Discussion:
Encryption password fail on install > internationalisation <
Mark Ballard
2014-07-22 20:14:16 UTC
Hello

Two problems related to security and internationalisation have arisen
while attempting to install opensuse: one major, one merely
obstructive.

Both problems occur when setting the encryption password.

1.

The major problem concerns the keyboard layout.

The opensuse installer very helpfully asks which international
keyboard layout it should use during install. It does this before
asking for the user to set their passphrases. So the user gets to
formulate their password in their chosen international keyboard layout
- most likely the keyboard layout they are actually using: e.g. UK
keyboard layout.

But when install is complete, in my instance at least, the computer
goes to a command screen and says, before prompting for the just given
password to open the encrypted disk: "Note: only US keyboard layout is
supported".

The result is a failed install unless you happen to be in the US.
Perhaps the problem has not occurred in other countries where language
differences have focused more attention on internationalisation?

It is nigh on impossible to enter your encryption password using a US
layout on a UK keyboard unless you use a password drawn from a limited
and therefore less secure set of characters; and only then if you
happen to know what characters are actually valid in both keyboard
layouts, and where they are.

I had a quick look. I'm not even sure it's actually possible to map
characters chosen from a UK keyboard layout into a US keymap and then
back onto a UK keyboard layout again without losing some. At least not
for a regular person who is simply trying to put their password in at
the prompt. Maybe not for anyone but Lou Gerstner himself.

If this problem cannot be corrected, it would at least save the people
time and frustration to tell them which characters are valid or not
when they create their password, and to remove the offer of a non-US
keyboard during install. I'm sure people would be happy not to choose
invalid characters if they were told what they were.

2.

The other problem is that the password itself recognises limited
punctuation characters in whatever character set. Characters it does
not recognise are recognised routinely by other password prompts. Some
other password prompts fail to recognise characters that the opensuse
password prompt does. Some password prompts have no limitations for a
given standard keyboard layout.

The result is that it becomes difficult to create a password system -
i.e. a method for choosing complex passwords for different situations
that can be remembered - because your system falls down as soon as you
come across a password screen that disallows certain characters your
system relies on.

This actually happens pretty regularly. And the rules about what is a
valid character or not seem always to be different. That doesn't make
it right. If only the base system could assure no limitations.

Hope this helps.

mb.
--
To unsubscribe, e-mail: opensuse-security+***@opensuse.org
To contact the owner, e-mail: opensuse-security+***@opensuse.org
Hans Schmidt
2014-07-23 07:04:26 UTC
Post by Mark Ballard
> But when install is complete, in my instance at least, the computer
> goes to a command screen and says, before prompting for the just given
> password to open the encrypted disk: "Note: only US keyboard layout is
> supported".

Hello Mark,

I think that the issue is rather in this part. I don't know if it is
possible to change, but I think it would be much better to enable Non-US
keyboards in the boot loader as well.

Forcing a US keyboard is more difficult for some physical keyboards than
others. A keyboard like QWERTZ is still relatively similar, but AZERTY
is already quite different. Especially if one wants to use special
characters ($, +, [ etc) for the password, most keyboard layouts do not
match at all.

Also, partitions may be decrypted from an already running system, where
logically the keyboard layout is already set to the own keyboard.

Therefore, I think it would be more prudent to change the forcing of a
US keyboard in the boot loader rather than forcing everything else to
use US as well.
--
To unsubscribe, e-mail: opensuse-m17n+***@opensuse.org
To contact the owner, e-mail: opensuse-m17n+***@opensuse.org
Mark Ballard
2014-07-23 08:20:07 UTC
Post by Hans Schmidt
> Forcing a US keyboard is more difficult for some physical keyboards than
> others. A keyboard like QWERTZ is still relatively similar, but AZERTY
> is already quite different. Especially if one wants to use special
> characters ($, +, [ etc) for the password, most keyboard layouts do not
> match at all.

This is indeed the cause of the problem - complex passwords and disk
encryption. People are being encouraged to use both.

Post by Hans Schmidt
> Also, partitions may be decrypted from an already running system, where
> logically the keyboard layout is already set to the own keyboard.

One solution proposed more to illustrate the absurdity of the problem
is that encryption software and other password systems could warn
users, when they are creating their passwords, of any keypresses that
they will not be able to recreate when on reboot the o/s lays a US
keymap over their 'foreign' keyboard.

Post by Hans Schmidt
> Therefore, I think it would be more prudent to change the forcing of a
> US keyboard in the boot loader rather than forcing everything else to
> use US as well.

Amen.
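The warning discussed in the thread (flagging, at password creation, the key presses that a US keymap will not reproduce) can be sketched as follows. This is an added example, not part of the original posts or of any openSUSE code; the mapping table is an assumption based on the standard UK and US layouts, and the function names are hypothetical.

```python
import string

# Assumed table (not from the thread): characters on a UK layout whose
# physical key yields something else under a US keymap. None = the extra
# ISO key, whose output under a US keymap depends on the environment.
UK_TO_US_SAME_KEY = {
    '"': '@',    # Shift+2
    '£': '#',    # Shift+3
    '@': '"',    # Shift+'
    '#': '\\',   # key left of Enter
    '~': '|',    # Shift + key left of Enter
    '¬': '~',    # Shift+`
    '\\': None,  # extra ISO key left of Z
    '|': None,   # Shift + extra ISO key
}
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + ' ')


def audit(passphrase):
    """Return (index, uk_char, us_char_or_None) for every risky character."""
    findings = []
    for i, ch in enumerate(passphrase):
        if ch in UK_TO_US_SAME_KEY:
            findings.append((i, ch, UK_TO_US_SAME_KEY[ch]))
        elif ch not in PRINTABLE:
            findings.append((i, ch, None))  # e.g. AltGr characters such as €
    return findings


def typed_under_us(passphrase):
    """String a US-keymap prompt receives from the same key presses,
    or None when a key press has no known US result."""
    risky = {i: us for i, _, us in audit(passphrase)}
    if any(us is None for us in risky.values()):
        return None
    return ''.join(risky.get(i, ch) for i, ch in enumerate(passphrase))


def layout_safe(passphrase):
    """True when every character sits on the same key in both layouts."""
    return not audit(passphrase)


if __name__ == "__main__":
    sample = 'Tr"ee#9'  # constructed sample, not a real passphrase
    for index, uk, us in audit(sample):
        print(f"position {index}: {uk!r} becomes {us!r} under a US keymap")
    print("prompt would receive:", typed_under_us(sample))
```
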