[Chugalug] LittleBlackBox -- Default SSL Keys for Embedded devices

Erik Hanson leprkhn at gmail.com
Wed Oct 17 21:50:02 UTC 2012


You could always try clock jitter, as per dakarand.
http://dankaminsky.com/2012/08/15/dakarand/

Kaminsky talked about it during his derbycon keynote.
http://www.irongeek.com/i.php?page=videos/derbycon2/1-1-3-dan-kaminsky-black-ops

On Wed, Oct 17, 2012 at 3:59 PM, Dan Lyke <danlyke at flutterby.com> wrote:

> On Wed, Oct 17, 2012 at 12:18 PM, Dave Brockman <dave at brockmans.com>
> wrote:
> > I was thinking in terms of configuring the default key (at the
> > factory) per-say, and I would assume *that* network would be secured.
>
> Scenario: you could insist on a private key that was the first
> external site that the network accessed, and have the device insist
> that the first thing it got was some entropy with which to generate
> its own new key pair.
>
> You couldn't MitM that, but unless you get entropy from another source
> (ping latency? Something else? It would have to be unmeasurable by a
> sniffing device) to generate the new key pair, you can sniff that
> connection and predict what the new key would be based on the sniffed
> data.
>
> You really want that entropy to come from multiple sources so that
> someone trying to compromise the device needs to compromise multiple
> vectors. One possibility we were talking about was a source of
> randomness as the final test phase in manufacture, but making sure
> that that was truly random was tough.
>
> For instance, if you design a device to sell a few thousand and it
> turns into a few hundred thousand device, then maybe someone will
> decide to put a robot on the "turn on the device and punch a few
> buttons to start the initialization and self-test sequence", and all
> of a sudden your entropy gets very constrained.
>
> Dan
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://chugalug.org/pipermail/chugalug/attachments/20121017/799ffdd1/attachment.html>


More information about the Chugalug mailing list