I spent the last few years designing, documenting, implementing and releasing a secure multicast protocol with full key management and seamless key rotation for Draeger Healthcare.
That protocol is their property and I cannot go into great detail about its design here. That protocol was also severely constrained by the very old hardware it needed to run on and by the very out-of-date operating systems and cryptography libraries those systems used. While I cannot share that design, I can create the design I would have built if not for those limitations.
I intend to put together that design and share it here while I’m looking for my next job. I will be using this work to showcase my technical abilities and as a focus for refresher work in the various languages and coding environments I have available here at home.
I’m expecting to target C, C++, C#, Java and Python (probably in that order). I’ll likely use both OpenSSL and BCryptLib for cryptography support. At this point my OS targets are Windows and Ubuntu Linux. If things run on, I may look into other options, including possibly Android and Kotlin (a language I’ve been interested in for some time but, unlike Java, haven’t found time to experiment with).
Initial goals for this are:
- Target fully capable OS and hardware environments that can support elliptic curve cryptography and X.509 certificates.
- Multiple root certs per device.
- Root cert, site cert (for authorization) and device cert
- Root cert(s) pre-installed on devices (out of band)
- Key management to add new root certs, site certs.
- Device generates CSR to sign device cert.
- RESTful TLS API for key management (or an off-the-shelf standard, need to look into this)
- Seamless cert rotation to ensure no loss of functionality as certs expire.
- Elliptic curve cryptography to establish device keys.
- Send only for multicast activity.
- TLS side-channel for reliable communications between peers.
- Full library support in multiple languages on a range of operating systems.
There doesn’t seem to be any protocol out there similar to this at this time, so I’m hoping this proves useful. It is pretty clear that TLS/SOAP-based protocols do not scale as well as a multicast protocol for data dissemination, and many applications require a scalable and secure way to make information available in real time.
I’ll keep posting as I move things forward. Currently I’m just getting this started and, depending on what comes up, I may divert into other areas along the way. I expect to share the code on my GitHub repos at https://github.com/ninecrows