CaptainBisquick
Posts: 8
Joined: Sun Jun 04, 2017 6:09 am

Key system for IoT device

Fri Oct 13, 2017 12:20 am

I'm running a NodeJS system on my rpi and I'm looking for a strategy (npm module ideally) to authenticate the device as being one of mine. I will give these devices to users and my server will allow them to associate their account with the device. What would be the best way to do this, without being too difficult to set up? This is for a prototype project, so it doesn't need to have the same level of strength as a mass-produced product.

asandford
Posts: 1674
Joined: Mon Dec 31, 2012 12:54 pm
Location: Ealing

Re: Key system for IoT device

Fri Oct 13, 2017 12:35 am

There have been umpteen threads over the years asking how to secure a pi running a proprietary paid-for application against theft / copying / unlicensed use, etc.

The consensus is you can't with such an easily removable storage medium.

CaptainBisquick
Posts: 8
Joined: Sun Jun 04, 2017 6:09 am

Re: Key system for IoT device

Fri Oct 13, 2017 3:50 am

That's not what I'm asking. I only care that I can verify the device connecting to my server is the one I built, and likely hasn't been tampered with. I could, for example, glue the SD card into the device, as a means of deterring tampering. Then the next question is how to employ encryption in my NodeJS project.

IanS
Posts: 152
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: Key system for IoT device

Fri Oct 13, 2017 12:23 pm

It sounds like you are looking for what is often called mutual authentication. Normally when using HTTPS, the server presents a certificate to the client to prove who it is. With mutual authentication, the client also has to prove who it is to the server, again often using a certificate-based method. This is not necessarily easy to set up - you would need to set up your own PKI. You would not need the root certificate to be commercially signed to prevent warnings if you install the public part of the signing certificate on all your clients.
Since cloning the SD card would copy any certificates, you might want to tie in some other identification factor too. Perhaps the client could provide its MAC or the serial number from /proc/cpuinfo, and you check against a white-list on the server. None of these is a perfect mechanism, but the more you layer together the harder it is to mimic all of them.

In terms of tamper detection, the main two (free) tools for Linux are Tripwire and OSSEC. See https://www.upguard.com/articles/tripwi ... ht-for-you for a comparison.
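An added example, not part of the original thread or any poster's code: a Node.js sketch of the layered check described in the post above, where the server demands a client certificate signed by a private CA and then compares the serial the client reports with the one enrolled for that certificate. The function names, the `x-device-serial` header and the allowlist values are assumptions made for illustration.

```javascript
// Added illustration; names, header and allowlist values are assumptions.
// Constructed allowlist: SHA-256 fingerprint of each client certificate you
// issued -> the Pi serial (from /proc/cpuinfo) it was provisioned onto.
const SAMPLE_FP = Array(32).fill('AB').join(':');      // constructed value
const DEVICES = new Map([[SAMPLE_FP, { serial: '00000000a1b2c3d4' }]]);

// Decide whether a TLS peer is one of our devices.
//   authorized    - socket.authorized (chain verified against our CA)
//   peerCert      - socket.getPeerCertificate()
//   claimedSerial - serial the client reports; self-reported, so it only
//                   adds a layer on top of the certificate check
function authorizeDevice(authorized, peerCert, claimedSerial, devices = DEVICES) {
  if (!authorized) return { ok: false, reason: 'certificate not signed by our CA' };
  if (!peerCert || !peerCert.fingerprint256) {
    return { ok: false, reason: 'no client certificate' };
  }
  const entry = devices.get(peerCert.fingerprint256);
  if (!entry) return { ok: false, reason: 'certificate not enrolled' };
  const serial = String(claimedSerial || '').trim().toLowerCase();
  if (serial !== entry.serial) {
    return { ok: false, reason: 'serial does not match certificate' };
  }
  return { ok: true, serial: entry.serial };
}

// HTTPS server that demands a client certificate. key/cert are the server's
// own pair; ca is the public certificate of your private signing CA.
function createDeviceServer({ key, cert, ca }) {
  const https = require('https');  // loaded here so the check above has no dependencies
  return https.createServer(
    { key, cert, ca, requestCert: true, rejectUnauthorized: true },
    (req, res) => {
      const result = authorizeDevice(
        req.socket.authorized,
        req.socket.getPeerCertificate(),
        req.headers['x-device-serial']   // hypothetical header name
      );
      res.writeHead(result.ok ? 200 : 403, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(result));
    }
  );
}
```

A cloned SD card carries the certificate and key with it, so the serial comparison only helps when the clone runs on different hardware and reports its real serial.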

asandford
Posts: 1674
Joined: Mon Dec 31, 2012 12:54 pm
Location: Ealing

Re: Key system for IoT device

Sat Oct 14, 2017 12:55 am

CaptainBisquick wrote:
Fri Oct 13, 2017 3:50 am
That's not what I'm asking. I only care that I can verify the device connecting to my server is the one I built, and likely hasn't been tampered with. I could, for example, glue the SD card into the device, as a means of deterring tampering. Then the next question is how to employ encryption in my NodeJS project.
This has been asked many times for various languages, and none are viable.
