Security for IoT

Andrzej_N

New Member
Hello everyone,

I think HTTPS for IoT (especially on an 8-bit uC) is difficult or even impossible. TLS certificates for small devices are impossible (internal IP). Messages from the browser are confusing for normal users. I have developed a concept for secure login and symmetric encryption of the data transmission (see pic in attachment). I would like to discuss that.

Thanks for the effort in advance.
 

Attachments

  • Verschlüsselung.gif (34.8 KB)
Interesting idea, but the TEA algorithm appears to need four "^" operations per pass through the loop, so anything from 32 to 128 depending on the complexity chosen.
That appears totally impractical on an 8-bit CPU?

Even the SHA256 is going to take a very long time (in CPU cycles) on an 8-bit device.

A much simpler access control system exists for a low power device that has a direct internet connection - port knocking.
It is extremely simple, very secure and the device is invisible to probing.


I'd say that any important device incapable of full HTTPS security should not be connected to the internet anyway, it should be on a separate, isolated or firewalled connection to a gateway system of some sort that has full protection / encryption.

Personally, I think the whole idea of using outside resources for devices with inputs and outputs within the same home or premises is fundamentally wrong - especially when it comes to power control, HVAC or security!

External access is a useful feature, but no part of the system should fail if outside connectivity is lost.
 
Thanks rjenkinsgb for the answer.

I implemented it on a PIC18. So far it works without any delay.
The embedded side needs SHA256 only twice. TEA send is very quick; receive is not ready yet. The browser runs on the PC, so the speed doesn't matter.

SHA256: 3724 B ROM, 32 B RAM
TEA: 1074 B ROM, 0 B RAM
I can live with that.

90% of our devices run internally, but some need access from the internet.

I'm looking at port knocking.
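TEA is the cipher both of the posts above are sizing up: the per-pass "^" count in one, the 1074 B ROM figure on the PIC18 in the other. The reference TEA block functions below are an added example written for this thread, not the poster's PIC18 code. They make the per-cycle operation count visible, and they also check one property the thread does not mention: TEA has equivalent keys (flipping bit 31 of k[0] and k[1] together, or of k[2] and k[3] together, leaves every ciphertext unchanged), so a 128-bit key gives only 126 bits of keyspace, which is one reason XTEA was designed. The demo key and plaintext values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference TEA (Wheeler & Needham): 64-bit block, 128-bit key, 32 cycles.
 * Each cycle is two Feistel half-rounds; per cycle that is 4 XORs ("^"),
 * 4 shifts and 9 additions, all on 32-bit words, and on an 8-bit core each
 * 32-bit operation expands to several instructions.
 * Added example; not the poster's PIC18 implementation. */
#define TEA_DELTA   0x9E3779B9u
#define TEA_CYCLES  32
#define TEA_SUM_END 0xC6EF3720u   /* (TEA_DELTA * 32) mod 2^32 */

void tea_encrypt_block(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

void tea_decrypt_block(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_SUM_END;
    for (int i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0;
    v[1] = v1;
}

/* Constructed demo keys. KEY_EQUIV differs from KEY only in bit 31 of k[0]
 * and k[1]; KEY_DIFF differs from KEY only in bit 0 of k[0]. */
const uint32_t TEA_DEMO_KEY[4]       = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };
const uint32_t TEA_DEMO_KEY_EQUIV[4] = { 0x81234567u, 0x09ABCDEFu, 0xFEDCBA98u, 0x76543210u };
const uint32_t TEA_DEMO_KEY_DIFF[4]  = { 0x01234566u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };

/* 1 if decrypt(encrypt(p)) == p and the ciphertext actually differs from p. */
int tea_roundtrip_ok(uint32_t p0, uint32_t p1, const uint32_t k[4])
{
    uint32_t v[2] = { p0, p1 };
    tea_encrypt_block(v, k);
    int changed = (v[0] != p0) || (v[1] != p1);
    tea_decrypt_block(v, k);
    return changed && v[0] == p0 && v[1] == p1;
}

/* 1 if keys ka and kb encrypt the block (p0,p1) to the same ciphertext.
 * Why an equivalent key exists: adding 0x80000000 to a 32-bit word only
 * flips its top bit, and the two terms carrying k[0] and k[1] are XORed
 * together, so flipping both top bits cancels out in every round. */
int tea_same_ciphertext(const uint32_t ka[4], const uint32_t kb[4],
                        uint32_t p0, uint32_t p1)
{
    uint32_t a[2] = { p0, p1 }, b[2] = { p0, p1 };
    tea_encrypt_block(a, ka);
    tea_encrypt_block(b, kb);
    return a[0] == b[0] && a[1] == b[1];
}

int main(void)
{
    uint32_t v[2] = { 0xDEADBEEFu, 0x0BADF00Du };   /* constructed plaintext block */
    tea_encrypt_block(v, TEA_DEMO_KEY);
    printf("ciphertext: %08lX %08lX\n", (unsigned long)v[0], (unsigned long)v[1]);
    printf("roundtrip ok: %d\n", tea_roundtrip_ok(0xDEADBEEFu, 0x0BADF00Du, TEA_DEMO_KEY));
    printf("equivalent key, same ciphertext: %d\n",
           tea_same_ciphertext(TEA_DEMO_KEY, TEA_DEMO_KEY_EQUIV, 0xDEADBEEFu, 0x0BADF00Du));
    printf("1-bit different key, same ciphertext: %d\n",
           tea_same_ciphertext(TEA_DEMO_KEY, TEA_DEMO_KEY_DIFF, 0xDEADBEEFu, 0x0BADF00Du));
    return 0;
}
```

The block functions alone only give confidentiality of single 64-bit blocks; for "encryption of the data transmission" they still need a chaining mode with a fresh IV per message and a MAC (or an SHA256-based HMAC, since SHA256 is already on the device) so that a modified ciphertext is rejected rather than decrypted to garbage.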
 
rjenkinsgb

Wikipedia says: "Encrypted hash values in the knock packet help against attackers who read the data traffic via packet sniffers. In principle, port knocking offers no protection against man-in-the-middle attacks. Services that are offered to the general public on the Internet, such as a web server, cannot be secured with port knocking either."

What a pity!
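Port knocking, as suggested earlier in the thread and qualified by the Wikipedia quote above, comes down to a small state machine over observed inbound packets. The C below is an added example, not the poster's design or any real firmware: the knock ports, timings and service port are constructed. It shows the defensive side (the device never answers a knock, a wrong port resets, a slow sequence times out, the service port is accepted only for a short window) and, in the last demo, the limitation the quote describes: a fixed sequence is a reusable secret sent in clear, so the same packets seen once on the wire open the service again later, which is why it cannot protect a public service.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Port knocking as a host-side state machine. Added example, not the
 * poster's design; ports, timings and the service port are constructed. */
#define KNOCK_LEN        3
#define KNOCK_WINDOW_S   10u    /* whole sequence must arrive within 10 s */
#define OPEN_DURATION_S  30u    /* service reachable for 30 s after a good knock */
#define SERVICE_PORT     8080u

static const uint16_t KNOCK_SEQ[KNOCK_LEN] = { 7000, 8000, 9000 };

typedef struct {
    uint8_t  step;        /* knocks matched so far, 0..KNOCK_LEN-1 */
    uint32_t first_t;     /* arrival time of the first matched knock */
    uint32_t open_until;  /* 0 = closed */
} knock_state_t;

typedef struct { uint16_t port; uint32_t t; } knock_pkt_t;

void knock_init(knock_state_t *s)
{
    s->step = 0;
    s->first_t = 0;
    s->open_until = 0;
}

/* Feed one observed inbound packet (destination port, arrival time in s).
 * Returns 1 if this packet completed the sequence and opened the service.
 * Nothing is ever sent back, so a prober sees no open port. */
int knock_observe(knock_state_t *s, uint16_t port, uint32_t now)
{
    if (s->step > 0 && (now - s->first_t) > KNOCK_WINDOW_S)
        s->step = 0;                        /* too slow: start over */

    if (port != KNOCK_SEQ[s->step]) {
        /* wrong port resets; if it happens to be the first knock, restart there */
        s->step = (port == KNOCK_SEQ[0]) ? 1 : 0;
        if (s->step == 1)
            s->first_t = now;
        return 0;
    }
    if (s->step == 0)
        s->first_t = now;
    if (++s->step == KNOCK_LEN) {
        s->step = 0;
        s->open_until = now + OPEN_DURATION_S;
        return 1;
    }
    return 0;
}

/* Is a packet to the service port accepted at time now? */
int knock_service_accept(const knock_state_t *s, uint16_t port, uint32_t now)
{
    return port == SERVICE_PORT && s->open_until != 0 && now < s->open_until;
}

/* Run a packet trace through the state machine; 1 if the service opened. */
int knock_run_trace(knock_state_t *s, const knock_pkt_t *pkts, size_t n)
{
    int opened = 0;
    for (size_t i = 0; i < n; i++)
        if (knock_observe(s, pkts[i].port, pkts[i].t))
            opened = 1;
    return opened;
}

/* Constructed traces: correct order, wrong order, correct but too slow. */
static const knock_pkt_t TRACE_GOOD[]  = { {7000, 1}, {8000, 2}, {9000, 3} };
static const knock_pkt_t TRACE_WRONG[] = { {7000, 1}, {9000, 2}, {8000, 3} };
static const knock_pkt_t TRACE_SLOW[]  = { {7000, 1}, {8000, 5}, {9000, 20} };

/* Correct sequence opens the service port, and only for OPEN_DURATION_S. Returns 1. */
int knock_demo_good(void)
{
    knock_state_t s; knock_init(&s);
    return knock_run_trace(&s, TRACE_GOOD, 3)
        && knock_service_accept(&s, SERVICE_PORT, 10)
        && !knock_service_accept(&s, SERVICE_PORT, 40)
        && !knock_service_accept(&s, 22, 10);
}
int knock_demo_wrong_order(void) { knock_state_t s; knock_init(&s); return knock_run_trace(&s, TRACE_WRONG, 3); } /* 0 */
int knock_demo_too_slow(void)    { knock_state_t s; knock_init(&s); return knock_run_trace(&s, TRACE_SLOW, 3);  } /* 0 */

/* The limitation from the Wikipedia quote: the same fixed sequence, seen once
 * in clear and sent again 100 s later, opens the service again. Returns 1. */
int knock_demo_replay(void)
{
    knock_state_t s; knock_init(&s);
    knock_pkt_t later[3];
    for (int i = 0; i < 3; i++) {
        later[i].port = TRACE_GOOD[i].port;
        later[i].t = TRACE_GOOD[i].t + 100;
    }
    return knock_run_trace(&s, later, 3);
}

int main(void)
{
    printf("good=%d wrong=%d slow=%d replay=%d\n", knock_demo_good(),
           knock_demo_wrong_order(), knock_demo_too_slow(), knock_demo_replay());
    return 0;
}
```

A real deployment keeps one knock_state_t per source address and, as the quote notes, only becomes resistant to a sniffer if each knock carries something single-use (a counter or timestamp under a keyed hash) instead of a fixed port sequence; even then it is an access filter in front of the service, not a substitute for encrypting and authenticating the session behind it.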
 