I use WireGuard as a lightweight VPN.
I thought about how to safely deploy a relatively powerful Linux-powered device that can do a lot of processing such as sensors and cameras.
the security business. I've done a lot of things at home. Out-of-home DNS AD Construction (Samba4) Nextcloud server operation Home Gluster Distributed File System Construction (infiniband) Jupyter notebook GPU Machine Learning Server (nvidia Geforce RTX2070) Volumio Airplay Server SORACOM IoT Meetup - IoT Device Security Study session! Learning Secure Elements 2022/2/21
has been adopted as a standard module of Linux and is being used. Various security measures are considered on the edge device side such as sensors and cameras However, I wondered if it would be possible to use WireGuard for secure edge communication.
kernel module Linux userspace wireguard-tools rtnetlink kernel⇔network I/F communication netlink kernel⇔userspace I/F Interface config Transfer key pair Device creation, communication About WireGuard
Static Public Pub Pub Ephemeral Public Ephemeral Secret Handshake comm. Static Public Pub Get in advance Static Public for counterpart Pub Static Public for counterpart (get in advance) Pub Static Public for counterpart Pub Ephemeral Secret 3rd.DH calc. Static Public for counterpart Pub Static Secret 4th.DH calc. Static Secret Pub Ephemeral Secret Static Secret for counterpart Ephemeral Public Pub Ephemeral Public 1st.DH calc. Ephemeral Secret Pub Ephemeral Public About WireGuard
hide private keys to prevent spoofing Basic features: ▪ There is no command to read the private key, and the public key can be read. There are only commands. ▪ Value (hash) to the secret key in the secure element There are commands that give and sign, perform DH calculations, etc. and return the results.
to I2C. (MIKROE Plug & Trust click is available as COTS) Enable I2C with $ sudo raspi-config $ i2cdetect –y 1 command to check 0x48 recognition WireGuard Security Enhancements
key to the secure element DH calculation 2nd.DH calc. Static Secret Static Public Pub Pub Ephemeral Public Ephemeral Secret Handshake comm. Static Public Pub Get in advance Static Public for counterpart Pub Static Public for counterpart (get in advance) Pub Static Public for counterpart Pub Ephemeral Secret 3rd.DH calc. Static Public for counterpart Pub Static Secret 4th.DH calc. Static Secret Pub Ephemeral Secret Static Secret for counterpart Ephemeral Public Pub Ephemeral Public 1st.DH calc. Ephemeral Secret Pub Ephemeral Public
• wg genkey command In order to hide the output private key, it is the internal key storage number of the SE050. Output the object ID instead This value itself can be leaked. • wg pubkey command Using the object ID as an argument, the public key is output from the SE050.
code that performs the handshake, change the contents of the wg->static_identity.static_private structure to the object ID, which is the internal key storage number of SE050. Change and replace the function that calls it for ECDH calculations with the SE050 API. NXP's Plug & Trust middleware is for user space, so the kernel HAL (Hardware Abstraction Layer) must be created for the module. The code also needs to be rewritten for kernel space. Linux kernel WireGuard kernel module
wg genkey 0x10000009 | wg pubkey Yh3rhVp7LfvPC4YWjB7L8mJO2hk2VXMh9sZ9B6tLm2c= The 0x10000009 became Base64, and the private key could be hidden. Output the public key of the object ID 0x10000009 of SE050. Register this with the counterpart.
= CQAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= Address = 10.0.0.110/32 [Peer] PublicKey = XXXXX= Endpoint = XXX.XXX.XXX.XXX:XXXXX AllowedIPs = 10.0.0.0/24 PersistentKeepalive = 25 Register a number with the 0x10000009 set to Base64 as the secret key Register the counterpart public key
public key with a new key number on the client side. $ wg genkey 0x10000006 BgAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= $ wg genkey 0x10000006 | wg pubkey 9oGFAiGUSMIzg2gzwwEBasjfKxkULebTwzOEjn7K4Rk=
$ sudo wg set wg0 peer "9oGFAiGUSMIzg2gzwwEBasjfKxkULebTwzOEjn7K4Rk=" allowed- ips 10.0.0.111/32 The connection is lost when you do this. $ sudo wg set wg0 peer "ChgKBqwSnkov+rcC2KKUQKMgPH9pfrnWXzLpMzfKpg4=" remove IP is Current IP The public key of the currently connected peer
$ sudo wg-quick down /etc/wireguard/wg0.conf Change the following in $ sudo vi /etc/wireguard/wg0.conf ``` [Interface] PrivateKey = BgAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= Address = 10.0.0.111/32 ``` $ sudo wg-quick up /etc/wireguard/wg0.conf IP is Current IP Specify the key for the new 0x10000006
the EC Montgomery curve 25519 is used: each shared secret generation will cause additional NVM write operations as well to store the external public key that is used in the shared secret generation.” It seems that internal flash writes occur every time ECDH calculation is performed on the SE050. Measurement: 4 runs in 5 minutes According to the data sheet, the number of times allowed to write is At worst, 20 million times, average 100 million times. If you assume that ECDH is calculated once a minute, it will be 38 years at worst.
as existing MQTT The code I tested is below: https://github.com/kmwebnet/wireguard-se https://github.com/kmwebnet/wireguard-tools-se I write blogs related to IoT security. Any feedback would be appreciated. https://qiita.com/kmitsu76 https://medium.com/kmitsu-iot-security-tech-note/
increasing cloud connectivity will be more reliable in the network, data handled, and devices, and the range of applications will expand References: Make and understand WireGuard https://speakerdeck.com/fadis/zuo-tuteli-jie-suruwireguard
kmwebnet
gachimuchiengineer
amaotone
yudai00
leveragestech
kioto
o11yfes2023
yu4u
ysknsid25
.jpg){kind=avatar}
m3_engineering
shuta13
kimitashoichi
kakehashi
lara
colly
tammyeverts
pedronauck
erikaheidi
garrettdimon
pauljervisheath
thekraken
ufuk
ddemaree
eileencodes
![WireGuard Security Enhancements ▪wireguard $ sudo cat /etc/wireguard/wg0.conf [Interface] PrivateKey](https://files.speakerdeck.com/presentations/a182852bce304b3e92797a28aefd3589/slide_16.jpg){kind=link}
