Signing and encrypting update packets
  • 02 Oct 2024

Article summary

Update packets allow different files, such as firmware files, profiles, configurations or containers, to be uploaded to INSYS icom routers. To ensure the integrity of these packets, the router can be configured so that it only accepts update packets that have been signed, or encrypted and signed, with your own PKI (public key infrastructure).

Situation

A security-sensitive application requires update packets for the router to be encrypted and signed. This prevents compromised update packets from being uploaded to the router.

Solution

The following describes how to create the certificates necessary for encryption and signing, how to configure the router for validation and decryption of the update packets and how to encrypt and sign the update packets accordingly.

How to create your own update packets is described in this Configuration Guide.

It is a prerequisite that you have downloaded and installed the XCA tool on your computer. Installing XCA also installs the OpenSSL package on your computer.

Linux users, please note!

The package managers of various Linux distributions contain XCA. On Ubuntu, for example, XCA can be installed as follows:
    sudo apt-get install xca

It is also a prerequisite that the time and date on the PC are correct.

Please note!

Certificates have a validity period. An incorrect system time (time and date) is a frequent source of failure. Therefore, ensure that the system time of the PC is correct when creating the certificate structure.

Creating the certificates

A database needs to be generated before the certificate structure is created.

  1. To create a database, open XCA and select File → New DataBase.

  2. Enter file name and specify an appropriate directory for the XCA database.

  3. Enter a password twice and click on OK to create the database.

    Protect your PKI database!

    We strongly recommend specifying a password. Remember this password; it is required every time the database of this CA project is opened.

Creating a CA certificate and key

  1. In order to create a CA certificate and key, change to the Certificates tab and click on New Certificate.

  2. Select the CA template [default] CA under Template for the new certificate.

  3. Click on Apply extensions to take over the extensions from the template for the CA certificate.

  4. Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK.

  5. Change to the Subject tab, specify a suitable commonName and assign this as Internal Name as well.

  6. Complete the remaining fields in the section Distinguished name accordingly.

  7. Click on Generate a new key.

  8. Preferably use the commonName also as Name and click on Create.

  9. Confirm the key generation with OK.

  10. Click on OK and confirm with OK again to complete the creation of the CA certificate.

Creating the certificate and key for signing/validating

  1. In order to create the certificate and key, change to the Certificates tab and click on New Certificate.

  2. In the Signing section, select the option Use this certificate for signing and select the CA certificate created above.

  3. Select the template [default] HTTPS_client under Template for the new certificate.

  4. Click on Apply extensions to take over the extensions from the template for the certificate.

  5. Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK.

  6. Change to the Key usage tab, highlight the entry Digital Signature and un-highlight all other entries.

  7. Change to the Subject tab, specify the commonName as trust and assign this as Internal Name as well.

  8. Click on Generate a new key.

  9. Use the commonName trust also as Name and click on Create.

  10. Confirm the key generation with OK.

  11. Click on OK and confirm with OK again to complete the creation of the certificate.

Creating the certificate and key for encrypting/decrypting

  1. In order to create the certificate and key, change to the Certificates tab and click on New Certificate.

  2. In the Signing section, select the option Use this certificate for signing and select the CA certificate created above.

  3. Select the template [default] HTTPS_client under Template for the new certificate.

  4. Click on Apply extensions to take over the extensions from the template for the certificate.

  5. Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK.

  6. Change to the Key usage tab, highlight the entry Data Encipherment and un-highlight all other entries.

  7. Change to the Subject tab, specify the commonName as crypt and assign this as Internal Name as well.

  8. Click on Generate a new key.

  9. Use the commonName crypt also as Name and click on Create.

  10. Confirm the key generation with OK.

  11. Click on OK and confirm with OK again to complete the creation of the certificate.

Exporting the certificates and keys

The certificates and keys created with XCA are stored in the respective XCA database. In order to upload the certificates and keys to the router and sign/encrypt the update packets, they must be exported. XCA offers different file formats for export. The following describes the export to the PEM file format, which is suitable for all INSYS routers.

Maintain security!

Never export the CA key, because this is essential for the security of the certificates.

  1. In order to export the CA certificate, change to the Certificates tab, highlight the CA certificate in the overview and click on Export.

  2. Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.

  3. In order to export the signing certificate, change to the Certificates tab, highlight the certificate trust in the overview and click on Export.

  4. Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.

  5. In order to export the encryption certificate, change to the Certificates tab, highlight the certificate crypt in the overview and click on Export.

  6. Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.

  7. In order to export the signing key, change to the Private keys tab, highlight the key trust in the overview and click on Export.

  8. Specify a path and file name in the Export private key window, select PEM as Export format and click on OK.

  9. In order to export the encryption key, change to the Private keys tab, highlight the key crypt in the overview and click on Export.

  10. Specify a path and file name in the Export private key window, select PEM as Export format and click on OK.

Encrypting and signing the update packets

All update packets can be signed or encrypted and signed. The following describes how to encrypt and sign an update packet. The OpenSSL commands are entered in a shell using the command line.

The following procedure requires that the update packet to be encrypted and signed is in the same directory as the certificates and keys generated above.
The following commands are based on these naming conventions:

  • upacket.tar: File name of the update packet to be signed/encrypted

  • upacket.tar.enc: File name of the encrypted update packet

  • upacket.tar.enc.sign: File name of the encrypted and signed update packet

  • crypt.crt: Certificate for encrypting the packet

  • crypt.pem: Private key for encrypting the packet

  • trust.crt: Certificate for signing the packet

  • trust.pem: Private key for signing the packet

The following procedure generates the encrypted and signed update packet upacket.tar.enc.sign:

  1. Open a shell on your computer (Windows PowerShell or Linux Terminal).

  2. Navigate in the shell to the directory with the update packet and the certificates and keys.

  3. Encrypt the update packet using the command:
    openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER -out upacket.tar.enc crypt.crt

  4. Sign the update packet using the command:
    openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER
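
Before uploading, the packet can be checked locally by reversing both steps with OpenSSL. The following is an added example, not part of the original article and not INSYS code: `verify_packet` and `demo_roundtrip` are hypothetical helper names, and the demo builds throwaway certificates and a sample payload with OpenSSL in place of the XCA exports. Whether the router applies exactly the same checks is not stated in the article.

```shell
# Added example: local round-trip check of an encrypted and signed update packet.

# verify_packet SIGNED CA SIGNCERT ENCCERT ENCKEY OUT
# Checks the signature against the CA, then decrypts the payload to OUT.
verify_packet() {
    enc=$(mktemp) || return 1
    # The packet was signed with -nocerts, so the signer certificate is passed
    # via -certfile; -purpose any because a TLS client certificate is not S/MIME.
    openssl cms -verify -inform DER -in "$1" -binary -CAfile "$2" \
        -certfile "$3" -purpose any -out "$enc" 2>/dev/null &&
    openssl cms -decrypt -inform DER -in "$enc" -recip "$4" -inkey "$5" -out "$6"
    rc=$?
    rm -f "$enc"
    return $rc
}

# Constructed demo: throwaway CA, trust and crypt files stand in for the XCA exports.
demo_roundtrip() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    trap 'cd / && rm -rf "$dir"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    for n in trust crypt; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$n.pem" -out "$n.csr" 2>/dev/null || exit 1
        openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 2 -out "$n.crt" 2>/dev/null || exit 1
    done
    printf 'constructed sample payload\n' > upacket.tar
    # The two commands from the article, unchanged.
    openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER \
        -out upacket.tar.enc crypt.crt || exit 1
    openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary \
        -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER || exit 1
    # 1) An untouched packet must verify and decrypt to the original bytes.
    verify_packet upacket.tar.enc.sign ca.crt trust.crt crypt.crt crypt.pem out.tar || exit 2
    cmp -s upacket.tar out.tar || exit 3
    # 2) A packet with its trailing signature bytes overwritten must be rejected.
    cp upacket.tar.enc.sign bad.sign
    size=$(wc -c < bad.sign)
    printf 'XXXXXXXX' | dd of=bad.sign bs=1 seek=$((size - 8)) conv=notrunc 2>/dev/null
    verify_packet bad.sign ca.crt trust.crt crypt.crt crypt.pem bad.tar && exit 4
    exit 0
)
```

To check a real packet, call `verify_packet` with the exported CA certificate, trust.crt, crypt.crt and crypt.pem and compare the output file with the original upacket.tar.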

Configuring the router

  1. Open the user interface of the router: https://insys.icom

  2. In the Administration → Firmware menu, upload the CA certificate generated above to the router.

  3. Click on SUBMIT.

  4. In the Administration → Firmware menu, upload the signing certificate trust.crt generated above to the router.

  5. Click on SUBMIT.

  6. In the Administration → Firmware menu, upload the encrypting certificate crypt.crt generated above to the router.

  7. Click on SUBMIT.

  8. In the Administration → Firmware menu, upload the encrypting key crypt.pem generated above to the router.

  9. Click on SUBMIT.

  10. In the Administration → Automatic update menu, activate the Enable features switch under Allow only signed update packets and read the related note.

  11. Click on ENABLE SIGNATURE CHECK.

  12. Click on ACTIVATE PROFILE.

Uploading the update package to the router

Please note!

Depending on the type of update packet (e.g. firmware, configuration or container), the packet must be uploaded to different pages. The following example shows how to upload a firmware packet on the Firmware page.

  1. In the Administration → Firmware menu, upload the encrypted and signed update packet (here upacket.tar.enc.sign) to the router.

  2. Click on SUBMIT.

The encrypted and signed update packet will be validated and then decrypted and uploaded.

Result testing

Upon successful upload, the uploaded content of the update packet will appear on the respective page. A failure message will be issued in case of a failure.

Troubleshooting

  • Check the system date of the computer to ensure that the certificates have been created with the current date; otherwise, they may be invalid.