EmbeddedRelated.com

Encrypting an RS-232 stream

Started by Urs Beeli March 22, 2006
One of our devices is controlled from a PC using the serial
interface. One of our customers has security concerns as the
protocol used, though proprietary, is not encrypted.

As adding encryption to our - dated - device is not a viable
option, I have gotten the task to find out if we can find
some third party solution that plugs into the serial stream
and encrypts/decrypts the data stream with a corresponding
library to do the same on the PC.

Something along those lines:

 +--------+                 +--------------------------+
 | device +-- rs232 open ---+ third party en/decryptor |
 +--------+                 +-----------+--------------+
                                        |
                                        |
                                  rs232 encrypted
                                        |
                                        |
                                        |
            +-------------+-------+-----+-----------+
            |             |       |  en/decryption  |
            |    PC       |       |  library        |
            |             |       +-----------------+
            |             |                         |
            |             |   original app          |
            |             |                         |
            +-------------+-------------------------+

Does anyone know of a product that offers this? I have
found a number of "port servers" with rs-232 on one side
and TCP/IP on the other side but we need rs-232 on both
sides.

I would appreciate any pointers.

Cheers
Urs

-- 
"Change is inevitable, except from a vending machine."
 -- Urs Beeli, <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch>
Urs Beeli wrote:
> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
>
> As adding encryption to our - dated - device is not a viable
> option, I have gotten the task to find out if we can find
> some third party solution that plugs into the serial stream
> and encrypts/decrypts the data stream with a corresponding
> library to do the same on the PC.
>
> [diagram snipped]
>
> Does anyone know of a product that offers this? I have
> found a number of "port servers" with rs-232 on one side
> and TCP/IP on the other side but we need rs-232 on both
> sides.
>
> I would appreciate any pointers.
A lot depends on the strength of encryption required. It sounds as
if not much is needed, so xor'ing with the output of a pseudo-random
generator should do. All you have to do is arrange to sync with
the generator. The result should protect against idle
eavesdropping, but not against determined attack. You could build
the unit out of a PIC.

-- 
"If you want to post a followup via groups.google.com, don't use
 the broken "Reply" link at the bottom of the article.  Click on
 "show options" at the top of the article, then click on the
 "Reply" at the bottom of the article headers." - Keith Thompson
More details at: <http://cfaj.freeshell.org/google/>
Also see <http://www.safalra.com/special/googlegroupsreply/>
> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
Who is the anticipated attacker? Your scenario still has data in the clear between device and encryptor box. Anyone could insert a wedge here and get cleartext.
On 22 Mar 2006 07:52:31 -0800 larwe wrote:
> > > One of our devices is controlled from a PC using the serial
> > > interface. One of our customers has security concerns as the
> > > protocol used, though proprietary, is not encrypted.
> >
> > Who is the anticipated attacker? Your scenario still has data in the
> > clear between device and encryptor box. Anyone could insert a wedge
> > here and get cleartext.
I realise that. Personally I do not see that we even need such a device.
However, the customer cannot be talked out of it and the suits in management
now have a new buzzword, so here I am looking for encryption solutions :-)

Cheers
/urs

-- 
"Change is inevitable, except from a vending machine."
 -- Urs Beeli, <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch>
On Wed, 22 Mar 2006 09:57:56 -0500 CBFalconer wrote:
> Urs Beeli wrote:
> >
> > One of our devices is controlled from a PC using the serial
> > interface. One of our customers has security concerns as the
> > protocol used, though proprietary, is not encrypted.
> >
> > As adding encryption to our - dated - device is not a viable
> > option, I have gotten the task to find out if we can find
> > some third party solution that plugs into the serial stream
> > and encrypts/decrypts the data stream with a corresponding
> > library to do the same on the PC.
> >
> > [...]
> >
> > I would appreciate any pointers.
>
> A lot depends on the strength of encryption required. It sounds as
> if not much is needed, so xor'ing with the output of pseudo-random
> generator should do. All you have to do is arrange to sync with
> the generator. The result should protect against idle
> eavesdropping, but not against determined attack. You could build
> the unit out of a PIC.
That would certainly be a technically viable solution. However, I don't
think that for the few cases where a customer insists on encrypted
communication we will build a solution ourselves.

I was hoping that someone could point me to a ready-to-buy third-party
product. I have found some on the web but thought some of you here may have
experience with such products and could recommend (or disrecommend :-)
certain products.

In any case, thanks for your answer.

Cheers
/urs

-- 
"Change is inevitable, except from a vending machine."
 -- Urs Beeli, <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch>
Urs Beeli wrote:


> > Who is the anticipated attacker? Your scenario still has data in the
> > clear between device and encryptor box. Anyone could insert a wedge
> > here and get cleartext.
>
> I realise that. Personally I do not see that we even need such a device.
> However, the customer cannot be talked out of it and the suits in management
> now have a new buzzword, so here I am looking for encryption solutions :-)
They exist. http://www.simrex.com/site/products/special.htm for instance.

There are also Ethernet to serial gateways that have 3DES support. Google
for that and you'll find products such as
<http://www.networktechinc.com/srvsw-term-ssh.html>. Of course it means
rewiring the main cable run for Ethernet instead of RS232. Expect to
spend a LOT.

For simple Mickey Mouse protection, which is all you seem to need, an
8-bit micro with two UARTS could implement what you need in a weekend's
programming.
On Wed, 22 Mar 2006 16:13:34 +0000 (UTC), Urs Beeli <usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch> wrote:

>On Wed, 22 Mar 2006 09:57:56 -0500 CBFalconer wrote:
>> Urs Beeli wrote:
>> >
>> > One of our devices is controlled from a PC using the serial
>> > interface. One of our customers has security concerns as the
>> > protocol used, though proprietary, is not encrypted.
>> >
>> > [...]
>>
>> A lot depends on the strength of encryption required. It sounds as
>> if not much is needed, so xor'ing with the output of pseudo-random
>> generator should do. All you have to do is arrange to sync with
>> the generator. The result should protect against idle
>> eavesdropping, but not against determined attack. You could build
>> the unit out of a PIC.
>
>That would certainly be a technically viable solution. However, I don't
>think that for the few cases where a customer insists on encrypted
>communication we will build a solution ourselves.
>
>I was hoping that someone could point me to a ready-to-buy third-party
>product. I have found some on the web but thought some of you here may have
>experience with such products and could recommend (or disrecommend :-)
>certain products.
>
>In any case, thanks for your answer.
>
>Cheers
>/urs
How about using a USB to Serial cable. Using virtual COM port drivers at
the PC end would make the difficulty of interception at the PC similar to
any other software based solution, and the far end would be no less
vulnerable than with an encryptor box.

Put a 'super encryptor (TM)' label on it - if the customer doesn't
understand that the current proposed scheme is pointless are they likely
to know the difference...?
CBFalconer wrote:
> A lot depends on the strength of encryption required. It sounds as
> if not much is needed, so xor'ing with the output of pseudo-random
> generator should do. All you have to do is arrange to sync with
> the generator. The result should protect against idle
> eavesdropping, but not against determined attack. You could build
> the unit out of a PIC.
This method you describe is a stream cipher, one example of which is RC4,
which is efficient in software and industrial strength. The robustness
here depends on the quality of the random data.

You do, however, have to be careful never to rekey with the same value
twice, or the two streams can be XORed together to get the XOR of the
plaintexts.

- Tim.
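The following is an added example written for this page; it is not code from any poster here, nor from any product named in the thread. It serves two posts at once: CBFalconer's sketch of XORing the serial bytes against a pseudo-random generator that both ends keep in sync, and Tim's warning never to rekey with the same value twice. Assumptions: the generator is xorshift32, chosen only because it fits an 8-bit micro in a handful of lines (it is NOT a cryptographic generator and would not survive a determined attack, exactly as CBFalconer says); the key, nonces and "SET SPEED" command strings are constructed sample values; the sync mechanism is a per-session nonce that both sides mix into the seed. The last two functions show Tim's point concretely: with the same key and nonce on two sessions, XORing the two ciphertexts gives the XOR of the two plaintexts, and with a fresh nonce it does not.

```c
/* Added example (not from the thread or any product it names): byte-wise
 * XOR stream cipher of the kind CBFalconer sketches, with both ends seeded
 * from a shared key plus a per-session nonce, and a demonstration of the
 * keystream-reuse leak Tim describes.
 * ASSUMPTIONS: xorshift32 stands in for "a pseudo-random generator"; it is
 * NOT cryptographic.  Keys, nonces and commands are constructed samples. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t state; } keystream_t;

/* Seed from a long-term key and a per-session nonce.  The nonce is what keeps
 * the box and the PC library in step; it must be agreed at session start and
 * must never repeat under the same key. */
static void keystream_init(keystream_t *k, uint32_t key, uint32_t nonce)
{
    k->state = key ^ (nonce * 0x9E3779B9u);   /* cheap mixing, not a real KDF */
    if (k->state == 0)
        k->state = 1;                         /* xorshift32 must not start at 0 */
}

/* One keystream byte per call: the top byte of the next xorshift32 output. */
static uint8_t keystream_next(keystream_t *k)
{
    uint32_t x = k->state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    k->state = x;
    return (uint8_t)(x >> 24);
}

/* Encrypt and decrypt are the same operation: out = in XOR keystream.
 * Each UART byte is transformed as it passes, so no framing is added. */
static void xor_stream(keystream_t *k, const uint8_t *in, uint8_t *out, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        out[i] = in[i] ^ keystream_next(k);
}

/* Round trip between a "box" and a "PC library" seeded identically.
 * Returns 1 when the PC recovers the command and the wire bytes differ from it. */
int roundtrip_ok(void)
{
    static const uint8_t cmd[] = "SET SPEED 120\r";   /* constructed command */
    uint8_t wire[sizeof cmd], recovered[sizeof cmd];
    keystream_t box, pc;

    keystream_init(&box, 0xC0FFEE11u, 42u);
    keystream_init(&pc,  0xC0FFEE11u, 42u);
    xor_stream(&box, cmd, wire, sizeof cmd);
    xor_stream(&pc, wire, recovered, sizeof cmd);
    return memcmp(cmd, recovered, sizeof cmd) == 0
        && memcmp(cmd, wire, sizeof cmd) != 0;
}

/* Encrypt two different commands in two sessions under the same key with the
 * given nonces, then compare c1^c2 against p1^p2.  Returns 1 when they match
 * byte for byte, i.e. when someone who recorded both ciphertexts learns the
 * XOR of the plaintexts without knowing the key. */
int xor_of_ciphertexts_equals_xor_of_plaintexts(uint32_t nonce1, uint32_t nonce2)
{
    static const uint8_t p1[16] = "SET SPEED 120\r ";  /* constructed */
    static const uint8_t p2[16] = "SET SPEED 055\r ";  /* constructed */
    uint8_t c1[16], c2[16];
    keystream_t a, b;
    size_t i;

    keystream_init(&a, 0xC0FFEE11u, nonce1);
    keystream_init(&b, 0xC0FFEE11u, nonce2);
    xor_stream(&a, p1, c1, sizeof p1);
    xor_stream(&b, p2, c2, sizeof p2);
    for (i = 0; i < sizeof p1; i++)
        if ((uint8_t)(c1[i] ^ c2[i]) != (uint8_t)(p1[i] ^ p2[i]))
            return 0;
    return 1;
}

/* Tim's failure case: same key and same nonce (a box that resets its
 * generator to the same state on every power-up has exactly this bug). */
int reuse_leaks(void)
{
    return xor_of_ciphertexts_equals_xor_of_plaintexts(7u, 7u);
}

/* Fresh nonce per session: the relation no longer holds. */
int fresh_nonce_does_not_leak(void)
{
    return xor_of_ciphertexts_equals_xor_of_plaintexts(7u, 8u) == 0;
}

int main(void)
{
    printf("round trip ok:              %d\n", roundtrip_ok());
    printf("reused nonce leaks p1^p2:   %d\n", reuse_leaks());
    printf("fresh nonce leaks p1^p2:    %d\n", !fresh_nonce_does_not_leak());
    return 0;
}
```

Two caveats a practitioner would attach to this scheme, neither of which the thread spells out: the nonce has to travel in the clear at every session start (or be derived from something both ends already share), since that is the only thing that keeps the two generators aligned; and plain XOR provides confidentiality only, no integrity, so anyone with access to the "encrypted" segment can flip chosen bits of a command and the receiver cannot tell.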
On Wed, 22 Mar 2006 14:32:47 +0000 (UTC), Urs Beeli wrote:

> One of our devices is controlled from a PC using the serial
> interface. One of our customers has security concerns as the
> protocol used, though proprietary, is not encrypted.
>
> As adding encryption to our - dated - device is not a viable
> option, I have gotten the task to find out if we can find
> some third party solution that plugs into the serial stream
> and encrypts/decrypts the data stream with a corresponding
> library to do the same on the PC.
>
> [diagram snipped]
>
> Does anyone know of a product that offers this? I have
> found a number of "port servers" with rs-232 on one side
> and TCP/IP on the other side but we need rs-232 on both
> sides.
>
> I would appreciate any pointers.
>
> Cheers
> Urs
Hi Urs,

I would use some kind of Ethernet serial converter and encrypt the
Ethernet traffic with a common encrypting algorithm, SSL or whatever.

I live in Switzerland too and can recommend something like a
Serial-Server 1xDB25/f,1xRJ45 10Mbps which you will find on www.arp.ch

Not sure if they allow encrypted Telnet but at least it's not so easy to
have access to the plain protocol with a network monitor. This way it is
more secure than a serial connection.

PS: Many greetings from Luzern

Lukas
On Wed, 22 Mar 2006 14:32:47 +0000 (UTC), Urs Beeli
<usenet@CONCAT_MY_FIRST_AND_LAST_NAME.ch> wrote:

>One of our devices is controlled from a PC using the serial
>interface. One of our customers has security concerns as the
>protocol used, though proprietary, is not encrypted.
>
>As adding encryption to our - dated - device is not a viable
>option, I have gotten the task to find out if we can find
>some third party solution that plugs into the serial stream
>and encrypts/decrypts the data stream with a corresponding
>library to do the same on the PC.
>
>[diagram snipped]
>
>Does anyone know of a product that offers this? I have
>found a number of "port servers" with rs-232 on one side
>and TCP/IP on the other side but we need rs-232 on both
>sides.
>
>I would appreciate any pointers.
This mob have them:

http://www.senetas.com/default.cfm?subsection=11 (CypherNET Link Encryptor)

Sold in the US as:

http://www.safenet-inc.com/products/encryptors/link.asp

This will be very expensive, but it will have the appropriate
certifications that will be accepted by govts, banks and three letter
agencies, etc.

Regards,
Allan