I plan to create an encryption program for an embedded device with the following characteristics:
These are the requirements:
I'm far from being a crypto expert, but I spent some time reading Wikipedia on AES, block cipher modes and key derivation algorithms, and I also read "If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong". All this has made me doubt whether I can succeed given the limitations of the hardware and my superficial knowledge of the subject, but I'll try.
The following steps outline what I plan to do:
I'd be grateful for comments telling me which parts are wrong, insecure or should be improved. Also, if there is a trusted AES-256 implementation for Intel 80186 I'd love to know about it. And finally, if you think it is hopeless, don't hesitate to tell me.
The security of this scheme depends on exactly what the attacker is able to read. Remember the embedded device is performing decryption, so it clearly has all the parts needed to do so (encrypted data, key, and algorithm).
If the attacker has any sort of debug connection to the system (e.g. JTAG) -- Game Over (immediately and effortlessly). Attacker can just read the decrypted content from RAM.
If he can read only your data files, and your AES key is one of them -- Game Over.
If he can read only your data files, and your AES key is embedded in code in a separate memory -- Ok (maybe).
If he can read both data files and code memory and the AES key is stored in the code -- Game Over. Attacker doesn't even need to reverse-engineer the key, he can just execute the code and let it dump decrypted content into memory. Finding virtual environments capable of executing x86 code is trivial.
If he can read both data files and code memory, but the code pulls the AES key from an on-die secure memory designed explicitly for tamper-proof key protection -- Should be ok. Unless the attacker can cause the microcontroller to execute modified code and copy the decrypted data from microcontroller memory.
If he can read data files, and the AES key is stored in a secure memory, but that memory is not on-die -- Not good. Attacker can steal the key as it is transmitted between secure storage and the processor core. More difficult than the software-only attacks, but still insecure.
Basically, protection of code and off-chip data requires a chip designed with fuses to burn out the debug interface, code stored on chip with all external access denied by those same fuses, encrypted data, and on-board tamper-proof key storage. It's very unlikely that an 80186-era chip would have these features (especially the latter), although based on the memory sizes and clock speed, this is a modern 80186 clone which might.
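The two "Game Over" cases above that do not need any hardware access are the ones where the key ends up in a file the attacker can read (the data files, or the code image). That is something a build pipeline can check for before an image ships. The script below is an added example, not code from the question or the answer: it assumes a hypothetical build step that has the release image and the key bytes available, scans the image for the key in its raw form and in a few naive "hidden" encodings, and separately flags 32-byte windows whose entropy looks like key material rather than code or text. The image and key it scans are constructed for the demo.

```python
"""Build-time check: does a release image contain the AES key?

Added example, not part of the original question or answer. Assumes a
hypothetical build step that has the image and key bytes at hand. Finding
the key here is the "attacker reads your data files / code memory" case;
obfuscating it in code does not help, since the code can simply be run.
"""
import base64
import math

# Constructed, deterministic 32-byte key so the demo is repeatable.
# A real key comes from a CSPRNG, never from a formula like this.
DEMO_KEY = bytes((i * 37 + 11) & 0xFF for i in range(32))

# Constructed low-entropy filler standing in for code/text in the image.
DEMO_FILLER = (b"firmware code placeholder " * 3)[:64]

# Constructed images: one with the raw key at offset 64, one without it.
DEMO_IMAGE = DEMO_FILLER + DEMO_KEY + DEMO_FILLER
CLEAN_IMAGE = DEMO_FILLER + DEMO_FILLER + DEMO_FILLER


def key_encodings(key: bytes) -> dict:
    """Forms in which a key commonly ends up in an image when 'hidden' naively."""
    return {
        "raw": key,
        "hex-lower": key.hex().encode(),
        "hex-upper": key.hex().upper().encode(),
        "base64": base64.b64encode(key),
        "reversed": key[::-1],
    }


def find_key(image: bytes, key: bytes) -> list:
    """Return (encoding, offset) for every occurrence of the key in the image."""
    hits = []
    for name, needle in key_encodings(key).items():
        start = 0
        while True:
            off = image.find(needle, start)
            if off < 0:
                break
            hits.append((name, off))
            start = off + 1
    return hits


def shannon_entropy(block: bytes) -> float:
    """Bits per byte of the block; 32 distinct bytes give the maximum 5.0."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_windows(image: bytes, size: int = 32, threshold: float = 4.5) -> list:
    """Offsets of non-overlapping size-byte windows that look like key material.

    Code and text rarely exceed ~4 bits/byte in a 32-byte window; random
    key bytes sit close to 5.0. The threshold is a tuning assumption.
    """
    return [off for off in range(0, len(image) - size + 1, size)
            if shannon_entropy(image[off:off + size]) >= threshold]


def check_image(image: bytes, key: bytes) -> dict:
    """Combine the exact-match scan and the entropy heuristic into one report."""
    return {
        "key_found": find_key(image, key),
        "suspicious_windows": high_entropy_windows(image),
    }


if __name__ == "__main__":
    for label, img in (("demo image", DEMO_IMAGE), ("clean image", CLEAN_IMAGE)):
        report = check_image(img, DEMO_KEY)
        verdict = "FAIL (key in image)" if report["key_found"] else "ok"
        print(f"{label}: {verdict}; report={report}")
```

The exact-match scan is the hard failure: a hit means the key is readable by anyone who can read the file, which the answer rates as Game Over regardless of the cipher. The entropy windows are only a hint for review (compressed or already-encrypted blobs also score high), useful when the key is derived at build time and the build step does not know its final bytes.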