* Michael Richardson <m...@sandelman.ca> [24.02.2017 19:00]:
[...]
> The server can either given everyone during a period of an hour the same
> random challenge, it can make them up and store them, or it can construct
> them as the HMAC-SHA256 of, for instance, the IP address which is asking,
> such that it never has to record any of them.
>
> A script kiddie now needs to do some work each time, has to request a new
> token each time, and if the challenges are based upon IP address, the kiddie
> can vote once per IP address they have. So, now they need a bot net to
> vote a lot... probably that's okay.
thank you for this very good explanation.
> >> I thought from the subject line and explanation that it was to permit
> >> a firmware image to be validated as being uncorrupted/tained. One
> >> might do this before flashing a device with it.
>
> > how should this be done before flashing? if there is a mistake
> > (e.g. forgotten package during build) the image itself is fine, but not
> > "good".
>
> Right. So getting the stamp into the image at the very last moment is the
> key. That way the build is reproduceable if you ignore those very few bytes.
> Ideally, there is a spot in the image that shows up to userspace. Have you
> figured this part out? I would attempt to make it a kernel boot command
> line option, if that can be tweaked easily.
for now i patch 'usign' for a now option B = build:
root@LEDE:~ :) usign -B
98021604736550012081493806018992642304441039324849310980174888200312941028157
114543661949658574850110716953530268394806126479026079327889534650057251922973
(it output the 2 prime factors for the solution)
baking it into the kernel-commandline is an interesting idea:
we have already figured out how to do this for each target,
because we are baking a special thing in out kernel:
root@LEDE:~ :) cat /proc/cmdline
board=TL-WR1043ND oops=panic panic=10 console=ttyS0,115200
rootfstype=squashfs,jffs2 noinitrd
^^^^^^^^^^^^^^^^^^^
prevent seldom hangs during boot...
so we can easily add: prime1=x prime2=y or secret=foo
thanks a lot for your input, i will think about it and implement your ideas.
bye, bastian
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
