Update packets make it possible to upload different files such as firmware files, profiles, configurations or containers to INSYS icom routers. To ensure the integrity of these packets, the router can be configured to accept only update packets that have been signed, or encrypted and signed, with your own PKI (public key infrastructure).
The description in this Configuration Guide follows a configuration in the new user interface (web interface) available from icom OS 5.5. Update your router to the latest version of icom OS for the required functionality of the new user interface. The description of this configuration in the classic web interface is available in this Configuration Guide.
Situation
A security-sensitive application requires that update packets for the router are encrypted and signed. This is to prevent compromised update packets from being uploaded to the router.
Solution
The following describes how to create the certificates necessary for encryption and signing, how to configure the router for validation and decryption of the update packets and how to encrypt and sign the update packets accordingly.
How to create your own update packets is described in this Configuration Guide.
As a prerequisite, the XCA tool must be downloaded and installed on your computer.
The installation of XCA will also install the OpenSSL package on your computer.
The time and date of the PC must also be correct. [1]
The package managers of various Linux distributions contain XCA. On Ubuntu, for example, XCA can be installed as follows:
sudo apt-get install xca
Creating the certificates
A database needs to be generated prior to the creation of the certificate structure.
- To create a database, open XCA and select File → New DataBase.
- Enter a file name and specify a suitable directory for the XCA database.
- Enter a password twice and click on OK to create the database. [2]
Creating a CA certificate and key
- To generate a CA certificate and key, change to the Certificates tab and click on New Certificate.
- Select the CA template [default] CA under Template for the new certificate.
- Click on Apply extensions to take over the extensions from the template for the CA certificate.
- Change to the Extensions tab, adjust the validity period of the certificate by entering a time range, if required, and click on OK. [3]
- Change to the Subject tab, enter a suitable commonName and enter this also as Internal Name.
- Complete the remaining fields in the section Distinguished name accordingly.
- Click on Create a new key.
- Preferably use the commonName also as Name and click on Create.
- Confirm the key creation with OK.
- Click on OK and confirm again with OK to complete the creation of the CA certificate.
Creating the certificate and key for signing/validating
- To generate the certificate and key, change to the Certificates tab and click on New Certificate.
- In the Signing section, select the Use this Certificate for signing option and select the CA certificate created above.
- Select the CA template [default] HTTPS_client under Template for the new certificate.
- Click on Apply extensions to take over the extensions from the template for the certificate.
- Change to the Extensions tab, adjust the validity period of the certificate by entering a time range, if required, and click on OK. [3]
- Change to the Key usage tab, select the Digital Signature entry and deselect all other entries.
- Change to the Subject tab, enter the commonName as trust and enter this also as Internal Name.
- Click on Create a new key.
- Preferably use the commonName trust also as Name and click on Create.
- Confirm the key creation with OK.
- Click on OK and confirm again with OK to complete the creation of the certificate.
Creating the certificate and key for encrypting/decrypting
- To generate the certificate and key, change to the Certificates tab and click on New Certificate.
- In the Signing section, select the Use this Certificate for signing option and select the CA certificate created above.
- Select the CA template [default] HTTPS_client under Template for the new certificate.
- Click on Apply extensions to take over the extensions from the template for the certificate.
- Change to the Extensions tab, adjust the validity period of the certificate by entering a time range, if required, and click on OK. [3]
- Change to the Key usage tab, select the Data Encipherment entry and deselect all other entries.
- Change to the Subject tab, enter the commonName as crypt and enter this also as Internal Name.
- Click on Create a new key.
- Preferably use the commonName crypt also as Name and click on Create.
- Confirm the key creation with OK.
- Click on OK and confirm again with OK to complete the creation of the certificate.
Exporting the certificates and keys
The certificates and keys created with XCA are stored in the respective XCA database. In order to upload the certificates and keys to the router and sign/encrypt the update packets, these must be exported. XCA offers different file formats for export. The following describes the export to the file format PEM, which is suitable for all INSYS routers.
Never export the CA key, because this is essential for the security of the certificates.
- In order to export the CA certificate, change to the Certificates tab, highlight the CA certificate in the overview and click on Export.
- Specify a path and file name in the Certificate export window, select PEM as the Export Format and click on OK.
- In order to export the signing certificate, change to the Certificates tab, highlight the trust certificate in the overview and click on Export.
- Specify a path and file name in the Certificate export window, select PEM as the Export Format and click on OK. [4]
- In order to export the encrypting certificate, change to the Certificates tab, highlight the crypt certificate in the overview and click on Export.
- Specify a path and file name in the Certificate export window, select PEM as the Export Format and click on OK. [5]
- In order to export the signing key, change to the Private Keys tab, highlight the trust key in the overview and click on Export.
- Specify a path and file name in the Export private key window, select PEM as the Export Format and click on OK. [4]
- In order to export the encrypting key, change to the Private Keys tab, highlight the crypt key in the overview and click on Export.
- Specify a path and file name in the Export private key window, select PEM as the Export Format and click on OK. [5]
Encrypting and signing the update packets
All update packets can be signed or encrypted and signed. The following describes how to encrypt and sign an update packet. The OpenSSL commands are entered in a shell using the command line.
The following procedure requires that the update packet to be encrypted and signed is in a directory together with the certificates and keys generated above.
The following commands are based on these naming conventions:
- upacket.tar: File name of the update packet to be signed/encrypted
- upacket.tar.enc: File name of the encrypted update packet
- upacket.tar.enc.sign: File name of the encrypted and signed update packet
- crypt.crt: Certificate for encrypting the packet
- crypt.pem: Private key belonging to crypt.crt (used for decrypting the packet)
- trust.crt: Certificate for signing the packet
- trust.pem: Private key for signing the packet
The following procedure generates the encrypted and signed update packet upacket.tar.enc.sign:
- Open a shell on your computer (Windows PowerShell or Linux terminal).
- Navigate in the shell to the directory with the update packet and the certificates and keys.
- Encrypt the update packet using the command:
openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER -out upacket.tar.enc crypt.crt
- Sign the update packet using the command:
openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER
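A local round-trip check that can be run before uploading, given here as an added example and not taken from the INSYS documentation: it verifies the signature against the CA, decrypts the result and compares it with the original packet. The file name ca.crt for the exported CA certificate, the check.* and tampered.sign files, the function names and the throwaway test PKI generated with openssl instead of XCA are assumptions made for this example.

```sh
#!/bin/sh
# Throwaway test PKI standing in for the files exported from XCA (constructed;
# real packets are built with the exported trust.pem and crypt.crt).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null || return 1
  for name in trust crypt; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$name.pem" -out "$name.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 1 -out "$name.crt" 2>/dev/null || return 1
  done
}

# The two commands from the guide, unchanged.
build_packet() {
  openssl cms -encrypt -aes-256-cbc -in upacket.tar -binary -outform DER \
    -out upacket.tar.enc crypt.crt &&
  openssl cms -sign -nocerts -md sha256 -in upacket.tar.enc -nodetach -binary \
    -signer trust.crt -inkey trust.pem -out upacket.tar.enc.sign -outform DER
}

# check_packet FILE: 0 = signature chains to ca.crt and payload equals upacket.tar,
# 1 = signature check failed, 2 = decryption failed, 3 = payload differs.
check_packet() {
  # -nocerts left the signer certificate out of the packet, so it is supplied
  # with -certfile; -purpose any skips OpenSSL's default S/MIME purpose check.
  openssl cms -verify -inform DER -in "$1" -certfile trust.crt \
    -CAfile ca.crt -purpose any -out check.enc 2>/dev/null || return 1
  openssl cms -decrypt -inform DER -in check.enc -recip crypt.crt \
    -inkey crypt.pem -out check.tar 2>/dev/null || return 2
  cmp -s upacket.tar check.tar || return 3
}

# Runs in a subshell and a temp directory; succeeds only if the intact packet
# passes and a copy with four overwritten bytes is rejected.
roundtrip_demo() (
  cd "$(mktemp -d)" || exit 1
  printf 'constructed sample payload\n' > upacket.tar   # not a real update packet
  make_test_pki && build_packet || exit 1
  check_packet upacket.tar.enc.sign || exit 1
  cp upacket.tar.enc.sign tampered.sign
  printf 'XXXX' | dd of=tampered.sign bs=1 seek=300 conv=notrunc 2>/dev/null
  ! check_packet tampered.sign
)

roundtrip_demo && echo "intact packet verified, tampered copy rejected"
```

With the real exported files in the working directory, only check_packet is needed; it requires crypt.pem, so it belongs on the machine that already holds that key.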
Configuring the router
- Open the user interface of the router in a browser: insys.icom [6]
- In the Administration → Certificates menu, upload the CA certificate generated above to the router.
- Click on SUBMIT.
- In the Administration → Certificates menu, upload the signing certificate trust.crt generated above to the router.
- Click on SUBMIT.
- In the Administration → Certificates menu, upload the encrypting certificate crypt.crt generated above to the router.
- Click on SUBMIT.
- In the Administration → Certificates menu, upload the encrypting key crypt.pem generated above to the router.
- Click on SUBMIT.
- In the Administration → Automatic update menu, activate the Enable features switch under Allow only signed update packets and read the related note.
- Click on ENABLE SIGNATURE CHECK.
- Click on ACTIVATE PROFILE.
Uploading the update packet to the router
Depending on the type of update packet (e.g. firmware, configuration or container), the packet must be uploaded to different pages. The following example shows how to upload a firmware packet on the Firmware page.
- In the Administration → Firmware menu, upload the encrypted and signed update packet (here upacket.tar.enc.sign) to the router.
- Click on SUBMIT.
The encrypted and signed update packet will be validated and then decrypted and uploaded.
Result testing
Upon successful upload, the uploaded content of the update packet will appear on the respective page. A failure message will be issued in case of a failure.
Troubleshooting
- Check the system time and date of the computer to ensure the certificates are created with the current date; otherwise they might be invalid.