
I'm developing some software for schools. I've found severe flaws with the current popular school LAN protection that I feel need fixing, so I plan on releasing my own software. One of those problems was that if a student managed to log onto a teacher's computer, they would have access to all of the teacher's tools in most school LAN protection software.

Instead, for mine, I would like every computer to have the teacher tools installed, BUT, instead, it will require you to enter a password before being able to use it. This seemed like a good idea, but what if a student managed to get a teacher's password? My next idea was to have a file put onto every teacher's flash drive that would probably contain (among other things) a salted hash of their password. They would be required to insert the flash drive and use the password associated with the flash drive.

My Questions

  • Is this safe practice?
  • Is there any kind of UID associated with flash drives that I could use to make sure the file wasn't copied to another device incorrectly?
  • Is there a better way to handle this?
Freesnöw
  • I think you awarded this too quickly. The answer you accepted is not necessarily accurate, and is very limited in scope. – rook Dec 12 '11 at 03:33
  • @Rook Well, I waited a good day before marking one as the answer. I'll go back and possibly reconsider. – Freesnöw Dec 12 '11 at 12:37
  • @DadeLamkins - If a student gets the teacher's password then it's the teacher's fault. Instead of a flash device that could in theory fail, just require the password be changed every 60 days; that should resolve most situations where this is a problem. Of course I don't consider a student logging into a teacher's network domain account a security threat. That account also should be protected by a strong 15 character password. The real solution is to use smart cards to access the teacher's computer. This would require both a proven physical security device and the teacher's secured PIN. – Ramhound Dec 12 '11 at 14:46
  • @Ramhound - Are you serious? We've gotten over the point of every [N-day password changes](http://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security). It doesn't make you safer; it makes the user forgetting the password much more likely, using the simplest password that satisfies the criteria (e.g., Jan2011PW!, Mar2011PW!, etc.) or simply writing down the password nearby. – dr jimbob Dec 12 '11 at 21:35
  • @DadeLamkins - if you pop your additional questions up as separate questions, they will be able to be answered. Having them as extra sections on the original question doesn't make it answerable in a straightforward way here. – Rory Alsop Dec 13 '11 at 09:30
  • @drjimbob - Please read my entire comment. I suggested a proven physical security device and a personal PIN; that, combined with the physical security of the computer itself, should be enough. It sounds like the real security hole is with the tools; they should require separate authentication, and confirmation for any changes. There is nothing wrong with Jan2011PW! as a password; students are not going to have the ability to brute force these passwords, and if they do then there are bigger security concerns. Of course I think the author is also selling snake oil by "writing" his own software. – Ramhound Dec 13 '11 at 13:16
  • Ramhound: avoid frequent forced password changes, it weakens security. Can't exclude users for making too many bad attempts (normal users will forget their ever-changing password). Users will develop bad practices (incremented date in their password; written on post-it on desk), and easier to socially engineer a password reset. `Jan2011PW!` is low entropy (~30bits) assuming month/year in there, so a modern GPU could crack in under a second (~10^9 SHA1/s). And once you find out `Jan2011PW!` was the password in January, you've found future passwords with very little guesswork. – dr jimbob Dec 13 '11 at 15:55
  • @Ramhound - I read your full comment, and was commenting on the part where you suggested a bad practice that would somehow solve issues. I wasn't commenting on your security card+PIN solution, which was reasonable (though unlikely to happen in cash-strapped public schools with administrators who put computer security as a low priority). I also agree that it's generally best for people who aren't experts in security to write their own security routines. It's very easy to inadvertently leave yourself vulnerable to major attacks. – dr jimbob Dec 13 '11 at 16:00

4 Answers


No, your solution isn't safe, no there is no ID associated with flash drives, and yes, there is a better way to do this.

There are several hardware crypto-token devices in the same form-factor as flash drives that you can use for this purpose.

The first that comes to mind is the Yubikey. This device is generally pretty easy to integrate into existing authentication frameworks, as well as building on popular standards such as OAUTH.

Devices in this category (including this one) generally have the following features:

  • tamper-resistant
  • non-copyable
  • able to utilize public-key crypto with an undisclosed private key
  • able to behave as a USB keyboard to interface with legacy applications (i.e. outputting a secure password)
tylerl
  • The problem I'm seeing with something like this is that it isn't exactly cost efficient. I want to sell software, not the key object as well for something so simple... – Freesnöw Dec 12 '11 at 12:39
  • @DadeLamkins - You might want to sell software but what you plan doesn't add any additional security. You're still limited to passwords, and your software is not proven to be secure, so you plan on selling snake oil. We don't blame you, a snake oil salesman has to make money, but your current plan adds no additional worthwhile security. As I suggested in another comment, the real solution is to require a Smart Card to access the school's network. – Ramhound Dec 12 '11 at 15:07

I have not implemented a solution like this, so take it with a grain of salt, but what would happen if you SMS-texted a one-time password to the teacher when they login for a pseudo-2-factor implementation?

