17 Oct
2018
17 Oct
'18
7 p.m.
Hi,
I am working on a project involving distributed radio nodes connected over
a wireless network. We are using symmetric key cryptography for ciphering
(AES-256). The radio nodes are running Linux on a 250MHz processor.
I need a solution to manage the symmetric keys in this network of nodes,
written in C/C++. The solution should be able to manage the life cycle of
the keys. It should be able to auto-generate a new key (upon expiry or when
manually instructed by the user) and securely disseminate it in the network
and archive the old key after activation of the new key.
I have looked at Key Management Interoperability Protocol (KMIP). It
provides all of these features but sadly there is no open-source
implementation available in C.
Does anyone know a solution for symmetric key management that can provide
these features and implemented in the open-source domain?
Thanks,
Usman
17 Oct
17 Oct
8:14 p.m.
On 17 Oct 2018 7:00 pm, "Usman Saeed via luv-main" <luv-main(a)luv.asn.au>
wrote:
Hi,
I am working on a project involving distributed radio nodes connected over
a wireless network. We are using symmetric key cryptography for ciphering
(AES-256). The radio nodes are running Linux on a 250MHz processor.
I need a solution to manage the symmetric keys in this network of nodes,
written in C/C++. The solution should be able to manage the life cycle of
the keys. It should be able to auto-generate a new key (upon expiry or when
manually instructed by the user) and securely disseminate it in the network
and archive the old key after activation of the new key.
I have looked at Key Management Interoperability Protocol (KMIP). It
provides all of these features but sadly there is no open-source
implementation available in C.
Does anyone know a solution for symmetric key management that can provide
these features and implemented in the open-source domain?
Thanks,
Usman
If you are not wedded to AES have a look at wireguard.
https://lwn.net/Articles/761939/
It's available on many distributions are automatically handles updating
session keys once you have registered each nodes public key.
I found the lkms package very easy get under Debian Stretch.
It's light weight, simple and just works without complex Daemon needed.
If you want to support many nodes with arbitrary linkage you will need to
run some more complex routing system I guess.
Andrew
8:57 p.m.
On 17/10/2018 7:44 PM, Andrew Worsley wrote:
On 17 Oct 2018 7:00 pm, "Usman Saeed via luv-main"
<luv-main(a)luv.asn.au <mailto:luv-main@luv.asn.au>> wrote:
Hi,
I am working on a project involving distributed radio nodes
connected over a wireless network. We are using symmetric key
cryptography for ciphering (AES-256). The radio nodes are running
Linux on a 250MHz processor.
I need a solution to manage the symmetric keys in this network of
nodes, written in C/C++. The solution should be able to manage the
life cycle of the keys. It should be able to auto-generate a new
key (upon expiry or when manually instructed by the user) and
securely disseminate it in the network and archive the old key
after activation of the new key.
I have looked at Key Management Interoperability Protocol (KMIP).
It provides all of these features but sadly there is no
open-source implementation available in C.
Does anyone know a solution for symmetric key management that can
provide these features and implemented in the open-source domain?
Thanks,
Usman
If you are not wedded to AES have a look at wireguard.
https://lwn.net/Articles/761939/
It's available on many distributions are automatically handles
updating session keys once you have registered each nodes public key.
I found the lkms package very easy get under Debian Stretch.
It's light weight, simple and just works without complex Daemon needed.
If you want to support many nodes with arbitrary linkage you will
need to run some more complex routing system I guess.
Andrew
Hi,
I second the idea of using a schema along the lines implemented in
WireGuard. You might be able re-purpose the WireGuard kernel module for
your communications.
Your talk about 'securely dissemination' of the keys, WireGuard does
initially need the keys to be shared but from there is its all automatic.
Cheers
Mike
18 Oct
18 Oct
8:46 a.m.
Hi Mike and Andrew,
Thank you for pointing this out. After reading https://www.wireguard.com/
and https://lwn.net/Articles/761939/, it seems like WireGuard offers a
secure transport and not the key management features. Unless I
missed something?
