[Blabber] Encryption questions

Konstantin Avdashchenko konsgn at hotmail.com
Thu Dec 10 16:34:24 UTC 2015


Say that the server/host/whatever sends out a token that is valid for 2 seconds (to reduce the chance of replay attacks), the device/sensor takes that token and does an AES encryption of the sensor data using a hash of its secret key+token. Then the server can see that data and there is no chance of an attacker understanding the data sent without gaining physical access to the device and its secret. If you want additional security you could hash against the device's unique id so that any compromised key only compromises that unique device.


What is wrong with the above setup? Is there anything wrong with it?



Science!
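An added example (editor's code, not from anyone in this thread and not libsodium's own API) of the per-packet approach Guan describes and the dropped-packet question Barry raises: each datagram carries its own nonce and 16-byte tag, so any packet decrypts on its own, and a counter inside the nonce gives a basic replay check. Go's standard-library AES-GCM stands in for libsodium secretbox; the wire layout and the Channel type are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed layout: [12-byte nonce][ciphertext || 16-byte tag], 28 bytes of overhead. The nonce is
// a big-endian counter doubling as the sequence number (libsodium secretbox: 24-byte nonce, same tag).
const nonceLen, Overhead = 12, 12 + 16
type Channel struct {
	aead             cipher.AEAD
	sendSeq, recvMax uint64 // last counter sent; highest counter accepted
}
func NewChannel(key []byte) (*Channel, error) { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Channel{aead: aead}, err
}
// Seal gives every datagram its own nonce and tag, so losing one never breaks the next.
// The counter must never repeat under a key: persist it across reboots or rekey per boot.
func (c *Channel) Seal(plaintext []byte) []byte {
	c.sendSeq++
	nonce := make([]byte, nonceLen)
	binary.BigEndian.PutUint64(nonce[4:], c.sendSeq)
	return c.aead.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil) // nonce || ct || tag
}

// Open authenticates first, then rejects anything not newer than the last accepted counter.
// A sliding bitmap window (as DTLS and IPsec use) would additionally tolerate reordering.
func (c *Channel) Open(d []byte) ([]byte, error) {
	if len(d) < Overhead {
		return nil, errors.New("datagram too short")
	}
	seq := binary.BigEndian.Uint64(d[4:nonceLen])
	pt, err := c.aead.Open(nil, d[:nonceLen], d[nonceLen:], nil)
	if err != nil {
		return nil, err // tag mismatch: tampered, wrong key or garbage
	}
	if seq <= c.recvMax {
		return nil, errors.New("replayed or out-of-order datagram")
	}
	c.recvMax = seq
	return pt, nil
}
```

With a 9-byte reading the datagram is 37 bytes; the same scheme over secretbox would be 49, matching the 40-byte overhead quoted below.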


________________________________
From: Blabber <blabber-bounces at list.hackmanhattan.com> on behalf of Guan Yang <guan at yang.dk>
Sent: Thursday, December 10, 2015 11:06 AM
To: Hack Manhattan!
Subject: Re: [Blabber] Encryption questions

I would use NaCl, or rather, the easier to compile libsodium distribution: https://github.com/jedisct1/libsodium


It's a really easy-to-use API and there are bindings for most languages. Treat every packet as a new message, which will have a 24-byte nonce (used as IV) and a 16-byte authentication tag. So the overhead is 40 bytes per message.

The only way to stop a man-in-the-middle attack is to have some way of verifying that the other party's public key is correct. If you can't do that, at least you know with authenticated encryption that you are talking to the same person you were talking to at the beginning of the conversation. There is no need to do anything special yourself.

On Dec 10, 2015, at 11:00, Ian Harris <imharris at gmail.com> wrote:

Okay, so for discussion purposes, here's the scenario.

We're implementing a series of COAP devices. COAP is a (relatively) simple protocol that allows simple devices to exchange, for example, sensor data. It's not as simple as we would like, but at least it's a standard and there are libraries to test against etc.

It runs over UDP and our objective is to use at most hundreds of bytes per message (packet). We are also aiming to use the same protocol over LORA.

COAP suggests DTLS as a way of securing it. I've looked at various implementations of DTLS, and the spec itself.

DTLS is really TLS, but with some bludgeoning of UDP so that it can handle dropped packets.

This means it has certificates and the whole 9 yards, and takes thousands of bytes exchanged just to set up a connection. On LORA this is going to take a long time.

It seems to me that we need the guts of (D)TLS without all the other bits.

E.g., DH key exchange, followed by symmetric encryption of each packet with a plaintext salt (or IV) and random filler up to the minimum block size.

That doesn't stop a man-in-the-middle attack, so a compromise would be to send a token on first contact, and send a hash of that token + salt on each new session.

Thoughts?

Ian.


On 10 December 2015 at 10:16, Guan Yang <guan at yang.dk> wrote:
There is something called Datagram TLS which isn't well regarded because nobody can implement it securely.

But the easy solution is to just use and attach a new IV with every packet. Treat them all as separate messages.

On Dec 10, 2015, at 10:02, Barry Anderson <grandbander at gmail.com> wrote:

Interesting problem. What is the state of encryption if you miss a packet? Of course you could put state information in the packet but it might be a security hole. How secure do you need it?

On Thu, Dec 10, 2015 at 9:43 AM, Ian Harris <imharris at gmail.com> wrote:
Hi guys,

I have some questions about encryption over UDP. Is there someone in the group who has a good knowledge of encryption that I can talk to about this? Email discussion is fine too, I'm happy to pay for your time, especially with beer.

Kind regards,
Ian.

_______________________________________________
Blabber mailing list
Blabber at list.hackmanhattan.com
https://list.hackmanhattan.com/listinfo/blabber



--
Barry Anderson
cell 917-922-4823

