[Cryptography] OpenSSL and random

Jason Cooper cryptography at lakedaemon.net
Mon Dec 5 08:50:09 EST 2016


Hi Peter,

On Mon, Dec 05, 2016 at 02:14:46AM +0000, Peter Gutmann wrote:
> Jason Cooper <cryptography at lakedaemon.net> writes:
> 
> >It's worth noting here that this will work for individual users with a simple
> >threat model.  However, this is *not* an acceptable solution for an OS to
> >ship.
> 
> Oh, I wasn't intending it for that use, my interest was SCADA/embedded,
> devices that are notoriously short of entropy.  So you have a per-device
> unique value (MAC address) and varying value (IP address or time) to ensure
> that you get unique keys per device, and if you recreate the keys you get
> different ones each time.  That's also why it used very low-level information
> rather than kernel stats, routing info, network statistics, and so on - there
> won't be any.

mm, SCADA devices usually run for very long periods of time without
reboot (years).  Getting the uptime in that case would be catastrophic
for your scenario.

For SCADA systems in particular, the most likely attack vector is
through the (typically) Ethernet network connecting the HMIs to the
SCADA devices.  So the current IP address and MAC address are easily
discoverable.

> Random number generation is very situation-specific.  In this case you know
> that the attackers don't have physical access, are unlikely to get remote
> access (the devices are typically running a custom RTOS, there's not much to
> attack and even if you can find a vuln, it's quite hard to exploit since
> there's no room for anything but the RTOS in memory), and the manufacturer
> controls the fixed secret.

I presume you're thinking of putting ssh or TLS around the traditional
TCP/Modbus connection?  Because that's where the real weakness is.
There's no need to try to exploit anything if the protocol includes a
"force_{out,in}put_to" that the ladder logic then can't override.  :-)

Perhaps a better option is to include a "Cert Generation and
Installation" step for the SCADA system rollout.  After all, rolling out
a SCADA network is an activity conducted over several weeks (at least)
by trained engineers.  It's not like you buy one at
$home_improvement_store and plug it in.

If random numbers are still needed for DHE or other purposes, you could
always pull some bits from the ADCs.

thx,

Jason.
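
An added example, not part of the original message and not the poster's code: one way to pull bits from ADC readings as suggested above, taking the least-significant bit of each sample, debiasing with a von Neumann extractor, and refusing output when the input looks stuck. The function name, the cutoff value and the sample readings are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed cutoff for the example: an LSB identical this many samples in a
 * row means the input is treated as stuck (repetition count health test). */
#define RCT_CUTOFF 32

/* Constructed 12-bit ADC readings (not real captures). */
static const uint16_t noisy_samples[8] = {
    0x7F2, 0x7F5, 0x7F1, 0x7F4, 0x7F3, 0x7F3, 0x7F6, 0x7F1
};
static const uint16_t stuck_samples[RCT_CUTOFF] = {0}; /* input pinned low */
static uint8_t seed_buf[4];

/* Harvest the LSB of each sample, von Neumann debiased over non-overlapping
 * pairs (01 -> 0, 10 -> 1, 00/11 discarded), packed MSB-first into out.
 * Returns the number of bits written, or -1 (out cleared) if the health
 * test trips. */
int adc_collect_bits(const uint16_t *samples, size_t n,
                     uint8_t *out, size_t out_bytes)
{
    size_t nbits = 0;
    unsigned run = 1;

    memset(out, 0, out_bytes);
    for (size_t i = 1; i < n; i++) {
        unsigned prev = samples[i - 1] & 1u;
        unsigned bit = samples[i] & 1u;

        run = (bit == prev) ? run + 1 : 1;
        if (run >= RCT_CUTOFF) {       /* stuck or disconnected input */
            memset(out, 0, out_bytes);
            return -1;
        }
        if ((i & 1u) && prev != bit && nbits < out_bytes * 8) {
            out[nbits / 8] |= (uint8_t)(prev << (7 - nbits % 8));
            nbits++;
        }
    }
    return (int)nbits;
}

int main(void)
{
    printf("noisy: %d bits\n", adc_collect_bits(noisy_samples, 8, seed_buf, 4));
    printf("stuck: %d\n", adc_collect_bits(stuck_samples, RCT_CUTOFF, seed_buf, 4));
    return 0;
}
```

The harvested bits are seed input for a hash or DRBG rather than key material on their own, since the debiasing step assumes successive samples are independent.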

