diff --git a/sec_iot_arduino_server.adoc b/sec_iot_arduino_server.adoc new file mode 100644 index 0000000..9acd8f2 --- /dev/null +++ b/sec_iot_arduino_server.adoc @@ -0,0 +1,98 @@ +Secure IOT (Arduino Server) +--------------------------- + +There are many ways to secure and authenticate a networking communication, but not all solutions will run on a microcontroller, where processing power and memory is a scarce resource. + +How does it work? +~~~~~~~~~~~~~~~~~ + ++Server -> the iot device that will receive the command+ + ++Client -> the command sender+ + + +. The Client connects to the Server. + +. [ Optional: The Client sends a predefined ammount of data for the Server to wake up. (Some libraries need the client to send first data, else they will not recognize that a connection was just made.) ] + +. The Server sends a challenge to be solved. + +. The Client send the solved challenge with the command. + +. The Server extracts the command from the response/solution, executes it [Optional: sends back the response ]. + +. [ Optional: The Client extracs the execution response from the Server response. ] + + + +Implementation +~~~~~~~~~~~~~~ + +Server + Client Requirements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- set the same initial data length (0-n) +- set the same hashing function +- set the same symmetric password + +Data +^^^^ + +. [ Optional: Client Sends: 1-n bytes (wake up packet) ] + +. Server: Sends Challenge (1-n bytes) + +. Client: Sends solved challenge ( Len(hash) bytes) + +. [ Optional: Server: Sends Response ( Len(hash) bytes) ] + + +Methodology +^^^^^^^^^^^ + +. [ Optional: The Client after connection, sends a predefined number of bytes. ] + +. The Server generates and sends a random number (bigger -> more secure) for each connection. +. The Client calculates and sends the HMAC of (random server data + command) using the shared secret password + +. The Server tries to find what possible command could the Client have sent +(calculates HMAC of random server data + possible command, using the shared secret password and compares them) +and then calls the corresponding function. [ Optional: The response of that function is then calculated +(HMAC of random server data + response, using the shared secret password) and sent to the Client. ] + +. [ Optional: The Client tries to find what possible response command could the Server have sent +(calculates HMAC of random server data + response command, using the shared secret password) ] + + + +Considerations +~~~~~~~~~~~~~~ + +Pros +^^^^ + +- Minimalistyc nor verbose +- minimal memory usage* +- minimal cpu usage* +- fast** +- authentication +- confidentiality +- replay protection + +*with the use of appropriate hashing functions + +**when a limited ammount of commands is used + +Cons +^^^^ + +- uses symetric cryptography +- is not designed to send multiple bytes (1 byte commands recommended) +- requires a random seed + +Proof of Concept +~~~~~~~~~~~~~~~~ + +Tested and fully working demo is attached! + +This demo was implemented on a pc (Node.JS Client) and an arduino pro mini with an ethernet shield (Server). diff --git a/sec_iot_arduino_server.html b/sec_iot_arduino_server.html new file mode 100644 index 0000000..37f98ab --- /dev/null +++ b/sec_iot_arduino_server.html @@ -0,0 +1,941 @@ + + + + + + + + + + + +
+
+

Secure IOT (Arduino Server)

+
+

There are many ways to secure and authenticate a networking communication, but not all solutions will run on a microcontroller, where processing power and memory is a scarce resource.

+
+

How does it work?

+

Server → the iot device that will receive the command

+

Client → the command sender

+
    +
  1. +

    +The Client connects to the Server. +

    +
  2. +
  3. +

    +[ Optional: The Client sends a predefined ammount of data for the Server to wake up. (Some libraries need the client to send first data, else they will not recognize that a connection was just made.) ] +

    +
  4. +
  5. +

    +The Server sends a challenge to be solved. +

    +
  6. +
  7. +

    +The Client send the solved challenge with the command. +

    +
  8. +
  9. +

    +The Server extracts the command from the response/solution, executes it [Optional: sends back the response ]. +

    +
  10. +
  11. +

    +[ Optional: The Client extracs the execution response from the Server response. ] +

    +
  12. +
+
+
+

Implementation

+
+

Server + Client Requirements

+
    +
  • +

    +set the same initial data length (0-n) +

    +
  • +
  • +

    +set the same hashing function +

    +
  • +
  • +

    +set the same symmetric password +

    +
  • +
+
+
+

Data

+
    +
  1. +

    +[ Optional: Client Sends: 1-n bytes (wake up packet) ] +

    +
  2. +
  3. +

    +Server: Sends Challenge (1-n bytes) +

    +
  4. +
  5. +

    +Client: Sends solved challenge ( Len(hash) bytes) +

    +
  6. +
  7. +

    +[ Optional: Server: Sends Response ( Len(hash) bytes) ] +

    +
  8. +
+
+
+

Methodology

+
    +
  1. +

    +[ Optional: The Client after connection, sends a predefined number of bytes. ] +

    +
  2. +
  3. +

    +The Server generates and sends a random number (bigger → more secure) for each connection. +

    +
  4. +
  5. +

    +The Client calculates and sends the HMAC of (random server data + command) using the shared secret password +

    +
  6. +
  7. +

    +The Server tries to find what possible command could the Client have sent +(calculates HMAC of random server data + possible command, using the shared secret password and compares them) +and then calls the corresponding function. [ Optional: The response of that function is then calculated +(HMAC of random server data + response, using the shared secret password) and sent to the Client. ] +

    +
  8. +
  9. +

    +[ Optional: The Client tries to find what possible response command could the Server have sent +(calculates HMAC of random server data + response command, using the shared secret password) ] +

    +
  10. +
+
+
+
+

Considerations

+
+

Pros

+
    +
  • +

    +Minimalistyc nor verbose +

    +
  • +
  • +

    +minimal memory usage* +

    +
  • +
  • +

    +minimal cpu usage* +

    +
  • +
  • +

    +fast** +

    +
  • +
  • +

    +authentication +

    +
  • +
  • +

    +confidentiality +

    +
  • +
  • +

    +replay protection +

    +
  • +
+

*with the use of appropriate hashing functions

+

**when a limited ammount of commands is used

+
+
+

Cons

+
    +
  • +

    +uses symetric cryptography +

    +
  • +
  • +

    +is not designed to send multiple bytes (1 byte commands recommended) +

    +
  • +
  • +

    +requires a random seed +

    +
  • +
+
+
+
+

Proof of Concept

+

Tested and fully working demo is attached!

+

This demo was implemented on a pc (Node.JS Client) and an arduino pro mini with an ethernet shield (Server).

+
+
+
+
+

+ + +