3. Security Analysis
The MiniWeb server is well implemented. The SSL implementation does not show any failures. The only security weakness is the long life span of the certificate and the use of MD5 for the generation of the certificates. The key length of 1024 bits is sufficient for the next three to five years.
3.1.6 Time Synchronization and Logging
The security module allows time synchronization based on the
The NTP protocol neither provides authenticity nor integrity of the transferred time. A forgery of the information allows a
The logging of the time setting shows weaknesses since expired certificates and ARP spoofing attacks are not logged. Even the failure of establishing IPsec tunnels due to the expired certificates were not logged. A modification of the time is logged only when this is set manually, but not when it is set over NTP. In the default setting numerous events are not logged.
3.2Configuration
The security module is configured by means of a security configuration tool installed on the configuration PC. This tool stores its files encrypted in a database. The configuration data is transferred from the PC to the security module in an encrypted manner with SSL. During the first configuration at initialization time a direct connection between PC and security module is necessary since the addressing of the security module is made via the MAC address. Afterwards, the communication is carried out over IP such that no direct connection is required anymore for configuring the Scalance device. Certificates and keys are then transferred to the security module by the configuration tool.
It was not possible to break the encryption of the configuration files. A
escrypt GmbH | 15 |
