Embedded cryptography: basic building blocks and communication with SerialGuard



Once upon a time there was a small ESP32, installed in a cellar, which wanted to talk to its friend on the roof so that the latter could forward its data over 4G. It had little to say, so it could use the LoRa radio standard: low bit rate, but a far greater range than a classic modulation. The problem is that it talked in the clear, so anyone could listen in or, worse, inject false data and even corrupt the remote server.

The fashionable communication protocol is Signal's, also used by WhatsApp and Messenger. Another protocol in vogue is WireGuard, whose goal is to offer a lightweight VPN (initially for Linux) built on a small, fixed set of modern, well-regarded cryptographic building blocks that are no longer left to the user's choice.

The idea was therefore to find an implementation of this kind for embedded systems. Well, I found almost nothing.


Basic building blocks

The TLS libraries are the absolute reference and implement every algorithm, but it is up to you to choose among them. Libsodium implements the latest recommended algorithms and makes the choice for you. Both are enormous and optimized for PCs. A cryptography professor published, as a series of tweets, a small library that takes up the libsodium algorithms in an auditable form (https://tweetnacl.cr.yp.to/), but it is slow.

Someone else wrote exactly what I was looking for: Monocypher. It is a single .c file containing the main libsodium algorithms, and it compiles in pure C with no dependencies! It is perfect for my needs.

This library only provides the basic building blocks; we are a long way from a Signal-style protocol. When we talk about cryptography, we think of AES for symmetric encryption, RSA for public-key encryption and signatures, and hashes such as SHA-1 or SHA-512 for a cryptographic-quality digest (SHA-1 is now broken for collision resistance and should not be chosen for new designs). The required properties are fascinating, but they say nothing about how to use these primitives together afterwards.

Symmetric encryption

This is about encrypting a block with a fixed-size key. The best-known representative is AES, with 128- or 256-bit keys. We have a block, we have a key, and we get a block that looks random. AES relies on modes of operation (GCM, XTS, etc.) to chain blocks and to guarantee security in different contexts.

Here, the recommended algorithm is ChaCha20. No external mode is needed: it is a stream cipher, so everything is built into the basic algorithm.

On decryption, the primitive asks no questions: if the data has been altered, the result is simply garbage. So an authentication mechanism has to be added, using the same key and a hash to check integrity. The classic algorithms are MACs such as HMAC, but it is easy to get their use wrong (encrypt-then-MAC versus MAC-then-encrypt, non-constant-time comparison, and so on).

Monocypher uses Poly1305 to authenticate the message (AEAD, Authenticated Encryption with Associated Data). Its API combines XChaCha20 and Poly1305, which removes the guesswork: if the encrypted message has been modified, the decryption function returns an explicit error and no plaintext.

This function requires a nonce ("Number Used Once"), which must be different on every call under the same key; reusing a nonce with the same key breaks both confidentiality and authentication. XChaCha20's nonce is 24 bytes, large enough to be drawn at random if you prefer not to keep a counter.

The hash

A hash takes a block of data, scrambles it thoroughly and produces a fixed-size value with good cryptographic properties. The goal is a fixed-size fingerprint of the data such that it is impossible to obtain the same hash by slightly modifying the original data. Roughly speaking.

The recommended hash is BLAKE2b: "as secure as SHA-3 and as fast as MD5". It produces 256 or 512 bits.

"Password hashing": deriving a key from a password

When a password is entered, it is never used as is: it is first transformed into a fixed-size value via a hash function. To counter brute-force attacks, people started by applying hundreds of SHA-1 iterations, before adopting deliberately slow hash functions such as bcrypt or scrypt, always combined with a random per-password salt. The goal is precisely to make them slow, unlike conventional hash functions.

Today, Argon2 is recommended.

Public-key encryption

The usual image is an open padlock: anyone can snap it shut, but only the key's owner can open it. RSA was the first published algorithm with this property. Today the fashion is elliptic curves, with X25519.

The main function is based on the Diffie-Hellman (DH) exchange. This is the magic of asymmetric cryptography:

DH(public key of A, private key of B) = DH(public key of B, private key of A) = N

Without one of the two private keys, it is computationally infeasible to find N.

How do you create a private key? It is just 32 very random bytes. All the security rests on this. Remember the 2008 Debian flaw, where a predictable generator (effectively seeded only by the process ID) made every generated key trivially enumerable.

Random generator

To do cryptography seriously, you need a true random generator of cryptographic quality. Monocypher, for example, does not provide one, because it depends too much on the hardware. It is therefore up to you to supply a correct one.

Do not use random() or rand(): these functions are not designed for security. They often have barely 32 bits of state, which means their output cycles after only about 4 billion values, and the whole seed space is trivial to enumerate for a modern attacker.

A good generator is based on entropy sources, in other words unpredictable phenomena: system noise, timing between events, temperature, etc. These sources are then mixed (often via a large hash) to produce numbers with solid statistical properties.

For example, Linux collects a host of internal events (network activity, mouse movements, etc.) to feed its random generator, /dev/urandom.

On the hardware side, some platforms offer a true physical generator: it may measure electrical noise across a diode through an analog-to-digital converter (ADC), or exploit slight variations in the speed of internal oscillators (ring oscillators), which are then mixed with circuits such as LFSRs combined via XOR.

Use the cryptographic generator supplied by your platform (for example getrandom(), arc4random(), or a hardware TRNG if you are on an embedded board).

Do not build your own generator unless you know exactly what you are doing. The worst thing is to reuse existing data (keys, for example) to generate other numbers: that creates a huge dependency between values that are then no longer random.
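As an added illustration of the two preceding paragraphs (this is not code from the article or from SerialGuard), the following Go program plays both roles: a careless device that seeds a general-purpose PRNG with the boot time and draws its key and a cleartext nonce from it, and an attacker who recovers the key by enumerating a one-hour window of seeds. The scenario (time-seeded PRNG, 8-byte nonce sent in the clear, one-hour uncertainty) is constructed for the example; the fix, reading from the operating system CSPRNG, is what the article recommends.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakOutput is what a careless device produces: a 32-byte "secret" key and an 8-byte
// nonce that it sends in the clear, both pulled from the same general-purpose PRNG.
type weakOutput struct {
	key   []byte
	nonce []byte
}

// weakKeyAndNonce mimics the classic mistake of seeding a non-cryptographic PRNG with the
// current time in seconds.  Everything it returns is a deterministic function of one seed.
func weakKeyAndNonce(seed int64) weakOutput {
	r := mrand.New(mrand.NewSource(seed))
	out := weakOutput{key: make([]byte, 32), nonce: make([]byte, 8)}
	for i := 0; i < len(out.key); i += 8 {
		binary.LittleEndian.PutUint64(out.key[i:], r.Uint64())
	}
	binary.LittleEndian.PutUint64(out.nonce, r.Uint64())
	return out
}

// RecoverWeakKey is the attacker.  It knows only the public nonce and that the device
// booted within `span` seconds before `now`.  It replays every candidate seed until the
// regenerated nonce matches; the key then falls out for free, because it came from the
// same generator (the dependency the article warns about).
func RecoverWeakKey(publicNonce []byte, now, span int64) ([]byte, bool) {
	for seed := now; seed > now-span; seed-- {
		c := weakKeyAndNonce(seed)
		if bytes.Equal(c.nonce, publicNonce) {
			return c.key, true
		}
	}
	return nil, false
}

// StrongKey is what the device should do instead: read the platform CSPRNG
// (getrandom(2) on Linux; on a microcontroller, the hardware TRNG).
func StrongKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Constructed scenario: the device booted 20 minutes ago and seeded with time().
	bootTime := time.Now().Unix() - 20*60
	victim := weakKeyAndNonce(bootTime)

	key, ok := RecoverWeakKey(victim.nonce, time.Now().Unix(), 3600)
	fmt.Printf("weak key recovered: %v (%x)\n", ok && bytes.Equal(key, victim.key), key)

	strong, err := StrongKey()
	if err != nil {
		panic(err)
	}
	fmt.Printf("strong key: %x\n", strong)
}
```

The brute force takes a few thousand PRNG re-seeds, i.e. milliseconds; narrowing the window from an hour to a day or a year changes nothing fundamental. A 32-byte key read from the CSPRNG has no such shortcut.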

The latest flaws in Brother printers come from the fact that the default administrator password is derived from the device's serial number (!).

Signature

We have a block of data, we sign it with a private key, and anyone can check the signature with the public key.

Monocypher offers EdDSA.

SerialGuard, the communication protocol

You should not design your own cryptography; it is too easy to make a mistake. However, that is exactly what I did, so what follows may contain errors. The idea is to create a lightweight communication protocol. If experts pass by and see a horror, they should not hesitate to shout.

We now have the basic building blocks, and they must now be assembled properly. A wants to communicate with B (Alice, Bob) without an attacker being able to read the messages, insert messages, modify messages, replay messages, or recover past messages later if he has recorded everything and then obtains the private keys.

In the world of "simple" embedded systems, we communicate with read() and write() on a serial link. The ideal is to have roughly the same API.

The exchange of preliminary information must be kept to a minimum, to stay as light as possible.

I leave aside the "framing", that is, the packaging needed to send over a physical link. A serial link sends bytes; SerialGuard operates on packets of bytes. A packet must be reassembled before being handed to the library.

The foundation is that each side has a long-lived private key. This allows authentication on the principle: if it is always the same key since installation, it is always the same peer: TOFU (trust on first use).

If we need to do better, a "trust key" would have to sign this key. But then we enter the complex maze of a public key infrastructure, certificates, or a GPG-style web of trust.

To be able to change a long-term private key while staying safe from a man-in-the-middle, a secret shared by all peers has to be kept. That can be very complicated across a network of servers, but here every box is programmed in the same place.

It is simply a 32-byte random number shared by everyone. It is pompously called the Pre-Shared Key (PSK).

It must not be left lying around in the source code (nor be readable from an unprotected flash dump).

A session key is a temporary, renewable key. The idea is to use asymmetric cryptography to agree on a symmetric key.

If we used the number produced by Diffie-Hellman (DH) between the long-term keys directly, it would be the same for a given pair of private keys: not great. We could exchange random numbers to agree on a symmetric key, but I want to keep the exchanges to a minimum.

For this, I use an ephemeral asymmetric key pair, as popularized by the Signal protocol. Once the symmetric key has been derived, the ephemeral private key is thrown away. It then becomes impossible to decrypt the session later, even if the long-term keys leak (forward secrecy).

We therefore start by exchanging two public keys each: one long-lived and one ephemeral.
The 8 keys (2 public and 2 private on each side) are combined in 3 DH exchanges; the results are sorted so that both sides have them in the same order, and the whole is fed to the hash together with the PSK.

We have our symmetrical session key.
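The handshake described above (the DH equation, the 32-byte private keys and the three-DH-plus-PSK derivation), written out as an added example in Go. This is not SerialGuard's code, which is C on Monocypher: X25519 comes from the standard library's crypto/ecdh, and HMAC-SHA-256 keyed with the PSK stands in for Monocypher's keyed BLAKE2b. The article says three DH results are used but does not name them; the example assumes the three that involve an ephemeral key (ephemeral-ephemeral and the two ephemeral-static crossings), which is what skipping the static-only DH implies.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Peer holds one side's X25519 key pairs: the long-lived static key that identifies it
// (TOFU) and the ephemeral key generated for this session only.
type Peer struct {
	Static    *ecdh.PrivateKey
	Ephemeral *ecdh.PrivateKey
}

// NewPeer draws both private keys from the CSPRNG: 32 random bytes each.
func NewPeer() (*Peer, error) {
	curve := ecdh.X25519()
	static, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ephemeral, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Static: static, Ephemeral: ephemeral}, nil
}

// SessionKey derives the symmetric session key once the peers have exchanged their two
// public keys.  Three DH results are used, each involving at least one ephemeral key
// (static-static is left out: it never changes for a given pair of devices).  Alice and
// Bob obtain the same three values in a different order, so they are sorted before being
// mixed with the PSK.  An attacker who knows the PSK but none of the private keys cannot
// compute any of the three, and one who has every private key but not the PSK is stuck too.
func (p *Peer) SessionKey(psk []byte, peerStatic, peerEphemeral *ecdh.PublicKey) ([]byte, error) {
	ee, err := p.Ephemeral.ECDH(peerEphemeral)
	if err != nil { // crypto/ecdh also rejects an all-zero shared secret (low-order point)
		return nil, err
	}
	es, err := p.Ephemeral.ECDH(peerStatic)
	if err != nil {
		return nil, err
	}
	se, err := p.Static.ECDH(peerEphemeral)
	if err != nil {
		return nil, err
	}
	secrets := [][]byte{ee, es, se}
	sort.Slice(secrets, func(i, j int) bool { return bytes.Compare(secrets[i], secrets[j]) < 0 })

	kdf := hmac.New(sha256.New, psk) // stand-in for keyed BLAKE2b
	for _, s := range secrets {
		kdf.Write(s)
	}
	return kdf.Sum(nil), nil // 32-byte session key
}

func main() {
	psk := make([]byte, 32) // in production: provisioned once, never committed to source control
	if _, err := rand.Read(psk); err != nil {
		panic(err)
	}
	alice, err := NewPeer()
	if err != nil {
		panic(err)
	}
	bob, err := NewPeer()
	if err != nil {
		panic(err)
	}
	// Handshake: each side sends its static and ephemeral public keys (64 bytes in total).
	ka, err := alice.SessionKey(psk, bob.Static.PublicKey(), bob.Ephemeral.PublicKey())
	if err != nil {
		panic(err)
	}
	kb, err := bob.SessionKey(psk, alice.Static.PublicKey(), alice.Ephemeral.PublicKey())
	if err != nil {
		panic(err)
	}
	fmt.Printf("alice: %x\nbob:   %x\nagree: %v\n", ka, kb, bytes.Equal(ka, kb))
	// Forward secrecy: the ephemeral private keys are dropped as soon as the session key exists.
	alice.Ephemeral, bob.Ephemeral = nil, nil
}
```

Sorting is the article's way of making the two sides agree on the input order; binding a fixed order to the roles (initiator, responder) would work as well and additionally distinguishes the two directions. The TOFU check is not shown: it is a comparison of the received static public key against the one stored at first contact, before SessionKey is called.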


Replay

As long as the session is active, re-sending a previous message would remain valid. To prevent this, a nonce is used in the symmetric encryption: any value will do, as long as it is never identical from one packet to the next. It can be transmitted with the packet, but that takes up space.

I chose to use a simple counter; this avoids having to remember past nonces to prevent replay.

Since the links are not reliable, a packet can be corrupted, and the next one must still be decodable. I simply chose to try the 10 successive counter values in case of error before giving up.
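The counter-as-nonce scheme of the last three paragraphs, together with the AEAD behaviour described in the symmetric-encryption section, as an added example in Go (not SerialGuard's code). AES-256-GCM from the standard library stands in for Monocypher's XChaCha20-Poly1305, so the nonce is 12 bytes instead of 24; the 64-bit counter, its big-endian encoding into the nonce and the window of 10 are assumptions of the example, the article only fixing the number 10.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// window is how many successive counter values the receiver tries after a failed
// decryption, to ride over lost or corrupted packets (the article uses 10).
const window = 10

var ErrRejected = errors.New("packet rejected: replay, forgery, or more than window packets lost")

// newAEAD wraps the session key in an AEAD.  AES-256-GCM stands in for XChaCha20-Poly1305.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFromCounter encodes the 64-bit packet counter into the nonce (upper 4 bytes zero).
// The nonce itself is never transmitted; both ends keep the counter in step.
func nonceFromCounter(n uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], n)
	return nonce
}

type Sender struct {
	aead cipher.AEAD
	next uint64 // counter of the next packet; must never repeat under this key
}

type Receiver struct {
	aead cipher.AEAD
	next uint64 // lowest counter value still acceptable
}

func NewSender(key []byte) (*Sender, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: a}, nil
}

func NewReceiver(key []byte) (*Receiver, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: a}, nil
}

// Seal encrypts and authenticates one packet under the current counter, then advances it.
func (s *Sender) Seal(plaintext []byte) []byte {
	ct := s.aead.Seal(nil, nonceFromCounter(s.next), plaintext, nil)
	s.next++
	return ct
}

// Open tries the expected counter and up to window-1 following values.  A replayed (or
// very late) packet was sealed under a counter below r.next, so every try fails and it is
// rejected; a tampered packet fails the authentication tag the same way.
func (r *Receiver) Open(packet []byte) ([]byte, error) {
	for i := uint64(0); i < window; i++ {
		n := r.next + i
		pt, err := r.aead.Open(nil, nonceFromCounter(n), packet, nil)
		if err == nil {
			r.next = n + 1 // everything at or below n is now dead
			return pt, nil
		}
	}
	return nil, ErrRejected
}

func main() {
	key := make([]byte, 32) // normally the session key from the handshake
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tx, _ := NewSender(key)
	rx, _ := NewReceiver(key)
	p0 := tx.Seal([]byte("temp=18.5"))
	_ = tx.Seal([]byte("temp=18.6")) // lost on the radio link
	p2 := tx.Seal([]byte("temp=18.7"))
	for _, p := range [][]byte{p0, p2, p0} { // the third is a replay
		m, err := rx.Open(p)
		fmt.Printf("%q %v\n", m, err)
	}
}
```

Two caveats follow from the design: the counter must never wrap or restart under the same key (a sender rebooting without a new handshake would reuse nonces), which is one more reason for the session limit discussed below; and each failed attempt costs a full decryption, so the window of 10 bounds the work an attacker can force with a bogus packet.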

Session

A session must be limited in time or in the amount of data transmitted. A symmetric event has to be found on both sides to trigger a new handshake. I left this point to the application; it could be included in the higher-level network protocol.

Sending a single message

This scheme does not cover the case of a single message.

In the Internet of Things, we push a message over MQTT and do not expect an answer. It would be much more practical to be able to do that here too. You have to be able to send without a preliminary handshake, but the public keys still have to be sent, which takes up space.

The sender needs the server's public key and the PSK; everything else (nonce, long-term public key and ephemeral public key) is carried in the message alongside the ciphertext.

The difference is that there are only 2 DH exchanges, and no ephemeral key on the server side. The consequence is that forward secrecy only holds against a leak of the sender's keys: whoever obtains the server's long-term private key can decrypt every recorded single message.

Work in progress

It is still a work in progress. It lacks field tests and a performance evaluation on several platforms.
