Symmetric Key Management and Distribution

Hi,
I am working on a project involving distributed radio nodes connected over a wireless network. We are using symmetric key cryptography for ciphering (AES-256). The radio nodes are running Linux on a 250MHz processor. I need a solution to manage the symmetric keys in this network of nodes, written in C/C++. The solution should be able to manage the life cycle of the keys. It should be able to auto-generate a new key (upon expiry or when manually instructed by the user), securely disseminate it in the network and archive the old key after activation of the new key. I have looked at Key Management Interoperability Protocol (KMIP). It provides all of these features but sadly there is no open-source implementation available in C. Does anyone know a solution for symmetric key management that can provide these features and is implemented in the open-source domain?
Thanks, Usman
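The key life cycle Usman describes (generate a fresh AES-256 key on expiry or on command, activate it, keep the superseded key so packets still in flight under it decrypt), written out as an added C example for Linux. This is not code from the thread or from any library; the ring size, the key-version field and the use of /dev/urandom are my assumptions, and dissemination of the new key to other nodes is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define KEY_BYTES 32   /* AES-256 */
#define MAX_KEYS  8    /* one active key plus archived predecessors (assumed ring size) */
typedef enum { KEY_ACTIVE, KEY_ARCHIVED } key_state_t;
typedef struct {
    uint32_t    id;                 /* key version; assumed to be carried in packet headers */
    uint8_t     bytes[KEY_BYTES];
    time_t      activated, expires;
    key_state_t state;
} sym_key_t;
typedef struct { sym_key_t keys[MAX_KEYS]; size_t count; uint32_t next_id; } keyring_t;
/* Fill buf from the OS CSPRNG; traffic keys must never come from rand(). */
static bool fill_random(uint8_t *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return false;
    size_t got = fread(buf, 1, n, f); fclose(f);
    return got == n;
}
/* Newest entry is the active key; older entries are archived. */
const sym_key_t *keyring_active(const keyring_t *kr) { return kr->count ? &kr->keys[kr->count - 1] : NULL; }
/* Look a key up by version so delayed packets encrypted under it still decrypt. */
const sym_key_t *keyring_find(const keyring_t *kr, uint32_t id) {
    for (size_t i = 0; i < kr->count; i++)
        if (kr->keys[i].id == id) return &kr->keys[i];
    return NULL;
}
/* Manual or automatic rotation: generate, activate, archive the predecessor.
 * When the ring is full the oldest archived key is dropped (overwritten). */
bool keyring_rotate(keyring_t *kr, time_t now, time_t lifetime) {
    sym_key_t k = { .id = kr->next_id, .activated = now,
                    .expires = now + lifetime, .state = KEY_ACTIVE };
    if (!fill_random(k.bytes, KEY_BYTES)) return false;
    if (kr->count == MAX_KEYS) {
        memmove(&kr->keys[0], &kr->keys[1], (MAX_KEYS - 1) * sizeof kr->keys[0]);
        kr->count--;
    }
    for (size_t i = 0; i < kr->count; i++) kr->keys[i].state = KEY_ARCHIVED;
    kr->keys[kr->count++] = k;
    kr->next_id++;
    return true;
}
/* Periodic check (e.g. from a timer): rotate once the active key has expired. */
bool keyring_tick(keyring_t *kr, time_t now, time_t lifetime) {
    const sym_key_t *a = keyring_active(kr);
    return (a && now < a->expires) ? false : keyring_rotate(kr, now, lifetime);
}
```

Call keyring_rotate() for a user-ordered rekey and keyring_tick() from a periodic timer; a receiver selects the key by the version in the packet header via keyring_find().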

On 17 Oct 2018 7:00 pm, "Usman Saeed via luv-main" <luv-main@luv.asn.au> wrote:
Hi,
I am working on a project involving distributed radio nodes connected over a wireless network. We are using symmetric key cryptography for ciphering (AES-256). The radio nodes are running Linux on a 250MHz processor. I need a solution to manage the symmetric keys in this network of nodes, written in C/C++. The solution should be able to manage the life cycle of the keys. It should be able to auto-generate a new key (upon expiry or when manually instructed by the user), securely disseminate it in the network and archive the old key after activation of the new key. I have looked at Key Management Interoperability Protocol (KMIP). It provides all of these features but sadly there is no open-source implementation available in C. Does anyone know a solution for symmetric key management that can provide these features and is implemented in the open-source domain?
Thanks, Usman
If you are not wedded to AES have a look at WireGuard. https://lwn.net/Articles/761939/
It's available on many distributions and automatically handles updating session keys once you have registered each node's public key. I found the lkms package very easy to get under Debian Stretch.
It's lightweight, simple and just works without a complex daemon needed. If you want to support many nodes with arbitrary linkage you will need to run some more complex routing system I guess.
Andrew

On 17/10/2018 7:44 PM, Andrew Worsley wrote:
On 17 Oct 2018 7:00 pm, "Usman Saeed via luv-main" <luv-main@luv.asn.au> wrote:
Hi,
I am working on a project involving distributed radio nodes connected over a wireless network. We are using symmetric key cryptography for ciphering (AES-256). The radio nodes are running Linux on a 250MHz processor. I need a solution to manage the symmetric keys in this network of nodes, written in C/C++. The solution should be able to manage the life cycle of the keys. It should be able to auto-generate a new key (upon expiry or when manually instructed by the user), securely disseminate it in the network and archive the old key after activation of the new key. I have looked at Key Management Interoperability Protocol (KMIP). It provides all of these features but sadly there is no open-source implementation available in C. Does anyone know a solution for symmetric key management that can provide these features and is implemented in the open-source domain?
Thanks, Usman
If you are not wedded to AES have a look at WireGuard. https://lwn.net/Articles/761939/
It's available on many distributions and automatically handles updating session keys once you have registered each node's public key. I found the lkms package very easy to get under Debian Stretch.
It's lightweight, simple and just works without a complex daemon needed. If you want to support many nodes with arbitrary linkage you will need to run some more complex routing system I guess.
Andrew
Hi,
I second the idea of using a scheme along the lines implemented in WireGuard. You might be able to re-purpose the WireGuard kernel module for your communications.
You talk about 'securely disseminating' the keys; WireGuard does initially need the keys to be shared, but from there it is all automatic.
Cheers, Mike

Hi Mike and Andrew,
Thank you for pointing this out. After reading https://www.wireguard.com/ and https://lwn.net/Articles/761939/, it seems like WireGuard offers a secure transport and not the key management features. Unless I missed something?
Regards, Usman
On Wed, Oct 17, 2018 at 8:55 PM Mike O'Connor <mike@pineview.net> wrote:
On 17/10/2018 7:44 PM, Andrew Worsley wrote:
On 17 Oct 2018 7:00 pm, "Usman Saeed via luv-main" <luv-main@luv.asn.au> wrote:
Hi,
I am working on a project involving distributed radio nodes connected over a wireless network. We are using symmetric key cryptography for ciphering (AES-256). The radio nodes are running Linux on a 250MHz processor. I need a solution to manage the symmetric keys in this network of nodes, written in C/C++. The solution should be able to manage the life cycle of the keys. It should be able to auto-generate a new key (upon expiry or when manually instructed by the user), securely disseminate it in the network and archive the old key after activation of the new key. I have looked at Key Management Interoperability Protocol (KMIP). It provides all of these features but sadly there is no open-source implementation available in C. Does anyone know a solution for symmetric key management that can provide these features and is implemented in the open-source domain?
Thanks, Usman
If you are not wedded to AES have a look at WireGuard. https://lwn.net/Articles/761939/
It's available on many distributions and automatically handles updating session keys once you have registered each node's public key. I found the lkms package very easy to get under Debian Stretch.
It's lightweight, simple and just works without a complex daemon needed.
If you want to support many nodes with arbitrary linkage you will need to run some more complex routing system I guess.
Andrew
Hi,
I second the idea of using a scheme along the lines implemented in WireGuard. You might be able to re-purpose the WireGuard kernel module for your communications.
You talk about 'securely disseminating' the keys; WireGuard does initially need the keys to be shared, but from there it is all automatic.
Cheers, Mike

On Thu, 18 Oct 2018, 8:47 am Usman Saeed, <usaeed1088@gmail.com> wrote:
Hi Mike and Andrew,
Thank you for pointing this out. After reading https://www.wireguard.com/ and https://lwn.net/Articles/761939/, it seems like WireGuard offers a secure transport and not the key management features. Unless I missed something?
Regards, Usman
Yes, for the initial public keys, but after that session key updating is taken care of, as pointed out by Mike. The initial once-off set-up is always a problem no matter what scheme you use.
Andrew

Probably not directly applicable, but a parallel sort of approach for SSH keys... https://github.com/netflix/bless
On Wed, 17 Oct 2018 at 19:00, Usman Saeed via luv-main <luv-main@luv.asn.au> wrote:
Hi,
I am working on a project involving distributed radio nodes connected over a wireless network. We are using symmetric key cryptography for ciphering (AES-256). The radio nodes are running Linux on a 250MHz processor. I need a solution to manage the symmetric keys in this network of nodes, written in C/C++. The solution should be able to manage the life cycle of the keys. It should be able to auto-generate a new key (upon expiry or when manually instructed by the user), securely disseminate it in the network and archive the old key after activation of the new key. I have looked at Key Management Interoperability Protocol (KMIP). It provides all of these features but sadly there is no open-source implementation available in C. Does anyone know a solution for symmetric key management that can provide these features and is implemented in the open-source domain?
Thanks, Usman
-- Dr Paul van den Bergen

On Wednesday, 17 October 2018 7:00:11 PM AEDT Usman Saeed via luv-main wrote:
I have looked at Key Management Interoperability Protocol (KMIP). It provides all of these features but sadly there is no open-source implementation available in C.
Why is a C implementation so important? C can call library code written in any language that allows compiling libraries. For languages which don't have a compiled form (Perl etc.) you can run a program in that language as a child process.
As an aside, the last time I did any significant crypto coding in C I ran into some SEGVs that I couldn't fix. I called 2 different libraries that both called OpenSSL libraries and got a SEGV afterwards. I ended up changing the code to call the second OpenSSL-using library in a child process as the only way of avoiding memory corruption and a later SEGV. So I wouldn't recommend planning on having a single C program to do it all.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/