MeshCentral2 - Design Document, TPM support, Speed & IoT

This holiday break was no break for MeshCentral as it continued to progress. Big thanks to the people that post issues on GitHub. Because of the community, MeshCentral is getting a lot better and issues that would be difficult to find are being fixed. Over the past month a lot of things have changed and here is a small rundown of some of them:
  • Published the first version of the Design and Architecture document. This new document comes on top of the existing Install Guide and User’s Guide documents. It covers the internal workings of MeshCentral including the programming languages used, the dependencies, certificate generation, connection authentication, security and much more. The goal here for anyone to be able to get a good grasp as to how MeshCentral2 was designs, the trade-offs and how the security works. This is the first published version. Obviously, this document will grow in size as times permits. One possible use of this document is so that anyone can conduct a security review of MeshCentral.
  • Windows Mesh Agent now supports TPM modules for extra security. Each mesh agent connecting to the server uses a self-generated certificate to uniquely authenticate to the server. The hash of the public key of the agent certificate becomes the device identifier and this is not a identifier that can be easily spoofed by other agents on the network. In order to improve security and harden the agent certificate, the Windows Mesh Agent will now automatically detect that a TPM module is present on the platform and make use of it by generating it’s certificate using the TPM backed cryptographic provider. This means that the device identifier on the server is now backed by hardware on the agent if available. Also, if you delete the “meshagent.db” file and start the agent again, it will come back to the server with the same device identifier, which is pretty cool.
  • Mesh Agent setup and start speed improvement. On smaller, less capable IoT devices the mesh agent was very slow to start. Especially the first time you ran it. This is because the agent was generating no less than 5 certificates the first time it ran and generating 2 certificates each time after that. This was very inefficient, caused CPU and power waste and very slow starts. The new agent on Linux/OSX as of 2 weeks ago only generates 1 certificate on first run and no certificates after that making it super-fast. On Windows, the agent will generate 2 certificates on first run (with one possibly in TPM) and no certificate generation on subsequent runs.
  • Improved MeshCentral IoT testing. As the picture shows below, the MeshCentral lab has gotten a bunch of small IoT devices permanently connected for ongoing testing. The 4 devices (2 Raspberry Pi, 1 Tinker Board, 1 LattePanda) are used to run both the MeshAgent and the MeshCentral server. It’s pretty amazing that the entire server can run on such small devices and manage quite a large network of computers. As time goes on, more will likely be added to the test bench.
This is just a few of the changes, you can see a list of the MeshCentral commits on GitHub here. Many thanks for Bryan Roe who tirelessly keeps improving the MeshAgent. Many of this new features have not made it into the server yet, so that is a backlog in fun things to come.

Enjoy!
Ylian
MeshCentral2: http://www.meshcommander.com/meshcentral2
Twitter: https://twitter.com/meshcentral



Published the new MeshCentral2 Design & Architecture Guide
http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2DesignArchitecture.pdf



The MeshCentral2 agent on Windows now supports TPM modules for improved security.
It will automatically use the Windows TPM cryptographic provider when available.



There is a set of small computers being used for MeshCentral2 testing.
These computers run both the agent and the entire server.

Popular posts from this blog

MeshCentral - Windows ARM64, NodeJS v11, NPM Packages

Starting work at Microsoft

MeshCentral - New Windows Agents - Installation Dialog, Customization and Server Lock