[NTLUG:Discuss] What is the best method to communicate between a device and a server?

Sun Apr 6 10:00:59 CDT 2008

> The monetary value of the data is the same level as the data on your
> neighbor's water or electrical meter.  You can look at the water meter
> in front of his house or the electrical meter on the side of his house,
> but it is not much value to you or anyone else other than your neighbor
> and the water or electrical company.

But security does matter for those things - not because there is much
value on spying in on it - but because there would be huge value in
spoofing it.  Take your water meter for example: If you could build a
machine that could fake data from the real water meter computer - then you
could maybe tell the system that you weren't using as much water as you
really are - and thereby gain from spoofing it.

It's hard to imagine any kind of data you might be collecting that has
value to you but zero value to both an observer and a spoofer.

Your hex substitution table is only as good as your ability to protect its
contents against ex-employees with copies of the source code or people who
steal one of your monitoring boxes and disassemble the ROM contents. 
People like to do that - some just for fun - some out of malice.

A fixed substitution table is easy to spoof - you simply watch what bytes
the gizmo produces for what water level in the tank (or whatever) and
notice immediately that when the water level doesn't change, these bytes
over here don't change - but when the level does change, they do.  You can
see what data pattern it always produces for a particular level and make
yourself a chart of what water level produces what bytes.  Then you notice
that these other bytes over there change though a fixed cycle of values as
each day passes - so those must be the encrypted date.  Then you notice
that the same cycle of byte values go by for both the day and the water
level so you guess a simple subsitiution cypher - so you try using that
same substitution on the water level numbers you have - and bingo you
realise that this is how the water level is sent!  You've cracked the
cypher.  Then you look at the output of another one of these gadgets and
notice that another section of bytes that never change value are different
between two different gizmos and then you know how the gizmo's identify
themselves to the mothership.

Someone who was motivated could crack this code in very short order.

> Currently the micro-controller does not support ssh on its Ethernet
> stack. I am certain I could get the source code and recompile it for
> this computer. Is it worth it? Would it fit? I do not know, I have not
> looked at it.

When I recommended scp - I didn't realise how small your monitoring
machines really were.  I think scp is worth looking at...but I think you'd
have a hard time fitting the executable into 16K RAM.  There must be a lot
of code in ssh/scp that you don't need.  But ssh uses libcrypto to do all
of the actual cryptography - and that pulls in other modules to do the
actual encryption.  libcrypto.a itself is pretty big - and its not really
clear which of the other libraries you'd actually need for scp.