- Sat Jul 11, 2015 5:34 pm
#23025
FlyingHacker wrote:The button is definitely safer, though perhaps not as user friendly. It is a tradeoff.
Yes - this makes sense. I'm thinking it has to be this way.
OK. Let's say that the ESP module is in a "black box" which has a "Wifi Reset" button, i.e. option 2 approach is to be used. Let's say for now that no-one can get into the "Black Box" (perhaps the whole thing is encased in acrylic!!!). This means that re-engineering the code is difficult, because the physical access is difficult etc. (I accept it's not impossible though - just not easy to hack into quickly without leaving evidence of tampering.)
I now see there are 2 areas of security which need looking at, which are:
- How to securely enter the SSID. I did think that a MOBILE APP (or even another ESP module) would have to be used here.
The User enters the ssid and password into the MOBILE APP and this data along with a "transmit key" is scrambled before being sent to the ESP. When the ESP gets the data, it knows it is scrambled, and so unscrambles it to make the AP connection and the "transmit" key (for the next bit below)
- How to securely send data. I'm thinking that because the on-boarding process passes a "transmit key", this can be used to encrypt the data before sending. After the data has been sent, the receiving system knows what the "transmit" key is, and so decrypts the data. Not only that, but it does some sort of CRC check before passing the data on to where it has to be processed (cloud storage or whatever).
Would really appreciate thoughts on this or better approaches.
It's a tricky balancing act knowing when to stop going "overboard" with "on boarding".
Thanks guys
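
The "some sort of CRC check" step described above, as an added example that is not part of the original post: a CRC is unkeyed, so anyone can recompute it for a changed message, whereas the receiver below checks an HMAC-SHA256 tag keyed from the transmit key and rejects repeated counters. The frame layout, key-derivation label and function names are assumptions for illustration, and payload encryption is left out.

```python
import hashlib
import hmac
import struct
import zlib

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def derive_mac_key(transmit_key: bytes) -> bytes:
    # Keep the MAC key separate from the key that encrypts the payload.
    # The label is an assumption for this example.
    return hmac.new(transmit_key, b"esp-frame-mac-v1", hashlib.sha256).digest()


def seal(transmit_key: bytes, counter: int, payload: bytes) -> bytes:
    """Device side: frame = 8-byte big-endian counter || payload || tag."""
    body = struct.pack(">Q", counter) + payload
    tag = hmac.new(derive_mac_key(transmit_key), body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Receiving system: verifies the tag, then enforces a rising counter."""

    def __init__(self, transmit_key: bytes):
        self._mac_key = derive_mac_key(transmit_key)
        self._last_counter = -1  # highest counter accepted so far

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            raise ValueError("bad tag")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:
            raise ValueError("replayed or stale frame")
        self._last_counter = counter
        return body[8:]


def crc_frame_ok(frame: bytes) -> bool:
    """CRC-only check for comparison: frame = body || 4-byte CRC32."""
    body, crc = frame[:-4], frame[-4:]
    return struct.pack(">I", zlib.crc32(body)) == crc
```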