Prevent Man in the Middle (MITM) using MKey Authentication

MKey is a Stratodesk-only security component that protects against Man in the Middle attacks between NoTouch Center and NoTouch OS devices.

Client MKey Authentication helps prevent unauthorized access to a client machine's configuration. When a client is first put into a group and retrieves a configuration from NoTouch Center for the first time, it is assigned an MKey, which is essentially a very long, unpronounceable password. The client stores this password and uses it to authenticate every subsequent call to NoTouch Center.

NoTouch Center, however, will only accept requests with that MKey as soon as one has been assigned. If this client (or somebody pretending to be that client) connects without the MKey, NoTouch Center will not store any information from this system, will not deliver a configuration, and will not deliver firmware updates. Instead, NoTouch Center will log an MKey Authentication Failure.

MKey failures in regular operation

There are two situations in regular operation that can create an MKey Authentication Failure:

  • Client-side factory reset. The moment you delete all local data, the client forgets its MKey as well. NoTouch Center does not know that you have intentionally factory-reset the device; it just sees a machine that is no longer authenticated.
  • New installation/"update" with USB or PXE. Similar to the factory reset, if you do not do a normal firmware update but instead overwrite the installation using the NoTouch installers via USB stick or PXE-install, the client will have all local configuration data reset, including any MKeys.
  • Downgrade to a client OS version older than 2.39.215. Client versions before 2.39.215 did not have support for MKey authentication, so they will just ignore the MKey token. NoTouch Center, however, will insist. It cannot simply accept the claim that the OS is older: an intruder would certainly fake the version number. That would be like politely asking the burglar at the front door whether he is a criminal.

Resetting the MKey for a client or group

  1. Click on the group or client
  2. Click on the "Actions" tab
  3. Select "MKey Authentication reset"
  4. Click "Execute"

From now on, this client, or all members of the group you executed the MKey reset on, will be allowed to talk to NoTouch Center without an MKey. Older firmware releases (see "Downgrade" above) will then do so forever. New software releases will immediately be assigned a new MKey.

MKey settings

In the NoTouch Center settings you can disable the MKey authentication mechanism entirely. Look for the section named "Advanced Settings".

  • Use MKey Auth tokens. When disabled, no MKeys will be handed out and MKeys are not required any more. When on, the functionality is as described above. Default: on.
  • Allow older versions without MKey support. This switch should be on if you run versions older than 2.39.215, which cannot handle MKeys. If set to off, NoTouch will assign MKeys to any OS version. Default: on.

Note: Even when "Allow older versions without MKey support" is on, a downgrade from a newer, MKey-capable OS to an older, MKey-incapable OS still needs a reset. The switch only controls assigning keys in the first place. Otherwise the whole mechanism would be pointless, since one could circumvent it by pretending to have done a downgrade.
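
The decision logic described on this page, as an added Python model (an illustration written for this article, not Stratodesk code or NoTouch Center's implementation). The class and method names, the client IDs and the token generation are assumptions; only the behaviour and the 2.39.215 threshold come from the text above.

```python
import hmac
import secrets

MKEY_MIN_VERSION = (2, 39, 215)  # first client OS version with MKey support (from the page)


class Center:
    """Toy model of the server-side MKey decisions (hypothetical names)."""

    def __init__(self, use_mkeys=True, allow_older=True):
        self.use_mkeys = use_mkeys      # "Use MKey Auth tokens"
        self.allow_older = allow_older  # "Allow older versions without MKey support"
        self.mkeys = {}                 # client id -> assigned MKey
        self.failures = []              # logged MKey Authentication Failures

    def handle(self, client_id, claimed_version, presented=None):
        """Return (decision, newly_assigned_mkey_or_None) for one client request."""
        if not self.use_mkeys:
            return "accepted", None
        stored = self.mkeys.get(client_id)
        if stored is not None:
            # A key is on record: the claimed version is ignored, because the
            # client (or an impostor) controls it. Compare in constant time.
            if presented is not None and hmac.compare_digest(
                stored.encode(), presented.encode()
            ):
                return "accepted", None
            self.failures.append(client_id)
            return "rejected", None
        # No key on record: first contact, or an MKey reset was executed.
        if self.allow_older and tuple(claimed_version) < MKEY_MIN_VERSION:
            return "accepted", None     # old OS cannot store a key; none is assigned
        key = secrets.token_urlsafe(48)  # constructed stand-in for the long password
        self.mkeys[client_id] = key
        return "accepted", key

    def reset_mkey(self, client_id):
        """Model of the "MKey Authentication reset" action for one client."""
        self.mkeys.pop(client_id, None)
```

In this model a request that merely claims an older version is rejected while a key is on record, and is accepted without a key only after `reset_mkey` has been called, which is the behaviour the note above describes.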