Comments by GPIB99 (Top 3 by date)
GPIB99
1-May-15 9:55am
I see from a reference setup that I found:
Application: SSL/TLS / WebSocket
Authentication: X.509 / RSA-2048
Encryption: AES128
API: REST
Micro: ARM Cortex M3
So, based on all the feedback and understanding more about what X.509/SSL/TLS is, I think this is the direction I am going to head in for secure communications from an embedded system.
Also, from what I understand, if you are using an Arduino or other low-resource chip, some form of encryption is available (Google), but secure communications would definitely be handled differently.
So either way, as part of deploying numerous end-points of these devices, there would have to be a procedure to configure a known address or other way of identifying them on whatever the end network is. So if using very low-resource devices the key and address can be set up (with the caveats as you mentioned above), or with more robust devices just a known address can be set up with the communication handled the SSL/TLS X.509 way.
As an aside, after pondering this for a while: since communication is just a stream of bits and the X.509 SSL describes the process to create a secure channel, couldn't this technically be applied to ANY connection, including something like a serial port?
GPIB99
30-Apr-15 10:43am
Interesting, this is making more sense and gives me a direction to further research. Thanks to all for the information.
"PKI/SSL is a very big hammer to be wielding in an Arduino environment"
"## asymmetric (PKI) encryption is VERY slow, so typically what happens in the credential/key-exchange/message-exchange phase is a random symmetric key is generated, THAT latter key is used to encrypt the data (because symmetric encryption is very fast), the symmetric key is encrypted using the asymmetric encryptor and handed over"
This means, though, I will still need the framework in place for PKI/SSL to hand over the key? (IF I do not pre-load a private key into all site devices)
As a side note, I heard of one embedded IoT system that referenced X.509 used for its security; I am guessing that this may then be what you describe. It uses the X.509 to establish a secure SSL connection, hands over a symmetric key and then continues with that?
I wish there was a book or something that described "Here are the current security schemes used, and here are the heavyweight central server methods and here are the alternatives as you travel down the device capabilities from something like an RPi to an Arduino"
GPIB99
29-Apr-15 12:28pm
From what I can tell so far this is the way all secure communication is done in general from web servers to IoT devices? However you do explain it well to get an idea of how it all works together, thanks!
Also, from what I read, SSL can be used for secure HTTP, FTP and TCP communications, so I am guessing that an HTTPS server could be used interchangeably with an FTP server, TCP/IP server, etc.?
X509 comes up often with secure connections and I have only seen it associated with SSL. Is this the case, or are there other SSL-like secure communication schemes that can be used with this?
The type of encryption used is part of the X509 certificate? RSA, AES, etc. is indicated as part of the certificate? This is what I understand currently.
From the description I see that the public key can decrypt anything from the server. So if someone gets the certificate and intercepts the traffic between the server and my device, they could decrypt and read whatever I am trying to securely send from the server?
I see how the device can send its login information to the server from what you describe:
- Server passes x509 with public key
- Server requests x509 from device, generate and send self signed
- Now at this point the server sends data through SSL using the server private key which can be decrypted in the device from the received x509 with public key
- The device can send data securely to the server using the device self generated x509 private key and the server decrypts by using the device self generated x509 public key it received.
If someone gets the server x509 sent to the device and intercepts the self generated x509 sent to the server then don't they have both public keys and can decrypt any data that they intercept either way including login/password?
So the components of a secure connection:
- Certificates that describes the public key and type of encryption used (X509)
- The actual encryption implementation (RSA, AES etc)
- The transport that handles the handshake and exchange of encrypted data (HTTPS for example)
I feel, however, that this is not absolute and there are other ways to securely communicate. If you had a bunch of Arduinos talking to each other over a local network in a mesh style with no central server, then the above does not seem to fit well. I am sure there is still a certificate mechanism, but I don't see how you can generate and distribute the certificates in this system in such a way that the public key can't be used to decrypt communication.
If all devices were pre-loaded with private keys and they were known among the set of all devices internally is how I imagine complete security would be attainable.
I have googled and read somewhat in depth a few dozen more articles and I keep ending up at either
- Security needs to be addressed, you need to communicate on a secure channel of which HTTPS/SSL/X509 is used in this specific article (um yes of course)
- Wikipedia page on X509 certificates (ok great, how does this fit in with everything and what are the alternatives?)
Am I searching for something that is not there, is in fact SSL and X509 THE ONLY option out there for secure communications? How does this apply to a mesh network of devices with no central server?
If you had an encryption library, could you initiate secure communication between devices? I am guessing you would either need to pre-load keys or roll an X509/SSL-type library to handle the certificate authentication/passing.
Let's say that I would like to learn more about encryption, authentication and authorization. Is it plausible to start off implementing secure communication between two serial ports and then progressing up to something like HTTP/TCP/FTP?
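The serial-port and pre-loaded-key questions in these comments can be made concrete with a small sketch; this is an added example, not part of the original comments or of any library mentioned in them. It frames messages on a raw byte stream and authenticates each frame with HMAC-SHA256 under a key both ends were provisioned with, rejecting forged and replayed frames; it gives integrity and authenticity only, not confidentiality. The frame layout, the `Endpoint` class and the demo key are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                    # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">HQ")   # payload length (2 bytes) + message counter (8 bytes)


class Endpoint:
    """One side of a serial-style link sharing a pre-loaded key with its peer."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_ctr = 0       # counter stamped on the next frame we send
        self.recv_ctr = 0       # lowest counter we will still accept

    def seal(self, payload: bytes) -> bytes:
        """Return header || payload || HMAC(key, header || payload)."""
        header = HEADER.pack(len(payload), self.send_ctr)
        self.send_ctr += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def unseal(self, stream: bytearray):
        """Pop one frame from the receive buffer; None means 'need more bytes'."""
        if len(stream) < HEADER.size:
            return None
        length, ctr = HEADER.unpack_from(stream)
        total = HEADER.size + length + TAG_LEN
        if len(stream) < total:
            return None
        frame = bytes(stream[:total])
        del stream[:total]      # consume the frame whether or not it verifies
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("bad tag")
        if ctr < self.recv_ctr:                      # old counter: replayed frame
            raise ValueError("replayed frame")
        self.recv_ctr = ctr + 1
        return body[HEADER.size:]


def demo():
    key = bytes(range(32))      # constructed demo key, never use a fixed key like this
    device, server = Endpoint(key), Endpoint(key)
    wire = bytearray(device.seal(b"temp=21.5"))      # bytes as they would cross the UART
    return server.unseal(wire)
```

The limits of this sketch are the ones the thread points at: every device holding the shared key can forge frames as any other, and there is no key rotation or forward secrecy, which is what a certificate-based TLS handshake adds on more capable hardware.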