[Cryptography] Help with Raspberry Pi IoT initialization...

Phillip Hallam-Baker phill at hallambaker.com
Wed Mar 9 23:58:52 EST 2016 

So here is the deal, I have a draw full of Raspberry Pi devices. I would like to be able to take create a variation of the Raspberry Pi boot media that provides the Pi with the ability to securely boot into my cryptographic environment (aka Mesh Profile) and provide SSH access, TLS cert chained to my root, etc. etc.
The idea is that I take a RPi out of one draw, I take an SD boot card out of another drawer that has my personal boot media image. The machine boots and creates a set of machine specific private keys for SSH, TLS, IPSec, applications, etc. I can now interact with the device using secure credentials unique to that device.
As evidence that the device is now securely bound to my Mesh profile and time source, the device blinks its status LED to publish the UDF fingerprint of the axiom of trust that it is bound to. [Thanks to Natanael for that suggestion]

The way I propose to do this is as follows:
The boot media has the following additional information:
* My Mesh profile fingerprint and account identifier* A temporary device profile that contains a signature key pair* A run once configuration tool* A digital signature of the boot partition excluding itself
When run, the run once tool does the following:
? Verifies the boot media signature* Creates a unique device profile for the device [forget the randomness issues, I have this covered other ways]* Requests connection to my Mesh profile using the temporary device profile authentication key.* On acceptance   * Creates all the necessary device application keys   ? Erases temporary device profile key(s)   * Starts the blinkenlights display to confirm that the device    * Waits for further commands authenticated by  a key authorized under my Mesh profile
The bits I am having a little difficulty with are the ones marked ?
What is the best way to gurantee that I am authenticating the device boot media?What is the best way to guarantee that the temporary key is erased from the boot media?

I am assuming that on a UNIX build, this is going to mean manipulating the RAW devices in some form. But what makes me a little nervous is the possibility that I 'delete' the data by creating a new entry in the log file that supersedes the old rather than overwriting the original storage cells on the chip.

Sent from Outlook Mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160310/5ef5bb7d/attachment.html>

More information about the cryptography mailing list