
oll3 | 2 years ago

Diffie-Hellman would not be enough if there is a MITM at the time of the exchange, would it?

Somehow the control panel and the reader must authenticate each other. I'm no security expert, but the only way I can think of is to use some pre-shared key. A key set via a trusted side channel, or at a time when the OSDP channel is known to not be intercepted.


hqsolomo | 2 years ago

Security neophyte here: you are exactly right. It also seems like in this case there was a "default encryption key" and it is 100% a part of the problem.

oll3 | 2 years ago

I guess the default key is a problem too. Mainly since it might trick developers/manufacturers into thinking that this somehow makes the key exchange secure if you use it while setting a device-unique key.

I do work with OSDP devices and I have heard this argument from manufacturers, like "we only support setting a new key while using the default key, it's more secure that way", while it, at best, will just obfuscate the process.
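
The two points raised in this thread, as an added Python example that is not part of any comment above and is not OSDP's actual protocol: a Diffie-Hellman exchange whose public values carry an HMAC under a pre-shared key rejects a substituted value, while the same check passes when the "pre-shared" key is one everybody knows. The toy group, the role labels and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: 2**127 - 1 is prime but far too
# small for real use. A deployment would use a standard group or curve.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def tag(psk, role, pub):
    """MAC that binds a DH public value to the sender's role under the PSK."""
    return hmac.new(psk, role + pub.to_bytes(16, "big"), hashlib.sha256).digest()

def verify(psk, role, pub, mac):
    return hmac.compare_digest(tag(psk, role, pub), mac)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def run_exchange(authenticated, intercepted, psk_is_public=False):
    """Simulate one panel/reader exchange and report what each party ends up with."""
    psk = secrets.token_bytes(16)          # installed over a trusted side channel
    a, A = keypair()                       # control panel
    b, B = keypair()                       # reader
    to_reader = (A, tag(psk, b"panel", A))
    to_panel = (B, tag(psk, b"reader", B))
    m = None
    if intercepted:
        m, M = keypair()                   # party in the middle substitutes M
        if psk_is_public:                  # e.g. a documented default key
            to_reader, to_panel = (M, tag(psk, b"panel", M)), (M, tag(psk, b"reader", M))
        else:                              # without the PSK no valid tag can be made
            to_reader = to_panel = (M, secrets.token_bytes(32))
    if authenticated and not (verify(psk, b"panel", *to_reader)
                              and verify(psk, b"reader", *to_panel)):
        return {"accepted": False}
    out = {"accepted": True,
           "panel": session_key(a, to_panel[0]),
           "reader": session_key(b, to_reader[0])}
    if m is not None:                      # keys the middle party can derive
        out["middle"] = (session_key(m, A), session_key(m, B))
    return out
```
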