Secure IOT (Arduino Server) --------------------------- There are many ways to secure and authenticate a networking communication, but not all solutions will run on a microcontroller, where processing power and memory is a scarce resource. How does it work? ~~~~~~~~~~~~~~~~~ +Server -> the iot device that will receive the command+ +Client -> the command sender+ . The Client connects to the Server. . [ Optional: The Client sends a predefined ammount of data for the Server to wake up. (Some libraries need the client to send first data, else they will not recognize that a connection was just made.) ] . The Server sends a challenge to be solved. . The Client send the solved challenge with the command. . The Server extracts the command from the response/solution, executes it [Optional: sends back the response ]. . [ Optional: The Client extracs the execution response from the Server response. ] Implementation ~~~~~~~~~~~~~~ Server + Client Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - set the same initial data length (0-n) - set the same hashing function - set the same symmetric password Data ^^^^ . [ Optional: Client Sends: 1-n bytes (wake up packet) ] . Server: Sends Challenge (1-n bytes) . Client: Sends solved challenge ( Len(hash) bytes) . [ Optional: Server: Sends Response ( Len(hash) bytes) ] Methodology ^^^^^^^^^^^ . [ Optional: The Client after connection, sends a predefined number of bytes. ] . The Server generates and sends a random number (bigger -> more secure) for each connection. . The Client calculates and sends the HMAC of (random server data + command) using the shared secret password . The Server tries to find what possible command could the Client have sent (calculates HMAC of random server data + possible command, using the shared secret password and compares them) and then calls the corresponding function. [ Optional: The response of that function is then calculated (HMAC of random server data + response, using the shared secret password) and sent to the Client. ] . [ Optional: The Client tries to find what possible response command could the Server have sent (calculates HMAC of random server data + response command, using the shared secret password) ] Considerations ~~~~~~~~~~~~~~ Pros ^^^^ - Minimalistyc nor verbose - minimal memory usage* - minimal cpu usage* - fast** - authentication - confidentiality - replay protection *with the use of appropriate hashing functions **when a limited ammount of commands is used Cons ^^^^ - uses symetric cryptography - is not designed to send multiple bytes (1 byte commands recommended) - requires a random seed Proof of Concept ~~~~~~~~~~~~~~~~ Tested and fully working demo is attached! This demo was implemented on a pc (Node.JS Client) and an arduino pro mini with an ethernet shield (Server).