Topic: Project Frizzbar; secure web send
Netherlands

After solving my first problem with the coin acceptor a new mission comes up.

The plan is to use an RFID reader to identify a chip. The unique chip code should be sent to a webserver which checks in a SQL database if the chip still has some credit (if so withdraws "1") and then returns a "Yes" (if a credit could be deducted) or a "No" (if the RFID chip wasn't recognized or has less than 1 credit).

This seems not the most difficult thing to do; however, since it is used as a payment gateway, using plain HTML isn't secure. I'm afraid that by reading network information on the local network the Arduino is on, someone could be able to reproduce an answer and send the "Yes" to the Arduino without the script on the webserver even being touched.

Of course SSL/TLS is not available for the Arduino Uno, so what would you do to do this?
Logged


Quote
Of course SSL/TLS is not available for the Arduino Uno, so what would you do to do this?

Move to a hardware platform that can support security features.
Logged

Consider the daffodil. And while you're doing that, I'll be over here, looking through your stuff.

Netherlands

Quote
Move to a hardware platform that can support security features.

Let's assume for the discussion that this is not possible.

One of the ideas I had regarding this is the use of an SB70 LC (Serial to Ethernet adapter). This supports SSL encryption and I believe it can be connected to an Arduino. But this costs another $59, so I am looking for a cheaper solution.

Another brain jump is that I only accept messages from the IP of the server hosting the PHP file. That way a malicious person could not simply send info to the Arduino; on the other hand, it's possible to spoof an IP address.
Logged

Seattle, WA USA

One thing to consider in the process is exactly what the cost of secure data transmission is worth, compared to the possible loss from insecure transmissions. If the credit you speak of is worth a lot, then security is worth a lot. If the credit is the cost of a can of soda, then security isn't all that valuable.

You could have the server side return something other than yes or no. The value returned could be a function of the RFID tag sent, with yes or no embedded in the answer. If the Arduino can decode the result, that provides reasonable security.

If that seems too easy to break, include the date and time as function arguments. That way, the same tag will never get the same result back, making guessing the correct value much more difficult.
Logged

Netherlands

No, security isn't worth a lot of money to me. It is however worth the effort and challenge. So, it's a soda machine run by and for friends so I am not that scared it will be abused.

I do like your suggestion. I guess it's also possible to fill the EEPROM with random data (copy the data to my webserver securely) and use that to code and encode data I transmit.
Logged
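The two ideas in the last posts (an answer that is a function of the tag plus a changing value, keyed with random data shared between the EEPROM and the server) amount to an HMAC challenge-response. The Python model below is an added example, not code from any poster: it generalizes "date and time" to a device-chosen nonce, and the names `Server`, `Device`, `mac`, the demo key and the tag value are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; stands in for the random EEPROM data copied to the server.
KEY = bytes(range(32))

def mac(key, *parts):
    # Length-prefix each field so (b"ab", b"c") and (b"a", b"bc") cannot collide.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    def __init__(self, key, credits):
        self.key, self.credits, self.seen = key, dict(credits), set()

    def handle(self, tag, nonce, req_mac):
        # Reject forged or replayed requests before touching the balance.
        if not hmac.compare_digest(req_mac, mac(self.key, b"req", tag, nonce)):
            return None
        if nonce in self.seen:
            return None
        self.seen.add(nonce)  # a real server would bound or expire this set
        ok = self.credits.get(tag, 0) >= 1
        if ok:
            self.credits[tag] -= 1
        answer = b"Yes" if ok else b"No"
        # The answer is bound to this tag and this nonce, so it cannot be reused.
        return answer, mac(self.key, b"resp", tag, nonce, answer)

class Device:
    def __init__(self, key):
        self.key = key

    def request(self, tag):
        nonce = secrets.token_bytes(16)  # fresh per request
        return tag, nonce, mac(self.key, b"req", tag, nonce)

    def accept(self, tag, nonce, reply):
        # Dispense only if the reply says "Yes" AND its MAC matches our own nonce.
        if reply is None:
            return False
        answer, resp_mac = reply
        expected = mac(self.key, b"resp", tag, nonce, answer)
        return hmac.compare_digest(resp_mac, expected) and answer == b"Yes"

if __name__ == "__main__":
    server, device = Server(KEY, {b"04A1B2C3": 1}), Device(KEY)
    tag, nonce, m = device.request(b"04A1B2C3")
    print(device.accept(tag, nonce, server.handle(tag, nonce, m)))
```

This authenticates the exchange but does not hide it: the tag ID still crosses the network in the clear. On an Uno the nonce could instead be a counter kept in EEPROM, since the board has no good random source.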
