Keylock E-Keys and Tripwire Security

1. Keylock.

An access technology for limiting the PC usage of office workers, public terminal users, and children.

Take an ordinary lock/key combination and build it into a 3.5" PC bay unit. The device is powered by a lithium cell in the part of the key you hold. The lock is connected to one of the USB ports of the computer. This trickle recharges the lithium cell as required.

The barrel of the key contains an SMD microcontroller and PROM. On installation the software chooses two random PGP-style public/private code-pairings that allow the software and the microcontroller to talk to each other. The code for the microcontroller is burnt into the PROM on the key. The code permits authentication, but cannot be directly accessed. The codes are unknown to the vendor or the user, unique to the installation, and cannot be recreated. Once burnt, the burning routines erase themselves, and the keys (using PROMs) cannot be reprogrammed.

The key does still function as a physical key, but when turned it engages a simple data connection protocol. A 1-key unit would allow the PC to be used if the authentication procedure succeeded. A 2-key unit would allow for 'Off' (with either key), 'full access' (with the master key), or 'controlled access' (with the slave key). The 2-key unit would have 2 keys cut the same (as physical keys) but with different unique codes burned into their PROMs during installation.

Sale to PC producers like Dell would allow the key unit to replace the ordinary case keylock, and the keys to be supplied ready-programmed. To the user, they would simply be ordinary keys-there is no password to remember.

Once the software is installed, you turn the PC on with the master key as an authenticator, allowing the PC to be set up to censor the use of some software, some features within software, or access to certain domains or content when surfing. Power down and remove the master key. You may then start the PC with the slave key and it will boot to offer limited functionality.

Note that authentication is not based upon the position of the key or a simple voltage level on a wire, but on communication between the PC-hosted software and the microcontroller, paired with a PGP-style encryption algorithm.

Ideally the software should be in BIOS (possible with OEMs) and work under Windows or alongside Windows, but a user-installation might look for a Windows component fundamental to booting and replace it with a fully-working copy that also runs the keylock authentication and user-configuration set-up as a part of the boot procedure. This would make it impossible to block the keylock software by simply removing a file as the PC would no longer boot. During operation, regular checks would ensure that features chosen for a limited functionality system had not been changed and the software had not been tampered with. If they were, the changes would be detected, and PC use suspended. Only insertion of the master key would allow the PC to be used again (a hard reboot alone would not work).

An OEM need not use a USB port, BIOS-based operation could be enabled with a direct, dedicated mobo link. Sale to Microsoft as a Windows enhancement is feasible: supplying a key/lock set with each Windows CD and linking set-up with Windows authorisation would be an option.

The use of a simple key makes it easy for a person with low computer literacy to operate the technology. There is no password to forget or let slip. The installation routine for the software should contain some simple default set-ups (setting browser child-protection features etc) and may offer bundleware options with NetNanny style products, and online services that restrict access to certain domains. An example implementation would permit access online only to a single pre-configured URL within any browser. This would be a portal dynamically controlling and logging all access to other sites, the URL containing the ID for the machine/user (supported by a MAC or other check). For networks, a customised function-limited environment could be automatically migrated across an entire network. An option of 'one master key, many slave keys' for a network would match managers/sysadmins with master keys and employees with slave keys. Unique keys would permit auto-logging of PC usage in an enterprise edition across a network, but a slave key would enable limited access anywhere across the LAN.

Potential patent issues: USB Dongles; Dallas/Maxim iButtons.

It is important that this techonology looks and works like a key and is intended for ordinary user environments. iButtons do not, and have been targetted not at standard PC use, but as part of embedded control systems.

2. Tripwire.

A data protection technology that looks like a simple keylock.

Using a similar technology to that outlined above, your computer (once the software is installed) must be turned on with the key inserted, turned, and retained in situ for normal operation. If the PC is booted without the key being in the lock (ie. hotwiring), although the PC will seem to work, under the guise of a normal boot, specific data on the hard disk will be erased to a military level in the background. By the time the system has booted, secure data has been erased. This level of operation may require the use of the software operating virus-like within the boot sector of the drive, or simply the use of a DR-DOS (or similar) based application booting before Windows.

A Tripwire protected drive may also encrypt specific data at shut-down, unencrypting it at boot using the unique keycode, or even hold HDD data in an SRAM cache in the key barrel, in a mobo chip, or on a USB attached removable HDD when the PC is not on (ie. off the HDD). Tripwire may also covertly log booting and usage.

Tripwire may be sold as a unit that replaces a normal keylock on a PC case.

Note. With regard to RIP legislation, neither the user nor the software publisher can know the authentication codes used by the software and microcontroller. If the key is damaged, you are stuffed. If the key is lost or destroyed, encrypted data reliant upon the code contained within it for decryption cannot be accessed. It is a physical key with digital operation. For military markets, the SMD microcontroller and the BIOS-embedded software may be made tamper proof.

An alternate, but less effective method would be to include a virtual drive in SMD SRAM within the key and boot to this first. This drive may then allow access to a second drive that is otherwise inaccessible or encrypted. The use of a key that looks like a key would in all cases be culturally preferable.

Back to Stig's Dump.