I have a problem with the security of my system. I have developed a mobile app that communicates with my Bluetooth Low Energy device. My device requires challenge-response authorization, it stores a secret key, and it does not have Internet access. The question is: how can I store that secret key safely in my cloud database? All my users need to use the same secret key to communicate with that device.
Related
I would like to create a clipboard synchronisation program that works across Windows, Mac and Linux.
Technologies: Electron and Ionic.
Primary priority: security
How to sync the clipboard across devices without storing or touching user data?
How to identify and authenticate a user and enable communication between his devices, without storing clipboard data or IP addresses on the server?
Need help with system design
One way to sync clipboard data across devices without storing or touching user data is to use end-to-end encryption. This means that the clipboard data is encrypted on the sender's device and can only be decrypted on the recipient's device using a unique key that is not stored on the server.
To authenticate users, you could use a combination of public-key cryptography and authentication tokens. The user could generate a unique public/private key pair on each of their devices, and the server could use these keys to establish secure communication channels between the devices.
You could have the devices communicate directly with each other using peer-to-peer networking, which would help avoid storing any user data on the server.
There can be more approaches for all of these, but these are a few you can try.
We need to add RSA encryption after my Qualcomm (QCA4020) IoT device gets paired to an Android app.
Not sure how to implement this case to exchange RSA public keys between devices.
After device pairing, do we need to define GATT service to exchange RSA public keys?
If yes, are there any standard GATT services defined by Bluetooth for key exchange?
What is the standard way of implementing application-level encryption that is defined by Bluetooth?
Looking for some brief explanation.
Thank you.
After device pairing, do we need to define GATT service to exchange RSA public keys?
Yes, if you want to use your own security procedure at application level you need to define a GATT service to transfer the keys. You could reuse an existing one as long as you can differentiate between a normal message and your keys.
If yes, are there any standard GATT services defined by Bluetooth for key exchange?
No, there are, to my knowledge, no predefined GATT services available for key exchanges.
What is the standard way of implementing application-level encryption that is defined by Bluetooth?
There is no standard; application-level security is totally up to you. I personally would go with a more lightweight encryption method like AES with an ECDH key exchange.
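The approach both answers above describe (per-device key pairs for the clipboard sync, and AES with an ECDH key exchange for the BLE link), as an added example that is not part of the original posts: each side keeps its private key, and the relay or GATT characteristic carries only public keys and ciphertext. The curve, the HKDF label and the function names are assumptions chosen for illustration.

```javascript
// Added example: ECDH (P-256) key agreement, HKDF-SHA256, then AES-256-GCM.
const crypto = require('crypto');

// Each side generates its own key pair; only the public key is transmitted.
function newPeer() {
  const ecdh = crypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Derive a 32-byte AES key from the ECDH shared secret. The info label is a
// constructed value that ties the derived key to this one purpose.
function sessionKey(peer, otherPublicKey) {
  const shared = peer.ecdh.computeSecret(otherPublicKey);
  const okm = crypto.hkdfSync('sha256', shared, Buffer.alloc(0),
    Buffer.from('example-app-session-v1'), 32);
  return Buffer.from(okm);
}

// Fresh 96-bit nonce per message; wire format is nonce || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Returns the plaintext, or null if the message was altered or the key is wrong.
function unseal(key, msg) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, msg.subarray(0, 12));
    d.setAuthTag(msg.subarray(12, 28));
    return Buffer.concat([d.update(msg.subarray(28)), d.final()]);
  } catch (e) {
    return null;
  }
}

// Constructed run: two peers exchange public keys; whatever relays the
// traffic (a server or a GATT characteristic) only ever sees `wire`.
function demo() {
  const phone = newPeer(), device = newPeer();
  const kPhone = sessionKey(phone, device.publicKey);
  const kDevice = sessionKey(device, phone.publicKey);
  const wire = seal(kPhone, Buffer.from('clipboard text'));
  const tampered = Buffer.from(wire);
  tampered[tampered.length - 1] ^= 1;
  return { received: unseal(kDevice, wire).toString(),
    tampered: unseal(kDevice, tampered),
    relayKey: unseal(crypto.randomBytes(32), wire) };
}
```

The derived key is only as trustworthy as the public keys that went into it: if they travel unauthenticated, a relay can substitute its own, so exchange them over the already paired link or verify them out of band.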
Here is the scenario:
The device calls the endpoint (Function App/WebService) with some device information.
The endpoint will have an embedded intermediate certificate (X509), created using the root cert; this intermediate certificate is uploaded to the enrollment group.
The endpoint will create a device id and leaf certificate for the device and call the DPS service (using the DPS SDK) to register the device.
DPS registers the device successfully.
Now, the endpoint needs to return some information to the device that'd tell the device that it has been provisioned and registered in the IoT Hub and it can start sending the telemetry.
I am not sure what the device will require in this step. If we use a symmetric key, we'd normally use the device id and symmetric key to create a device client and use the device client to send device-to-cloud messages.
The endpoint will create a device id and leaf certificate for the device and call the DPS service (using the DPS SDK) to register the device.
When we reach this step we then need to install the leaf certificate on the device in a secure way. How is this being achieved in your architecture? Always make sure that you are protecting your device's private key in this process. Use secure silicon chips in the form of Hardware Secure Modules (HSM) to protect device private keys.
Now, the endpoint needs to return some information to the device that'd tell the device that it has been provisioned and registered in the IoT Hub and it can start sending the telemetry.
If you can trust that the endpoint is secure, then the information to be exchanged with the device is the leaf certificate containing the private key for the Proof-of-possession needed when establishing a connection with IoT Hub.
Devices manufactured for X.509 CA authentication are equipped with device unique certificates and a certificate chain from their respective manufacturing supply chain. Device connection, even for the very first time, happens in a two-step process: certificate chain upload and proof-of-possession.
Ref: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-concept
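A simplified model of the proof-of-possession idea mentioned above, as an added example that is not part of the original answer and does not use the IoT Hub or DPS APIs: a signed nonce stands in for the certificate-based proof, and the device's private key never leaves the device object. The names `makeDevice`, `makeVerifier` and the id `device-001` are constructed for illustration.

```javascript
// Added example: challenge-response proof-of-possession with an EC key pair.
const crypto = require('crypto');

// Device side: the key pair is generated on the device and the private key
// stays inside this closure (a stand-in for an HSM or secure element).
function makeDevice(deviceId) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    deviceId,
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    // Sign the id together with the verifier's nonce.
    prove: (nonce) => crypto.sign('sha256',
      Buffer.concat([Buffer.from(deviceId), nonce]), privateKey),
  };
}

// Verifier side: holds public keys only; every nonce is accepted at most once.
function makeVerifier() {
  const registered = new Map(), pending = new Map();
  return {
    register: (id, pem) => registered.set(id, pem),
    challenge(id) {
      const nonce = crypto.randomBytes(32);
      pending.set(id, nonce);
      return nonce;
    },
    check(id, signature) {
      const nonce = pending.get(id), pem = registered.get(id);
      pending.delete(id); // single use, even when verification fails
      if (!nonce || !pem) return false;
      return crypto.verify('sha256',
        Buffer.concat([Buffer.from(id), nonce]), pem, signature);
    },
  };
}

// Constructed run: the genuine device, a replayed signature, and a second
// key pair claiming the same id.
function demo() {
  const verifier = makeVerifier();
  const device = makeDevice('device-001');
  const impostor = makeDevice('device-001');
  verifier.register(device.deviceId, device.publicKeyPem);
  const sig = device.prove(verifier.challenge('device-001'));
  const genuine = verifier.check('device-001', sig);
  verifier.challenge('device-001'); // new nonce, old signature
  const replayed = verifier.check('device-001', sig);
  const forged = verifier.check('device-001',
    impostor.prove(verifier.challenge('device-001')));
  return { genuine, replayed, forged };
}
```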
I am developing an IoT device that uses TI's tm4c129encpdt microcontroller, cc3100 wifi chip and TI RTOS, and I am using TLS for secure communication with the server (HTTPS).
I just want to make my device more secure by adding some authentication methods. I am already assigning tokens to the device through a server.
Is there any standard way to add an authentication method to an IoT device, based on which I can assure my clients that it has secured communication and an authentication method?
Thanks and Regards
Akhilesh Gangwar
Use the 2-way authentication using TLS.
I am creating a Windows Phone 8.1 app that will run on devices that we supply to our customers. We want to associate the device with a customer during provisioning. As the customer employees use the device, they also have to log in to identify themselves. This will drive the authorization process. So really, I want to transparently authenticate the device with no user interaction and then authenticate each user using the usual username/password combination.
For authenticating the device, I am trying to decide whether to:
Use Azure Active Directory, setting up the device as a user, storing the password on the device and then add the customer information I need to the device Identity claims during provisioning.
Create an Azure storage table or blob and secure it with keys which are stored on the phone, and rotated occasionally.
Once the device knows which customer it belongs to, the rest of the process of authenticating the user seems (relatively) straightforward. I do have some concerns about multiple authentication headers in the HTTP call, but I haven't gotten that far, yet.
I'm looking for opinions on the best way to do this, or any experiences anyone might have had in attempting something similar.
Thanks in advance.