I’ve been getting more deeply involved in the cybersecurity and cryptography end of things in the last few weeks.
Did some serious work looking into current best practices for password management. Found that the bcrypt algorithm I had been familiar with was superseded long ago (no surprise there) and that there is a hash iteration algorithm that can be used to bump up the work involved in computing an off-the-shelf HMAC to levels where it is suited for use as a password hash (PBKDF2 and here).
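To make the HMAC iteration concrete, here is an added example (not code from this post): PBKDF2 written out by hand so the repeated HMAC calls are visible, plus a salted hash/verify pair built on the standard library's `hashlib.pbkdf2_hmac`. The storage format string and the `DEFAULT_ITERATIONS` value are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

def pbkdf2(password, salt, iterations, dklen, hash_name="sha256"):
    """PBKDF2 written out by hand to show the HMAC iteration."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(hash_name).digest_size
    out = b""
    for i in range(1, -(-dklen // hlen) + 1):       # ceil(dklen / hlen) blocks
        # U_1 = HMAC(password, salt || 32-bit big-endian block index)
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = HMAC(password, U_{j-1}); the block is the XOR of all U_j
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]

# Assumed work factor for this sketch; tune it to your own hardware.
DEFAULT_ITERATIONS = 600_000

def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (constructed format)."""
    salt = os.urandom(16)                            # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        iterations, salt, expected = int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)
```

Storing the iteration count and salt alongside the hash lets the work factor be raised later without invalidating existing records.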
I’ve been looking at TLS and related technologies. In the past I’ve tended to treat them as black box components. I’m digging a bit deeper on a few fronts now.
I knew that elliptic curve algorithms were available in the TLS cipher suite but had not realized that they were in active use. Last time I looked at elliptic curve algorithms the community was viewing them with suspicion after the Dual_EC_DRBG fiasco. I think that the reduced computational complexity when processing them may have also lent an air of insecurity to them. At this point it sounds as if they’ve passed muster and are in serious use. I picked up a book (Modern Cryptography and Elliptic Curves, A Beginner’s Guide) to get a better handle on the underlying mathematics and will be taking a closer look on a broader scale.
I’m setting up my Raspberry Pi controllers (at least a few of them) as TLS/DTLS test endpoints. I’ve loaded and built OpenSSL on them over the weekend and will be coding up some samples to play with in the evenings this week. I’ve got machines ranging from Pi 2 to Pi 4 so they should provide a nice range of performance for testing.
TLS on TCP
I expect to initially put together some simple TLS over TCP code to make sure I’ve got everything working properly and that my certs are set up correctly.
DTLS on UDP
Once I’ve got TLS working I’ll likely try to transition to point-to-point DTLS as that is also a standardized protocol and a good stepping stone to the proposed multicast adaptation.
Multicast on UDP
I haven’t worked with multicast datagram traffic much (pretty much never) so I’ll likely move on to simple, unencrypted multicast traffic from there. If I can get some of the machines to join a multicast group and ping traffic off of them, I’ll count that as a win.
Multicast over DTLS on UDP
The final step of this exercise will involve taking the multicast sample and the DTLS sample and attempting to implement the proposed approach to providing multicast support to DTLS. This isn’t a standards track proposal, but seems like the closest thing we’ve got to secure multicast traffic support.
Hoping this comes together. It seems like an interesting exercise. If I can get this work done entirely off hours, I’ll share the resulting code on my GitHub account…