I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. The basics are working nicely and it’s time to ask for advice on securing the files. I’ve noticed assorted ssl/encryption/certificate checking related emails whizz by but never paid a lot of attention in the past.
An interesting additional issue for my use is that the file will need to be loadable/decryptable/checkable very fast, even on a Pi, since it will need to be reloaded (from file, not over the net) each time the user asks for a device needing one of these drivers. We don’t need to be utterly paranoid about the security since nobody is doing anything crazy with this, like, oh, taking one up to the ISS…
Pointers to stuff to read, load, try, all appreciated from those with experience. No, I haven’t googled much about it since I know too little to be able to make a sensible start without advice.
tim -- tim Rowledge; tim@rowledge.org; http://www.rowledge.org/tim Strange OpCodes: CWB: Carry With Borrow
String new enigma2015: 'I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. '
Gives
'LDxmF(f.Fm|D+.CXfF%D.FD9gfF%Dc''jDyf^mgD1F|B.CD$_ED1gD1D+1*D(.D|fg(Cf69(mD|m5fGmD|Cf5mCD1||z.FgDy.CDrfDcGC1(GODD1D+Of^mD1%.HD'
Having the input, it could be cracked, but if not… If you like, I will send it to you privately.
On 01-09-2015, at 1:04 PM, Edgar De Cleene edgardec2005@gmail.com wrote:
String new enigma2015: 'I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. '
Gives
'LDxmF(f.Fm|D+.CXfF%D.FD9gfF%Dc''jDyf^mgD1F|B.CD$_ED1gD1D+1*D(.D|fg(Cf69(mD|m5fGmD|Cf5mCD1||z.FgDy.CDrfDcGC1(GODD1D+Of^mD1%.HD'
Having the input, it could be cracked, but if not… If you like, I will send it to you privately.
Sounds interesting. I’d love to take a look!
tim -- tim Rowledge; tim@rowledge.org; http://www.rowledge.org/tim Useful random insult:- Couldn't find his way through a maze even if the rats helped him.
I assume you connect the Raspberry to another computer via TCP or via an old serial cable. If that is so, I could cook up something more complete, and not only the encoder. And if you were really paranoid, the encoder could change for each string.
On 01.09.2015 21:49, tim Rowledge wrote:
I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. The basics are working nicely and it’s time to ask for advice on securing the files. I’ve noticed assorted ssl/encryption/certificate checking related emails whizz by but never paid a lot of attention in the past.
I'd go with the "industry standard" (read: Java) solution even if it's from Mordor. JAR files are just ZIP files with another extension, just as SAR and MCZ files (correct me if I'm wrong). So the jarsigner signature mechanisms should be applicable. We have a cryptography package which includes most functionality already (x.509 stuff and various algorithms). Don't know how much work it would be to implement signing ZIP files and checking their signatures, probably an evening or two for someone who's sufficiently fluent with crypto stuff. However, this would imply that the Pi Scratch images would need to have (a subset of) the Cryptography classes loaded.
Edgar, I don't know what the #enigma2015: method actually does. Is it an encryption algorithm? If yes, a standard one or homebrew? How does it relate to digital signatures? If this weren't a use case with pretty low security requirements, I'd put on my hobby cryptographer hat and shout at the top of my lungs "YOU MUST NEVER USE CRYPTO ALGORITHMS THAT HAVE NOT BEEN DESIGNED AND THOROUGHLY ANALYZED BY EXPERTS IN THE FIELD!!!11eleven!!"
Cheers, Hans-Martin
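The integrity-check half of the jarsigner-style scheme suggested above, as an added example that is not part of the original thread and is not code from Squeak or its Cryptography package. It is written in Python as a stand-in and assumes a SAR/MCZ archive would carry a JAR-like `META-INF/MANIFEST.MF` with one SHA-256 digest per entry; the entry names and contents are constructed. Verifying the digital signature over the manifest itself is a separate step that must pass first and is not shown.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"  # JAR manifest path; assumed reused for SAR/MCZ

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def build_manifest(entries):
    """Manifest text: one Name / SHA-256-Digest pair per archive entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(entries):
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest(entries[name])}", ""]
    return "\n".join(lines)

def make_archive(entries, manifest=None):
    """Build an in-memory ZIP (constructed sample data, no files touched)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, manifest if manifest is not None else build_manifest(entries))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> expected digest."""
    expected, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest" and name is not None:
            expected[name] = value
    return expected

def verify_archive(blob):
    """Return sorted problems; an empty list means contents match the manifest."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        if MANIFEST not in names:
            return ["missing: manifest"]
        if len(names) != len(set(names)):  # ambiguous: loaders may pick either copy
            return ["duplicate entry names"]
        expected = parse_manifest(z.read(MANIFEST).decode("utf-8"))
        problems = [f"missing: {n}" for n in expected if n not in names]
        for name in (n for n in names if n != MANIFEST):
            if name not in expected:
                problems.append(f"unlisted: {name}")
            elif digest(z.read(name)) != expected[name]:
                problems.append(f"modified: {name}")
    return sorted(problems)

SAMPLE = {"driver.st": b"Object subclass: #DemoDriver", "install.st": b"DemoDriver install"}
```

Only the manifest has to be covered by the public-key signature; each load then costs one signature check plus one hash pass over the entries.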
squeak-dev@lists.squeakfoundation.org