CaptainBisquick
Posts: 10
Joined: Sun Jun 04, 2017 6:09 am

Key system for IoT device

Fri Oct 13, 2017 12:20 am

I'm running a NodeJS system on my rpi and I'm looking for a strategy (npm module ideally) to authenticate the device as being one of mine. I will give these devices to users and my server will allow them to associate their account with the device. What would be the best way to do this, without being too difficult to setup? This is for a prototype project, so doesn't need to have the same level of strength as a mass produced product.

asandford
Posts: 1787
Joined: Mon Dec 31, 2012 12:54 pm
Location: Ealing

Re: Key system for IoT device

Fri Oct 13, 2017 12:35 am

There have been upteem threads over the years asking how to secure a pi running a proprietary paid for application against theft / copying / unlicensed use...etc.

The consensus is you can't with such an easily removable storage medium.

CaptainBisquick
Posts: 10
Joined: Sun Jun 04, 2017 6:09 am

Re: Key system for IoT device

Fri Oct 13, 2017 3:50 am

That's not what I'm asking. I only care that I can verify the device connecting to my server is the one I built, and likely hasn't been tampered with. I could, for example, glue the SD card into the device, as a means of deterring tampering. Then the next question is how to employ encryption in my NodeJS project.

IanS
Posts: 158
Joined: Wed Jun 20, 2012 2:51 pm
Location: Southampton, England

Re: Key system for IoT device

Fri Oct 13, 2017 12:23 pm

It sounds like you are looking for what is often called mutual authentication. Normally when using HTTPS, the server presents a certificate to the client to prove who it is. With mutual authentication, the client also has to prove who it is to the server, again often using a certificate based method. This is not necessarily easy to set up - you would need to set up your own PKI. You would not need the root certificate to be commercially signed to prevent warnings if you install the public part of the signing certificate on all your clients.
Since cloning the SD card would copy any certificates you might want to tie in some other identification factor too. Perhaps the client could provide its MAC or the serial number from /proc/cpuinfo, and you check against a white-list on the server. None of these is a perfect mechanism, but the more you layer together the harder it is to mimic all of them.

In terms of tamper detection, the main two (free) tools for Linux are Tripwire and OSSEC. See https://www.upguard.com/articles/tripwi ... ht-for-you for a comparison.

asandford
Posts: 1787
Joined: Mon Dec 31, 2012 12:54 pm
Location: Ealing

Re: Key system for IoT device

Sat Oct 14, 2017 12:55 am

CaptainBisquick wrote:
Fri Oct 13, 2017 3:50 am
That's not what I'm asking. I only care that I can verify the device connecting to my server is the one I built, and likely hasn't been tampered with. I could, for example, glue the SD card into the device, as a means of deterring tampering. Then the next question is how to employ encryption in my NodeJS project.
This has been asked many times for various languages, and none are viable.

CaptainBisquick
Posts: 10
Joined: Sun Jun 04, 2017 6:09 am

Re: Key system for IoT device

Tue Oct 31, 2017 10:51 am

asandford wrote:
CaptainBisquick wrote:
Fri Oct 13, 2017 3:50 am
That's not what I'm asking. I only care that I can verify the device connecting to my server is the one I built, and likely hasn't been tampered with. I could, for example, glue the SD card into the device, as a means of deterring tampering. Then the next question is how to employ encryption in my NodeJS project.
This has been asked many times for various languages, and none are viable.
Even if I pot the entire device in resin (leaving an open cooling path for the CPU)? There are measures to lock down the OS. I'm not convinced yet. I need to hear more than just "impossible" before I'll walk away convinced. That's like my parents expecting me to take them for their word when their answer consists only of "because I said so".

CaptainBisquick
Posts: 10
Joined: Sun Jun 04, 2017 6:09 am

Re: Key system for IoT device

Tue Oct 31, 2017 10:53 am

IanS wrote:
Fri Oct 13, 2017 12:23 pm
It sounds like you are looking for what is often called mutual authentication. Normally when using HTTPS, the server presents a certificate to the client to prove who it is. With mutual authentication, the client also has to prove who it is to the server, again often using a certificate based method. This is not necessarily easy to set up - you would need to set up your own PKI. You would not need the root certificate to be commercially signed to prevent warnings if you install the public part of the signing certificate on all your clients.
Since cloning the SD card would copy any certificates you might want to tie in some other identification factor too. Perhaps the client could provide its MAC or the serial number from /proc/cpuinfo, and you check against a white-list on the server. None of these is a perfect mechanism, but the more you layer together the harder it is to mimic all of them.

In terms of tamper detection, the main two (free) tools for Linux are Tripwire and OSSEC. See https://www.upguard.com/articles/tripwi ... ht-for-you for a comparison.
Thanks, this is really helpful.

asandford
Posts: 1787
Joined: Mon Dec 31, 2012 12:54 pm
Location: Ealing

Re: Key system for IoT device

Thu Nov 02, 2017 1:49 am

CaptainBisquick wrote:
Tue Oct 31, 2017 10:51 am

Even if I pot the entire device in resin (leaving an open cooling path for the CPU)? There are measures to lock down the OS. I'm not convinced yet. I need to hear more than just "impossible" before I'll walk away convinced. That's like my parents expecting me to take them for their word when their answer consists only of "because I said so".
You asked for advice, take it or leave it.

Return to “Advanced users”

Who is online

Users browsing this forum: No registered users and 19 guests