Reply to post: Re: The embedded gear is often based on very low-power hardware

Internet of crap (encryption): IoT gear is generating easy-to-crack keys

Michael Wojcik Silver badge

Re: The embedded gear is often based on very low-power hardware

So start out using a weak key and then replace it after it has been running long enough to generate a strong one

They're talking about the private half of a key pair with an associated certificate, are they not? So replacing the private key would mean requesting a new certificate from the CA and updating that. And that means the device would have to be able to create a CSR (or use some other, almost certainly worse, protocol for the certificate request), contact the CA, and install the new certificate; it's not simply a matter of replacing a single key.

And the CA would have to be able to verify the identity of the requesting device. It could counter-sign its CSR with its existing key, but the whole problem is the existing key is weak.

A simpler fix would be to add some better entropy-generating hardware to the device. I don't pay close attention to current research in HRNGs, but I'd bet that even traditional techniques such as Zener diode avalanche noise or reverse-bias transistor noise would improve whatever these weak-key devices are currently doing. These aren't expensive techniques and multiple instances can be run in parallel.

Of course, as someone else posted above, some of these devices may be getting keys burned in at manufacturing time, and it's simply a matter of better manufacturing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021