ISO IEC 29341-13:2010 pdf – Information technology – UPnP Device Architecture – Part 13-10: Device Security Device Control Protocol – Device Security Service.
The EncryptedliMAC Value ts formed by encrypting a value formed accordtng to Rl’U2 104. using the hash algorithm named in l-lMAcAlgorithm. The value is a HASE64 encoding of HMAC( Secret. (SUPublicKey I I)esiccPuhliekey I Lifetime.Scqucncellase), where the first argument to IIMAC is the key and the second is the value being hashed. In this computation, both the Secret and the LifetimeSequencellase are printable strings. while Use PublicKey blocks are XML structures with no white space.
Specifically, let
H = SHAI-HMAC( Secret, (SCPublickey I DevicePublieKey 1.ifetimeSequenceflasel)
where StPubhcKey is the (XML formatted) Security Console signing public key and I)evicePublicKey is the (XML fonmttedl Device confidentiality public key. The Secret is the device’s ownership password (a UTF-8 string). The LifetimeSequetsceBase is the string returned by the device from GetLifetimeSequenceBase. which needs to he called just bet’ore TakeOwnership. The operator —r is normal stnng concatenation
This value H is then encrypted in the public key of the device, using PKCS#I V 1.5 padding, as described in section 4.6 and 0.
Use reply nlessttge to this action is not intended to be signed.
Use LifetimeSequenceBase changes with each call to TakeOwnership. whether successful or not, so that the value, II. will not ever rcpcat..
Device manufacturers should note that the secret value used needs to be unique to the device and large enough to withstand repeated guessing attacks mounted by a computer when the device first comes online. The computation of H insures that no other UP-Device pair could produce that value and that even that pair would not produce the same value of H at a fixture time. Therefore, H can not be used in a replay attaelc By encrypting H to form EncryptedHMAC Value. no attacker could learn something frons observing someone else’s TakeOwnership message.
An attack on TakeOwnership then requires either possession of the secret (e.g.. from seeing it written in device documentation or on a label on the pitysical device) or a network-mediated guessing attack on the secret, That snack will require 2 network round trips, one to get a new LifetinseSequencel3ase and the second to try a tr.s’ guessed Secret. If these two round trips take 1 millisecond each, for example. then the following table shows how long a secret of a given size is expected to withstand attack. a.”auming that the secret value is random and expressed as IJASE32 characters:
If the Device generates its own keys and Secret values (which it can, if it has a source of randomness and an output device capable of displaying or printing a key hash and a secret value), then the exposure now does not accumLtlate. The exposure time is only that time between when a device is plugged in and when TakeOwnership by the proper Secuntyt’osssole succeeds. After that time, the device will not respond to TakeOwnership. even if the secret were correct, so an attacker would learn nothing from repeated anempts.
If tlse Device comes with a pennanent built in secret then exposure time accumulates over all times that the device is on the network and not yet owned, presumably times that occur only when the device changes hands from the store to the first owner and then to a second owner. These times should be yeats apart.
The use of a secret shared between the device and the Security Console provides a common mechanism for taking ownership. This mechanism must be available in all devices, However, this is not to preclude the possibility of a device and security console product. from the same vendor, constructed to pc’nntt the taking of ownership in some more efficient manner. For example, one might have a security console that is portable and that cats be touched to an electrical contact on the device to achieve taking of owisership. Any alternative TakeOwnership mechanism must be analyzed for security to insure that it does not represent a security hole.