There has been some discussion about "reboot counters":

> > The purpose of the reboot counter is to prevent replay.
>
> Let me ask a return question... If the reboot counter is implemented as
> e.g. Albert suggested, it is more or less a timestamp

Let me add my points:

First (and major!): we should not intermix -sign and -international discussions. As I'm not following -international (no time :-), I will concentrate on "how and why" in -sign. See for yourself whether it is valid for -international.

* The reboot-counter is not "just a timestamp"! It is an "ad hoc" constant, for as long as the system is up. As long as the system is up (or at least syslogd in my unix implementation), the same "number" will be used. This is needed (can/must be used) by the -sign validator: all messages with that same number share something (like the same key). After a reboot, a new number is needed, as everything starts all over, with probably a new key(pair). It is the validator who needs to know!

On Windows, the start time of the application (service) can be used.

On very small systems, with no NVRAM (or similar), this isn't a showstopper. Just get a number, e.g. the version number of the key. Note: as that one should be stored somewhere, there is probably room for more bits too, like the previous "number". Then just add one. Also, when the keys don't change, it is probably OK to use the same reboot-counter number. We have to live with simple HW, with limits.

> > In which environments is this challenging? To utilize a
> > timestamp, devices will require a TOY (Time of Year chipset).
> > To utilize a reboot counter, a device just needs some memory
> > that will persist over a reboot.

Not correct. If a TOY is present, just read it on boot, and store that value in RAM. And use that RAM value as reboot-counter. It will change (increase) after a reboot, which is what a reboot counter is meant to do!

> Windows, it is not uncommon that the OS is freshly installed. This will

In that case, a reboot-timestamp will do. But also any other number, as a new, fresh Windows PC can equally be seen as "a new (other) system".
Hope this clarifies. If not, mail for details.

-- 
Albert Mietus
Send private mail to: [EMAIL PROTECTED]
Send business mail to: [EMAIL PROTECTED]
Don't send spam mail!
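The scheme Albert describes, as an added example that is not part of the original message and is not syslog-sign or any implementation's code: a sender picks its reboot counter once at start-up (either by sampling a TOY clock, or by incrementing a small value kept in persistent storage when there is no clock), keeps it in RAM together with a fresh per-boot key, and a validator uses the counter as the label for "everything signed with this key". The message layout, the HMAC-based signing, the file standing in for NVRAM and all function names are assumptions made for the demo; key distribution to the validator is out of scope and is simply handed over in the code.

```python
"""Reboot-counter walk-through (added example; not syslog-sign code).

Sender side: obtain a per-boot constant, either from a TOY clock read once at
boot or from a counter in persistent storage that is incremented every boot,
and keep it in RAM with a fresh key for the life of the process.
Validator side: a message carrying an old counter is rejected even though its
MAC verifies under the old key; that is the cross-reboot replay the counter
exists to stop.  A per-boot sequence number catches replay within one boot.
Message layout, HMAC signing and the NVRAM file are assumptions for the demo.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile


def boot_counter_from_toy(read_clock):
    """TOY present: sample the clock once at boot; caller keeps the value in RAM."""
    return int(read_clock())


def boot_counter_from_nvram(path):
    """No clock: read the stored counter, add one, write it back, use the new value."""
    try:
        with open(path) as f:
            previous = int(f.read().strip() or "0")
    except FileNotFoundError:
        previous = 0
    current = previous + 1
    with open(path, "w") as f:
        f.write(str(current))
    return current


class Sender:
    """One 'boot' of the signing host: fixed counter, fresh key, running sequence."""

    def __init__(self, reboot_counter):
        self.reboot_counter = reboot_counter
        self.key = secrets.token_bytes(32)  # new key after every boot (assumption)
        self.seq = 0

    def send(self, text):
        self.seq += 1
        payload = json.dumps(
            {"rc": self.reboot_counter, "seq": self.seq, "msg": text}, sort_keys=True
        ).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}


class Validator:
    """Tracks the current (counter, key) pair and the last sequence number seen."""

    def __init__(self):
        self.current_rc = None
        self.key = None
        self.last_seq = 0

    def learn_key(self, reboot_counter, key):
        """Key distribution is out of scope; the key arrives with its counter."""
        if self.current_rc is not None and reboot_counter <= self.current_rc:
            raise ValueError("reboot counter must increase across boots")
        self.current_rc, self.key, self.last_seq = reboot_counter, key, 0

    def verify(self, message):
        body = json.loads(message["payload"])
        if body["rc"] != self.current_rc:
            return False, "stale reboot counter"  # old boot: a replay, whatever the MAC
        expected = hmac.new(self.key, message["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "bad mac"
        if body["seq"] <= self.last_seq:
            return False, "replayed sequence number"  # replay within the same boot
        self.last_seq = body["seq"]
        return True, "ok"


def run_demo():
    """Simulate two boots of an NVRAM-only device and replay a message across them."""
    nvram = os.path.join(tempfile.mkdtemp(), "reboot_counter")  # constructed stand-in
    validator = Validator()

    # Boot 1: counter becomes 1; first message accepted, same-boot replay caught.
    rc1 = boot_counter_from_nvram(nvram)
    boot1 = Sender(rc1)
    validator.learn_key(rc1, boot1.key)
    first = boot1.send("kernel: up")
    first_ok = validator.verify(first)
    same_boot_replay = validator.verify(first)

    # Boot 2: counter becomes 2 and the key changes; the boot-1 message is stale.
    rc2 = boot_counter_from_nvram(nvram)
    boot2 = Sender(rc2)
    validator.learn_key(rc2, boot2.key)
    after_reboot = validator.verify(boot2.send("kernel: up again"))
    cross_boot_replay = validator.verify(first)

    # TOY variant: a constructed clock reading stands in for the real chip.
    toy_rc = boot_counter_from_toy(lambda: 1_700_000_000.5)

    return {
        "rc1": rc1, "rc2": rc2, "toy_rc": toy_rc,
        "first_ok": first_ok, "same_boot_replay": same_boot_replay,
        "after_reboot": after_reboot, "cross_boot_replay": cross_boot_replay,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The validator insists that the counter only ever increases, which holds for both strategies (a clock reading stored in RAM and an incremented stored value); the point of the example is that the old message is refused on the counter alone, before its MAC is even checked, so the validator does not need to keep old keys around to recognise a replay.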