Cisco 881G firmware update - cisco

Please help me resolve an issue with a Cisco 881G device.
My company bought a Cisco 881G. Out of the box we have the npe firmware: c880data-universalk9_npe-mz.152-3.T1.bin
It's known that this firmware doesn't work with encryption.
I tried to update the firmware to c880data-universalk9-mz.152-3.T1.bin
You can see this is the same firmware, but without npe.
After the update I rebooted the device and ran into a problem. The device can't start up correctly and creates the file crashinfo_20130902-140731-UTC.
I tried other firmwares but the result is the same.
In the crashinfo file we can see:
*Jan 2 00:00:02.811: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted
*Jan 2 00:00:02.847: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c880-data Next reboot level = advsecurity and License = No valid license found
*Sep 2 14:07:30.055: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
*Sep 2 14:07:30.163: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Sep 2 14:07:30.283: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Sep 2 14:07:30.311: SEC_POST: AES-192 decryption output mismatch!
*Sep 2 14:07:30.311: SEC_POST: POST Test for AES-192 Failed
*Sep 2 14:07:30.311: %VPN_HW-0-SELF_TEST_FAILURE: Hardware Crypto self-test failed (SEC2.0 POST(Power-On-Self-Test) Failed!)
*Sep 2 14:07:31.435: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:01 to ensure console debugging output.
Please help me understand why I have this problem and what this message means.
Thanks in advance for your help.

It means the onboard encryption engine is damaged/malfunctioning/disabled and doesn't return the power-up self-test results as it should. It could be that the router was built for sale in an area that doesn't allow payload encryption and the engine was physically disabled by Cisco during manufacturing, or the chip is just broken and the reseller loaded it without encryption to get it to pass POST on boot-up.
See the Cisco documentation here:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/product_bulletin_c25-566278_ps10537_Products_Bulletin.html
Universal images with the "universalk9_npe" designation in the image name: The strong enforcement of encryption capabilities provided by Cisco Software Activation satisfies requirements for the export of encryption capabilities. However, some countries have import requirements that require that the platform does not support any strong crypto functionality such as payload cryptography. To satisfy the import requirements of those countries, the "npe" universal image does not support any strong payload encryption. This image supports security features like Zone-Based Firewall, Intrusion Prevention through SECNPE-K9 license.
IOS 15 uses the CSA to inhibit export of munitions grade crypto packages, but there may be a jumper or switch on the motherboard to disable the onboard crypto co-processor.
Also double-check the SHA of the firmware it shipped with compared to the firmware available from Cisco; the device may be counterfeit.
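As an added example (not part of the question or the answer above): a small Python triage of the crashinfo lines quoted in the question, plus the digest check the answer recommends. The sample lines are copied from the question; the regexes, the verdict wording and the `image_matches` helper are mine, and the test digests below are for the string "abc", not for a Cisco image.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample: the relevant lines from the crashinfo excerpt in the question.
SAMPLE_CRASHINFO = """\
*Jan 2 00:00:02.811: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted
*Jan 2 00:00:02.847: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c880-data Next reboot level = advsecurity and License = No valid license found
*Sep 2 14:07:30.163: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Sep 2 14:07:30.283: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Sep 2 14:07:30.311: SEC_POST: AES-192 decryption output mismatch!
*Sep 2 14:07:30.311: SEC_POST: POST Test for AES-192 Failed
*Sep 2 14:07:30.311: %VPN_HW-0-SELF_TEST_FAILURE: Hardware Crypto self-test failed (SEC2.0 POST(Power-On-Self-Test) Failed!)
"""

# IOS syslog layout: "*Mon D HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: text" (severity 0 = emergency).
SYSLOG_RE = re.compile(r"^\*?\S+\s+\d+ [\d:.]+: %(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$")
POST_RE = re.compile(r"^\*?\S+\s+\d+ [\d:.]+: SEC_POST: POST Test for (?P<alg>\S+) Failed")
LICENSE_RE = re.compile(r"Next reboot level = (?P<level>\S+) and License = (?P<lic>.*)$")
ENGINE_RE = re.compile(r"Crypto engine: .+? State changed to: (?P<state>\w+)")


def triage(crashinfo: str) -> Dict:
    """Pull the license level, crypto-engine state changes and POST results out of a crashinfo."""
    f = {"next_reboot_level": None, "license": None, "engine_states": [],
         "post_failures": [], "self_test_failed": False, "worst_severity": 7}
    for line in crashinfo.splitlines():
        m = POST_RE.match(line)
        if m:                                   # SEC_POST lines carry no %FACILITY tag
            f["post_failures"].append(m.group("alg"))
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        f["worst_severity"] = min(f["worst_severity"], int(m.group("sev")))
        mnemonic, text = m.group("mn"), m.group("text")
        if mnemonic == "LICENSE_LEVEL":
            lm = LICENSE_RE.search(text)
            if lm:
                f["next_reboot_level"], f["license"] = lm.group("level"), lm.group("lic")
        elif mnemonic == "SELF_TEST_FAILURE":
            f["self_test_failed"] = True
        elif m.group("fac") == "VPN_HW":
            em = ENGINE_RE.search(text)
            if em:
                f["engine_states"].append(em.group("state"))
    return f


def verdict(f: Dict) -> str:
    """One-line reading of the triage result (wording is mine, not Cisco's)."""
    if f["self_test_failed"] or f["post_failures"]:
        algs = ", ".join(f["post_failures"]) or "unknown algorithm"
        return f"hardware crypto engine failed power-on self-test ({algs}): engine damaged or disabled"
    if f["license"] and "No valid license" in f["license"]:
        return "crypto engine passed POST; feature set is limited by the missing license only"
    return "no crypto-related boot problem in this crashinfo"


def image_matches(image: bytes, expected_hex: str) -> bool:
    """Compare an image's MD5 (32 hex) or SHA-256 (64 hex) with the value published by Cisco."""
    expected = expected_hex.strip().lower()
    algo = {32: hashlib.md5, 64: hashlib.sha256}.get(len(expected))
    if algo is None:
        raise ValueError("expected an MD5 or SHA-256 hex digest")
    return hmac.compare_digest(algo(image).hexdigest(), expected)


if __name__ == "__main__":
    result = triage(SAMPLE_CRASHINFO)
    print(result)
    print(verdict(result))
```

For a real check, read the .bin from flash into `image` and pass the digest shown on Cisco's download page; a mismatch on the image the unit shipped with is the counterfeit signal the answer is pointing at.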

Related

android.bluetooth.le changing advertising data (UUID) periodically

I made an app that advertises an iBeacon. The UUID changes every 30 seconds. Within the UUID is the androidID of the phone and a timestamp. Both are encrypted. My smart-home system decrypts the UUID and gets the timestamp and the androidID. If both are valid the front door opens.
The app creates a UUID and starts advertising, stops after 30 seconds and creates a new one and restarts the advertising. This goes on forever until the app (running in the background) is closed.
I wonder if it is possible to change the advertising data (UUID) without stopping and restarting the advertising?
Thanks!
Is starting with AdvertisingSet a solution?
The way to do this is via the setAdvertisingData() method. Calling this in the middle of advertising shouldn't be an issue (as long as you are on API 26 or later). From the Android developer website:
Set/update data being Advertised. Make sure that data doesn't exceed the size limit for specified AdvertisingSetParameters. This method returns immediately, the operation status is delivered through callback.onAdvertisingDataSet().
Advertising data must be empty if non-legacy scannable advertising is used. For apps targeting Build.VERSION_CODES#R or lower, this requires the Manifest.permission#BLUETOOTH_ADMIN permission which can be gained with a simple manifest tag. For apps targeting Build.VERSION_CODES#S or higher, this requires the Manifest.permission#BLUETOOTH_ADVERTISE permission which can be gained with Activity.requestPermissions(String[], int).
Requires Manifest.permission.BLUETOOTH_ADVERTISE
Have a look at the links below for more information:
How do you update the Android BLE advertising data at runtime
Dynamically changing BLE data in Android
BLE advertisements changing in Android

FreeRadius in combination with a vulnerability scan / software status check

What I have:
I am running a FreeRADIUS server fully configured the way I need it to be. Everything works just fine right now.
What I need:
I need RADIUS to put the devices in a separate VLAN before authentication and to run a vulnerability scan (Nessus / OpenVAS etc.) on the devices in this VLAN to check for software status (antivirus etc.).
If the device passes the test the authentication should be done normally.
If it fails it should be put into a third (fourth if you count the unauth VID) VLAN.
Can someone tell me if this is doable in FreeRADIUS?
Thanks in advance for your answers
Yes. But this is a very broad question and is dependent on the networking equipment being used. I'll give you an overview of how I'd design such a system.
In general, you'll have an easier time if you can use the same DHCP server/IP range for your NAC and full access VLAN. That means you don't have to signal the higher networking layers in the client that there's been a state change, you can swap out VLANs behind the scenes to change what they can access.
You'd set up a database with an entry for each client. This doesn't have to be pre-populated, it could be populated during the first auth attempt. Part of each client entry would be a status field detailing when they last completed NAC.
You'd also need an accounting database, to store information about where each client is connected to the network.
If the client had never completed NAC checks before, you'd assign the client to the NAC VLAN, and signal your NAC processes to start interrogating it.
FreeRADIUS can act as both a RADIUS and DHCPv4 server, so you'd probably signal the NAC process from the DHCPv4 side because then you'd know what IP the client received.
Binding the RADIUS and DHCPv4 sides can be done in a couple of ways. The most obvious is MAC, another common way is NAS/Port ID using the accounting table.
Once the NAC checks had completed, you'd have the NAC process write out a receipt in detail file format, and have that read back in by a detail file listener (there are examples of this in sites-available/ in the 'decoupled-accounting' virtual server files). When reading those entries back in, you'd change the state in the database, and send a CoA packet to the switch using information from the accounting database to identify the client. This would flip the VLAN and allow them to the standard set of networking resources.
I know this is very high level, documenting it properly would probably exceed StackOverflow's character limit. If you need more help with this, I suggest you research what I've described above and then start asking the RADIUS related questions on the FreeRADIUS user's mailing list https://freeradius.org/support/.
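The state machine the answer sketches, written out as an added example in Python (not FreeRADIUS configuration and not the answerer's code): a client table with the last NAC result, an accounting table filled from Acct-Start, the VLAN decision at authorize time, a parser for the detail-file receipts the NAC process writes back, and the CoA attributes built from the accounting row. The VLAN names, the validity window and the `NAC-Result`/`NAC-Scanner` attribute names are assumptions; the detail-file records below are constructed.

```python
from typing import Dict, List, Optional

NAC_VLAN = "nac-vlan"          # assumed: VLAN where the scanner can reach the client
FULL_VLAN = "100"              # assumed: production VLAN
QUARANTINE_VLAN = "quarantine" # assumed: VLAN for clients that failed the check
NAC_VALIDITY = 24 * 3600       # assumed: a pass is good for one day, then rescan

# "client database": MAC -> last NAC result and when it was recorded
clients: Dict[str, dict] = {}
# "accounting database": MAC -> where the client is attached (from Accounting-Start)
sessions: Dict[str, dict] = {}

# Constructed detail-file records, in the format FreeRADIUS writes: a timestamp line,
# tab-indented "Attribute = value" lines, blank line between records.
DETAIL_SAMPLE = """\
Mon Sep  2 14:07:30 2013
\tCalling-Station-Id = "aa:bb:cc:dd:ee:ff"
\tNAC-Result = "pass"
\tNAC-Scanner = "openvas"

Mon Sep  2 14:09:00 2013
\tCalling-Station-Id = "11:22:33:44:55:66"
\tNAC-Result = "fail"

"""


def vlan_for(mac: str, now: float) -> str:
    row = clients.get(mac)
    if row is None or row["result"] is None or now - row["checked_at"] > NAC_VALIDITY:
        return NAC_VLAN                      # never checked, or the last check has expired
    return FULL_VLAN if row["result"] == "pass" else QUARANTINE_VLAN


def authorize(mac: str, now: float) -> dict:
    """Authorize step: reply attributes that set the port VLAN. 'start_scan' tells the
    caller (in practice the DHCPv4 side, once an address is known) to kick off the NAC run."""
    vlan = vlan_for(mac, now)
    clients.setdefault(mac, {"result": None, "checked_at": 0.0})
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan, "start_scan": vlan == NAC_VLAN}


def account_start(attrs: dict) -> None:
    """Accounting-Start: remember NAS and session so a CoA can target this client later."""
    mac = attrs["Calling-Station-Id"]
    sessions[mac] = {k: attrs[k] for k in ("NAS-IP-Address", "NAS-Port", "Acct-Session-Id")}


def parse_detail(text: str) -> List[dict]:
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = None
        elif not line.startswith("\t"):
            current = {"timestamp": line.strip()}
        elif current is not None:
            name, _, value = line.strip().partition(" = ")
            current[name] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


def apply_receipt(rec: dict, now: float) -> Optional[dict]:
    """Consume one NAC receipt: update the client row and build the CoA that moves the
    client to its new VLAN. Returns None when the client has no live session."""
    mac = rec["Calling-Station-Id"]
    clients[mac] = {"result": rec["NAC-Result"], "checked_at": now}
    sess = sessions.get(mac)
    if sess is None:
        return None
    return {**sess, "Calling-Station-Id": mac, "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-Id": vlan_for(mac, now)}


if __name__ == "__main__":
    account_start({"Calling-Station-Id": "aa:bb:cc:dd:ee:ff", "NAS-IP-Address": "10.0.0.2",
                   "NAS-Port": "7", "Acct-Session-Id": "0001"})
    print(authorize("aa:bb:cc:dd:ee:ff", 0.0))
    for rec in parse_detail(DETAIL_SAMPLE):
        print(apply_receipt(rec, 60.0))
```

The CoA dict is what you would hand to radclient or the `coa` virtual server; the point of keying it off the accounting row is that the NAC scanner only knows the IP/MAC, while the switch needs NAS, port and session id to move the right port.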

Authenticating an applet on Javacard and an applet on SAM (Secure Access Module)

I have written an applet in my Java Card and another applet in my SAM. I want to create mutual authentication by sending random numbers created on each side.
The model of reader is:
c:\>gp.exe -all -d
# Detected readers from SunPCSC
[*] ACS ACR1281 1S Dual Reader PICC 0
[*] ACS ACR1281 1S Dual Reader SAM 0
I select the applet on the SAM, create a random number and send it out. Then I select the applet on the Java Card, which creates a string from the SAM's random and a new random created by the card, and sends the mixed random.
So I should again select the applet on the SAM to check the random, but as my randoms are in transient CLEAR_ON_RESET memory, they're gone.
I need the random numbers in transient CLEAR_ON_RESET memory. And I use gp.exe for sending APDUs.
Is there any way that I can have both the SAM and the card selected? I guess there should be a way to have both of them up.
If you've got different (logical) reader devices then there is no need to close the channel to either one of them while using the other. You should be able to use them concurrently, even from the same thread.
The problem is using gp.exe which is a tool not written for such usage. Please code an application, for instance using Java & javax.smartcardio instead.
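The exchange the question describes, as a simulation added here (it is not the asker's applets, not gp.exe output, and not javax.smartcardio code): the host holds both "readers" open at once and drives the SAM and card applets in turn, and each applet keeps its random in a field that stands in for a CLEAR_ON_RESET transient array. The key, INS codes and status words are assumptions, and the 8-byte truncated HMAC-SHA256 is an assumed stand-in for whatever MAC the real applets compute. The `reset_between_steps` flag reproduces the failure in the question: a tool that reconnects per command resets the card, the transient randoms vanish, and the SAM answers 6985.

```python
import hashlib
import hmac
import os

# Assumed values: pre-shared key provisioned into both applets, INS codes and status words.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
INS_GET_CHALLENGE, INS_MUTUAL_AUTH, INS_EXTERNAL_AUTH = 0x84, 0x86, 0x82
SW_OK, SW_CONDITIONS_NOT_SATISFIED, SW_SECURITY_STATUS = b"\x90\x00", b"\x69\x85", b"\x69\x82"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"


def apdu(ins: int, data: bytes = b"") -> bytes:
    """CLA INS P1 P2 Lc data (CLA 0x80 assumed for both applets)."""
    return bytes([0x80, ins, 0x00, 0x00, len(data)]) + data


class Applet:
    """rand/peer stand in for a CLEAR_ON_RESET transient array: kept while the
    session stays open, wiped by reset()."""
    def __init__(self, key: bytes):
        self.key = key
        self.reset()

    def reset(self) -> None:
        self.rand = self.peer = None
        self.authenticated = False

    def mac(self, *parts: bytes) -> bytes:
        return hmac.new(self.key, b"".join(parts), hashlib.sha256).digest()[:8]


class SamApplet(Applet):
    def process(self, cmd: bytes) -> bytes:
        ins, data = cmd[1], cmd[5:]
        if ins == INS_GET_CHALLENGE:              # step 1: hand out R_sam
            self.rand = os.urandom(8)
            return self.rand + SW_OK
        if ins == INS_EXTERNAL_AUTH:              # step 3: check R_card || MAC(R_sam||R_card)
            if self.rand is None:
                return SW_CONDITIONS_NOT_SATISFIED  # challenge gone, e.g. reset since step 1
            r_card, tag = data[:8], data[8:16]
            if not hmac.compare_digest(tag, self.mac(self.rand, r_card)):
                return SW_SECURITY_STATUS
            self.authenticated = True
            return self.mac(r_card, self.rand) + SW_OK  # proof for the card: R_card first
        return SW_INS_NOT_SUPPORTED


class CardApplet(Applet):
    def process(self, cmd: bytes) -> bytes:
        ins, data = cmd[1], cmd[5:]
        if ins == INS_MUTUAL_AUTH:                # step 2: take R_sam, reply R_card || MAC(R_sam||R_card)
            self.peer, self.rand = data[:8], os.urandom(8)
            return self.rand + self.mac(self.peer, self.rand) + SW_OK
        if ins == INS_EXTERNAL_AUTH:              # step 4: verify SAM's MAC(R_card||R_sam)
            if self.rand is None:
                return SW_CONDITIONS_NOT_SATISFIED
            if not hmac.compare_digest(data[:8], self.mac(self.rand, self.peer)):
                return SW_SECURITY_STATUS
            self.authenticated = True
            return SW_OK
        return SW_INS_NOT_SUPPORTED


def mutual_authenticate(sam: SamApplet, card: CardApplet, reset_between_steps: bool = False) -> bool:
    """Host side: both readers stay connected for the whole run."""
    r = sam.process(apdu(INS_GET_CHALLENGE))
    if r[-2:] != SW_OK:
        return False
    r = card.process(apdu(INS_MUTUAL_AUTH, r[:-2]))
    if r[-2:] != SW_OK:
        return False
    if reset_between_steps:                       # what a reconnect-per-command tool causes
        sam.reset()
        card.reset()
    r = sam.process(apdu(INS_EXTERNAL_AUTH, r[:-2]))
    if r[-2:] != SW_OK:
        return False
    r = card.process(apdu(INS_EXTERNAL_AUTH, r[:-2]))
    return r[-2:] == SW_OK and sam.authenticated and card.authenticated


if __name__ == "__main__":
    print("both open:", mutual_authenticate(SamApplet(SHARED_KEY), CardApplet(SHARED_KEY)))
    print("reset in between:", mutual_authenticate(SamApplet(SHARED_KEY), CardApplet(SHARED_KEY), True))
```

With a real reader pair you would open two javax.smartcardio (or pyscard) connections, one per reader name from the `gp -all -d` listing, and route the `sam.process`/`card.process` calls to them; nothing in the flow requires disconnecting either one.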

Global Platform CRS and card specific commands

I'm trying to read some data from the secure element in the SIM of a global platform 2.2 card.
My SELECT command for the applet is successful (90 00) with some PDOL data in the response. However, when I send Get Processing Options it returns 6D00. It seems the Security Domain is still in charge and does not understand the GPO command.
My investigation says applet specific commands needs to go over a secure channel, while the CRS runs on the basic channel. Is this requirement true even if the card is not being accessed over the contactless interface?
First of all, verify that your applet is selected on the same I/O interface and the same logical channel on which you are sending the command.
The status word '6D00' shows that the command was sent to another applet or SD that does not understand it, rather than a secure channel initiation requirement.
And yes, if you are communicating with a secured card like a Secure Element, then you need to initiate an SCP session.
The SELECT APDU should be sent first with the correct AID.
If the AID belongs to an EMV card, the response should come with status SW 90 00 and a data area. The Processing Options Data Object List in the data area should be properly parsed and GET PROCESSING OPTIONS should be constructed with the required parameters (Terminal Transaction Qualifiers, Amount Authorised, Unpredictable Number etc.).
Try these TLV utilities and see the options list:
9F38 Processing Options Data Object List (PDOL)
9F66049F02069F37045F2A029A03

Storing and transferring credentials from a public computer

I have a public computer that is used in an ATM sort of fashion. When a certain action occurs (person inserts money), the program I've written on the computer sends a request to a trusted server which does a very critical task (transfers money).
I'm wondering, since I have to communicate with a server to start the critical task, the credentials to communicate with it are stored on this public computer. How do I prevent hackers from obtaining this information and running the critical task with their own parameters?
HSMs (Hardware Security Modules) are designed to store keys safely:
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
HSMs may possess controls that provide tamper evidence such as logging and alerting and tamper resistance such as deleting keys upon tamper detection. Each module contains one or more secure cryptoprocessor chips to prevent tampering and bus probing.
Impossible in general
If your user has access to this PC, they can easily insert fake money. Your model is doomed.
Minimize attack surface
This PC ought to have a unique token (a permanent cookie is enough), and the server will refuse a request without a valid cookie. The server maintains a database of device types, and this ATM-PC is only allowed certain operations (deposit money up to NNN units). Ideally it is also rate-limited (at most once per 3 seconds).
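The server side of the last answer, as an added Python example (not the asker's program and not anyone's production code): the device presents a per-device token, the server keeps only a hash of it, looks up the device type, and enforces an operation allowlist, a per-operation amount cap and a minimum interval between accepted requests. The point is that a token lifted from the kiosk still cannot do anything the kiosk itself could not. The device registry layout, the token value and the policy numbers are assumptions.

```python
import hashlib
import hmac
from typing import Callable, Dict, Tuple


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed example token. In deployment issue one per device with secrets.token_urlsafe(32)
# and store only its hash on the server.
KIOSK_TOKEN = "example-kiosk-token-not-for-production"

# Server-side registry (assumed layout): what each device is, and what that type may do.
DEVICES: Dict[str, dict] = {
    "kiosk-17": {"type": "deposit-kiosk", "token_hash": hash_token(KIOSK_TOKEN)},
}
POLICIES: Dict[str, dict] = {
    "deposit-kiosk": {"allowed_ops": {"deposit"}, "max_amount": 500, "min_interval_s": 3.0},
}


class Gateway:
    """Trusted server. The kiosk credential only identifies the device; every limit lives here."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock                          # injectable for tests
        self.last_accepted: Dict[str, float] = {}

    def handle(self, device_id: str, token: str, op: str, params: dict) -> Tuple[bool, str]:
        dev = DEVICES.get(device_id)
        # Always run the comparison so timing does not reveal which device ids exist.
        expected = dev["token_hash"] if dev else hash_token("")
        if not hmac.compare_digest(hash_token(token), expected) or dev is None:
            return False, "unknown device or bad token"
        policy = POLICIES[dev["type"]]
        if op not in policy["allowed_ops"]:
            return False, f"{op!r} not permitted for {dev['type']}"
        amount = params.get("amount", 0)
        if op == "deposit" and not (0 < amount <= policy["max_amount"]):
            return False, "amount outside policy"
        now = self.clock()
        last = self.last_accepted.get(device_id)
        if last is not None and now - last < policy["min_interval_s"]:
            return False, "rate limited"
        self.last_accepted[device_id] = now         # only accepted requests count
        return True, "ok"


if __name__ == "__main__":
    import time
    gw = Gateway(clock=time.monotonic)
    print(gw.handle("kiosk-17", KIOSK_TOKEN, "deposit", {"amount": 100}))
    print(gw.handle("kiosk-17", KIOSK_TOKEN, "transfer", {"amount": 100}))
```

The cap and the rate limit bound what an attacker with the kiosk's token (or with physical control of the kiosk) can push through the server per hour, which is the only defence the first part of that answer leaves you: the fake-money problem is on the kiosk, but the blast radius is decided on the server.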