
Package Signing

Enabling OTA updates on a gateway exposes it to attack through the software packages it receives. While ARTIK provides a secure communications channel, that alone may not be sufficient to prevent an attack.

For example, in what is known as a "rollback attack", an attacker updates the device with a legitimate OTA package of an older version that contains a known security flaw, then uses that flaw to control the device.

Package signing, supported by the ARTIK "Secure OTA" feature and its OTA manager software, prevents rollback attacks. Secure OTA stores a per-update record of signing-time information within the gateway. The OTA manager then verifies the signing time of received OTA packages, and only applies the update if it is more recent than the signing time of the last applied update.

Overview

ARTIK supports signing OTA packages through signing portals backed by a highly secure signing infrastructure, where the keys are operated within secure facilities and hardware security modules. The signature is accompanied by code verification certificates (CVCs) issued from the ARTIK Root Certificate Authority (CA) key hierarchy.

ARTIK provides OTA distribution mechanisms through its cloud infrastructure. Once an OEM signs its OTA package through the signing service, the OEM can submit the signed OTA package to the cloud portal, which then delivers the OTA package to the requesting devices over a secure connection.

ARTIK modules provide a software application module called the OTA manager, responsible for:

  • Receiving the OTA package from the cloud
  • Verifying the signature on the package using the provided CVCs and the stored root of trust
  • Ensuring that the signing time of the package is valid (to prevent rollback attacks).

Sequence

Compared to applying a non-verified update, a developer applying an OTA update through the secure mechanism takes two extra steps: generating the signature (step 2) and prepending it to the package (step 3). The developer:

  1. Generates the firmware package to send “over the air”
  2. Generates a signature file in PKCS #7 format associated with the firmware package
  3. Prepends the PKCS #7 signature to the firmware package
  4. Uploads the package to ARTIK Cloud
  5. Triggers ARTIK Cloud to send the firmware package over the air to the device.

After the Gateway receives the firmware, the OTA Manager performs these steps. All are specific to handling signed packages.

  1. Splits the signature from the firmware package
  2. Verifies the validity of the signer certificate contained in the PKCS #7 signature against a specific root certificate authority (CA) stored by the device
  3. Verifies the PKCS #7 signature against the firmware package
  4. If applicable, verifies that the signing time extracted from the PKCS #7 signature file is more recent than the last stored signing time
  5. Applies the firmware package
  6. Stores the signing time of this package for the next OTA update.
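
The OTA Manager steps above, sketched with the openssl command line as an added example; this is not ARTIK's OTA manager code. The function names, the state-file argument and the use of `-purpose any` (so that a code-signing certificate is not rejected by the default S/MIME purpose check) are assumptions.

```bash
#!/bin/sh
# Added example, not ARTIK's OTA manager. File names and the state file are assumptions.

# Step 1: the PEM PKCS #7 block is the prefix; the firmware is every byte after it.
split_signed() {  # usage: split_signed SIGNED SIG_OUT FW_OUT
    [ "$(head -n 1 "$1" 2>/dev/null)" = '-----BEGIN PKCS7-----' ] || return 1
    end=$(grep -a -n -m1 -e '^-----END PKCS7-----' "$1" | cut -d: -f1)
    [ -n "$end" ] || return 1
    head -n "$end" "$1" > "$2"
    tail -n +"$((end + 1))" "$1" > "$3"
}

# Steps 2-3: check the signer chain against the device root CA and the signature
# over the firmware. signingTime is a signed attribute, so it is read only after
# verification succeeds. Prints the time as YYYYMMDDHHMMSS (UTC).
verified_signing_time() {  # usage: verified_signing_time SIG FW ROOT_CA
    openssl smime -verify -binary -inform PEM -in "$1" -content "$2" \
        -CAfile "$3" -purpose any -out /dev/null 2>/dev/null || return 1
    t=$(openssl asn1parse -inform PEM -in "$1" | grep -A2 ':signingTime$' |
        sed -n 's/.*UTCTIME *:\([0-9]\{12\}\)Z$/\1/p' | head -n 1)
    [ -n "$t" ] || return 1
    # UTCTime carries a two-digit year: 00-49 means 20xx, 50-99 means 19xx.
    case $t in [0-4]*) echo "20$t" ;; *) echo "19$t" ;; esac
}

# Step 4: rollback check, strictly newer than the last applied signing time.
is_newer() {  # usage: is_newer CANDIDATE LAST_APPLIED
    [ "$1" -gt "$2" ]
}

# Steps 1-6 in order. Any failure leaves the stored signing time untouched.
check_package() {  # usage: check_package SIGNED ROOT_CA STATE_FILE
    tmp=$(mktemp -d) || return 1
    split_signed "$1" "$tmp/sig.pem" "$tmp/fw" &&
        new=$(verified_signing_time "$tmp/sig.pem" "$tmp/fw" "$2") &&
        last=$(cat "$3" 2>/dev/null || echo 0) &&
        is_newer "$new" "$last" &&
        echo "$new" > "$3"   # step 5 (apply the firmware) belongs just before this
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Replaying a package that was already applied fails the strict comparison in `is_newer`, which is the same path an older, legitimately signed package takes.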

The figure illustrates the complete Secure OTA firmware-update sequence.

Preparing a signed firmware package

Make sure your gateway is operating in the correct time zone. Time is important during a signed OTA update because the signing time is used to determine whether a package is valid.

    timedatectl set-timezone US/Pacific-New

You have two options for signing a firmware package.

  • Use a third-party signing server, such as Kyrio. You will download a signing key that is associated with your OEM-specific code verification certificate (CVC).

  • Create a self-signed certificate. This option is for development, and is not recommended for secure OTA in a production environment.

For detailed information, download the ARTIK Secure OTA Guide.

Example using the Kyrio PRISM portal

  1. Log into the PRISM portal using your hardware token.
  2. Click Choose File to upload the package.tar.xz image file to sign.

  3. Click Generate.

  4. Wait for the browser to automatically download a file named package.tar.xz.signature that contains the PKCS #7 signature in DER format.

  5. Convert the signature from DER format to a Privacy Enhanced Mail (PEM) encoded format using the following openssl command:

    openssl pkcs7 -inform DER -in package.tar.xz.signature -text > package.tar.xz.signature.pem

  6. Prepend the PKCS #7 signature to the firmware package.

    cat package.tar.xz.signature.pem > package.tar.xz.signed

    cat package.tar.xz >> package.tar.xz.signed

Return to and continue the general procedure when finished.

Example using self-signed certificates

  1. Follow the procedure in the ARTIK Secure OTA Guide to create self-signed certificates and use them to sign your package.tar.xz file.

    • Make sure you set the 0.organizationName parameter identically on all three certificates.
    • When you sign the firmware, < package to sign > will be your package.tar.xz file.
  2. Prepend the PKCS #7 signature (already in .pem format) to the firmware package.

    cat signature.pem > package.tar.xz.signed

    cat package.tar.xz >> package.tar.xz.signed

Return to and continue the general procedure when finished.

