[Tfug] Securing firmware deployments
Bexley Hall
bexley401 at yahoo.com
Wed Dec 30 21:26:21 MST 2009
Hi Chris,
> > I want to be able to TFTP (et al.) firmware updates to
> > appliances. *Often* (i.e., imagine deploying executables
> > "on demand" in this way).
> >
> > Since these appliances are often *not* just "computing
> > devices" (i.e., they may control your HVAC, home security,
> > etc.), the consequences of someone/thing tampering with
> > an executable -- or, illegitimately installing a bogus
> > executable -- can have serious financial or health
> > impacts.
> >
> > The obvious solution is to use an encrypted tunnel
> > for deployment. Or, to sign the binaries (and have
> > the appliance refuse to load binaries with incorrect
> > credentials).
> ...
> > I can't go the MS route and embed a private key in the executable
> > since that would be visible to anyone inspecting the sources.
>
> Bexley, why not consider public key encryption?
>
> (In case any readers are wondering, public key encryption
> lets you encrypt or sign data with a secret key,
> while a different, non-secret public key can be used
> to decrypt or verify the data. The secret key can
> be kept secret even though the public key is well-known.
> Often public key encryption is used in other ways,
> but this is a supported option.)
>
> You could put a public key in your device's code,
> without revealing the secret key that's needed to
> forge unauthorized updates.
Regardless of whether you encrypt with the public key and
decrypt with the private (or vice verse), *both* keys are
"widely known" -- i.e., "read the sources" (for the code
that signs the executable or the code that verifies the
executable.
I.e., *you* need a key that is different from your *neighbor's*
key.
The only way I can see of doing this "for free" is to use something
unique to each device (e.g., MAC address -- but that is too easy
to locate and use to compute the "secret" from... because the
mechanism for computing the secret is public).
I think there needs to be a magic button that you push that
allows the box and your "support host" to come up with their
shared secret (you can't count on having a keyboard/display
so this exchange probably has to happen over-the-wire -- at
a time when you *know* no one is eavesdropping).
> Enough of the early patents have expired
> that you should be able to use it
> without difficult intellectual property negotiations.
More information about the tfug
mailing list