[NTLUG:Discuss] What is the best method to communicate between a device and a server?

[Stephen Davidson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

steve at sjbaker.org wrote:
|> The monetary value of the data is the same level as the data on your
|> neighbor's water or electrical meter.  You can look at the water meter
|> in front of his house or the electrical meter on the side of his house,
|> but it is not much value to you or anyone else other than your neighbor
|> and the water or electrical company.
|
| But security does matter for those things - not because there is much
| value on spying in on it - but because there would be huge value in
| spoofing it.  Take your water meter for example: If you could build a
| machine that could fake data from the real water meter computer - then you
| could maybe tell the system that you weren't using as much water as you
| really are - and thereby gain from spoofing it.
|
| It's hard to imagine any kind of data you might be collecting that has
| value to you but zero value to both an observer and a spoofer.
|
| Your hex substitution table is only as good as your ability to protect its
| contents against ex-employees with copies of the source code or people who
| steal one of your monitoring boxes and disassemble the ROM contents.
| People like to do that - some just for fun - some out of malice.
|
| A fixed substitution table is easy to spoof - you simply watch what bytes
| the gizmo produces for what water level in the tank (or whatever) and
| notice immediately that when the water level doesn't change, these bytes
| over here don't change - but when the level does change, they do.  You can
| see what data pattern it always produces for a particular level and make
| yourself a chart of what water level produces what bytes.  Then you notice
| that these other bytes over there change though a fixed cycle of values as
| each day passes - so those must be the encrypted date.  Then you notice
| that the same cycle of byte values go by for both the day and the water
| level so you guess a simple subsitiution cypher - so you try using that
| same substitution on the water level numbers you have - and bingo you
| realise that this is how the water level is sent!  You've cracked the
| cypher.  Then you look at the output of another one of these gadgets and
| notice that another section of bytes that never change value are different
| between two different gizmos and then you know how the gizmo's identify
| themselves to the mothership.
|
| Someone who was motivated could crack this code in very short order.
|
|> Currently the micro-controller does not support ssh on its Ethernet
|> stack. I am certain I could get the source code and recompile it for
|> this computer. Is it worth it? Would it fit? I do not know, I have not
|> looked at it.
|
| When I recommended scp - I didn't realise how small your monitoring
| machines really were.  I think scp is worth looking at...but I think you'd
| have a hard time fitting the executable into 16K RAM.  There must be a lot
| of code in ssh/scp that you don't need.  But ssh uses libcrypto to do all
| of the actual cryptography - and that pulls in other modules to do the
| actual encryption.  libcrypto.a itself is pretty big - and its not really
| clear which of the other libraries you'd actually need for scp.
|

Greetings.

I know that the CVM (Card Virtual Machine -- Java for smart cards) has
some kind of encyrption capability to handle this.  American Express is
one firm that is using this capability on their Credit Cards.  But I am
not very familiar with the tech myself (Its way over on the other side
of the spectrum from where I normally hangout).  And a Smart Card only
has about 16K Ram itself (at least, that's what it had last time I
looked, which was a few years ago).

Just a suggestion.

- -Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFH+Oj7SphIUSiVzgYRAoFVAJ9AgnuadhWqvq/nAQ9BCyVrPcq/cACeId4X
Vo8plWnjn75o0+K2XK/k61k=
=f+Mg
-----END PGP SIGNATURE-----