-->

ESP8266 Community Forum

Open Community Forum for ESP8266, Come share Arduino and IoT (Internet of Things)
https://www.esp8266.com/

Keeping Passwords secure on flash memory ESP8266/Arduino

https://www.esp8266.com/viewtopic.php?f=32&t=21881

Page 1 of 1

Keeping Passwords secure on flash memory ESP8266/Arduino

PostPosted: Fri Sep 11, 2020 8:56 am
by kenibark6
Hi all,

I am experimenting with an esp8266 (at the moment a wemos d1 mini, but subject to change) and Oauth2.0 flow.
What I want to do is to make an IOT device that transfers sensor data to a platform. This platform is secured and I need to traverse the Oath2.0 flow to obtain an access and refresh token.

Although this is a personal project, I would like to use this as a learning experience for if I would make this a commercial product. So I will make a captive portal, allowing users to enter their Wifi credentials to connect to their wifi network. And enter their username & password for the external system to login through Oauth2.0 flow.

So here is the question I am having: How can I securely store information such as(, but not limited to) the SSID, SSIDPassword and the refreshtoken?

Is it safe to store this in flash memory (using EEPROM), or could this information be potentially obtained when someone would get their hands on one of the units? How do commercial products tackle this?

Note that I have not yet worked with flash memory, so sorry if my question is of low quality.

Thanks!

Re: Keeping Passwords secure on flash memory ESP8266/Arduino

PostPosted: Sat Sep 19, 2020 11:30 am
by giannis
Good point, I had the same thoughts and questions

I was searching the net and found this on reddit
https://www.reddit.com/r/esp8266/commen ... _firmware/

Seems like the esp8266 does not offer encryption on the flash and only the esp32 does.

https://docs.espressif.com/projects/esp ... ption.html

But again i am very new to this to have an informative opinion on the matter and i think some experience programmers should address the questions.

regards


kenibark6 wrote:Hi all,

I am experimenting with an esp8266 (at the moment a wemos d1 mini, but subject to change) and Oauth2.0 flow.
What I want to do is to make an IOT device that transfers sensor data to a platform. This platform is secured and I need to traverse the Oath2.0 flow to obtain an access and refresh token.

Although this is a personal project, I would like to use this as a learning experience for if I would make this a commercial product. So I will make a captive portal, allowing users to enter their Wifi credentials to connect to their wifi network. And enter their username & password for the external system to login through Oauth2.0 flow.

So here is the question I am having: How can I securely store information such as(, but not limited to) the SSID, SSIDPassword and the refreshtoken?

Is it safe to store this in flash memory (using EEPROM), or could this information be potentially obtained when someone would get their hands on one of the units? How do commercial products tackle this?

Note that I have not yet worked with flash memory, so sorry if my question is of low quality.

Thanks!

Re: Keeping Passwords secure on flash memory ESP8266/Arduino

PostPosted: Sat Sep 19, 2020 3:45 pm
by schufti
correct, no security on the flash.
All times are UTC - 5 hours
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/