basically, what you type, say for a password, is not what gets entered as the password: it is encrypted. Without knowing how the key presses are encrypted, it is impossible to learn the actual password by means of conventional keyloggers.
General visual spying
Hologram technology can be used for hiding passwords printed on paper, so that they can only be seen from certain viewing angles. Lenticular printing (which appears either to be related to holography or a type of holography) appears potentially capable of providing a cheap, mostly home-made, and DIY[6] way to make holograms or something like holograms, capable of hiding passwords in this manner. Perhaps lenticular-printing security can be achieved simply by using something like corrugated plastic placed over a print-out from a conventional printer. Alternatively, passwords can possibly be hidden by them being printed on paper using ink that has slightly different reflective properties to the rest of the paper. When viewed from a certain angle, the hidden text will possibly be revealed due to the greater reflection of light from the ink, such that from other viewing angles, the reflection is not strong enough to reveal the text. Instead of using reflections, using other optical effects based on the use of transparent materials, perhaps can be employed for roughly the same thing. A reflective effect used in an opposite way, such that higher degrees of reflection effectively blot out the password and lower degrees instead reveal the password, may also be effective. Perhaps an even more interesting effect can be obtained if passwords are only revealed when monitoring all frames in the movement of an object. This could perhaps be done by rotating an object containing the hidden password, where the containment was such that the first frame shows just the first letter, and the last frame, at which time 180° rotation is achieved, shows just the last letter of the password. These kinds of effects appear to be possibly achievable with certain kinds of moving hologram, and also with certain kinds of lenticular printing.
By using a UV pen, hidden things can be written that are not at all visible to the naked eye. Using an ultraviolet security lamp, ought to reveal such hidden things. But perhaps even more interesting, is that it seems UV protection glasses may also be able to see such hidden things. This effect appears to be widely accepted as a means for card players to cheat at card games like poker. To obtain such glasses, it might be best to order a pair of ordinary looking glasses (for the sight impaired), with the option chosen for them to undergo special treatment for protection against harmful UV rays; if you already use looking glasses, you may find that any extra expense incurred, ends up being inconsequential. Such invisible ink may be particularly handy for the paper-based keyboard scrambler mentioned in the “Protection using password encryption” section that shortly follows.
There are also ‘classic’ old-fashioned steganographic ways to hide passwords, such as in a completely unrelated document by very weakly pencil-underlining the letters making up your password.
The prevalence of camera technology likely means the very many types of visual encoding for passwords, can simply be recorded using camera technology with ease. Later computer analysis of captured images can assist in cracking passwords also perhaps with ease.
Encoding passwords as flavours on a strip of paper, might overcome these vulnerabilities. If the paper can be designed so that it can only be 'tasted' once, then you have the advantage of being able to detect whether the password has already been 'read'. Technology to taste small 'dots' of flavour on pieces of paper, is likely not prevalent and is likely very expensive if it is at all possible (it might be possible with the aid of machines like GC-MS machines, but such machines are normally very expensive and require highly specialised skills that only a small minority possess). Once a flavour-encoded password has been 'read' (tasted), it can be destroyed if it is still able to be 'read'.
Another potential way of encoding passwords to overcome sight-related vulnerabilities, is to use non-visible braille. The non-visibility aspect of the braille may be hidden by means of visual noise, or simply visual absence (of the specific markings used for the braille).
Psychic spying of password
The password management features of Google accounts also constitute one way of overcoming psychic password spying (basically, mind reading). Because only the 'computer knows' the individual passwords, psychic attacks simply don't work here so long as the security for engaging the password manager is not compromised.
Protection by thinking little
Memorising passwords extremely well, such that entering them doesn't involve consciously calling the password to mind, is perhaps another way to prevent psychic attacks aimed at illicitly learning passwords. If the password is called to mind merely as finger presses of keys, where exactly which key is pressed is hardly thought about by the key presser (where reliance is made on rote memory, rather than on conscious thoughts), it will probably be hard for those relying on psychic powers to figure out what the password is.
With technology
Another mechanism to protect against psychic attacks is to have some piece of software on your local computer that translates the password in your mind into another one, where the other one is the one used to log in (say to your Google account). Keyboard scrambling software is one such kind of software. Psychic attacks can get hold of the password in your mind, but because the real password for logging in is one derived from the software and your memory combined, the 'psychic attacker' can't get hold of the real password without also having the software. The software’s algorithm could perhaps be simply the concatenation of some never-known private key to the password called to mind by the user. In the case of any entity trying to force the account password out of you, destroying all the media on which the private key is stored would effectively render recovery of the password ordinarily impossible. This kind of security feels like it might be aptly labelled as a kind of two-factor security system.
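A sketch of the scheme described above, as an added example that is not part of the original text: the login password is derived from the memorised password and a random key file that nobody ever reads. It swaps plain concatenation for PBKDF2-HMAC-SHA256 with the key as salt; the function names, work factor and sample values are assumptions.

```python
import base64
import hashlib
import os
import secrets
import tempfile

ITERATIONS = 200_000   # assumed PBKDF2 work factor
KEY_BYTES = 32         # size of the never-known local key


def create_key_file(path):
    """Write a fresh random key that no person ever sees; refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(secrets.token_bytes(KEY_BYTES))


def load_key(path):
    """Read the key back, rejecting a truncated or damaged file."""
    with open(path, "rb") as handle:
        key = handle.read()
    if len(key) != KEY_BYTES:
        raise ValueError("key file is damaged or truncated")
    return key


def derive_login_password(memorised, local_key, account):
    """Combine the memorised password with the local key for one account.

    The account name is mixed in so that each account gets a different
    derived password from the same memorised one.
    """
    salt = local_key + account.encode("utf-8")
    raw = hashlib.pbkdf2_hmac(
        "sha256", memorised.encode("utf-8"), salt, ITERATIONS, dklen=24
    )
    return base64.urlsafe_b64encode(raw).decode("ascii")  # 32 printable chars


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key_path = os.path.join(tempfile.mkdtemp(), "local.key")
    create_key_file(key_path)
    key = load_key(key_path)
    print(derive_login_password("memorised phrase", key, "mail.example"))
    # Destroying every copy of the key file makes the derived password
    # unrecoverable, even by someone who knows the memorised phrase.
    os.remove(key_path)
```
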
Without technology
Using a paper-based keyboard scrambler is perhaps a good idea to mitigate against psychic attempts to obtain your password. You simply create a paper-based overlay for your keyboard, on which the key characters and symbols are scrambled. You type your password as you remember it, into the scrambled keyboard. You then pack away your keyboard scrambler, perhaps even locking it up till the next time you need to use it. In such fashion, whilst a psychic attack might obtain the password from your mind, the attacker will not actually know the password, because that password in effect has been encrypted through the paper-based scrambler. In fact, if you don't memorise the paper-based scrambler, then not even you know the true password, which seems really good. It's important to block the photographing of the paper keyboard scrambler, which can happen by means of hidden cameras. In this regard, folding it up when you don't need to see it seems like a worthwhile precaution. A paper-based keyboard scrambler is particularly useful because of how little it costs to create. It's entirely feasible and economical to use a new cipher encoded in the scrambler each week, by simply discarding the last paper-based keyboard scrambler and making a fresh one. Also, the fact that it is not based on computer hardware or software is another attractive attribute of this security measure.
Example paper-based scrambler installed on a Chromebook
Based on password reuse
For National Cyber Security Centre (NCSC) information on specific concrete passwords not to use (password blacklisting), see here.
For NCSC security guidance and information in relation to a user reusing one of their previously used passwords, see here.
For NCSC information on the password attack known as credential stuffing, that exploits the habit of users reusing passwords, see here.
Digital cryptography:
Disabling TLS security certificates
Why not turn off certain security certificates? This seems like a prudent measure. Not all certificates are to be trusted with the same level of trust. Also, it's likely that not all certificates are actually generally needed; in fact, perhaps only a small number of security certificates are in reality needed.
How about disabling all TLS security certificates by default, and then selectively turning them on as and when they are required? They can even be turned off again once they have been used. This should help to detect attempts at fraud and/or spying over the HTTPS protocol (and other like systems).
Making sure certificates are genuine
Ensuring security certificates are not compromised seems very important. To this end, multiple checks on them, perhaps in an automated fashion, seem like a good idea. Simply doing spot-checking to make sure that TLS security certificates on a particular device have the correct keys, by comparing them with the keys from another computer or source, may be enough.
A user could export security certificates to an SD card and then, when using a different system (such as a different WiFi network or different telecom provider), obtain differently sourced certificates and check that they are the same as the ones the user already has. This could be particularly applicable when in another country, as well as when visiting friends, etc. For example, in China, the government may tamper with security certificates, but users can then visit other countries, re-obtain the certificates, and figure out that the government is tampering with their security certificates.
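One way to automate the spot-check described above, as an added example rather than anything from the original text: it compares two certificate exports by SHA-256 fingerprint and reports entries that share a name but differ in content. The export layout (one `.pem` file per certificate), the function names and the sample data are assumptions, and the sample "certificates" are constructed placeholder bytes, not real X.509 certificates.

```python
import base64
import hashlib
import ssl
from pathlib import Path


def fingerprint(pem_text):
    """SHA-256 over the decoded DER bytes, so PEM line wrapping is irrelevant."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def load_export(directory):
    """Read an export directory (e.g. on an SD card) into {name: PEM text}."""
    return {p.stem: p.read_text() for p in sorted(Path(directory).glob("*.pem"))}


def compare_exports(local, reference):
    """Compare two {name: PEM} exports obtained over different networks."""
    report = {"match": [], "mismatch": [], "only_local": [], "only_reference": []}
    for name in sorted(set(local) | set(reference)):
        if name not in reference:
            report["only_local"].append(name)
        elif name not in local:
            report["only_reference"].append(name)
        elif fingerprint(local[name]) == fingerprint(reference[name]):
            report["match"].append(name)
        else:
            # Same certificate name, different bytes: the case worth investigating.
            report["mismatch"].append(name)
    return report


def constructed_pem(payload, one_line=False):
    """Wrap placeholder bytes in PEM armour (constructed data, NOT a real cert)."""
    if not one_line:
        return ssl.DER_cert_to_PEM_cert(payload)   # body wrapped at 64 columns
    body = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed sample exports: the device's own copy and one fetched elsewhere.
LOCAL_EXPORT = {
    "Example Root CA": constructed_pem(b"constructed-root-ca " * 8),
    "Example Issuing CA": constructed_pem(b"constructed-issuing-ca " * 8),
    "Legacy CA": constructed_pem(b"constructed-legacy-ca " * 8),
}
REFERENCE_EXPORT = {
    # Same bytes as the local copy, only wrapped differently: still a match.
    "Example Root CA": constructed_pem(b"constructed-root-ca " * 8, one_line=True),
    # Same name, different bytes: reported as a mismatch.
    "Example Issuing CA": constructed_pem(b"constructed-other-key " * 8),
    "Other CA": constructed_pem(b"constructed-other-ca " * 8),
}

if __name__ == "__main__":
    for status, names in compare_exports(LOCAL_EXPORT, REFERENCE_EXPORT).items():
        print(status, names)
```
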
Key servers
The notion of key servers seems very much applicable here: they can probably be used for verifying TLS security certificates, and generally speaking, they probably ought to be used for this and other types of digital key. Software such as GPG can perhaps be used to automate the task of key-server-based verification of keys. GPG apparently is available in the Heads firmware boot verification system (Heads was mentioned earlier in the section entitled “Custom BIOS/UEFI and which one to use”); running GPG as hardware firmware may be best to minimise the risk of the software being compromised.
Cross authentication
Is there a way to get certification authorities to cross-authenticate certificates from other such authorities? Does it happen automatically? If not, it sounds like a good idea to have such a mechanism in place. For example, you may be able to discover that one certificate has been compromised on your computer, through the signed message of another trusted certification authority revealing what the compromised certificate’s key should have been. Relevant information on this subject might be found here.
Non-compromised communication of public keys
Communicating public authentication keys simply through website publishing might be considered as being not secure enough. The additional use of a key server, or maybe multiple key servers, may be useful for increasing trust in keys (which is touched upon above in the “Key servers” subsection). The novel Bitcoin-related method for increasing trust in public keys, described in the Appendix, may also be useful for improving user trust in published keys.
However, what other ways can be used for communication of public keys?
One possible solution is to get the organisation represented by the website, to send the key to a trusted recipient who can then hand it over to the end-user where in the handover there is no or virtually no possibility of man-in-the-middle (MITM) attacks. It might be ideal that the trusted recipient prints out the key, rather than for them to hand it over to the user as a computer file, in order to mitigate against security risks associated with computing technology. The user can physically travel to the recipient, rather than have the key posted or sent on to the end-user (thereby reducing transit risks associated with MITM attacks). A perhaps novel solution, that might be ideal, is for the trusted recipient to be an online printing business, such as Tesco’s, Kodak’s, or Boots’s photo printing. Several trusted recipients can be used to detect better, compromises in such communications.
Publishing public keys in a “gazette”
There is still the chance that an end-user’s request for such transmission to a trusted recipient is compromised through MITM attacks. To mitigate against this, instead of organisations doing such sending of keys on a per-end-user-request basis, the organisations can periodically do such key sending to key locations in the geographic areas of their markets. Doing such sending, is similar to simply periodically publishing the public keys in a well-known gazette.
Piggy-backing over bank transactions and systems
Another method of communication, that might be quite secure, is to piggy-back over the financial system's banking system. For example, the organisation can do a bank transfer for a nominal, trivial, and negligible amount to the end-user, with the bank reference being a public key to be sent. The end user can then visit a local bank branch, where the security is likely to be very high, and find out the bank reference used, and consequently the public key. Not only will the security at the branch be high, the security of the overall banking system is likely to be very high, thereby perhaps ensuring quite secure communication of the public key. To ensure that the transaction is genuinely from the organisation, perhaps your local branch can offer a service where they can give you useful company details of the account that paid you (such as possibly the company registration number, address of the registered office, etc.) You can then possibly authenticate that the source of the financial transaction was indeed the organisation. By ramping up the value of the transaction, perhaps further trust can be attained through the relatively high amount of money spent in the transaction.
If it is believed that the bank transaction reference may be compromised, then reliance can instead possibly be made on the monetary amounts of transactions. For example, to send the key 1735 8513, a sender can make a series of 8 financial transactions: the first being for 1 pence, the second for 7 pence, the third for 3 pence, and so on. Because banks invest heavily in the financial integrity of transactions, this could be quite a secure way to communicate such information.
Interestingly, using a weak currency could be better for such transactions, to bring down overall costs; perhaps a suitable cryptocurrency denomination might be available in order to bring down the overall costs.
Google Authenticator “key and time”-based app for security
A security method to mitigate against a certain type of evil-maid attack, involving the Google Authenticator time-based app system to ensure a computer has not been secretly replaced with another potentially compromised one, is described by Trammell Hudson in his 33c3 talk[7] (it was previously described by Matthew Garrett). It is as follows. The key stored in the Trusted Platform Module (TPM) can be a private key only shared with Google. Then once you log into your system, the TPM essentially 'signs' the current time (rounded, perhaps to the nearest five minutes) with the key. Google then does the same through the 'Google Authenticator' system at their remote servers. In both instances of signing, the key is already with the respective party (so no transmission takes place, at that time, of the private key). The message digest created using the TPM is displayed on the computer screen; the digest created by Google, is displayed on the user's smartphone through the 'Google Authenticator' app. The user compares to make sure the message digests are the same. If they are the same, the user can be sure that an evil-maid attack hasn't occurred where the entire computer was secretly and deceptively replaced with another.
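The comparison described above is the time-based one-time password construction standardised in RFC 6238, which the Google Authenticator app implements. The following added example (not code from the talk or from Google) computes the code on both sides from a shared key and checks that they agree while tolerating clock drift; the 30-second step, the function names and the sample keys are assumptions, and the key that would be held in the TPM is an ordinary byte string here.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


def machine_is_genuine(code_on_screen, phone_secret, phone_time,
                       step=30, drift_steps=1):
    """Check the code the computer displays against the phone's own codes.

    The computer's clock and the phone's clock are never exactly in step,
    so codes from the neighbouring time steps are accepted as well.
    """
    current = int(phone_time) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(phone_secret, counter), code_on_screen):
            return True
    return False


# Constructed sample keys. The first is the published RFC 6238 test secret;
# the second stands for a substituted machine that never had the real key.
SHARED_SECRET = b"12345678901234567890"
REPLACEMENT_SECRET = b"different-key-in-swapped-machine"

if __name__ == "__main__":
    boot_time = 59                                   # RFC 6238 test time
    shown = totp(SHARED_SECRET, boot_time)           # computed on the computer
    print("genuine machine shows", shown,
          "->", machine_is_genuine(shown, SHARED_SECRET, boot_time + 16))
    swapped = totp(REPLACEMENT_SECRET, boot_time)    # substituted machine
    print("replaced machine shows", swapped,
          "->", machine_is_genuine(swapped, SHARED_SECRET, boot_time + 16))
```
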
Tokens for keys
It looks like USB-Neo tokens and -Neo-N tokens, in the Yubikey product family (produced by Yubico) can have their keys changed from a computer (like the Nitrokey product) {see here for info on this}, which meets a requirement of having keys in such tokens different to those set when the tokens are sold off-the-shelf. Additionally and fortuitously, because the Yubico brand appears to be more popular than the Nitrokey brand, it appears that there's an increased chance that it will be found on the shelves of popular computer stores (such as PC World, etc.) {could be handy if employing principle detailed later on in the section entitled “User randomly selecting unit from off physical shelves”}. Also, they seem to be considered as being secure, with Google having mandated that all their employees use them for security. So it seems likely that generally, instead of opting for the less available Nitrokey product, one should instead get a Yubikey product that has the facility to have new keys assigned to it by the transference of them from a standard PC. If, for some user, it becomes or is such that the availability of Nitrokey products is the same or better than that of the Yubikey products, then it may well be better for that user, to opt for Nitrokey products instead, since in other more conventional respects, Nitrokey products do appear to be more secure.
External links for further information on security certificates
For National Cyber Security Centre (NCSC) guidance describing how certificates should be initially provisioned, and how supporting infrastructure should be securely operated, see here.
Backing-up security keys and passwords
Shamir's Secret Sharing
The developer of the Heads firmware boot verification system (Heads was mentioned earlier in the section entitled “Custom BIOS/UEFI and which one to use”) has provided a potentially useful way to back up keys and passwords. He suggests splitting a key (or password) into, say, five different sections, and backing up each section in a different way (perhaps by sending each section to a different friend). If recovery of the key is then needed, a threshold number of the sections can be retrieved and put together to recover the full key (perhaps in an automated way using specialised software). The idea of splitting the key into several sections is apparently the basis of a cryptography algorithm known as Shamir's Secret Sharing. An interesting thought is that Bitcoin wealth could potentially be backed up this way, like creating a treasure map; perhaps it doesn't matter if it takes a year to trace the treasure using the treasure map, because the wealth is such that it doesn't need to be obtained straight away.
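A worked version of the five-share, threshold-recovery idea above, as an added example that is not code from Heads or its developer. In Shamir's scheme each share is a point on a random polynomial whose constant term is the key, rather than a slice of the key, so fewer than the threshold number of shares reveal nothing. The field prime, the 4-byte check tag, the function names and the sample key are assumptions.

```python
import hashlib
import hmac
import secrets

PRIME = 2 ** 521 - 1   # Mersenne prime; all arithmetic is done modulo this
TAG_BYTES = 4          # truncated SHA-256, used to notice a failed recovery


def split(secret, shares=5, threshold=3):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    # A leading 0x01 byte preserves leading zero bytes of the secret.
    payload = b"\x01" + secret + hashlib.sha256(secret).digest()[:TAG_BYTES]
    constant = int.from_bytes(payload, "big")
    if constant >= PRIME:
        raise ValueError("secret too long for this field (keep it to 60 bytes)")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coefficients = [constant] + [
        secrets.randbelow(PRIME) for _ in range(threshold - 1)
    ]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for coefficient in reversed(coefficients):    # Horner evaluation
            y = (y * x + coefficient) % PRIME
        points.append((x, y))
    return points


def recover(points):
    """Lagrange-interpolate the polynomial at x = 0, then verify the tag."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("the same share was supplied twice")
    constant = 0
    for i, (xi, yi) in enumerate(points):
        numerator, denominator = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                numerator = (numerator * (-xj)) % PRIME
                denominator = (denominator * (xi - xj)) % PRIME
        term = yi * numerator * pow(denominator, -1, PRIME)
        constant = (constant + term) % PRIME
    payload = constant.to_bytes((constant.bit_length() + 7) // 8, "big")
    secret, tag = payload[1:-TAG_BYTES], payload[-TAG_BYTES:]
    expected = hashlib.sha256(secret).digest()[:TAG_BYTES]
    if payload[:1] != b"\x01" or not hmac.compare_digest(tag, expected):
        raise ValueError("too few shares, or one of the shares is wrong")
    return secret


SAMPLE_KEY = b"constructed-disk-passphrase"   # constructed sample secret

if __name__ == "__main__":
    pieces = split(SAMPLE_KEY, shares=5, threshold=3)
    print(recover([pieces[4], pieces[0], pieces[2]]))   # any three suffice
    try:
        recover(pieces[:2])                             # two are not enough
    except ValueError as error:
        print("recovery refused:", error)
```
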
Footnotes
1. This principle is somewhat related to the later “Protection using password encryption” subsection.
2. For guidance on the security of USB key-based security tokens, please see the later section entitled ‘Tokens for keys’.
3. Google's account security is also good because it detects whenever a person has logged into your account from an unfamiliar computer (not one of your usual computers); users receive security warnings informing them of such happenings, which can be an easy way to identify whether you are being hacked, and can also ward off hackers.
4. Using commonly-available cardboard for such construction could be advantageous. See the section entitled “DIY security principle” for more information on this.
5. See the section entitled “DIY security principle” for more information about this kind of advantage.
6. See the section entitled “DIY security principle” for information on the potential security advantage of DIY security set-ups.
7. A video of the 33c3 talk is hosted here.