Secure IOT (NodeJS Client)

There are many ways to secure and authenticate a networking communication, but not all solutions will run on a microcontroller, where processing power and memory is a scarce resource.

How does it work?

Server → the iot device that will receive the command

Client → the command sender

  1. The Client connects to the Server.

  2. [ Optional: The Client sends a predefined ammount of data for the Server to wake up. (Some libraries need the client to send first data, else they will not recognize that a connection was just made.) ]

  3. The Server sends a challenge to be solved.

  4. The Client send the solved challenge with the command.

  5. The Server extracts the command from the response/solution, executes it [Optional: sends back the response ].

  6. [ Optional: The Client extracs the execution response from the Server response. ]

Implementation

Server + Client Requirements

  • set the same initial data length (0-n)

  • set the same hashing function

  • set the same symmetric password

Data

  1. [ Optional: Client Sends: 1-n bytes (wake up packet) ]

  2. Server: Sends Challenge (1-n bytes)

  3. Client: Sends solved challenge ( Len(hash) bytes)

  4. [ Optional: Server: Sends Response ( Len(hash) bytes) ]

Methodology

  1. [ Optional: The Client after connection, sends a predefined number of bytes. ]

  2. The Server generates and sends a random number (bigger → more secure) for each connection.

  3. The Client calculates and sends the HMAC of (random server data + command) using the shared secret password

  4. The Server tries to find what possible command could the Client have sent (calculates HMAC of random server data + possible command, using the shared secret password and compares them) and then calls the corresponding function. [ Optional: The response of that function is then calculated (HMAC of random server data + response, using the shared secret password) and sent to the Client. ]

  5. [ Optional: The Client tries to find what possible response command could the Server have sent (calculates HMAC of random server data + response command, using the shared secret password) ]

Considerations

Pros

  • Minimalistyc nor verbose

  • minimal memory usage*

  • minimal cpu usage*

  • fast**

  • authentication

  • confidentiality

  • replay protection

*with the use of appropriate hashing functions

**when a limited ammount of commands is used

Cons

  • uses symetric cryptography

  • is not designed to send multiple bytes (1 byte commands recommended)

  • requires a random seed

Proof of Concept

Tested and fully working demo is attached!

This demo was implemented on a pc (Node.JS Client) and an arduino pro mini with an ethernet shield (Server).