Easy Password Maker
Accessing your web accounts without revealing your password
yuval Wed, 06/16/2010 - 15:20
In my article from 7/2009, I described how to access your email (actually, any web service!) with challenge-response.
The reason that you would even want to do that is to avoid risking your private password by typing it on a public computer.
I am currently working (in my limited free time) on an implementation of a challenge-response OpenID provider. When I thought of the idea, I searched the web, and found that a group of students at Stanford had already done it. In my opinion, their solution (called Snap2Pass) is good, but hard to deploy (as it requires a chat server).
Additionally, Windows Live Mail has a nice (and similar) feature: single-use code.
My original article is attached below:
The problem:
Are you a security aware person?
Do you ever check your email outside of your house, on a public computer?
Aren't you afraid that your password might be stolen?
You know, the only computer you can REALLY trust is the one in your protected home.
Can you feel safe when you type your password on a public computer, where who-knows-what evils run on it?
In this article we will show a way to solve this problem. A way to access your email without typing your password even once!
You will be able to access your Gmail/Yahoo/anything else without even typing your password!
What's the catch? No catch! You will need:
- A good understanding of computers.
- A computer that you can trust. Probably, your home computer.
- A stable Internet connection, as your home computer must be on line.
- Couple of hours of installing and configuring software.
- A cellular phone, with the ability to run j2me apps (It's a really simple app!), that you can trust.
- A basic understanding of Ubuntu Linux and virtual machines.
Well, there is one catch - it's not easy to set up and understand. But don't worry, it's not too complicated!
The solution
I will describe how I built a system that solved this problem, and enabled me to access my email in a foreign country, without typing my password. All this can be done using the computer and cellphone that you already have, and free of charge.
Requirements
When thinking of a solution that is used to authenticate us remotely, it is important that it is:
- Simple to use.
- Portable - so we can carry it with us.
- Secure
  - Over the network (network sniffers)
  - On the local computer (e.g. key-loggers)
Outline
Let's review the facts:
- The only computer we trust enough to have our password is our home computer. Therefore, when we go outside, we don't want to type our password anywhere but at home.
- We must use our password to access our web-email (that's because the email provider does not offer alternatives).
What can we do then? Well, on our home computer we will save our password in the browser. Then, we will remote log in to our computer and surf from there. Our password is saved in the browser, so we will not type it anywhere. So, the outline for now is:
- save our email password in the browser of the computer in our home (that's the computer we trust)
- remote log-in to our computer at home (the trusted computer)
- surf from there, with no password typing, and therefore, no password stealing
That's almost good. The problem is with step number 2. How can we make sure that we are the only ones who can log in to our home computer?
Well, we will use a password, of course!
But, wait. How will we protect this password? Can't it be stolen!?
In order to protect our remote log-in password, we will implement a mechanism that will create one-time, disposable passwords for us. We will implement something called challenge-response authentication. This is the part where the cellphone comes in:
We will have a secret (a random number, known only to us), stored on the phone and on the computer (a shared secret). When we remote log in to the computer, it will ask us a question that can only be answered by someone who knows the secret (a challenge). The phone will use the secret to produce an answer (a response), thus proving that it knows the secret (but without revealing the secret). If the answer is correct, the computer will grant you access to your email, with your pre-stored password.
So, the final outline looks like this:
- save our email password in the browser of the computer in our home (that's the computer we trust)
- share a secret between our cell-phone and the computer.
- remote log-in to our computer at home (the trusted computer)
- the home-computer will display a challenge (a random number), waiting for our response
- we type the challenge in the cell-phone. The cell-phone will calculate and display the response
- we input the response to the home-computer
- the computer will grant us access
- surf from there, with no password typing, and therefore, no password stealing
Details follow.
Step one - Setting up a trusted computer
Setup
We need to store our email passwords in the browser, so we don't have to type them when we remote log in. You can do this on your own computer, but this is not recommended:
People will be able to try and remote log-in to this computer (as we will see later, they will have minimal shell access to this computer), so we don't want any data on it, that we don't need.
To create a fresh computer with no data on it, without further cost, we will use a virtual machine and a free operating system. I used VirtualBox and the Ubuntu GNU/Linux distribution. There are tutorials on how to do this. Here is a tutorial I found with a lot of pictures!
Note: the actions described in this article were tested only on Ubuntu.
Surf & Save
OK, the first thing to do is to use the user you created for yourself, surf the web with Firefox, and make Firefox save all the passwords you will need.
Summary
So, for now we have:
- A trusted computer (virtual machine) with Ubuntu on it
- A user in the machine. Let's say that the user name is good_user.
- The Firefox of that user has saved your email passwords.
Step two - Setup the challenge-response remote log-in
I hope you've read about challenge-response, and why it is good. We will now implement a challenge-response authentication mechanism for our own private use. Well, actually I made the implementation for you, but it's a Python script - so you can do with it whatever you want....
This part is a little tricky, because we want to do it with minimal effort. We don't want to change the regular authentication methods, as this is not an easy task. What we can do is add another layer of authentication.
The scheme:
We create another user on the computer. A dumb user. A user whose sole purpose is to run our challenge-response authentication, without breaking compatibility with remote log-in programs. To access the good_user log-in, we will first log in to the dumb user. Once logged in, we use a challenge-response authentication program to log in to the good_user.
Let's Get To It
First, we create the shared secret. This secret will be on the computer and the cell-phone, so remember it. Let's say the shared secret is "0123456789". Note that your shared secret MUST BE a random number. If someone knows the shared secret, they can log in to the computer!! Use random.org to get a decent random number. We only use a non-random number here for simplicity.
We will store this secret in a file inside the good_user's home directory. Type the following commands in the good_user shell:
good_user$ echo "0123456789" > ~/.secret
good_user$ chmod 400 ~/.secret
Create a dumb user. It's simply another user in the system - we just call it dumb. I googled a tutorial on how to do it...
Now, download the Python script from the bottom of this page and place it in /usr/bin (inside the VM, of course). This script is the new authentication system. It's like sudo, but with our authentication system used instead of the standard one. Also, it won't give root permissions, but only good_user permissions (we will take care of that next, using the standard sudo mechanism).
Make sure that its owner is the good_user, and that only execution and read permissions are set. To do this, execute the following commands:
good_user$ sudo chown good_user /usr/bin/su-do.py
good_user$ chmod a=rx /usr/bin/su-do.py
To make this script usable, we need to use the sudo mechanism. That way, when the dumb user activates it, it will have the permissions of the good_user, and it will not require the good_user's password.
Add this to /etc/sudoers (edit sudoers with sudoedit):
User_Alias DUMB = dumb
Cmnd_Alias RUNPROGS = /usr/bin/su-do.py
DUMB ALL = (good_user) NOPASSWD: RUNPROGS
Make sure all is in place
Now, let's just test that all is OK up to here. As the dumb user, open a terminal and type:
dumb$ sudo -u good_user /usr/bin/su-do.py bash
Let's say the challenge "6365476576" was displayed. To calculate the response, open a Python terminal and type the following:
from hashlib import md5
secret, challenge = "0123456789", "6365476576"  # the shared secret and the displayed challenge
print(md5((secret + challenge).encode()).hexdigest()[:10])  # the response
The first string is the secret, and the second is the challenge. The result is the response. Type it in as the answer to the su-do.py script. It should work. Now you can run good_user's Firefox, and access your mail.
NOTE: You type the secret here only for the TEST, and you're doing it on a trusted computer. Don't type the secret on a device you do not trust, or reveal your secret to anyone.
In fact, after updating the secret in the cellphone (see the next step) and in the computer, you won't see or type the secret ever again!
Step Three - Setting up the cellular phone
Now all that is left to do is to make the phone help us in the authentication process.
I used NetBeans + J2ME to accomplish this. Download this J2ME app I wrote. This app asks for the challenge as input, and outputs the response to type back. The secret key is embedded in the source - this is not good practice, but I was in a hurry when I wrote it...
You need to modify the source, so it will contain your shared secret. To do this, open src/Authenticator.java. In there, you will find an array called secret. Change its values to your shared secret.
If you write a better version, let me know, and I'll post it here.
Step Four - Setting up remote login
Setting up remote access in Ubuntu is quite easy. What you basically need to do is:
- Configure auto-login to the dumb user (here is a googled post on how to do it)
- Configure remote access to the dumb user (here is a googled tutorial)
Don't forget to set a strong password!
Now we are done. The next step is to test that everything works!
Step Five - Putting it all together
We're all done! What should happen now:
- Turn on Ubuntu in the VM, and let it auto-login to the dumb user.
- Use a VNC client to log in to your remote system
- Execute sudo -u good_user /usr/bin/su-do.py firefox
- The script just displayed a challenge. Type it into your cellphone
- Type the result from the cellphone back to the script
- Firefox should now open, containing the saved passwords of the good_user.
- You can now access your Email in a public place, without typing your password!
To login from an Internet cafe, all you need is a VNC-client on your disk-on-key, and the ip-address of your trusted computer.
Fine tuning
Dynamic DNS
This is relevant if you don't like IP addresses, or have a dynamic IP. You can set up a dynamic DNS name for your virtual machine, so you can access it easily when you are not at home. I used no-ip.com. Use their Linux client to constantly update your real address. Or, if you have a router, you may be able to set it up to do this for you.
This gives you an easy to remember address that is mapped to your IP.
NAT Port forwarding
If you are behind a NAT, you should use port forwarding, and forward the port of the remote login. Otherwise, you won't be able to login.
Limiting The Dumb User
The dumb user's role is to activate the authentication system. It should be as limited as possible in doing anything else. We assume that someone will steal the remote login password. That someone will have shell access to the virtual machine. That's not a good thing to start with. So limiting the dumb user as much as possible is very important.
Conclusion
Discussion
Right now, we have a system that we trust to access our mail without typing a password. We can use this system outdoors securely, without compromising our passwords.
The requirements
As you recall, we want our solution to be simple, portable and secure.
Simple: The solution is not that simple to setup, but relatively easy to operate, once the setup is done.
Portable: The solution is portable - all you need is a cellphone and a Disk-On-Key.
Secure: This solution is very secure both locally and on the network. No one can ever reveal your password.
Pros and Cons
Pros:
- Secure - Our email password is never revealed
- Simple to use: In the end, all you need is VNC-client, a cellphone, and your IP address. You can set-up this system in your home computer
- Little time to set-up.
- We read our email without typing its password. No keyboard sniffer can pick it up.
- Free
Cons:
- Hard to understand & setup. Though all this setup is only several hours.
- We need to make sure that our computer will always be on
I am sure that you can implement good solutions to this problem. But implementing better solutions will take more time. As I said, this system can be set-up in less than a day.
Other solutions
Another solution for this type of problem involves a security token. The main problem with this type of solution, is that it's expensive, and not suited for personal use.
How to contact
If I missed anything, if you have comments about the article, if you think the article is not clear enough, feel free to contact me directly, or post a comment.
Appendix - What does the code do ?
In the Python script called su-do.py we ask the user to answer a random challenge. The random challenge is generated from /dev/urandom. Then the script compares the user's response with MD5(secret + challenge). Why MD5 and not HMAC-MD5? Because I didn't find an HMAC cellphone implementation that would be easy to integrate. You are welcome to change that.
If the response is correct (the user has authenticated) - The script activates the program given in the arguments.
The script should run with the good_user as the owner of the process. That's why we changed /etc/sudoers and use sudo to change the owner of the process without a password.
Another important note about the script - It is important that it will be kept away from home folder of the dumb user. If it is placed there, the dumb user can easily replace this file with any other, thus easily escalating to the good_user privileges, and stealing the saved passwords.
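To make the appendix concrete, here is an added example of the same flow (my own code written for this page, not the author's downloadable su-do.py, and it makes no claim about that script's internals): a challenge from the OS random source, the MD5(secret + challenge) response truncated to 10 hex characters as in the test in step two, a constant-time check on the computer side, and the HMAC-MD5 variant the appendix invites. It assumes the secret lives in ~/.secret as set up in step two; the function names are mine.

```python
import hashlib
import hmac
import os
import stat

RESPONSE_LEN = 10  # the article keeps the first 10 hex characters of the digest

def load_secret(path=os.path.expanduser("~/.secret")):
    """Read the secret written by `echo ... > ~/.secret`; refuse it unless
    it is owner-only readable (the article sets chmod 400)."""
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} is readable by others; chmod 400 it")
    with open(path) as f:
        return f.read().strip()

def make_challenge():
    """Fresh 10-digit decimal challenge from the OS random source
    (os.urandom reads /dev/urandom on Linux), e.g. 6365476576."""
    return str(int.from_bytes(os.urandom(4), "big")).zfill(10)

def compute_response(secret, challenge):
    """Phone side, as in the article: MD5(secret || challenge), truncated."""
    return hashlib.md5((secret + challenge).encode()).hexdigest()[:RESPONSE_LEN]

def compute_response_hmac(secret, challenge):
    """HMAC-MD5 variant the appendix invites: the secret becomes a MAC key
    rather than a string prefix of the hashed data."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()[:RESPONSE_LEN]

def verify_response(secret, challenge, response, responder=compute_response):
    """Computer side: constant-time compare, so timing does not reveal how
    many leading characters of a guess were right."""
    response = response.strip().lower()
    return response.isascii() and hmac.compare_digest(responder(secret, challenge), response)

def su_do(secret, argv, ask=input, show=print, run=None):
    """The su-do.py flow: show a challenge, read the response typed from the
    phone, and run argv (e.g. ["firefox"]) only if it verifies."""
    run = run or (lambda a: os.execvp(a[0], a))
    challenge = make_challenge()
    show("Challenge: " + challenge)
    if not verify_response(secret, challenge, ask("Response: ")):
        show("Wrong response, access denied.")
        return False
    run(argv)
    return True

if __name__ == "__main__":
    import sys
    su_do(load_secret(), sys.argv[1:] or ["bash"])
```

Saved as a script and run the way the article runs su-do.py (via sudo -u good_user), the last block shows the challenge, reads the response and execs the requested program; the ask/show/run parameters only exist so the flow can be exercised without a terminal.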
Licenses and Liability
All source code you downloaded from this page is under GPL version 3 or later and without any warranty. See http://www.gnu.org/licenses for details.
Also, I am not liable in any event for any damages arising out of this article. In other words - if you mess up, or after all the efforts someone is still able to break in, it's not my fault :-)