next topic »

[on:]

After solving my first problem with the coin acceptor a new mission comes up.

The plan is to use a RFID reader to identify a chip. The unique chip code should be send to a webserver which checks in a SQL database if the chip still has some credit (if so withdraws "1") and then returns a "Yes" ( - if a credit could be deducted) or a "No" ( - if the rfid chip wasn't recognized or has less then 1 credit).

This seems not the most difficult thing to do, however since it is used as a payment gateway using plain HTML isn't secure. I'm afraid that by reading network information on the local network the arduino is on someone could be able to reproduce an answer and send the "Yes" to the arduino without the script on the webserver even being touched.

Ofcourse SSL/TLS is not available for the arduino uno so what would you do to do this?

[Reply #1 on:]

Ofcourse SSL/TLS is not available for the arduino uno so what would you do to do this?

Move to a hardware platform that can support security features.

[Reply #2 on:]

Move to a hardware platform that can support security features.

Let's assume for the discussion that this is not possible.

One of the ideas I had regarding this is the use of a SB70 LC (Serial to Ethernet adapter). This support SSL encryption and I believe it can be connected to an Arduino. But this costs another $59, so I am looking for a cheaper solution.

Another brain jump is that I only accept messages from the IP the server hosting the php file. That way not some malicious person could simply send info to the arduino, on the other hand Its possible to spoof an IP adres.

[Reply #3 on:]

One thing to consider in the process is exactly what the cost of secure data transmission is worth, compared to the possible loss from insecure transmissions. If the credit you speak of is worth a lot, then security is worth a lot. If the credit is the cost of a can of soda, then security isn't all that valuable.

You could have the server side return something other than yes or no. The value returned could be a function of the RFID tag sent, with yes or no embedded in the answer. If the Arduino can decode the result, that provides reasonable security.

If that seems to easy to break, include the date and time as function arguments. That way, the same tag will never get the same result back, making guessing the correct value much more difficult.

[Reply #4 on:]

No, security isn't worth a lot of money to me. It is however worth the effort and challenge. So, its a soda machine run by and for friends so I am not that scared it will be abused.

I do like your suggestion. I guess its also possible to fill the EEPROM with random data (copy the data to my webserver securely) and use that to code and encode data I transmit.