On 2009-10-11 at 23:41 -0400, Edward Ned Harvey wrote:

> In openvpn, each individual client gets a private key or a private
> certificate. If that key or cert were acquired by anyone other than the
> intended end user, it would be possible for someone unauthorized to get in.
>
> Basically, this is a one-stage authentication, and I don't think openvpn
> supports two or more. Ideally, authentication will require both something
> physical and something known. (A preshared key or a certificate which is
> too large for a human to be expected to memorize or type it in, can be used
> as a substitute for something physical as a key.) Ideally, no user could
> even receive the password prompt unless they've already passed the physical
> authentication.
You can combine the something physical + something known in one step, by subverting the DRM capabilities of a laptop to do what DRM was actually advertised to do -- support the users, not the OS vendors. :)

IPsec using http://sourceforge.net/projects/opencryptoki/ as the PKCS#11 module to access a Thinkpad's DRM chip. I've not been involved in the setup/admin so can't help beyond pointing out that it's possible and works; it does impose limits on which vendors you buy laptop hardware from for Linux users, though.

The "something you have" is, theoretically, then tied to the actual laptop as a physical item rather than just some data; if someone can get hold of the laptop for long enough to open it up and shove probes onto the DRM chip then there are probably various attacks to extract the data from it (Cambridge University has done lots of work there) but AFAIK the attacks involve triggering authentications, proving that it's difficult to defend against a malicious holder of the item.

But in this case, there's also the "something you know", the account password to sudo/whatever to get access to the chip. So you're still vulnerable if your employee leaks their password to the people with the laptop, or the employee is malicious and wants to let lots of other people in using their account, with audit trails pointing to ... them. So really, you're still vulnerable to rubber-hose cryptanalysis.

But otherwise, it should be fairly solid, barring attacks where an OS compromise can use some undocumented DRM chip backdoor to subvert the DRM and get the signing key out.

-Phil

_______________________________________________
Tech mailing list
Tech@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
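Editor's added example, not from either poster: the same "something you have" (a key that stays in the laptop's chip, reached through opencryptoki's PKCS#11 module) plus "something you know" (a password prompt) expressed as an OpenVPN client config, since OpenVPN itself can load a PKCS#11 provider and additionally require a username/password. The module path, server name, and the pkcs11-id value are assumptions to be replaced with your own.

```conf
# Added example (not the thread's own config). Two factors in one OpenVPN client:
#   have  = private key held in the laptop's TPM, used through opencryptoki's PKCS#11 module
#   know  = username/password checked by the server (plus the token PIN prompted by the module)
client
dev tun
proto udp
remote vpn.example.org 1194                 # placeholder server name
ca /etc/openvpn/ca.crt                      # CA that signed the server cert
remote-cert-tls server                      # only talk to a cert marked as a server

# Something you have: OpenVPN never sees the key bytes; signing happens inside the chip.
# Module path varies by distro (e.g. /usr/lib/pkcs11/libopencryptoki.so on some systems).
pkcs11-providers /usr/lib/opencryptoki/libopencryptoki.so
# Placeholder id: obtain the real serialized id with
#   openvpn --show-pkcs11-ids /usr/lib/opencryptoki/libopencryptoki.so
pkcs11-id 'PLACEHOLDER-SERIALIZED-ID'
pkcs11-pin-cache 300                        # forget the cached token PIN after 5 minutes

# Something you know: prompt for credentials the server verifies independently of the cert.
auth-user-pass
```

The server side must enforce the second factor too (its own auth-user-pass-verify script or plugin); the client option alone only prompts.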