We need to add RSA encryption after my Qualcomm (QCA4020) Iot device gets paired to android app.
Not sure how to implement this case to exchange RSA public keys between devices.
After device pairing, do we need to define GATT service to exchange RSA public keys?
if yes are there any standard GATT service defined by bluetooth for key exchange?
What is the standard way for implementing application level encryption that is defined by bluetooth?
Looking for some brief explanation.
Thank you.
After device pairing, do we need to define GATT service to exchange RSA public keys?
Yes, if you want to use you own security procedure at application level you need to define a GATT service to transfer the keys. You could reuse an existing one as long as you can differentiate between a normal message and your keys
if yes are there any standard GATT service defined by bluetooth for key exchange?
No, there are, to my knowledge, no predefined GATT services available for key exchanges
What is the standard way for implementing application level encryption that is defined by bluetooth?
There is no standard, application level security is totally up to you. I personally would go with a more lightweight encryption method like AES with an ECDH key exchange
Related
Here is the scenario:
The device calls the endpoint(Function App/WebService) with some device information.
The endpoint will have embedded intermediate certificate(X509)(created using root cert) this intermediate certificate is uploaded to the enrollment group
The endpoint will create device id and leaf certificate for device and call the DPS service(using DPS sdk) to register the device
DPS registers the device successfully.
Now, the endpoint needs to return some information to the device that'd tell the device that it has been provisioned and registered in the iothub and it can start sending the telemetry.
I am not sure what the device will require in this step. If we use symmetric key, we'd normally use the device id and symmetric key to create device client and use device client to send device to cloud messages.
The endpoint will create device id and leaf certificate for device and call the DPS service(using DPS sdk) to register the device
When we reach this step we then need to install the leaf certificate in a secure way to the device - how is this being achieved in your architecture? Always make sure that you are protecting your device's private key on this process. Using a secure silicon chips in the form of Hardware Secure Modules (HSM) for protecting device private keys.
Now, the endpoint needs to return some information to the device that'd tell the device that it has been provisioned and registered in the iothub and it can start sending the telemetry.
If you can trust that the endpoint is secure, then the information to be exchanged with the device is the leaf certificate containing the private key for the Proof-of-possession needed when establishing a connection with IoT Hub.
Devices manufactured for X.509 CA authentication are equipped with device unique certificates and a certificate chain from their respective manufacturing supply chain. Device connection, even for the very first time, happens in a two-step process: certificate chain upload and proof-of-possession.
Ref: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-concept
I am developing an IoT device that uses TI's tm4c129encpdt microcontroller, cc3100 wifi chip and TI RTOS, and I am using TLS for secure communication with the server (HTTPS).
I just want to make my device more secure by adding some authentication methods. I am already assigning tokens to the device through a server.
Is there any standard way to add authentication method to an IoT device based on which I can assure to my clients that it has secured communication and authentication method?
Thanka and Regards
Akhilesh Gangwar
Use the 2-way authentication using TLS.
I have a problem with security of my system. I have develop a mobile app that communicate with my Bluetooth Low Energy device. My device requires challenge-response authorization, it stored secret key, and it has not the Internet access. The question is how can I store that secret key safely in my cloud database? All my users need to use the same secret key to communicate with that device.
I'm currently researching on PGP and authentication schemes.
Let's say i'm communicating with someone who claims to be an admin of a ftp site. (say, his email address is admin#genuine-website.com)
Assume both of us have one another's PGP public keys.
Say first, we exchange fingerprints and verify them (by directly transmitting them and not using out of band authentication like phone/sms). In the second step, we exchange a signed message and then verify the signature.
Are these two steps good enough to establish authenticity?
By means of this fictitious example, the basic question i'm trying to ask is whether these steps are "enough" or should i opt for another mutual authentication scheme on top of this?
That's enough, however the most tricky is to verify fingerprints.
For PGP this is done via cross-signing keys with other keys. While in X.509 it is hierarchical structure (top CAs and signed by them certificates), in PGP it is done as 'web of trust'.
No, that's not good enough. A man-in-the-middle can substitute his public keys for yours and your partner's, and then do the same thing with the fingerprints so that everything appears to check out okay.
You'll need to use PGP's web of trust, or exchange fingerprints in another medium that you trust, to verify the public key you received is authentic.
I am new to PKCS#11 and Common Access Cards but as I understand it, on the card you have the certificates(s) that can be extracted and the private key(s) that can't. I am trying to write an app that communicates with a web server that requires certificates for authentication. The PKCS library provided from the hardware vendor is pretty thin. I can essentially access the certificate object or sign data using the on-card private key.
What I am unsure of how I handle the handshake and such when connecting to the webserver. Am I supposed to provide the certificate along with something else signed by the private key? If so, what is it that I sign with the private key? I have Googled this but have been unable find some kind of explanation for this process.
If you are using an RSA key on the common access card for authentication, you'll need to send a CertificateVerify message in the handshake, which contains digital signatures over the handshake records to that point. You'll also need to send the client certificate, of course. See §7.4.8 of the TLS specification for details.
Hopefully, your TLS library supports the use of a PKCS #11 cryptographic module. If not, you might have to switch. Implementing TLS yourself when you aren't familiar with the specification is unreasonable.
I think you just need to retrieve your client certificate from your PKCS#11 device and then use it along the request you are making to web server. You don't need to implement SSL if you use existing libraries. They should contain all you need.