Regards,
Usman
On Wed, Oct 17, 2018 at 8:55 PM Mike O'Connor <mike(a)pineview.net> wrote:
On 17/10/2018 7:44 PM, Andrew Worsley wrote:
On 17 Oct 2018 7:00 pm, "Usman Saeed via luv-main"
<luv-main(a)luv.asn.au <mailto:luv-main@luv.asn.au>> wrote:
Hi,
I am working on a project involving distributed radio nodes
connected over a wireless network. We are using symmetric key
cryptography for ciphering (AES-256). The radio nodes are running
Linux on a 250MHz processor.
I need a solution to manage the symmetric keys in this network of
nodes, written in C/C++. The solution should be able to manage the
life cycle of the keys. It should be able to auto-generate a new
key (upon expiry or when manually instructed by the user) and
securely disseminate it in the network and archive the old key
after activation of the new key.
I have looked at Key Management Interoperability Protocol (KMIP).
It provides all of these features but sadly there is no
open-source implementation available in C.
Does anyone know a solution for symmetric key management that can
provide these features and implemented in the open-source domain?
Thanks,
Usman
If you are not wedded to AES have a look at wireguard.
https://lwn.net/Articles/761939/
It's available on many distributions are automatically handles
updating session keys once you have registered each nodes public key.
I found the lkms package very easy get under Debian Stretch.
It's light weight, simple and just works without complex Daemon needed.
If you want to support many nodes with arbitrary linkage you will
need to run some more complex routing system I guess.
Andrew
Hi,
I second the idea of using a schema along the lines implemented in
WireGuard. You might be able re-purpose the WireGuard kernel module for
your communications.
Your talk about 'securely dissemination' of the keys, WireGuard does
initially need the keys to be shared but from there is its all automatic.
Cheers
Mike
4:54 p.m.
On Thu, 18 Oct 2018, 8:47 am Usman Saeed, <usaeed1088(a)gmail.com> wrote:
Hi Mike and Andrew,
Thank you for pointing this out. After reading https://www.wireguard.com/
and https://lwn.net/Articles/761939/, it seems like WireGuard offers a
secure transport and not the key management features. Unless I
missed something?
Regards,
Usman
Yes for the initial public keys but after that session key updating is
taken care of as pointed out by Mike.
The initial once off set up is always a problem no matter what scheme you
use.
Andrew
10:45 a.m.
probably not directly applicable, but a parallel sort of approach for ssh
keys...
https://github.com/netflix/bless
On Wed, 17 Oct 2018 at 19:00, Usman Saeed via luv-main <luv-main(a)luv.asn.au>
wrote:
Hi,
I am working on a project involving distributed radio nodes connected over
a wireless network. We are using symmetric key cryptography for ciphering
(AES-256). The radio nodes are running Linux on a 250MHz processor.
I need a solution to manage the symmetric keys in this network of nodes,
written in C/C++. The solution should be able to manage the life cycle of
the keys. It should be able to auto-generate a new key (upon expiry or when
manually instructed by the user) and securely disseminate it in the network
and archive the old key after activation of the new key.
I have looked at Key Management Interoperability Protocol (KMIP). It
provides all of these features but sadly there is no open-source
implementation available in C.
Does anyone know a solution for symmetric key management that can provide
these features and implemented in the open-source domain?
Thanks,
Usman
_______________________________________________
luv-main mailing list
luv-main(a)luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main
--
Dr Paul van den Bergen
28 Oct
28 Oct
11:08 a.m.
On Wednesday, 17 October 2018 7:00:11 PM AEDT Usman Saeed via luv-main wrote:
I have looked at Key Management Interoperability
Protocol (KMIP). It
provides all of these features but sadly there is no open-source
implementation available in C.
Why is a C implmentation so important? C can call library code written in any
language that allows compiling libraries. For languages which don't have a
compiled form (Perl etc) then you can run a program in that language as a
child process.
As an aside, the last time I did any significant crypto coding in C I ran into
some SEGVs that I couldn't fix. I called 2 different libraries that both
called OpenSSL libraries and got a SEGV afterwards. I ended up changing the
code to call the second OpenSSL using library in a child process as the only
way of avoiding memory corruption and a later SEGV. So I wouldn't recommend
planning on having a single C program to do it all.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
1613
days inactive
1624
days old
6 comments
5 participants
participants (5)
-
Andrew Worsley -
Mike O'Connor -
Paul van den Bergen -
Russell Coker -
Usman Saeed