This way, you aren't introducing new hardware (not even a USB stick), it's totally software-based, and makes sure that you can uniquely identify the user.

It could also mean that you don't have to leave your USB ports open ...

schroeder
  • This is actually an interesting idea. While I would love to make it as simple as possible for teachers to quickly log in to the system from any computer, a one-time password system (most likely) given at the beginning of every new day (or something similar) could be implemented to make it nearly impossible for smarty-pants students to get any access. – Freesnöw Dec 13 '11 at 01:40

Requiring a flash drive in addition to a password could provide more security. Your method doesn't seem particularly sensible - a flash drive with a "salted hash" that is used for authentication. A student could find the flash drive (or software), reverse engineer it, and modify the salted hash on the flash drive to work with a password they know. Or if you have the password on a remote server + the flash drive (and the application requires that the same password works for both), they could just take the salted password and apply their GPU to try and brute force it, making it much easier than repeated login attempts on a remote server. Some teacher at some point will leave their flash drive out, and a student will steal it and copy it at some point.

A slightly better implementation of your idea would be to require public key/private key authentication, with the private key on the flash drive being encrypted with a strong passphrase.

Also from user experience perspective, having to have a flash drive may be very inconvenient (e.g., lose the drive, forget it in a computer, attach it to their keychain and leave their keychain in a computer, etc.).

Or you could just use two-factor authentication. Before each login, the teacher gets a text message to their cell phone with a one-time password, then types it in, and only then can the teacher type in their full password to fully login. (This solution may get teacher resistance if they aren't familiar with text messaging or have an unlimited text messaging plan.)

As an aside, I'd be very hesitant about allowing students to be able to access the computer and/or reboot it. The hard drive should be encrypted. (Data on an unencrypted drive can be easily stolen; say by booting into a Linux live CD/USB, or taking out the hard drive and mounting it as an external drive in their computer.) The teacher should be wary of students intercepting their passwords/passphrases by hardware keylogger (inserted between USB keyboard and computer).

Furthermore, I'd recommend putting some sanity checks into a teacher's tools. List the last login time and actions of the teacher on every login (and have a very trackable audit log). Most of the time, grade books are written once and never changed, or only changed the day the quiz/exam was handed back to students. Have all grading changes be clearly timestamped, version controlled and stand out (e.g., changes appear in bright red) so you can easily see if there is a pattern of students' grades increasing that the teacher doesn't recall. Have off-site backups. Maybe install webcams and snap a picture of the teacher on each login, have the photo next to the audit log, and show it every time you attempt to type a password (so even if the webcam was blocked when a student found their way in, something appears odd when the photo is of a hand rather than a teacher).

dr jimbob
  1. It is safe, but it is cumbersome, and it will probably require a self-extracting executable (axcrypt, and probably many other tools, can do this).
  2. Nope. The closest there is is a PID or a VID, but for two devices of the same type from the same manufacturer, there is no difference.
  3. It depends. Depending on how much inconvenience you are willing to put teachers through, you could make the system more secure (an example would be setting up a separate server that used the portable RSA keys in addition to all of this) but since breaking this system would require having two separate pieces of information, it will probably be secure enough for your purposes.
soandos
  • Thanks so much for the feedback! I'll wait probably another little while, just to see if anybody else has anything to add. Assuming something better hasn't been posted, I'll mark yours as the answer :) Thanks again! – Freesnöw Dec 11 '11 at 01:16
  • Could I, as a student, write a script to download the contents of a USB drive when it is plugged in? In general, I think you need something a little more 'hands off' – schroeder Dec 12 '11 at 20:08
  • No reason why not. [This](http://superuser.com/questions/22766/automatically-copy-files-to-usb-drive-when-connected) post shows you how to do what you want. – soandos Dec 12 '11 at 20:49
  • @schroeder, good call. I was planning on including in the file a PID or VID check through a hash check, so unless they had the same kind of USB drive, that would be foiled. Also, even if they have the file, they must still have the password to do anything with it. – Freesnöw Dec 13 '11 at 01:35