0

There is a Java server and many Arduino devices, and they are connected via TCP connection. Board that we can use: Arduino Uno or Arduino Mega 2560

Each Arduino device is actually reporter (say, it takes data from water meter and transmits data to the server) or some kind of remote control for some appliances.

Currently, this connection isn't secure. I need to make it secure, i.e. implement VPN.

I'm completely new in this field of knowledge, and I'm trying to figure out the way should I use.

I really hope that I can find existing implementation of some protocol, and build it into this system.

But which protocol?

I already found out that I can't use IPSec, since TCP/IP stack is hardware-implemented in these Arduino devices, so, we can't modify it.

Therefore, I need to use some protocol higher than TCP, and I need implementation in C (for client devices) and in Java (for server).

I'm trying to find implementations of SSL, or PPTP, or L2TP, or something else which I still don't know about.

If anyone have experience in this field, I would be glad to see your suggestions.

angelatlarge
  • 4,086
  • 2
  • 19
  • 36
Dmitry Frank
  • 10,417
  • 10
  • 64
  • 114
  • 3
    If you have a fixed server you are talking to, you can simplify your problem greatly by hard-coding the public key into your Arduino (rather than negotiating a key) and then doing the usual SSL trick: generate a local key to encode the data, and send the encrypted version of the key by encrypting with the public key. If the data is not too big you could even just encode with the public key directly. I am guessing that you just need the data to be secure - this is actually less than the capability of a "full" VPN connection... – Floris Mar 18 '13 at 01:16
  • Yes, you are guessing right: I just need the data to be secure. Thanks for the hint! – Dmitry Frank Mar 18 '13 at 05:02
  • @Floris, could you please elaborate more on "less than the capability of a full VPN connection"? What key difference it has comparing to my needs: to make the data to be secure? Of course I googled before ask, but as I see, VPN purpose is to build the "tunnel" for secure data exchange. And I can't state concrete differences of VPN and making-data-secure. – Dmitry Frank Mar 23 '13 at 13:59

3 Answers3

2

Response to your follow up question got too long...

VPN usually creates a "tunnel" into an infrastructure- say, the University computer system. That is, the VPN concentrator "sits st the perimeter" of the university network, and when you connect to it, you create a "pass through" into the system behind the firewall - any protocols, any IP addresses inside the firewall become accessible. Key is that anyone observing the flow of traffic from your computer to the concentrator (also called "VPN gateway") only sees you talking to the concentrator - they don't know what IP addresses inside the firewall you are talking to, with what protocol, or what data. By contrast if you don't need to hide all that stuff you just have to encrypt your data itself; a simple encryption algorithm is easy to implement, especially if you don't need to worry about people stealing your devices and getting the code. How complex the encryption needs to be will depend on your application- there is a trade off between speed, memory use, and security.

Goog. le "Arduino encryption library" for some examples; pick a key, then encrypt your data, and just POST it...

Let us know how you make out!

Floris
  • 45,857
  • 6
  • 70
  • 122
  • Thank you very much! I will surely let you know, when I finish it. – Dmitry Frank Mar 24 '13 at 17:23
  • It seems it's done now, so, I did like that: really, I haven't implemented SSL or some other VPN, I used Rabbit cipher (http://en.wikipedia.org/wiki/Rabbit_%28cipher%29) and just a simple session init: each device has its unique ID and hardcoded pair key/IV (init vector); Server has database with ids and these pars. Client sends to Server its ID as a plain text, server generates new pair key/IV, encrypts them by hardcoded key/IV, and sends to the client. So, further communication is done with these generated pair key/IV. – Dmitry Frank May 14 '13 at 06:53
  • Glad you were able to figure it out yourself from just a few suggestions! And appreciate you taking the time to report back on how you solved it. – Floris May 14 '13 at 18:03
  • What happens if someone listening to the communication deletes the return message from the server? – bubblebath May 23 '14 at 14:55
  • @bubblebath - what do you mean? The communication will be encrypted, so how does "someone listening" a) know what is the return message, and b) how do they delete it? If a message was sent but not received, it is usually re-sent (this is how TCP/IP works...). How can someone listening delete, exactly? – Floris May 23 '14 at 15:34
1

I very much agree with @Floris. To add some ideas to that:

  • What about HTTPs? If your communication is one-way (Arduino -> PC) then it should be sufficient for your needs. This issue is discussed in this post, with references to this discussion. HHTPs on Arduino is not easy, but it may have been done.

  • Apparently, XXTEA is another alternative, and there are several stackoverflow questions on this topic as well.

  • If you go the -build-it-yourself route, check out this post on electronics.SE: apparently there is a cryptography library for AVR, and also useful list of attacks to consider in the electronics.SE post: are you worried only about MitM attack? What if someone rips your device open the reads the keys, is that a problem?

Community
  • 1
  • 1
angelatlarge
  • 4,086
  • 2
  • 19
  • 36
  • Thanks for the answer. Need for some elaboration: why is HTTPs sufficient for one-way communication, but not for two-way one? And, another question: By HTTPs you mean just using of SSL/TLS, right? (currently, no HTTP is used, there is just simple text protocol via TCP connection) And, about ripping the device: no, currently I'm not worried about that. – Dmitry Frank Mar 18 '13 at 05:17
  • Well, my thought on one-way vs. two-way was that beyond request-response it might be tougher to implement the kind of communication protocol that involve states. Yes on the HTTPS = SSL/TLS: it just seemed like HTTPS being ubiquitous the SSL/TLS for HTTPS purposes was more likely to be implemented than anything else. Certainly, you are right, if there is a general purpose SSL implementation for Arduino out there you wouldn't be limited to HTTPS. – angelatlarge Mar 18 '13 at 06:10
-1

Here is described an implementation of the [CHAP] (en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol) for Arduino/AVR devices.

And here is described a similar implementation of [HMAC] (en.wikipedia.org/wiki/Hash-based_message_authentication_code) and [SHA256] (en.wikipedia.org/wiki/SHA-2) for Arduino/AVR.

[Cryptosuite] (github.com/wgoulet/Cryptosuite) is an implementation of HMAC-SHA-256 for Arduino.

Finally, [here] (github.com/arpitchauhan/cryptographic-protocols-arduino-and-PC) are demonstrated some cryptographic procolos for Arduino, including key exchange using RSA.

So it is definitely possible to secure communication between Arduino and a server.

niutech
  • 1
  • Welcome to Stack Overflow! While supplementing your answer with links can be very helpful, please make sure your answer has sufficient information to stand on its own, in case those links should ever fail to load. – Hayden Schiff Aug 17 '15 at 20:28