HTTPS - How to secure http with SSL?

Hello, I am looking for a way to communicate safely over https with my Arduino MEGA board.

Right now I am playing with the Ethernet Shield from Arduino, but the libraries do not support HTTPS. Does anyone know if Arduino has a plan to release a new Ethernet shield with support for HTTPS in the near future?

Alternatively, Xport Pro seems to be a networking module with a built-in server (Evolution OS or Linux) and can do HTTPS/SSL. Does anyone have experience with this module used with an Arduino MEGA? Is it possible to get it to work together?

I only miss the support for HTTPS on my Ethernet shield and do not need a full server, so the Xport Pro seems to be overkill for my solution. Is there any better device/solution to solve my problem?

Does anyone know if Arduino has a plan to release a new Ethernet shield with support for HTTPS in the near future?

maybe you?

The encryption for https is rather complex and the footprint of the code is probably quite large. You should check if you can find sources (open if possible) and try to port it to Arduino.

If written in C or C++ it should not be too difficult to port. NB encryption is on the data layer, not on the transport layer!

The chip's not fast enough to do SSL, IMO. Certainly it would be a major project. Go and look at the OpenSSL sources if you want to see the scale of the problem... (hint: it's over 18 MB of source code in 2300 files)

There are other approaches using a more lightweight (non-public-key) secure protocol, but nothing as standard as SSL.
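As an added illustration of the "non-public-key" approach mentioned in the reply above (not code from any poster in this thread): a pre-shared-key scheme in which each device appends an HMAC-SHA256 tag and a message counter, and the server rejects forged or replayed frames. The frame layout, the `seal` function and the `Gateway` class are assumptions made for this sketch, and it provides authentication and replay protection only, not confidentiality.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32                      # HMAC-SHA256 output size in bytes
HEADER = struct.Struct(">HI")     # assumed layout: 16-bit device id, 32-bit counter


def seal(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HEADER.pack(device_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Gateway:
    """Server side: verifies frames, rejecting forgeries and replays."""

    def __init__(self, keys: dict):
        self.keys = keys          # device id -> pre-shared key
        self.last_counter = {}    # device id -> highest counter accepted so far

    def open(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < HEADER.size + TAG_LEN:
            return None           # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            return None           # unknown device
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None           # tag mismatch: forged or corrupted frame
        if counter <= self.last_counter.get(device_id, -1):
            return None           # counter not strictly increasing: replay
        self.last_counter[device_id] = counter
        return body[HEADER.size:]


if __name__ == "__main__":
    demo_key = bytes(range(32))   # constructed sample key, not a real secret
    gw = Gateway({7: demo_key})
    frame = seal(demo_key, 7, 1, b"temp=21.5")
    print(gw.open(frame))         # accepted on first delivery
    print(gw.open(frame))         # same frame again is rejected as a replay
```

The device must persist its counter across resets (for example in EEPROM), otherwise its own frames will be rejected as replays after a reboot.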

What about Xport Pro or MatchPort b/g Pro? Does anyone have experience using them with an Arduino MEGA board?

i've been working on a low-level protocol/standard for doing this.

http://ardiri.com/blog/utls_defining_lightweight_security_for_iot_part_1
http://ardiri.com/blog/utls_defining_lightweight_security_for_iot_part_2
http://ardiri.com/blog/utls_defining_lightweight_security_for_iot_part_3

i currently do have code for the Arduino to perform RSA1024 and RC4.. by simulating the layers of TLS; it should be possible to get a level of security that is solid enough to say "yes, it is secure". i am interested in collaborations; a while ago i did the RSA code on an Arduino UNO (and all subsequent models) - mixing C with avr assembly:

http://ardiri.com/blog/iot_security_feasibility_in_micro_controllers

since not much is happening in this area; i figured i would work on this project to bring saviour to a number of Arduino and other low-powered micro-controllers on the market.. i would be interested to discuss licensing; for my next blog entry i will have a working RC4 cipher within this protocol.

the best part is; we can run a single server - and have different layers of security for different micro-controllers. for example; for some micro-controllers, you may not care.. but others may be better off with at least rsa512/rc4 over nothing and the more powerful ones could do rsa2048/aes if need be.

On a related note, what are the new crop of internet of things sensors using for encryption, or are they inherently insecure and relying on a Linux hub to be the secure (or not) gateway to the outside world?

We have chips that can do complex protocols like Ethernet and CAN bus, why not one that acts as a transparent HTTPS proxy?

mikb55: On a related note, what are the new crop of internet of things sensors using for encryption, or are they inherently insecure and relying on a Linux hub to be the secure (or not) gateway to the outside world. We have chips that can do complex protocols like Ethernet and CAN bus, why not one that acts as a transparent HTTPS proxy?

this is a valid point - most sensors out there typically connect over a digital, analog line or some form of bus such as 1wire, SPI et al. the issue is that the sensors themselves do not have integration points directly and need a micro-controller or third party service to secure them. unless you take into consideration security; chances are - you're not going to be secure.. or end up using an overpowered device to communicate to your backend..

i've just released part 4 of my blog..

http://ardiri.com/blog/utls_defining_lightweight_security_for_iot_part_4

where i have demonstrated doing communication between server and client using the RC4 protocol. it can be done - and i've still got a tonne of program space and memory available to implement much more - this is on an Arduino UNO!