I have designed a simple communications protocol, over raw TCP sockets, to enable simple messaging between some embedded devices. To put things in context, my embedded device is a box of electronics containing a relatively small microcontroller that is running a basic embedded RTOS (which essentially provides just task priority and message queueing) and TCP/IP stack. The intended use for the TCP protocol is to
I now have a messaging protocol working between my metal boxes that I'm happy with. The basic messaging procedure between two boxes is basically:
What I would now like to do is to incorporate some level of security and authentication. The great restriction here is that I don't have any kind of OS or glorified TCP stack that can provide me with any security features; I just have simple TCP stack, and therefore I must implement security measures at application level, and with microcontroller limitations in mind.
The objectives I would like to meet are:
Authentication between devices. To achieve this, I'm intending to do the following measures:
Hold a table of known IPs from which connections shall only be accepted.
Each time a socket connection is established, unique identifiers are always exchanged first. The number might be a unique serial number for a given device, and must be known to the other devices.
Encryption of data, in the event that packets are somehow intercepted. Presumably I need some kind of cipher algorithm that isn't too 'expensive' to perform on a small microcontroller, used in conjunction with a unique key that is programmed into all devices. One such algorithm I've seen, which looks compact enough to implement in my code, is TEA (Tiny Encryption Algorithm).
I would be most grateful for any advice or pointers.
TEA looks to be quite simple and will probably do what you need.
compiling for thumb with -O2 or similar optimizations:
arm-none-linux-gnueabi-gcc (Sourcery G++ Lite 2011.03-41) 4.5.2 encrypt 136 bytes decrypt 128 bytes
llvm 29 encrypt 92 bytes decrypt 96 bytes
compiling for generic arm...
gnu encrypt 188 bytes, decrypt 184 bytes
llvm encrypt 112 bytes, decrypt 116 bytes
For authentication, is there a one-to-one relationship between the IP address table and the number of devices? Basically, does there need to be more than one unique identifier per device? Are you wanting the other side that is making the connection to the embedded system to log in in some form or fashion? Or are you controlling the binaries/code on both ends and there are no users or no selection of devices (the programs know what to do), etc.? If each device has a known IP address, that IP address could be the key to the encryption (plus other bytes common to all or derived in some fashion that everyone knows). If a connection coming in is 1) not from the approved list, or 2) encryption fails when the embedded system's IP-address-based key fails, then reject the connection.
Your security can only go so far anyway; if you need something really robust you probably need more horsepower in the embedded system and then implement one of the common/standard systems like SSL.
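The cipher that both the question and the answer name, TEA, as an added example in C. This is not code from either poster: it is a plain implementation of the published TEA round function (32 cycles, delta 0x9E3779B9), plus a helper that packs an 8-byte message into TEA's two 32-bit words in a fixed byte order so two boxes with different native endianness agree on the result. The key and message values are constructed sample values, and `tea_roundtrip_ok` / `tea_wrong_key_fails` are hypothetical helper names chosen for this example.

```c
/* Added example: TEA (Tiny Encryption Algorithm) in portable C for a small
 * microcontroller. Not code from the question or the answer; the key and
 * message below are constructed sample values. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TEA_DELTA  0x9E3779B9u  /* the TEA key-schedule constant */
#define TEA_ROUNDS 32           /* 32 cycles, i.e. 64 Feistel rounds */

/* Encrypt one 64-bit block (v[0], v[1]) in place with the 128-bit key k[0..3]. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Decrypt one 64-bit block in place; runs the cycles of tea_encrypt backwards. */
void tea_decrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t sum = (uint32_t)(TEA_DELTA * TEA_ROUNDS); /* wraps to 0xC6EF3720 */
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0;
    v[1] = v1;
}

/* Pack 8 bytes into two words, little-endian, so both ends agree on the
 * wire format regardless of their CPU's native byte order. */
static void tea_pack(const uint8_t in[8], uint32_t v[2]) {
    for (int i = 0; i < 2; i++)
        v[i] = (uint32_t)in[4 * i]            | (uint32_t)in[4 * i + 1] << 8 |
               (uint32_t)in[4 * i + 2] << 16 | (uint32_t)in[4 * i + 3] << 24;
}

static void tea_unpack(const uint32_t v[2], uint8_t out[8]) {
    for (int i = 0; i < 2; i++) {
        out[4 * i]     = (uint8_t)(v[i]);
        out[4 * i + 1] = (uint8_t)(v[i] >> 8);
        out[4 * i + 2] = (uint8_t)(v[i] >> 16);
        out[4 * i + 3] = (uint8_t)(v[i] >> 24);
    }
}

/* Byte-oriented wrappers for exactly one 8-byte block. */
void tea_encrypt_block(const uint8_t in[8], uint8_t out[8], const uint32_t k[4]) {
    uint32_t v[2];
    tea_pack(in, v);
    tea_encrypt(v, k);
    tea_unpack(v, out);
}

void tea_decrypt_block(const uint8_t in[8], uint8_t out[8], const uint32_t k[4]) {
    uint32_t v[2];
    tea_pack(in, v);
    tea_decrypt(v, k);
    tea_unpack(v, out);
}

/* Constructed sample key and 8-byte message (7 characters plus the NUL). */
const uint32_t TEA_SAMPLE_KEY[4]   = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u};
const uint32_t TEA_OTHER_KEY[4]    = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543211u};
const uint8_t  TEA_SAMPLE_MSG[8]   = "HELLO!!";

/* 1 if decrypt(encrypt(msg)) == msg and the ciphertext differs from msg. */
int tea_roundtrip_ok(const uint8_t msg[8], const uint32_t k[4]) {
    uint8_t ct[8], pt[8];
    tea_encrypt_block(msg, ct, k);
    tea_decrypt_block(ct, pt, k);
    return memcmp(pt, msg, 8) == 0 && memcmp(ct, msg, 8) != 0;
}

/* 1 if decrypting under a different key does NOT recover the message. */
int tea_wrong_key_fails(const uint8_t msg[8], const uint32_t k[4], const uint32_t wrong[4]) {
    uint8_t ct[8], pt[8];
    tea_encrypt_block(msg, ct, k);
    tea_decrypt_block(ct, pt, wrong);
    return memcmp(pt, msg, 8) != 0;
}

int main(void) {
    uint8_t ct[8];
    tea_encrypt_block(TEA_SAMPLE_MSG, ct, TEA_SAMPLE_KEY);
    printf("ciphertext:");
    for (int i = 0; i < 8; i++) printf(" %02x", ct[i]);
    printf("\nround trip ok: %d\n", tea_roundtrip_ok(TEA_SAMPLE_MSG, TEA_SAMPLE_KEY));
    return 0;
}
```

Two things a block cipher on its own does not give you, and which matter for the objectives in the question: encrypting each 8-byte block independently under a fixed key means identical plaintext blocks produce identical ciphertext blocks, so a mode of operation with a per-message nonce is needed, and encryption provides no integrity or authentication, so a corrupted or forged block decrypts to garbage rather than being rejected. Exchanging a device serial in the clear, as the question proposes, identifies a device only to a peer that cannot observe the traffic; a message authentication code keyed with the shared secret is the usual way to make both the identifier and the payload verifiable.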