检查某些USB闪存是否已连接到我的系统 [英] Check if certain USB Flash memory is connected to my system
问题描述
我想要一个代码,它可以检查某些USB闪存是否已连接到我的系统.我的意思是我想从连接到基于linux的系统的USB闪存中获取诸如product ID和serial Number之类的内容,并检查这些数字是否与我的有效数字匹配.我也想知道有人可以伪造这个数字吗?我的意思是有人使用了无效的闪存设备并生成了这些数字以通过我的验证过程?
USB设备在/sys/bus/usb/devices/的内核伪文件层次结构中进行了描述.诸如lsusb之类的工具会检查此层次结构.此处列出了每台设备,包括计算机提供的USB集线器和端口,每个符号链接/目录一个设备.
每个设备目录可能包含以下有趣的文件:
idVendor (vendor code, four hexadecimal characters)
idProduct (product code, four hexadecimal characters)
manufacturer (vendor string as reported by the device)
product (product string as reported by the device)
serial (serial number string as reported by the device)
只有那些可区分为单独设备的文件才具有文件(确切的定义是我个人从来不曾想找出来的USB术语),因此并非所有目录都具有它们.
但是,如果使用idVendor和idProduct文件扫描所有/sys/bus/usb/devices/*/目录,则将获得当前计算机所连接的所有USB设备的列表;类似于lsusb提供的列表.
克隆USB设备供应商和产品代码以及制造商,产品和串行字符串很简单.它所需要的只是一个带有本地USB接口的微控制器,您可以以不到20美元的价格购买适合典型USB加密狗的微控制器板.这也很容易做到.您只需要在网络上调整一点免费可用的示例代码,即可完成此操作.不需要专家,只需一点好奇心,Google-Fu和基本的C技能就足够了.
因此,不能,出于安全目的,您不能依赖这些详细信息.
您可以改用USB记忆棒上的密钥文件"或许可证文件"来标识应用程序的USB记忆棒支架.但是,如果用户将其密钥文件复制到其他文件,那么绕开它就很容易了.他们经常这样做.
可以使用带有microSD接口的廉价微控制器兼作USB记忆棒,但也可以提供其他USB端点:一个物理芯片可以显示为多个USB设备.您可以通过以下方式验证微控制器/存储的真实性: HID消息(这些额外的USB端点之一是HID设备,例如键盘).这样的设备可以用现成的零件制造,价格不到30美元(零售,批量购买时价格要低得多);添加类似USB记忆棒的外壳和2-8 GB的microSD卡不会使它们变得太昂贵.这样可以避免密钥的复制,但是窃取物理密钥或对其进行反向工程(鉴于应用程序二进制文件或示例密钥),仍然不会那么困难:它所需要的只是可比的硬件,还有更多的工作要做
简而言之,对于用户来说,安全加密狗一直是一个麻烦,而不是希望破坏安全性的人真正的障碍.就像物理密钥一样,USB密钥也不难克隆.也许您应该重新考虑您的业务策略?
I want to have a code which it checks if certain USB flash memory is connected to my system. I mean I want to fetch something like product ID and serial Number from the usb flash memory which is connected to my linux based system and check if these numbers match my valid numbers. I also want to know is there a way that someone can fake this numbers? I mean someone uses a invalid flash memory device and generates these numbers to pass my validation process?
USB devices are described in the kernel pseudofile hierarchy at /sys/bus/usb/devices/. Tools like lsusb examine this hierarchy. Each device, including USB hubs and ports your computer provides, are listed here, one device per symlink/directory.
Each device directory may contain the following interesting files:
idVendor (vendor code, four hexadecimal characters)
idProduct (product code, four hexadecimal characters)
manufacturer (vendor string as reported by the device)
product (product string as reported by the device)
serial (serial number string as reported by the device)
Only those that are distinguishable as separate devices have the files (the exact definition is USB jargon I've personally never bothered to find out), so not all directories have them.
However, if you scan all /sys/bus/usb/devices/*/ directories with idVendor and idProduct files, you obtain the list of all USB devices attached to the current computer; similar to the list lsusb provides.
It is trivial to clone an USB device vendor and product codes, as well as manufacturer, product, and serial strings. All it requires is a microcontroller with a native USB interface, and you can buy suitable microcontroller boards that fit in a typical USB dongle, for under $20. It is quite easy to do, too; you only need to tweak a little bit of freely available example code on the net, to do exactly this. No expert needed, just a bit of curiosity, Google-Fu, and basic C skills suffice.
So no, you cannot rely on those details for security purposes.
You could instead use a "key file" or a "license file" on the USB stick to identify the USB stick holder to your application. However, that'd be trivial to bypass, if users copy their key files to others. They often do.
It is possible to use a cheap microcontroller with a microSD interface to double as an USB memory stick, but also provide other USB endpoints: one physical chip can show up as more than one USB device. You could verify the authenticity of the microcontroller/storage via e.g. HID messages (having one of those extra USB endpoints be a HID device, for example a keyboard). Such devices can be built from off-the-shelf parts for under $30 (retail, much less if bought in bulk); adding a USB-stick-like enclosure and a 2-8 GB microSD card would not make them too expensive. That would avoid key copying, but stealing the physical key, or reverse-engineering it (given either the application binaries, or an example key), would still not be that difficult: all it would need is comparable hardware, and a bit more work.
In short, security dongles have always been more of a nuisance to the users than a real hindrance to those who wish to break the security. Just like physical keys, USB keys are not that difficult to clone.
Perhaps you should rethink your business strategy instead?
这篇关于检查某些USB闪存是否已连接到我的系统的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
