This is the first in what I hope to be a series of posts about the MCUboot bootloader from a security perspective. Please note that although I work in security, I am by no means a cryptographer. I appreciate any feedback on any and all flaws in my analysis. The MCUboot project The MCUboot Project is …a secure bootloader for 32-bit MCUs. The goal of MCUboot is to define a common infrastructure for the bootloader, system flash layout on microcontroller systems, and to provide a secure bootloader that enables easy software upgrade.
On Hacker News, user jgrahamc writes: If you take a narrow focus on a particular cryptographic event (such as your encryption of a string with an RSA public key) then you miss the greater story about encryption: it’s not just the individual cryptographic primitive that needs to be implemented correctly, it’s everything else. I recently have been involved in putting a demo together of using Arm’s TrustZone for Microcontrollers This is based around putting “secure” operations within a trusted firmware app.
Security analysis of Cloud IoT services Below is my analysis of Google’s “Cloud IoT Core” and Amazon’s “AWS IoT Core”, from a security perspective. The “Core” service from both of these providers is very similar, and consists of a message broker that supports a publish/subscribe model. In both cases, it is possible for an external host to subscribe to messages, as well as to have messages sent to various compute resources within the respective provider’s cloud offerings.
This is a bit unusual of a post, as it is more of a brain dump than a nicely written prose. I may fill this in over time. TLS and why it is hard Introduction In an ideal magical world, TLS is a thing you drop into a connection and it becomes secure. Both parties just communicate as if they were read/write send/recv packets, but everything is secured.
Recently, I’ve been looking at using Amazon Glacier for some of my off-site backup needs. I already have a small amount of my data being stored in s3, and the lower cost of Glacier ($0.004/GB-month) make it a possibility for backing up even more data. Since I intend for these backups to be fairly long time, I wanted to do a little analysis, comparing it with something like LTO-6. A LTO-6 tape drive looks to cost about $3000.
My regular job has me working, from time to time, with both Go and Rust. Both of these languages have a good following, and strong communities behind them, and there are things I enjoy about both languages. For the most part, if I am writing a utility for personal purposes, I will choose one of these two languages (notably, not Python). Several of my projects, I find myself maintaining in both Go and Rust, because I can’t make up my mind as to which I prefer, or which is a better fit for the problem.
I have been paying for an Adobe Creative Cloud subscription for around a year now. In order to help justify this expense, I’ve given myself a goal to learn the other programs in the suite that I don’t yet use (I primarily use Illustrator, Photoshop and Acrobat). I started with Premiere. Coming from Final Cut (before the “X” version which seems to have turned it into a toy), the user interface initially felt very different.
I am unable to access the Adobe forums, at least if I am logged in with my Adobe account. I thought I’d start by contacting Adobe Support. It seems that their support is only set up to help people with their applications, and they have nothing in place to help someone that is having a problem with their website. Vinay Pratap: Hello! Welcome to Adobe support. Vinay Pratap: We appreciate your patience and apologize for the wait.
After going through a bunch of tutorials for the various Adobe Creative Cloud Suite, I have made my first animation. I drew the clock in Illustrator (which I’ve known for many years, at least 30), with each hand on a separate layer. This took about 20 minutes. Then, I animated the hands using After Effects. This took maybe another 20 minutes. Then, I brought that animation into Premiere Pro and made a sequence that repeated for 2 minutes.
This post summarizes the relevant RFCS (and other standards) related to cryptography and, specifically, relevant to MCUboot. I intend to update this post with more RFCs as I refer to them in my work. Last update: 2018-05-31 Cryptography The following documents describe protocols and encodings relevant to digital signatures. RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 RFC4279: Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) RFC5208: Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.