Update packets permit to upload different files such as firmware files, profiles, configurations or containers to the routers of INSYS icom. In order to ensure the integrity of this packets, it is possible to configure the router that it will only accept update packets that have been signed or encrypted and signed with their own PKI (public key infrastructure).

Situation

A security-sensitive application requires that update packets for the router will be encrypted and signed. This shall prevent the upload of compromised update packets to the router.

Solution

The following describes how to create the certificates necessary for encryption and signing, how to configure the router for validation and decryption of the update packets and how to encrypt and sign the update packets accordingly.

How to create own update packets is described in this Configuration Guide.

It is prerequisite that you have downloaded and installed the XCA tool to your computer. The installation of XCA will also install the OpenSSL package to your computer.

Linux users, please note!
The packet managers of various Linux distributions contain XCA. Running Ubuntu, XCA can be installed as follows for example:
sudo apt-get install xca

It is also prerequisite that time and date on the PC are correct.

Please note!
Certificates have a validity period. A wrong system time (time and date) is a frequent failure source. Therefore, ensure that the system time of the PC is correct when creating the certificate structure.

Creating the certificates

A database need to be generated prior to the creation of the certificate structure.

To create a database, open XCA and select File → New DataBase.
Enter file name and specify an appropriate directory for the XCA database.
Enter a password twice and click on OK to create the database.
Protect your PKI database!
We strongly recommend to specify a password. Keep this password in mind. It is necessary every time the database of this CA project will be opened.

Creating a CA certificate and key

In order to create a CA certificate and key, change to the Certificates tab and click on New Certificate.
Select the CA template [default] CA under Template for the new certificate.
Click on Apply extensions to take over the extensions from the template for the CA certificate.
Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK.
Change to the Subject tab, specify a suitable commonName and assign this as Internal Name as well.
Complete the remaining fields in the section Distinguished name accordingly.
Click on Generate a new key.
Preferably use the commonName also as Name and click on Create.
Confirm the key generation with OK.
Click on OK and confirm with OK again to complete the creation of the CA certificate.

Creating the certificate and key for signing/validating

In order to create the certificate and key, change to the Certificates tab and click on New Certificate.
Select in the Signing section the option Use this certificate for signing and select above created CA certificate.
Select the template [default] HTTPS_client under Template for the new certificate.
Click on Apply extensions to take over the extensions from the template for the certificate.
Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK.
Change to the Key usage tab, highlight the entry Digital Signature and un-highlight all other entries.
Change to the Subject tab, specify the commonName as trust and assign this as Internal Name as well.
Click on Generate a new key.
Use the commonName trust also as Name and click on Create.
Confirm the key generation with OK.
Click on OK and confirm with OK again to complete the creation of the certificate.

Creating the certificate and key for encrypting/decrypting

In order to create the certificate and key, change to the Certificates tab and click on New Certificate.
Select in the Signing section the option Use this certificate for signing and select above created CA certificate.
Select the template [default] HTTPS_client under Template for the new certificate.
Click on Apply extensions to take over the extensions from the template for the certificate.
Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK.
Change to the Key usage tab, highlight the entry Data Encipherment and un-highlight all other entries.
Change to the Subject tab, specify the commonName as crypt and assign this as Internal Name as well.
Click on Generate a new key.
Use the commonName crypt also as Name and click on Create.
Confirm the key generation with OK.
Click on OK and confirm with OK again to complete the creation of the certificate.

2.2. Exporting the certificates and keys

The certificates and keys created with XCA are stored in the respective XCA database. In order to upload the certificates and keys to the router end sign/encrypt the update packets, these must be exported. XCA offers different file formats for export. The following describes the export to the file format PEM, which is suitable for all INSYS routers.

Maintain security!
Never export the CA key, because this is essential for the security of the certificates.

In order to export the CA certificate, change to the Certificates tab, highlight the CA certificate in the overview and click on Export.
Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.
In order to export the signing certificate, change to the Certificates tab, highlight the certificate trust in the overview and click on Export.
Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.
In order to export the encryption certificate, change to the Certificates tab, highlight the certificate crypt in the overview and click on Export.
Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.
In order to export the signing key, change to the Private keys tab, highlight the key trust in the overview and click on Export.
Specify a path and file name in the Export private key window, select PEM as Export format and click on OK.
In order to export the encryption key, change to the Private keys tab, highlight the key crypt in the overview and click on Export.
Specify a path and file name in the Export private key window, select PEM as Export format and click on OK.

Encrypting and signing the update packets

All update packets can be signed or encrypted and signed. The following describes how to encrypt and sign an update packet. The OpenSSL commands are entered in a shell using the command line.

The following procedure requires that the update packet to be encrypted and signed is in a directory together with above generated certificates and keys.
The following commands are based on this naming conventions:

upacket.tar: File name of the update packet to be signed/encrypted
upacket.tar.enc: File name of the encrypted update packet
upacket.tar.enc.sign: File name of the update packet to be encrypted and signed
crypt.crt: Certificate for encrypting the packet
crypt.pem: Private key for encrypting the packet
trust.crt: Certificate for signing the packet
trust.pem: Private key for signing the packet

The following procedure generates the encrypted and signed update packet upacket.tar.enc.sign:

Open a shell on your computer (Windows Powershell or Linux Terminal).
Navigate in the shell to the directory with the update packet and the certificates and keys.
Encrypt the update packet using the command:
openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER -out upacket.tar.enc crypt.crt
Sign the update packet using the command:
openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER

Configuring the router

Open the user interface of the router: https://insys.icom
Click in the Administration → Firmware menu on and upload above generated CA certificate to the router.
Click on SUBMIT.
Click in the Administration → Firmware menu on and upload above generated signing certificate trust.crt to the router.
Click on SUBMIT.
Click in the Administration → Firmware menu on and upload above generated encrypting certificate crypt.crt to the router.
Click on SUBMIT.
Click in the Administration → Firmware menu on and upload above generated encrypting key crypt.pem to the router.
Click on SUBMIT.
Activate in the Administration → Automatic update menu in the Allow only signed update packets the Enable features switch and read the related note.
Click on ENABLE SIGNATURE CHECK .
Click on ACTIVATE PROFILE .

Uploading the update package to the router

Please note!
Depending on the type of update packet (e.g. firmware, configuration or container), the packet must be uploaded to different pages. The following example shows how to upload a firmware packet on the Firmware page.

Click in the Administration → Firmware menu on and upload the encrypted and signed update packet (here packet.tar.enc.sign) to the router.
Click on SUBMIT.

The encrypted and signed update packet will be validated and then encrypted and uploaded.

Result testing

Upon successful upload, the uploaded content of the update packet will appear on the respective page. A failure message will be issued in case of a failure.

Troubleshooting

Check the system date of the computer to ensure that the certificates have been created with the actual date; otherwise, they may be invalid.