Date: Tue, 13 Mar 2001 15:50:46 +0100
From: Terje Elde
To: Daniel Hagan
Cc: freebsd-security@freebsd.org
Subject: Re: iButton Development
Message-ID: <20010313155046.E9762@thinksec.com>
References: <3AADB1D3.C70E00C@colltech.com>
In-Reply-To: <3AADB1D3.C70E00C@colltech.com>; from dhagan@colltech.com on Tue, Mar 13, 2001 at 12:36:19AM -0500

On Tue, Mar 13, 2001 at 12:36:19AM -0500, Daniel Hagan wrote:
> There was some discussion regarding iButtons in mid-Jan on this list.
> I'm interested in getting one or more of these things to play with, with
> the goal of:

For reasons I don't quite know I missed that thread... However I'm the
coordinator of the iButton project, which aims to define a set of API's to
communicate with iButtons, or the 1-wire bus in general, as well as making a
daemon to handle the actual communication with the 1-wire bus, as well as
multiplexing between users and applications where desired.

I must admit the project has been idle for a little while now, though I'm sure
a cooperation could be mutually beneficial.

> o Authenticating myself to my home workstations (pam module?).

Our plans include making a pam module which uses the API's(/sdk) for either
simple authentication using the serial number on the iButtons (yuck) or my
favorite, full public key authentication using the java iButtons.

> o Storing PGP & ssh keys.

Also an obvious extension. One idea we've been playing with is to not only
keep the keys on the button, but never to let them be anywhere else. The java
iButton for example, could handle the cryptographic functions for you. It
features cool things like rapid destroying of the content should you try to
tamper with it.

> Since I assume these are tasks of interest to more people than just
> myself, I was wondering:
>
> o Does anyone have existing code bases to support these tasks?

We've done very basic coding and design of the API's, though we don't have any
of the code working with the actual buttons up and running yet.

> o Is there any support (in the political sense) for getting the pam
> module and/or other code incorporated into the base system or as a port?

Strong cryptographic authentication system and secure storage with possible
extension of cheap industrial chips with everything from temp sensors to AD/DA
converters and whatnot. Who wouldn't want it?

> o Does anyone have any recommendations on what hardware to procure for
> these tasks? I was looking at getting a serial port BlueDot (possibly
> two or three, I have some laptops I may want to use this with too) and a
> DS1996L-F5 64-kbit Memory iButton. I would also think about getting a
> Java-powered iButton, Model 96, Release 1.1 (or 2.2) if I understood
> exactly what I'd be getting for the money. Does anyone have any
> information/examples on how these Java iButtons are used?

You probably want the following (in the order they're listed in the dalsemi
shop online):

  * DS1921L-F52 - Thermochron (-20°C to +85°C)
    It'll allow you to play more with the bus, making sure the knowledge
    sticks. Not really required for these tasks, but it's so cute.
  * DS19550-401 - Java-powered iButton, Model 96, Release 1.1
  * DS1957B-406 - Java-powered iButton, Model 96, Release 1.1

    You want both, because if you're going to do development on these, you'll
    probably want to make sure your software will work properly on both.
    As for what you'll get...

    * JVM
      These babies actually run Java code, as long as they're docked and have
      power. As soon as you rip out the power, the applications are still in
      a running state, but their execution speed is frozen so to speak.
    * PRNG
      Perfect to both feed your Java code, and perhaps also relay to a FreeBSD
      box to help feed its PRNG.
    * Crypto
      * SHA-1
      * RSA
      * DES
      * 3DES
      The math accelerator for RSA operations handles them with a less than
      1 sec worst-case.

    At least the 2.2 release has 134kbytes of RAM, which makes it the iButton
    with the biggest storage.

  * DS1963S-F5 - SHA-1 iButton
    You'll want this so you can do keyed hashes for authentication. It's much
    better than the java iButtons for this task, due to its lower price.

In addition to those you'll want some of the other memory iButtons, a nice
selection to fit your taste. I recommend you get at least two or so of the
bigger ones, and as many as you feel like of the cheaper.

For connectivity I would like to suggest that you get one or several serial
adaptors, with matching bluedots. Let me remind you that there are differences
between them, but which you'd want is perhaps a matter of taste. Getting some
of each might not be a bad idea. I would recommend you stick with serial, as
they're supposedly easier to use, and have some software already available
(hint: ports/comms/mlan, though it's not up to date (hint)).

You might also want to look at the TINI, as it's got a 1-wire device, and
would be pretty nice to integrate with everything.

Terje "delta" Elde
ThinkSec AS
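
The message contrasts authentication by serial number with keyed hashes computed on the token. The following is an added example, not part of the original message and not the iButton project's code: a software model of both checks using HMAC-SHA1 from Python's standard library, which is an assumption and not the DS1963S's own MAC format. All class names, the serial and the secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class SerialOnlyVerifier:
    """Host that accepts any device presenting an enrolled serial number."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)
    def verify(self, serial: bytes) -> bool:
        return serial in self.enrolled  # static value: a copy passes as well

class KeyedHashToken:
    """Software stand-in for a token that keeps a secret and only emits MACs."""
    def __init__(self, serial: bytes, secret: bytes):
        self.serial, self._secret = serial, secret
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, self.serial + challenge, hashlib.sha1).digest()

class ChallengeResponseVerifier:
    """Host side: a fresh random challenge per login, each usable once."""
    def __init__(self):
        self._secrets, self._pending = {}, {}
    def enroll(self, serial: bytes, secret: bytes) -> None:
        self._secrets[serial] = secret
    def challenge(self, serial: bytes) -> bytes:
        self._pending[serial] = secrets.token_bytes(20)
        return self._pending[serial]
    def verify(self, serial: bytes, response: bytes) -> bool:
        nonce = self._pending.pop(serial, None)  # consume: no reuse
        secret = self._secrets.get(serial)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, serial + nonce, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)

def demo():
    serial = bytes.fromhex("0a00000012345601")  # constructed sample serial
    secret = secrets.token_bytes(20)            # constructed shared secret
    token = KeyedHashToken(serial, secret)
    host = ChallengeResponseVerifier()
    host.enroll(serial, secret)
    copied_serial_ok = SerialOnlyVerifier([serial]).verify(serial)
    first = token.respond(host.challenge(serial))
    fresh_ok = host.verify(serial, first)
    host.challenge(serial)                      # next login, new nonce
    stale_ok = host.verify(serial, first)       # earlier response presented again
    return copied_serial_ok, fresh_ok, stale_ok
```

The serial-only check cannot tell the enrolled button from anything that presents the same bytes, while the keyed-hash check rejects a response that was valid for an earlier challenge. The host in this model holds the same secret as the token, which is the trade-off that public key authentication removes.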