BETA: new OneRNG tamper check mechanism

Paul Campbell paul at taniwha.com
Fri Feb 10 08:32:06 GMT 2017 

I've sort of hinted at this for a while (and the source code has been sitting 
on GitHub since we finished shipping the kickstarter build) - but when we 
started shipping the 2.0 OneRNGs we put a unique fingerprint (just some random 
bits, we have lots of those) in every OneRNG we build.

Because of the way we set up the device during programming this value cannot 
be read, reprogramming the device always erases it.

This gives us an extra mechanism to create a check to see if a device has been 
tampered between when we ship it and you receive it which is what I'm 
announcing here. 

This will not work on a device that has been reprogrammed or on one of the 
beta/early kickstarter devices (the 'boxy' ones). If you reprogrammed it 
yourself you already know what's in the firmware, and if someone else did, 
well that is something you really want to know.

We have a database of all the fingerprints that have been used, but we don't 
know which device contains which fingerprint - we use a portion of the 
fingerprint to look up the rest of the data in our database and then use the 
rest as a key/secret data pair to exchange the secret data between the device 
and our DB - in the end you can compare the encrypted secret data direct from 
the device and from our DB server - this avoids some possible MITM scenarios.

The full details of the protocol are available in the OneRNG source on GitHub. 
Comments are welcome.

Under normal operation the validation server logs nothing about people who use 
it, it does keep a count of the number of times the server has been accessed 
for a particular device - first time you use it it should be "1", next time 
"2" etc - that way we can detect someone who's somehow subverted the 
protections mentioned above and used an image on multiple devices.

HOWEVER - this is a beta test - despite what I just said above, and what it 
says on the validation landing page, the current server IS logging some 
information, looking for bugs, it does not record IP addresses.

So - I'm looking for BETA testers - I've set up a page that provides a better 
description of what's going on and which provides a link to the beta test 
server here:

http://moonbaseotago.com/onerng/validation.html

I'd like to invite anyone on the list to try it out - the instructions are 
much longer than the actual process which simply involves cutting and pasting 
a few hex strings back and forwards between a terminal emulator and a web 
page. Please report successes as well as failures.

	thanks 

	Paul Campbell
	Moonbase Otago

More information about the Discuss mailing list