Improving Confidence During Auto-Configure

From Entuura

We have no strong authentication in the configuration process, so we can't be sure that a given box is exactly who it says it is. We use the MAC address as a key, but that's a public piece of data.

It would be possible to store a piece of random data around 64 bytes long into the nvram of the boxes before they "leave the factory". At the same time we put the data into the nvram on the machine, we put it into a database on the central server. This piece of data exists only in those two places and constitutes a shared secret that the device can use to identify itself to us.

However, it's unclear exactly what we are getting by maintaining some sort of non-standard shared secret. Here's another way to use the nvram... to store a key and a cert "at the factory". This means that from the very first time the box contacts us, it will be able to prove who it is, via normal SSL. If we turn on SSL client authentication on the server... bingo.

As for the other direction: Because the config script is signed by the update key, the device gets a chance to authenticate that it is not being hijacked by a rogue central server. And it can also profit from server-authentication, because the server's SSL key will be signed by the CA, which the client already knows to trust.