[Cryptography] Secure software update protocol?

Ray Dillinger bear at sonic.net
Mon Feb 22 20:02:54 EST 2016


Drifting back on topic and away from the business/politics
of the Apple/FBI situation, we do have a valid crypto question
here.

How can software updates be secured so the distributor knows
which customers have which updates, not permitting cloned
devices, and not permitting the distributors to choose a
particular customer to get a special "joejob" update?

I propose the following: each device would need one
tamper-proof chip.  The chip would contain two keys baked
in: one for its series and one for its particular device
identity.

The chip can be fairly secure, because the keys never
need to leave the chip.  It just checks signatures, does
it on exactly two keys which are baked in at the factory,
and does *no* other crypto operations.

At one point the customer's side needs to *make* a
signature, but that's with a customer key, which is
presumably a different entity from the device keys which
would be on the chip.

---------------------------------------------
So, the first protocol (software download) goes
---------------------------------------------


I am an iPhone 5c. Here are twenty nonces. ---->

(checks to make sure no nonce has been previously used)
(randomly signs some nonces and mis-signs others)
<---- which of these nonce signatures is valid?

(checks signatures)
The twelfth, fifteenth, and seventeenth signatures
match the third, nineteenth, and sixth nonces. --->

(good, that's a real iPhone 5c)
(signs software_update+nonces using series counterkey)
<---- Here's your signed iPhone 5c software update.

(checks signature using iPhone 5c series ident key)
(good, that was the real server)

---------------------------------------------
The second protocol (customer download authentication) goes
---------------------------------------------

I am an Apple customer with a valid account
and I want to install/start this software ------->

<------- What was our signature of our software plus
         your nonces?

(takes signature received with software)
(countersigns it with customer key)
software signature and customer countersignature --->

   (checks signature: yes, it's a real customer)
   (looks up own signature among download logs)
   (updates log to show x customer got y update)
   (looks up device-specific key owned by customer)
   (signs update+nonces using device counterkey)
   (encrypts with customer counterkey)
<----- Here is a signature on the software update
    plus your set of nonces, for your device.

(decrypts with customer key)
(puts signature + nonces where software can find it)
(starts/installs software)
(software checks signature using device key and nonces)
(software immediately bails if !check. Otherwise,
software or installer runs.)

------------------------------------------------------------
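The two exchanges above, simulated end to end. This is an added example, not code from the post or from any vendor: HMAC-SHA256 stands in for the public-key signatures so the script runs on the Python standard library alone (the verify-only split the chip needs is therefore only modelled by a `VerifyKey` object, not enforced by the maths), the encrypt-with-customer-key step of the second protocol is left out, and the series name, device id, customer name, keys and update blob ("iPhone 5c", "dev-0001", "alice") are constructed for the run.

```python
import hashlib
import hmac
import secrets

class SigningKey:
    """Secret half of a key pair; HMAC-SHA256 stands in for a real signature."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
    def sign(self, msg):
        return hmac.new(self._secret, msg, hashlib.sha256).digest()
    def verifier(self):
        return VerifyKey(self._secret)

class VerifyKey:
    """Verify-only handle, modelling a key baked into the chip."""
    def __init__(self, secret):
        self._secret = secret
    def verify(self, msg, sig):
        return hmac.compare_digest(hmac.new(self._secret, msg, hashlib.sha256).digest(), sig)

def bundle(update, nonces):
    """The 'software_update + nonces' message that both protocols sign."""
    return hashlib.sha256(update + b"".join(nonces)).digest()

class Chip:
    """Tamper-resistant part: two baked-in verify keys and no other operation."""
    def __init__(self, series_vk, device_vk):
        self.check_series, self.check_device = series_vk.verify, device_vk.verify

class Device:
    def __init__(self, series, chip):
        self.series, self.chip = series, chip
    def answer(self, nonces, sigs):
        """{(signature index, nonce index)} for every pair the chip accepts."""
        return {(j, i) for j, s in enumerate(sigs)
                for i, n in enumerate(nonces) if self.chip.check_series(n, s)}
    def install(self, update, nonces, device_sig):
        """Installer's last gate: bail unless the device-key signature checks."""
        if not self.chip.check_device(bundle(update, nonces), device_sig):
            raise RuntimeError("update rejected: device signature check failed")
        return True

class UpdateServer:
    def __init__(self):
        self.series_keys, self.device_keys, self.updates, self.customers = {}, {}, {}, {}
        self.seen_nonces, self.pending = set(), {}     # replay check; open challenges
        self.download_log, self.install_log = {}, []   # series sig -> record; (customer, update)
    # protocol 1: software download
    def challenge(self, series, nonces):
        if any(n in self.seen_nonces for n in nonces):
            raise ValueError("nonce already used: replay or cloned device")
        self.seen_nonces.update(nonces)
        key, n = self.series_keys[series], len(nonces)
        real = {i for i in range(n) if secrets.randbelow(2)} or {0}  # sign about half
        sigs = [key.sign(nonces[i]) if i in real else secrets.token_bytes(32) for i in range(n)]
        order = list(range(n))                 # shuffle so the device must say
        secrets.SystemRandom().shuffle(order)  # which signature fits which nonce
        cid = secrets.token_hex(8)
        self.pending[cid] = (series, nonces, {(order.index(i), i) for i in real})
        return cid, [sigs[i] for i in order]
    def deliver(self, cid, answer):
        series, nonces, expected = self.pending.pop(cid)
        if answer != expected:
            raise PermissionError("challenge failed: not a genuine device")
        update = self.updates[series]
        sig = self.series_keys[series].sign(bundle(update, nonces))
        self.download_log[sig] = (series, update, nonces)
        return update, sig
    # protocol 2: customer download authentication (encrypt step omitted)
    def authorise(self, customer, series_sig, countersig):
        cust_vk, device_id = self.customers[customer]
        if not cust_vk.verify(series_sig, countersig):
            raise PermissionError("bad customer countersignature")
        series, update, nonces = self.download_log[series_sig]  # KeyError if unknown
        self.install_log.append((customer, update))
        return self.device_keys[device_id].sign(bundle(update, nonces))

def run_update(server, device, customer, customer_key):
    nonces = [secrets.token_bytes(16) for _ in range(20)]
    cid, sigs = server.challenge(device.series, nonces)
    update, series_sig = server.deliver(cid, device.answer(nonces, sigs))
    if not device.chip.check_series(bundle(update, nonces), series_sig):
        raise RuntimeError("series signature bad: not the real server")
    device_sig = server.authorise(customer, series_sig, customer_key.sign(series_sig))
    return device.install(update, nonces, device_sig)

def setup():
    """Constructed keys and names: one series, one device, one customer."""
    server, ckey = UpdateServer(), SigningKey()
    server.series_keys["iPhone 5c"], server.device_keys["dev-0001"] = SigningKey(), SigningKey()
    server.updates["iPhone 5c"] = b"constructed update blob"
    server.customers["alice"] = (ckey.verifier(), "dev-0001")
    chip = Chip(server.series_keys["iPhone 5c"].verifier(), server.device_keys["dev-0001"].verifier())
    return server, Device("iPhone 5c", chip), ckey

if __name__ == "__main__":
    srv, dev, key = setup()
    print("installed:", run_update(srv, dev, "alice", key), "log:", srv.install_log)
```

Three things the run makes visible that the sketch only states: the server's `seen_nonces` set is what refuses a clone that replays an earlier challenge, a chip without the genuine series key returns an empty match set and fails `deliver`, and the installer's final `check_device` is the only place the device-specific key is ever used. With a real signature scheme the chip would hold public keys only, so reading them out of the chip would not let anyone sign; the HMAC stand-in does not have that property.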
