Security choice on an embedded system. - PPP


  1. Security choice on an embedded system.

    Hello,
    I'm working with a vendor on implementing a client (my app) server
    (vendor) interface. The server is to reside on a very limited
    proprietary system (a flavor of Linux) while the client is on standard PC
    systems. One of the requirements is that the connection must be secure,
    requiring user authentication and data encryption over the wire.
    When the suggestion of using something like ssh port forwarding was made
    (they do plan on having an ssh server on the system) the vendor
    developer did some calculations and figured at best the authentication
    process would take up to 30 seconds while stopping all other traffic on
    the system while the very small processor worked the math in cracking
    the username/password.
    A suggestion was made to consider something like CHAP for our purposes.
    The server is being developed in C while the client code is Java. Any
    insights on whether this is a logical approach, what I'm up against
    and/or information on how to proceed?

    thanks!

    --
    If replying directly, please remove the
    cleverly decorated addition to my return address.

  2. Re: Security choice on an embedded system.

    K2 writes:
    > A suggestion was made to consider something like CHAP for our
    > purposes. The server is being developed in C while the client code is
    > Java. Any insights on whether this is a logical approach, what I'm up
    > against and/or information on how to proceed?


    We're missing quite a lot of information here. First of all, what
    sort of connection are we talking about? Is it an Ethernet? ATM?
    Synchronous? Async?

    If the connection happens to be some sort of point-to-point medium,
    and if you're running PPP over it, then something like CHAP might be a
    fair answer.

    Note that CHAP provides _only_ authentication. It doesn't do data
    encryption.

    Ordinarily, I'd suggest looking into IPsec, Kerberos, ssh, and SSL as
    various sorts of encryption-capable technologies. But if your
    platform is unable to process a simple D-H key exchange for ssh in a
    reasonable amount of time, I'd say that this is probably an
    overconstrained problem. Either the implementation on that client is
    poorly done (and perhaps could be sped up), or the hardware choice is
    bad (buy a faster CPU).

    If you really must use this particular hardware platform (you're stuck
    with the performance problems), and depending on what your threat
    model is (you haven't really explained that), you might be able to get
    away with Microsoft's proprietary MPPE on PPP, which uses RC4 for the
    cyphering. That protects only the link itself, though.

    --
    James Carlson, KISS Network
    Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
    MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
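
The CHAP exchange mentioned in the reply above, as an added example that is not part of the original thread: both sides of an RFC 1994 (MD5) challenge-response, with the server-side checks an implementer needs (fresh challenge, single use, constant-time compare). The names `chap_response`, `ChapAuthenticator`, `demo` and the sample secret are constructed for illustration, and Python is used for brevity rather than the thread's C/Java.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: issues one-time challenges and checks responses."""
    def __init__(self, secrets: dict):
        self.secrets = secrets   # peer name -> shared secret
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self) -> tuple:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is a single octet
        chal = os.urandom(16)                     # unpredictable, never reused
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)      # consumed: a replay finds nothing
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    # Constructed sample secret, shared out of band by client and server.
    secret = b"constructed-shared-secret"
    server = ChapAuthenticator({"client1": secret})
    ident, chal = server.challenge()
    resp = chap_response(ident, secret, chal)      # computed by the client
    ok = server.verify(ident, "client1", resp)
    replay = server.verify(ident, "client1", resp)  # same response sent again
    ident2, chal2 = server.challenge()
    wrong = server.verify(ident2, "client1", chap_response(ident2, b"bad guess", chal2))
    # The exchange ends here: no key material is derived, so application data
    # sent afterwards is still cleartext unless a separate layer encrypts it.
    return {"ok": ok, "replay": replay, "wrong_secret": wrong}
```

The per-login cost on the server is one MD5 over a few dozen bytes, which is why CHAP fits a small processor; the secret must be available in cleartext on both ends for the hash to be computed.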
