sec theory

[MrLinus]

Ok. So then sky's the limit to ideas (cost won't be a factor) and it's a singular system. The reason I ask this is because many of the retina/iris scanners out there require a machine to host the database of the biometric info. I went back to re-read your idea again and have some comments/questions:

1. For the biometric scanner: since this is done before the before the bootloader is done but after system check (I'm assuming it does diagnotics to see that everything is there), the database of the biometric is kept in another chip (?) and is unique to the single person using it (or is it a multi-use system). If it's a multiuse system, then there may need to be a seperate CPU/mini-HD to pull this info for each user. (keeping in mind that the biometric used can vary in size from biometric to biometric and that harddrive size is now reaching super miniscule -- about the size of a quarter IIRC Toshiba's claim last year).

2. This login process seems fine and I think it's in use in some places. Rather than fingerprints, perhaps a more "reliable" biometric should be considered or a multiple fingerprint option with live human detection.

3. Again, makes sense. Cost of CPUs, Memory, etc are low so this can be even part of the viable option. What encryption scheme/algorithm to be used between password and OS?

4. Why only terminal access (and by terminal access, do you mean text mode UI or GUI with dumb terminal?) If it's a singluar high level system and you're referring to dumb terminal access then aren't we talking about server/client setup rather than a single user machine? (just for clarification so I know what setup you're thinking of).

[mohaughn]

I don't really understand the point of securing the boot up of the system if we are going to make an assumption that the physical security of the computer room cannot be broken.

The only reason you would want to secure the bootup of a system is so that the system cannot be booted if it is stolen. You would also not allow for all system users to be able to boot the system. I would imagine that you would instead have a very small group of system administrators that have access to the physical room, and have the ability to start the system through biometric scans. This would get rid of the need to have a huge database of users and biometric data to check against. If the administrators change, the bios chip itself would have to be changed to get rid of the invalid biometric data, and add the new biometric data.. This is really getting outside of the scope of creating a secure login, we are instead talking about total system security(which takes computer theft into consideration), not just login security.

I don't really see that this is part of the login process as a computer system that has to be booted everytime it has to be used would kind of be a pain, and would be extremely limited. For the machine to be useful it has to be connected to other machines, so that the data can be shared in some useful fashion. If you can guarantee the security of the room completely, I could make a DOS machine 100% secure by using a direct crossover cable that runs between the dumb terminal in another room and the DOS machine and a password hashing algorithm such as kerberos combined with a long/complex password requirement. If the only thing you can do at the dumb terminal is enter a login ID and a password there is no possibility of hacking the login other than to bruteforce a password. If you lock out the ID, or lockout(shutdown) the entire system after 3 failed logins why bother with all of the other security as it is not necessary. You can't turn the machine back on after it has been shutdown, so somebody with access to the room has to go boot it back up before you can make more attempts at guessing passwords.

If the physical security of the computer can be guaranteed completely, again, just for the sake of this discussion, there really is no need to secure the bootup. We would just assume that the system is up and running, and as the physical security of the box cannot be violated, there is no possibility of anybody changing the bootup of the system. If you are going to go through the trouble of securing the bootup, you would also probably have to address the issue of how to protect against hardware tampering as protecting the bootup implies that you are trying to protect the machine against theft.

For the reasons above I think assuming that the physical security of the box cannot be compromised is a bad idea, and really limits the spirit of this discussion. Cacosapo's comment about how to secure the bios from tampering is legitimate and you must take it into consideration that the box can be stolen. That doesn't automatically mean that you have to throw your hands up and say that the box cannot be secured just because you can't guarantee that it can't be stolen. As this idea would obviously require that custom hardware be created for this machine it would be a rather trivial task to have the processer run a CRC check against the BIOS code. If the BIOS has been altered in any fashion at all, it would fail the CRC check, and the processor would stop all processing. Since the CPU itself is hardwired, it would require somebody with the technology and know-how to create 65nm chips(the smallest intel makes) to be able to bypass your BIOS bootup routine. Not 100% secure, but pretty damn tough to bypass. And that would just get you past check #1.