Quantcast

https using OpenSSL for embedded device and java server

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

https using OpenSSL for embedded device and java server

Sarvesh Renghe

Dear all,

 

I have application specific query as below.

 

We have a solution for remote data monitoring. It picks up the data from remote sites using a modem, forms a string of data values, connects to server on GPRS/Ethernet using socket and pushes data to server periodically. The modem is having firmware developed in embedded c on top of RTOS. The server has tomcat application server which hosts a data server class (in java) listening on a configurable port. The listener listens to this port and parses the data to store in database.

 

Now we want to send this data from modem to server in a secured way. Once option is to encrypt the data using RSAEncyptor before sending and decrypt the data using RSADescryptor after receiving. Second option could be to use https protocol so that it is more standardized. So if we have to use second option, what should be the approach? Are there readymade libraries available to send it on https from modem in embedded C? Are there corresponding libraries available in java to receive it on server? What should be overall architecture. We though OpenSSL can help in this.

 

I am new to this and may not have given all the information required. Feel free to let me know if you need any more inputs. Also you may direct me to appropriate forum, if this is not the right forum.

 

 

Thanks & Regards,

Sarvesh.

 

Mobile: +91 9820921719

 


Virus-free. www.avast.com

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: https using OpenSSL for embedded device and java server

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Sarvesh Renghe
> Sent: Wednesday, March 29, 2017 07:32

> Now we want to send this data from modem to server in a secured way. Once option is to encrypt the data using
> RSAEncyptor before sending and decrypt the data using RSADescryptor after receiving.

This would be an inappropriate use of asymmetric cryptography. Don't use a chisel as a screwdriver.

More importantly: Don't roll your own cryptography, including cryptographic primitives, cryptographic protocols composed from primitives, application protocols composed from cryptographic protocols, and so on. Don't do that if you don't know why you shouldn't. Don't do it even if you do know why you shouldn't. Unless you're a professional cryptographer and protocol designer with a deep understanding of why you shouldn't do it, don't do it.

>  Second option could be to use https protocol so that it is more standardized. So if we have to use second option, what
> should be the approach?

Why are there only two approaches? There are a lot of secure application protocols. HTTPS is a viable one for some applications, but not for all. What about SSH, for example?

You've reduced this to a false dichotomy between "do something with a cryptographic primitive" and "HTTPS". That suggests what you actually need to do is:

1. Understand your users' threat models.
2. Understand the attack space defined by the attack surface of your device / application and those threat models.
3. Determine what risks in that space can be remediated by cryptography, and from that a list of cryptographic requirements.
4. Decide what existing cryptographic application protocol will satisfy those requirements, as much as is feasible with reasonable cost. ("Cost" here includes money, your effort, the work and cognitive load required of customers, etc.)
5. Look for suitable implementations.

Cryptography is difficult. Implementing it successfully requires special expertise.

>  Are there readymade libraries available to send it on https from modem in embedded C?

Not a question for this list, I'm afraid.

> Are there corresponding libraries available in java to receive it on server?

Nor is this. There is a vast amount of information available online and in books regarding cryptography in general and HTTPS in particular for Java.

>  What should be overall architecture. We though OpenSSL can help in this.

The OpenSSL software? The OpenSSL organization? The community?

I'm afraid the best advice is to acquire expertise in cryptography and IT security. Whether you do that in-house by studying or hire it in, that's the only viable path to a solution that's actually secure.

> I am new to this and may not have given all the information required.

Sure. Everyone's new at first. Unfortunately this is not an area in which you can get a quick answer that's of much use. (Say someone says "just use HTTPS". That's fine, but how will you manage certificates? How do you handle errors? How do you unlock private keys at startup?)

>  Also you may direct me to appropriate forum, if this is not the right forum.

No forum will suffice, if you want to do this right. You have to start with cryptography and security basics, and those are best learned through books or courses.

And it's not possible, except by chance, to recommend an approach without knowing the threat model. Do you need to provide confidentiality, integrity, identity, non-repudiation, timestamping? Against what threats, and with what cost to the attacker? Will all the product's users have similar threat models, or are there a variety? Do some of them have regulatory or other requirements (PCI-DSS, HIPPA, FIPS 140-2, ...) that have to be met?

Michael Wojcik
Distinguished Engineer, Micro Focus
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Loading...