Would anyone have a lead to the crypto function to do this? The challenge is for the server to compute a random HASH or MAC based on a digest only, which the client cannot guess.
Well, as some of the comments point out, the best we can do is prove that the firmware knows the correct image; not that it is actually running it.
However, I'll proceed ignoring that detail.
It doesn't look doable using symmetric crypto; the value $MAC(key, image)$ can only be computed with knowledge of the image, hence the server (who doesn't know the image) cannot verify it. I suppose that the server could have a number of precomputed $key, MAC(key, image)$ pairs; however that works only so many times (depending on the number of precomputed pairs).
On the other hand, it is a solvable problem using asymmetric crypto; here is a protocol that solves it (albeit in a way that is likely too expensive to be usable in practice) - this will show that this is a solvable problem (with the above caveat):
The IoT and the server share a value $n$, which is an integer of secret factorization.
The server transmits a challenge value $g$.
The IoT translates the image into a (large) integer $i$ (so that if the image consists of 10kbyte = 80kbits, we have $i$ as an 80,000 bit integer); he computes $g^i \bmod n$ and sends that value to the server.
The server has a precomputed $j = i \bmod \phi(n)$ stored; he computes $g^j \bmod n$ and compares that to the value that the IoT sends.
The trick this uses is that the server has a summarized version of the image $i \bmod \phi(n)$; however the IoT cannot compute that summarized version (because he doesn't know the factorization of $n$); so he needs the entire image to compute it.
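The exchange described above, as an added Python sketch that is not part of the original answer. Assumptions: the modulus is a toy one built from two known Mersenne primes, all function names are hypothetical, and the `0x01` prefix byte (so leading zero bytes of the image are not lost in the integer conversion) and the `gcd` check on $g$ (needed for the reduction modulo $\phi(n)$ to be valid) are additions.

```python
import math
import secrets

# Toy modulus from two known Mersenne primes (constructed for this demo).
# A real deployment needs a large modulus whose factors only the server knows.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                  # shared by device and server
PHI = (P - 1) * (Q - 1)    # server-only: requires the factorization of N

def image_to_int(image: bytes) -> int:
    # Assumed encoding: prefix 0x01 so images that differ only in leading
    # zero bytes still map to different integers.
    return int.from_bytes(b"\x01" + image, "big")

def server_enroll(image: bytes) -> int:
    """One-time step: keep only j = i mod phi(n), not the image."""
    return image_to_int(image) % PHI

def server_challenge() -> int:
    """Fresh random g, coprime to n so that g^i == g^(i mod phi(n)) mod n."""
    while True:
        g = 2 + secrets.randbelow(N - 3)
        if math.gcd(g, N) == 1:
            return g

def device_respond(g: int, image: bytes) -> int:
    """Device side: needs the full image to compute g^i mod n."""
    return pow(g, image_to_int(image), N)

def server_verify(g: int, j: int, response: int) -> bool:
    """Server side: short exponent j stands in for the whole image."""
    return pow(g, j, N) == response

def run_exchange(enrolled: bytes, on_device: bytes) -> bool:
    j = server_enroll(enrolled)
    g = server_challenge()
    return server_verify(g, j, device_respond(g, on_device))

if __name__ == "__main__":
    firmware = bytes(range(256)) * 40           # constructed 10 kbyte image
    patched = b"\xff" + firmware[1:]            # one byte changed
    print("genuine image accepted:", run_exchange(firmware, firmware))
    print("modified image accepted:", run_exchange(firmware, patched))
```

Each run draws a new $g$, so a response recorded for one challenge does not answer another.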