Mender 2.5 release: Expanding the security capabilities of Mender
We are excited to release the hosted and on-premise editions of 2.5.0 (together with 2.4.1).
Security and robustness are the prime directive of Mender in doing over-the-air software updates, and we work hard to make sure that directive never goes out of our sight. Mender 2.5.0 is a further testament to that directive and comes with these brand new features focused on expanding Mender's security capabilities:
- Mutual TLS for Device authentication
- Hardware security for Device authentication
- Elliptic Curve Cryptography support for Device authentication
The availability of the new features depends on the commercial plan listed on the features page. The new features are described below. A more detailed description can be found in the Mender 2.5.0 release notes.
Mutual TLS for Device authentication
Mender has since the beginning used one-sided TLS to set up a secure communication channel between the Mender client and the Mender server. In this approach the Mender client verifies the TLS certificate of the Mender server, while the Mender server authorizes the Mender client based on a JSON web token. Since only the server has a TLS certificate (which the client verifies), this is often called one-sided TLS.
However, when manufacturing devices at larger scale, it is common for each device to have its own unique certificate as well. This certificate can be used by several cloud services to authenticate the device.
With the new Mutual TLS support, Mender can now leverage existing device certificates to authenticate against the Mender server. This means that no extra keys or certificates are required to use Mender if a device certificate already exists. This simplifies key management and thus increases security, since there is a lower risk of losing track of keys and certificates on the devices.
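To make the difference between one-sided and mutual TLS concrete, here is an added Go example (not Mender's own code) that builds an in-memory device CA, a server certificate and a device certificate, then runs one handshake against a server that requires and verifies a client certificate; a device that presents no certificate is rejected, a device with a CA-issued certificate is accepted. The certificate names and the functions `newCert` and `MutualTLSHandshake` are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert issues an in-memory P-256 certificate for cn, signed by parent (nil: self-signed CA).
func newCert(cn string, parent *x509.Certificate, signer interface{}) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{ // constructed for this example, not read from a real device
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// MutualTLSHandshake runs one handshake against a server whose ClientAuth is RequireAndVerifyClientCert,
// the setting that turns one-sided TLS into mutual TLS, and returns the server's verdict (nil: accepted).
func MutualTLSHandshake(deviceHasCert bool) error {
	ca, caPair := newCert("device-ca", nil, nil) // one CA signs both sides here, for brevity
	_, srvPair := newCert("mender-server", ca, caPair.PrivateKey)
	_, devPair := newCert("device-0001", ca, caPair.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvPair}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	defer ln.Close()
	cli := &tls.Config{RootCAs: pool, ServerName: "mender-server"} // the device still verifies the server
	if deviceHasCert {
		cli.Certificates = []tls.Certificate{devPair} // the device's own certificate, if it has one
	}
	go tls.Dial("tcp", ln.Addr().String(), cli) // the device connects in the background
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return c.(*tls.Conn).Handshake() // the server's verdict on the device certificate
}
```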
Hardware security for Device authentication
Mender can now leverage hardware support for authentication of Devices. Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) securely store keys inside hardware, making them tamper-proof and harder to steal. Device applications like Mender only operate on these keys, for example by requesting signing and decryption, rather than reading the keys and using them directly.
For environments already leveraging hardware security, this ensures that the OTA update process with Mender is secured in the same way as other applications leveraging cryptography operations on the device. For more resource-constrained environments it also provides better performance and lower power usage as hardware acceleration is leveraged for cryptography operations.
Mender uses OpenSSL to support hardware security on the Device, which gives support for a large share of HSMs and TPMs through the custom OpenSSL Engines provided by their manufacturers. The Mender client now uses OpenSSL for all crypto operations, and all use of the Golang crypto library has been removed.
Elliptic Curve Cryptography support for Device authentication
Elliptic Curve Cryptography (ECC) is a form of public key cryptography like RSA, but it provides improved performance because the keys can be much shorter while still achieving the same level of security. For example, for 128-bit security, a key length of 3072 bits is required with RSA but only 256 bits with ECC.
The shorter key lengths with ECC mean that fewer resources are required to carry out cryptography operations such as establishing a secure channel with the Mender server. For more resource-constrained devices, this translates into faster operations, power savings and potentially longer battery life.
When combined with hardware security, this increases the benefits and enables selection of hardware that only supports ECC, which can lead to cost savings due to a simpler hardware design.
Support for your board
If you are new to OTA updates, or lack the time to integrate the Mender client with your specific board for robust A/B system updates, several resources are available to you:
- The Board Integrations category in Mender Hub is a community site to contribute, reuse and maintain Mender board integrations.
- We are happy to help with consulting services to ensure verified Mender support for your board.
Share your feedback
We would love your general feedback on Mender, whether positive or in need of improvement, in the Mender Hub General Discussions forum. Your continued feedback helps Mender meet your needs even better in the future!
If you believe you have encountered a bug, please submit your report at the Mender JIRA issue tracker.
We hope you enjoy all the new features, and we look forward to hearing from you!