"Urs Beeli" <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch> wrote in message
news:slrne22tl9.7np.usenet@stinky.trash.net...
> On Wed, 22 Mar 2006 09:57:56 -0500 CBFalconer wrote:
>> Urs Beeli wrote:
>> >
>> > One of our devices is controlled from a PC using the serial
>> > interface. One of our customers has security concerns as the
>> > protocol used, though proprietary, is not encrypted.
>> >
We had a client who wanted security. Instead of encrypting the data we used
fibre optic links as those are much more difficult to break into.
Peter
Reply by Urs Beeli ● March 23, 2006
On Wed, 22 Mar 2006 14:32:47 +0000 (UTC) Urs Beeli wrote:
> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
>
> As adding encryption to our - dated - device is not a viable
> option, I have gotten the task to find out if we can find
> some third party solution that plugs into the serial stream
> and encrypts/decrypts the data stream with a corresponding
> library to do the same on the PC.
>
> Does anyone know of a product that offers this? I have
> found a number of "port servers" with rs-232 on one side
> and TCP/IP on the other side but we need rs-232 on both
> sides.
Thanks for all the many answers. I'll try to answer some of the
suggestions in this one posting instead of following up each of
them.
- terminal server based solutions
this seems to be the most common solution available; I found
quite a number of those. However, as we have rs232 cable runs
installed I don't see this as an option.
- various ideas on how to "roll our own" are noted and would
probably be feasible. However, if we decided to do this
ourselves, we might as well integrate it into our own devices.
As we are tight on resources and our management would prefer
a "buy" solution I don't think we'll continue along this path.
Still, thanks for all the ideas.
- researching the net and from your suggestions I have put
together the following list of potential devices:
Simrex SimCrypt
http://www.simrex.com/site/products/special.htm
SEQUI EncryptorPak
http://www.sequi.com/SEQUI_Products.htm
DCB SE-660 Serial Data Encrypter
http://www.dcbnet.com/datasheet/se6600ds.html?overtureencryptor&OVRAW=rs232%20encryption&OVKEY=rs232%20encryption&OVMTC=standard
Selinc SEL-3021
http://www.selinc.com/sel-3021.htm
CE0058 RS-232/RS-485 PROTOCOL CONVERTER
http://www.pbjtech.com/products/index.html#CE0058_RS-232RS-485_PROTOCOL_CONVERTER
RS-232 to RS-232 adapter
http://www.wrenchman.com/products.htm
Thank you for all your input, we will have a look at these devices and
see which one fits our needs best.
Cheers
/urs
--
"Change is inevitable, except from a vending machine."
-- Urs Beeli, <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch>
Reply by Jim Nagy ● March 22, 2006
>
> >On Wed, 22 Mar 2006 09:57:56 -0500 CBFalconer wrote:
> >> Urs Beeli wrote:
> >> >
> >> > One of our devices is controlled from a PC using the serial
> >> > interface. One of our customers has security concerns as the
> >> > protocol used, though proprietary, is not encrypted.
> >> >
Have you seen the SEL 3021 by Schweitzer Engineering? They make some
pretty good devices for the power electricity market:
http://www.selinc.com/sel-3021.htm
It says US$540 ea.
--
Jim Nagy
Elm Electronics
Reply by Andrew Reilly ● March 22, 2006
On Wed, 22 Mar 2006 15:32:47 +0000, Urs Beeli wrote:
> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
>
> As adding encryption to our - dated - device is not a viable
> option, I have gotten the task to find out if we can find
> some third party solution that plugs into the serial stream
> and encrypts/decrypts the data stream with a corresponding
> library to do the same on the PC.
One of the amusing characteristics of RS-232 communication systems is that
since they're bi-directional and byte-oriented, even though the ultimate
bit-rate is not terribly high, by today's standards, the protocol-level
latency demands can be *very* high, compared to internet-oriented packet
protocols. I don't suppose that your device has any particular gotchas,
there?
The other (related) thing to consider is that most of the good encryption
protocols are block based, operating on 64 bits (8 bytes) or more at a
time. If your protocol is byte-based, then you might have to work out
some padding tricks, to make sure that individual bytes get through on
time. This is generally handled by the packetizers in network terminal
servers, but it's something that you'll have to think about, if you want
to roll your own solution.
[snip diagram]
>
> Does anyone know of a product that offers this? I have
> found a number of "port servers" with rs-232 on one side
> and TCP/IP on the other side but we need rs-232 on both
> sides.
You seem to be prepared to hack up the PC-side application to suit the
solution. If you can't switch to ethernet because you have an installed
run of RS-232 cable, could you go as far as running a PPP link over your
RS-232 cable? That way you could use common off the shelf crypto
libraries/protocols, like SSL or SSH.
>
> I would appreciate any pointers.
I think that a fairly simple mostly off-the-shelf solution could be:
0) Get a Linux/BSD box (quite small ones can be had, like gumstix or one
of the little VIA Mini-ITX PC motherboards). Make at least one
interactive (shell) user account on it.
1) Set it up to boot up with a PPP server running on one COM port and plug
another com port into your device.
2) Put a PPP client on the PC, and have it "dial" the new box over the
main RS-232 link. Verify a working IP connection to the new box.
3) issue the command "ssh new-box cu -n -s 38400 -l /dev/tty00" (seasoned
to taste), and bingo: you've got an encrypted terminal session talking to
the original serial port on your device. Use public keys to avoid the
log-in dialog.
4) use popen("ssh new-box cu -n -s 38400 -l /dev/tty00", "r+") in your
application to give you a file descriptor open to read/write your device.
That should all pretty much "just work", for the cost of an embedded
system with two serial ports and a Linux or BSD installation, with no
actual coding, provided that the time-outs that the ssh session uses to
block up small packets doesn't interfere with your proprietary serial
protocol.
Neat, huh?
--
Andrew
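Step 4 above relies on popen(cmd, "r+"), which glibc does not support (its popen() accepts only "r" or "w"); the following added example, not part of Andrew's post, builds the same bidirectional channel with socketpair() and fork/execv, which also keeps the command line away from /bin/sh. It assumes /bin/cat as a stand-in for the "ssh new-box cu ..." command so it runs without an ssh session.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Bidirectional stand-in for popen(cmd, "r+"): glibc's popen() accepts only
 * "r" or "w", and popen() runs the command through /bin/sh. A socketpair plus
 * fork/execv gives one fd wired to the child's stdin and stdout without a shell
 * parsing the command line. argv[0] is the program path. */
static int open_bidir(char *const argv[], pid_t *pid_out)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                       /* child: speak on the other end */
        close(sv[0]);
        dup2(sv[1], STDIN_FILENO);
        dup2(sv[1], STDOUT_FILENO);
        close(sv[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(sv[1]);
    *pid_out = pid;
    return sv[0];                         /* parent reads and writes here */
}

/* Send one command line through the channel and collect an equally long reply.
 * /bin/cat stands in for "ssh new-box cu ..." so this runs without an ssh
 * session; with the real command the reply would come from the device.
 * Returns the number of reply bytes stored in buf (0 on error). */
int roundtrip(const char *cmd, char *buf, size_t buflen)
{
    char *argv[] = { "/bin/cat", NULL };  /* stand-in for the ssh command */
    pid_t pid;
    int fd = open_bidir(argv, &pid);
    if (fd < 0) return 0;
    size_t len = strlen(cmd), got = 0;
    if (len >= buflen || write(fd, cmd, len) != (ssize_t)len) { close(fd); return 0; }
    while (got < len) {                   /* cat echoes the command back */
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) break;
        got += (size_t)n;
    }
    buf[got] = '\0';
    close(fd);                            /* EOF to the child, then reap it */
    waitpid(pid, NULL, 0);
    return (int)got;
}
```

The remaining caveat from the post still applies with this channel: the ssh session's own buffering decides when small writes actually leave the box.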
Reply by Peter Jakacki ● March 22, 2006
Hi Urs,
I can't see why our standard RS-232 protocol converter can't be used.
http://www.pbjtech.com/products/index.html#CE0058_RS-232RS-485_PROTOCOL_CONVERTER
This has RS-232 on one side and RS-232/RS-485 on the other. The second
RS-232 is available off the same DB9 connector. The ARM7 controller has
plenty of grunt for more secure encryption schemes.
We have customers already that require encryption over serial. If you
can specify your requirements we can ship these to you with your
settings preloaded.
*Peter*
www.pbjtech.com
peter@pbjtech.com
Urs Beeli wrote:
> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
>
> As adding encryption to our - dated - device is not a viable
> option, I have gotten the task to find out if we can find
> some third party solution that plugs into the serial stream
> and encrypts/decrypts the data stream with a corresponding
> library to do the same on the PC.
>
> Something along those lines:
>
> +--------+                 +--------------------------+
> | device +-- rs232 open ---+ third party en/decryptor |
> +--------+                 +-----------+--------------+
>                                        |
>                                        |
>                                rs232 encrypted
>                                        |
>                                        |
>                                        |
>            +-------------+-------+-----+-----------+
>            |             |       |  en/decryption  |
>            |     PC      |       |     library     |
>            |             |       +-----------------+
>            |             |       |                 |
>            |             |       |  original app   |
>            |             |       |                 |
>            +-------------+-------------------------+
>
> Does anyone know of a product that offers this? I have
> found a number of "port servers" with rs-232 on one side
> and TCP/IP on the other side but we need rs-232 on both
> sides.
>
> I would appreciate any pointers.
>
> Cheers
> Urs
>
Reply by Allan Herriman ● March 22, 2006
On Wed, 22 Mar 2006 14:32:47 +0000 (UTC), Urs Beeli
<usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch> wrote:
>One of our devices is controlled from a PC using the serial
>interface. One of our customers has security concerns as the
>protocol used, though proprietary, is not encrypted.
>
>As adding encryption to our - dated - device is not a viable
>option, I have gotten the task to find out if we can find
>some third party solution that plugs into the serial stream
>and encrypts/decrypts the data stream with a corresponding
>library to do the same on the PC.
>
>Something along those lines:
>
> +--------+                 +--------------------------+
> | device +-- rs232 open ---+ third party en/decryptor |
> +--------+                 +-----------+--------------+
>                                        |
>                                        |
>                                rs232 encrypted
>                                        |
>                                        |
>                                        |
>            +-------------+-------+-----+-----------+
>            |             |       |  en/decryption  |
>            |     PC      |       |     library     |
>            |             |       +-----------------+
>            |             |       |                 |
>            |             |       |  original app   |
>            |             |       |                 |
>            +-------------+-------------------------+
>
>Does anyone know of a product that offers this? I have
>found a number of "port servers" with rs-232 on one side
>and TCP/IP on the other side but we need rs-232 on both
>sides.
>
>I would appreciate any pointers.
On Wed, 22 Mar 2006 14:32:47 +0000 (UTC), Urs Beeli wrote:
> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
>
> As adding encryption to our - dated - device is not a viable
> option, I have gotten the task to find out if we can find
> some third party solution that plugs into the serial stream
> and encrypts/decrypts the data stream with a corresponding
> library to do the same on the PC.
>
> Something along those lines:
>
> +--------+                 +--------------------------+
> | device +-- rs232 open ---+ third party en/decryptor |
> +--------+                 +-----------+--------------+
>                                        |
>                                        |
>                                rs232 encrypted
>                                        |
>                                        |
>                                        |
>            +-------------+-------+-----+-----------+
>            |             |       |  en/decryption  |
>            |     PC      |       |     library     |
>            |             |       +-----------------+
>            |             |       |                 |
>            |             |       |  original app   |
>            |             |       |                 |
>            +-------------+-------------------------+
>
> Does anyone know of a product that offers this? I have
> found a number of "port servers" with rs-232 on one side
> and TCP/IP on the other side but we need rs-232 on both
> sides.
>
> I would appreciate any pointers.
>
> Cheers
> Urs
Hi Urs,
I would use some kind of Ethernet serial converter and encrypt the Ethernet
traffic with a common encryption algorithm, SSL or whatever.
I live in Switzerland too and can recommend something like a
Serial-Server 1xDB25/f,1xRJ45 10Mbps which you will find on www.arp.ch
Not sure if they allow encrypted Telnet but at least it's not so easy to
have access to the plain protocol with a network monitor. This way it is more
secure than a serial connection.
PS: Greetings from Lucerne
Lukas
Reply by tbro...@hifn.com ● March 22, 2006
CBFalconer wrote:
> A lot depends on the strength of encryption required. It sounds as
> if not much is needed, so xor'ing with the output of pseudo-random
> generator should do. All you have to do is arrange to sync with
> the generator. The result should protect against idle
> eavesdropping, but not against determined attack. You could build
> the unit out of a PIC.
This method you describe is a stream cipher, one example of which is
RC4 which is efficient in software and industrial strength.
The robustness here depends on the quality of the random data.
You do, however, have to be careful never to rekey with the same value
twice, or the two streams can be XORed together to get the XOR of the
plaintexts.
- Tim.
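The keystream-reuse hazard Tim describes, as an added example that is not from the thread: a toy xorshift keystream (constructed here, not a real cipher) encrypts two constructed command frames under one key, and the check shows that reusing the nonce makes c1 XOR c2 equal p1 XOR p2, while a fresh nonce per frame does not.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Toy keystream (xorshift64*) seeded from key and per-frame nonce. Constructed
 * for this example; a real link needs a vetted stream cipher, but the reuse
 * property shown below holds for any of them. */
typedef struct { uint64_t s; } ks_t;

static void ks_init(ks_t *k, uint64_t key, uint64_t nonce)
{
    k->s = key ^ (nonce * 0x9E3779B97F4A7C15ULL);
    if (k->s == 0) k->s = 1;             /* xorshift state must be nonzero */
}

static uint8_t ks_next(ks_t *k)
{
    k->s ^= k->s >> 12; k->s ^= k->s << 25; k->s ^= k->s >> 27;
    return (uint8_t)((k->s * 0x2545F4914F6CDD1DULL) >> 56);
}

/* XOR a frame with the keystream; the same call encrypts and decrypts. */
void stream_xor(uint64_t key, uint64_t nonce, const uint8_t *in, uint8_t *out, size_t n)
{
    ks_t k; ks_init(&k, key, nonce);
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ ks_next(&k);
}

/* 1 if c1^c2 == p1^p2 for every byte: the keystream cancelled out and an
 * eavesdropper holding both ciphertexts has learned p1^p2. */
int keystream_cancels(const uint8_t *p1, const uint8_t *p2,
                      const uint8_t *c1, const uint8_t *c2, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((c1[i] ^ c2[i]) != (p1[i] ^ p2[i])) return 0;
    return 1;
}

/* Encrypt two constructed 16-byte command frames under one key and report
 * whether their XOR leaks. reuse_nonce=1 is the mistake Tim describes (same
 * keystream twice); reuse_nonce=0 is the fix (a fresh nonce per frame). */
int leaks_with(int reuse_nonce)
{
    static const uint8_t p1[] = "SET SPEED 1200\r\n";  /* constructed */
    static const uint8_t p2[] = "GET STATE 0042\r\n";  /* constructed */
    const uint64_t key = 0x0123456789ABCDEFULL;         /* sample key */
    uint8_t c1[16], c2[16];
    stream_xor(key, 1, p1, c1, 16);
    stream_xor(key, reuse_nonce ? 1 : 2, p2, c2, 16);
    return keystream_cancels(p1, p2, c1, c2, 16);
}
```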
Reply by Mike Harrison ● March 22, 2006
On Wed, 22 Mar 2006 16:13:34 +0000 (UTC), Urs Beeli <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch> wrote:
>On Wed, 22 Mar 2006 09:57:56 -0500 CBFalconer wrote:
>> Urs Beeli wrote:
>> >
>> > One of our devices is controlled from a PC using the serial
>> > interface. One of our customers has security concerns as the
>> > protocol used, though proprietary, is not encrypted.
>> >
>> > As adding encryption to our - dated - device is not a viable
>> > option, I have gotten the task to find out if we can find
>> > some third party solution that plugs into the serial stream
>> > and encrypts/decrypts the data stream with a corresponding
>> > library to do the same on the PC.
>> >
>> > Does anyone know of a product that offers this? I have
>> > found a number of "port servers" with rs-232 on one side
>> > and TCP/IP on the other side but we need rs-232 on both
>> > sides.
>> >
>> > I would appreciate any pointers.
>>
>> A lot depends on the strength of encryption required. It sounds as
>> if not much is needed, so xor'ing with the output of pseudo-random
>> generator should do. All you have to do is arrange to sync with
>> the generator. The result should protect against idle
>> eavesdropping, but not against determined attack. You could build
>> the unit out of a PIC.
>
>That would certainly be a technically viable solution. However, I don't
>think that for the few cases where a customer insists on encrypted
>communication we will build a solution ourselves.
>
>I was hoping that someone could point me to a ready-to-buy-third-party-
>product. I have found some on the web but thought some of you here may have
>experience with such products and could recommend (or disrecommend :-)
>certain products.
>
>In any case, thanks for your answer.
>
>Cheers
>/urs
How about using a USB to Serial cable. Using virtual COM port drivers at the PC end would make the
difficulty of interception at the PC similar to any other software based solution, and the far end
would be no less vulnerable than with an encryptor box.
Put a 'super encryptor (TM)' label on it - if the customer doesn't understand that the current
proposed scheme is pointless are they likely to know the difference...?
Reply by larwe ● March 22, 2006
Urs Beeli wrote:
> > Who is the anticipated attacker? Your scenario still has data in the
> > clear between device and encryptor box. Anyone could insert a wedge
> > here and get cleartext.
>
> I realise that. Personally I do not see that we even need such a device.
> However, the customer cannot be talked out of it and the suits in management
> now have a new buzzword, so here I am looking for encryption solutions :-)
They exist. http://www.simrex.com/site/products/special.htm for
instance.
There are also Ethernet to serial gateways that have 3DES support.
Google for that and you'll find products such as
<http://www.networktechinc.com/srvsw-term-ssh.html>. Of course it means
rewiring the main cable run for Ethernet instead of RS232.
Expect to spend a LOT. For simple Mickey Mouse protection, which is all
you seem to need, an 8-bit micro with two UARTS could implement what
you need in a weekend's programming.