I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. The basics are working nicely and it’s time to ask for advice on securing the files. I’ve noticed assorted ssl/encryption/certificate checking related emails whizz by but never paid a lot of attention in the past.
An interesting additional issue for my use is that the file will need to be loadable/decryptable/checkable very fast, even on a Pi, since it will need to be reloaded (from file, not over the net) each time the user asks for a device needing one of these drivers. We don’t need to be utterly paranoid about the security since nobody is doing anything crazy with this, like, oh, taking one up to the ISS…

Pointers to stuff to read, load, try, all appreciated from those with experience. No, I haven’t googled much about it since I know too little to be able to make a sensible start without advice.

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Strange OpCodes: CWB: Carry With Borrow
String new enigma2015: 'I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. '

Gives

'LDxmF(f.Fm|D+.CXfF%D.FD9gfF%Dc''jDyf^mgD1F|B.CD$_ED1gD1D+1*D(.D|fg(Cf69(mD|m5fGmD|Cf5mCD1||z.FgDy.CDrfDcGC1(GODD1D+Of^mD1%.HD'

Having the input could be cracked, but if not …….
If like, i send private to you

> On Sep 1, 2015, at 4:49 PM, tim Rowledge <[hidden email]> wrote:
>
> I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. The basics are working nicely and it’s time to ask for advice on securing the files. I’ve noticed assorted ssl/encryption/certificate checking related emails whizz by but never paid a lot of attention in the past.
>
> An interesting additional issue for my use is that the file will need to be loadable/decryptable/checkable very fast, even on a Pi, since it will need to be reloaded (from file, not over the net) each time the user asks for a device needing one of these drivers. We don’t need to be utterly paranoid about the security since nobody is doing anything crazy with this, like, oh, taking one up to the ISS…
>
> Pointers to stuff to read, load, try, all appreciated from those with experience. No, I haven’t googled much about it since I know too little to be able to make a sensible start without advice.
>
> tim
> --
> tim Rowledge; [hidden email]; http://www.rowledge.org/tim
> Strange OpCodes: CWB: Carry With Borrow
On 01-09-2015, at 1:04 PM, Edgar De Cleene <[hidden email]> wrote:

> String new enigma2015:
> 'I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. '
>
> Gives
>
> 'LDxmF(f.Fm|D+.CXfF%D.FD9gfF%Dc''jDyf^mgD1F|B.CD$_ED1gD1D+1*D(.D|fg(Cf69(mD|m5fGmD|Cf5mCD1||z.FgDy.CDrfDcGC1(GODD1D+Of^mD1%.HD'
>
> Having the input could be cracked, but if not …….
> If like, i send private to you

Sounds interesting. I’d love to take a look!

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Useful random insult:- Couldn't find his way through a maze even if the rats helped him.
I assume you connect the raspberry to another computer via TCP or via old serial cable.
Which is so cook some more complete and not only the encoder. And if you were really paranoid, the encoder could change for each string.

> On Sep 1, 2015, at 5:31 PM, tim Rowledge <[hidden email]> wrote:
>
> On 01-09-2015, at 1:04 PM, Edgar De Cleene <[hidden email]> wrote:
>
>> String new enigma2015:
>> 'I mentioned working on using SAR files and/or MCZ as a way to distribute device driver add-ons for Pi Scratch a while ago. '
>>
>> Gives
>>
>> 'LDxmF(f.Fm|D+.CXfF%D.FD9gfF%Dc''jDyf^mgD1F|B.CD$_ED1gD1D+1*D(.D|fg(Cf69(mD|m5fGmD|Cf5mCD1||z.FgDy.CDrfDcGC1(GODD1D+Of^mD1%.HD'
>>
>> Having the input could be cracked, but if not …….
>> If like, i send private to you
>
> Sounds interesting. I’d love to take a look!
>
> tim
> --
> tim Rowledge; [hidden email]; http://www.rowledge.org/tim
> Useful random insult:- Couldn't find his way through a maze even if the rats helped him.
On 01.09.2015 21:49, tim Rowledge wrote:
> I mentioned working on using SAR files and/or MCZ as a way to
> distribute device driver add-ons for Pi Scratch a while ago. The
> basics are working nicely and it’s time to ask for advice on securing
> the files. I’ve noticed assorted ssl/encryption/certificate checking
> related emails whizz by but never paid a lot of attention in the past.

I'd go with the "industry standard" (read: Java) solution even if it's from Mordor. JAR files are just ZIP files with another extension, just as SAR and MCZ files (correct me if I'm wrong). So the jarsigner signature mechanisms should be applicable.

We have a cryptography package which includes most functionality already (x.509 stuff and various algorithms). Don't know how much work it would be to implement signing ZIP files and checking their signatures, probably an evening or two for someone who's sufficiently fluent with crypto stuff. However, this would imply that the Pi Scratch images would need to have (a subset of) the Cryptography classes loaded.

Edgar, I don't know what the #enigma2015: method actually does. Is it an encryption algorithm? If yes, a standard one or homebrew? How does it relate to digital signatures? If this weren't a use case with pretty low security requirements, I'd put on my hobby cryptographer hat and shout at the top of my lungs "YOU MUST NEVER USE CRYPTO ALGORITHMS THAT HAVE NOT BEEN DESIGNED AND THOROUGHLY ANALYZED BY EXPERTS IN THE FIELD!!!11eleven!!"

Cheers,
Hans-Martin
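
An added example, not part of the thread and not code from Squeak's Cryptography package: the integrity layer of a jarsigner-style scheme applied to a ZIP-format add-on, written in Python. The manifest layout (simplified from JAR's), the entry names and the `signed_manifest_sha256` parameter are assumptions; that parameter stands in for a manifest digest already authenticated by a public-key signature check, which is not implemented here.

```python
import hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"  # JAR's manifest path, reused here as an assumption

def make_zip(entries):
    """Build an in-memory ZIP from a list of (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def build_manifest(entries):
    """One 'sha256-hex  name' line per entry; these bytes are what gets signed."""
    lines = [f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in sorted(entries)]
    return ("\n".join(lines) + "\n").encode()

def verify(archive, signed_manifest_sha256):
    """Return a list of problems; an empty list means every entry is covered."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        if len(names) != len(set(names)):
            return ["duplicate entry names"]
        if MANIFEST not in names:
            return ["manifest missing"]
        manifest = zf.read(MANIFEST)
        if hashlib.sha256(manifest).hexdigest() != signed_manifest_sha256:
            return ["manifest does not match the signed digest"]
        listed = {}
        for line in manifest.decode().splitlines():
            digest, name = line.split("  ", 1)
            listed[name] = digest
        problems = []
        # Entries added after signing are rejected, not silently loaded.
        for name in sorted(set(names) - {MANIFEST}):
            if name not in listed:
                problems.append(f"unlisted entry: {name}")
            elif hashlib.sha256(zf.read(name)).hexdigest() != listed[name]:
                problems.append(f"modified entry: {name}")
        problems += [f"missing entry: {n}" for n in sorted(set(listed) - set(names))]
        return problems

# Constructed sample add-on: two entries plus the manifest that covers them.
ENTRIES = [("install/preamble", b"Transcript show: 'loading'."),
           ("driver/Gpio.st", b"Object subclass: #Gpio")]
MANIFEST_BYTES = build_manifest(ENTRIES)
SIGNED = hashlib.sha256(MANIFEST_BYTES).hexdigest()  # stands in for a verified signature
GOOD = make_zip(ENTRIES + [(MANIFEST, MANIFEST_BYTES)])
```

Each load costs one SHA-256 pass over the entries plus a single signature check on the small manifest, which fits the requirement that verification be fast on a Pi.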