Update packets allow different files, such as firmware files, profiles, configurations or containers, to be uploaded to INSYS icom routers. To ensure the integrity of these packets, the router can be configured so that it only accepts update packets that have been signed, or encrypted and signed, with your own PKI (public key infrastructure).

Situation

A security-sensitive application requires that update packets for the router are encrypted and signed. This is intended to prevent compromised update packets from being uploaded to the router.

Solution

The following describes how to create the certificates necessary for encryption and signing, how to configure the router for validation and decryption of the update packets and how to encrypt and sign the update packets accordingly.

How to create your own update packets is described in this Configuration Guide.

It is a prerequisite that you have downloaded and installed the XCA tool on your computer. Installing XCA also installs the OpenSSL package on your computer.
It is also a prerequisite that the time and date on the PC are correct. [1]

The package managers of various Linux distributions contain XCA. On Ubuntu, for example, XCA can be installed as follows:
    sudo apt-get install xca

Creating the certificates

A database needs to be generated before the certificate structure is created.

  1. To create a database, open XCA and select File → New DataBase.

  2. Enter file name and specify an appropriate directory for the XCA database.

  3. Enter a password twice and click on OK to create the database. [2]

Creating a CA certificate and key

  1. In order to create a CA certificate and key, change to the Certificates tab and click on New Certificate.

  2. Select the CA template [default] CA under Template for the new certificate.

  3. Click on Apply extensions to take over the extensions from the template for the CA certificate.

  4. Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK. [3]

  5. Change to the Subject tab, specify a suitable commonName and assign this as Internal Name as well.

  6. Complete the remaining fields in the section Distinguished name accordingly.

  7. Click on Generate a new key.

  8. Preferably use the commonName also as Name and click on Create.

  9. Confirm the key generation with OK.

  10. Click on OK and confirm with OK again to complete the creation of the CA certificate.

Creating the certificate and key for signing/validating

  1. In order to create the certificate and key, change to the Certificates tab and click on New Certificate.

  2. In the Signing section, select the option Use this certificate for signing and select the CA certificate created above.

  3. Select the template [default] HTTPS_client under Template for the new certificate.

  4. Click on Apply extensions to take over the extensions from the template for the certificate.

  5. Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK. [4]

  6. Change to the Key usage tab, highlight the entry Digital Signature and un-highlight all other entries.

  7. Change to the Subject tab, specify the commonName as trust and assign this as Internal Name as well.

  8. Click on Generate a new key.

  9. Use the commonName trust also as Name and click on Create.

  10. Confirm the key generation with OK.

  11. Click on OK and confirm with OK again to complete the creation of the certificate.

Creating the certificate and key for encrypting/decrypting

  1. In order to create the certificate and key, change to the Certificates tab and click on New Certificate.

  2. In the Signing section, select the option Use this certificate for signing and select the CA certificate created above.

  3. Select the template [default] HTTPS_client under Template for the new certificate.

  4. Click on Apply extensions to take over the extensions from the template for the certificate.

  5. Change to the Extensions tab, specify the validity period of the certificate with a time range if necessary and click on OK. [5]

  6. Change to the Key usage tab, highlight the entry Data Encipherment and un-highlight all other entries.

  7. Change to the Subject tab, specify the commonName as crypt and assign this as Internal Name as well.

  8. Click on Generate a new key.

  9. Use the commonName crypt also as Name and click on Create.

  10. Confirm the key generation with OK.

  11. Click on OK and confirm with OK again to complete the creation of the certificate.

Exporting the certificates and keys

The certificates and keys created with XCA are stored in the respective XCA database. In order to upload the certificates and keys to the router and sign/encrypt the update packets, these must be exported. XCA offers different file formats for export. The following describes the export to the file format PEM, which is suitable for all INSYS Smart Devices.

Never export the CA key, because this is essential for the security of the certificates.
  1. In order to export the CA certificate, change to the Certificates tab, highlight the CA certificate in the overview and click on Export.

  2. Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK.

  3. In order to export the signing certificate, change to the Certificates tab, highlight the certificate trust in the overview and click on Export.

  4. Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK. [6]

  5. In order to export the encryption certificate, change to the Certificates tab, highlight the certificate crypt in the overview and click on Export.

  6. Specify a path and file name in the Certificate export window, select PEM as Export format and click on OK. [7]

  7. In order to export the signing key, change to the Private keys tab, highlight the key trust in the overview and click on Export.

  8. Specify a path and file name in the Export private key window, select PEM as Export format and click on OK. [8]

  9. In order to export the encryption key, change to the Private keys tab, highlight the key crypt in the overview and click on Export.

  10. Specify a path and file name in the Export private key window, select PEM as Export format and click on OK. [9]

Encrypting and signing the update packets

All update packets can be signed or encrypted and signed. The following describes how to encrypt and sign an update packet. The OpenSSL commands are entered in a shell using the command line.

The following procedure requires that the update packet to be encrypted and signed is in one directory together with the certificates and keys generated above.
The following commands are based on these naming conventions:

  • upacket.tar: File name of the update packet to be signed/encrypted

  • upacket.tar.enc: File name of the encrypted update packet

  • upacket.tar.enc.sign: File name of the encrypted and signed update packet

  • crypt.crt: Certificate for encrypting the packet

  • crypt.pem: Private key for encrypting the packet

  • trust.crt: Certificate for signing the packet

  • trust.pem: Private key for signing the packet

The following procedure generates the encrypted and signed update packet upacket.tar.enc.sign:

  1. Open a shell on your computer (Windows PowerShell or Linux terminal).

  2. Navigate in the shell to the directory with the update packet and the certificates and keys.

  3. Encrypt the update packet using the command:
    openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER -out upacket.tar.enc crypt.crt

  4. Sign the update packet using the command:
    openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER
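
A local check of the procedure above, as an added example that is not part of the original guide: the script builds a throwaway PKI with the openssl command line instead of XCA, runs the two cms commands unchanged, then verifies and decrypts the result and shows that a modified packet fails verification. The CA name, the payload, the 2048-bit RSA keys, the 30-day validity and the file names ca.crt, ca.key and pki.cnf are assumptions; how the router itself performs its check is not shown on this page.

```shell
#!/bin/sh
# Added example: throwaway PKI + the page's two cms commands + a local check.
# All subject names and the payload are constructed; the openssl CLI replaces XCA here.
set -e
cd "$(mktemp -d)"
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' '[ca]' \
  'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > pki.cnf

make_ca() {   # self-signed CA; ca.key stays in this directory and is never uploaded
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Constructed Test CA' -keyout ca.key -out ca.crt 2>/dev/null
}

make_cert() { # $1 = name (trust or crypt), $2 = the single key usage to allow
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.pem" -out "$1.csr" 2>/dev/null
  printf 'keyUsage=critical,%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

build_packet() { # the two commands from the procedure above, unchanged
  openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER -out upacket.tar.enc crypt.crt
  openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER
}

check_packet() { # $1 = signed packet; returns 0 only if it verifies, decrypts and matches
  # -certfile supplies the signer certificate (the packet was signed with -nocerts);
  # -purpose any skips the S/MIME e-mail purpose check that cms -verify applies by default.
  openssl cms -verify -in "$1" -inform DER -binary -certfile trust.crt \
    -CAfile ca.crt -purpose any -out "$1.enc" 2>/dev/null &&
  openssl cms -decrypt -in "$1.enc" -inform DER -binary -recip crypt.crt \
    -inkey crypt.pem -out "$1.tar" 2>/dev/null &&
  cmp -s "$1.tar" upacket.tar
}

make_ca
make_cert trust digitalSignature
make_cert crypt dataEncipherment
printf 'constructed payload, stands in for a real update packet\n' > upacket.tar
build_packet
check_packet upacket.tar.enc.sign && echo "signed packet: verified and decrypted"

cp upacket.tar.enc.sign tampered.sign  # overwrite 8 bytes to simulate modification in transit
printf 'TAMPERED' | dd of=tampered.sign bs=1 seek=100 conv=notrunc 2>/dev/null
check_packet tampered.sign || echo "tampered packet: rejected"
```

Encryption needs only crypt.crt and verification needs only trust.crt and the CA certificate; the private keys trust.pem and crypt.pem are used for signing and decrypting respectively.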

Configuring the router

  1. Open the web interface of the router using a browser:

    • 192.168.1.1

    • User name: insys (default)

    • Password: icom (default)

  2. In the title bar of the web interface, click on (Display help text) to show the inline help that provides helpful information regarding the individual configuration parameters.

  3. In the Administration → Certificates menu in the Import certificates or keys section, click on Browse…, select the CA certificate generated above and upload it to the router with a click on Import certificates.

  4. In the Administration → Certificates menu in the Import certificates or keys section, click on Browse…, select the signing certificate trust.crt generated above and upload it to the router with a click on Import certificates.

  5. In the Administration → Certificates menu in the Import certificates or keys section, click on Browse…, select the encryption certificate crypt.crt generated above and upload it to the router with a click on Import certificates.

  6. In the Administration → Certificates menu in the Import certificates or keys section, click on Browse…, select the encryption key crypt.pem generated above and upload it to the router with a click on Import certificates.

  7. In the Administration → Update menu, click on Only accept signed packets.

  8. Confirm the warning with a click on Enforce signed packets.

  9. Activate the profile with a click on the blinking gear in the title bar.

Uploading the update package to the router

  1. In the Administration → Up-/Download menu in the Upload: Send data to the device section, click on Browse…, select the encrypted and signed update packet (here upacket.tar.enc.sign) and click on Upload.

The encrypted and signed update packet will be validated and then decrypted and uploaded.

Result testing

Upon successful upload, the uploaded content of the update packet will appear on the Up-/Download page under Following files have been saved. A failure message will be issued in case of a failure.

Troubleshooting

  • Check the system date of the computer to ensure that the certificates have been created with the current date; otherwise, they may be invalid.


1. Certificates have an expiry date. A wrong system time (time and date) is a frequent source of failure. Therefore, ensure that the system time of the PC is correct when creating the certificate structure.
2. It is strongly recommended to use a password. Remember this password. It is required every time the database of this CA project is opened.
3. Select a time range suitable and reasonable for your purpose. The default values are a good guideline. Time ranges that are too long may cause security and compatibility problems.
4. Select a time range suitable and reasonable for your purpose. The default values are a good guideline. Time ranges that are too long may cause security and compatibility problems.
5. Select a time range suitable and reasonable for your purpose. The default values are a good guideline. Time ranges that are too long may cause security and compatibility problems.
6. It is recommended to keep trust as the file name so that the following commands for encrypting and signing do not have to be modified.
7. It is recommended to keep crypt as the file name so that the following commands for encrypting and signing do not have to be modified.
8. It is recommended to keep trust as the file name so that the following commands for encrypting and signing do not have to be modified.
9. It is recommended to keep crypt as the file name so that the following commands for encrypting and signing do not have to be modified.