I'm interested in encrypting a data stream between a mechatronics system run by an arduino board and a laptop. So the board and the laptop talk to each other over serial and I just need to place a dongle in the middle to prevent communications through some sort of encryption maybe, if the dongle cannot be authenticated. I don't know much about encryption or authentication but I thought maybe there were dongles out there that are "hardware authenticated" so they only work with 1 PC that they were made to work with. I dunno if there are other methods of authentication but I'm flexible on that - so long as you need the dongle to allow the serial communications to pass through.
Anybody know of an off-the-shelf commercial product that could achieve this? Just some dongle I can buy and plug into the serial/usb port and plug a usb cable into the other end and go to my arduino board so that nobody else can use the board but me?
Maybe it is enough to just use a unique physical plug interface.
How would I do that? Or perhaps I should ask, how could this be mass produced so that anyone with a laptop could have their own unique physical interface. This solution needs to be usable by many customers (eventually).
Don’t they have things akin to smartcards that just bridge a usb connection or serial connection? I call it a dongle but that’s just for lack of a better word.
Everyone have a unique end, why?
Let’s assume your Arduino is a Pro Mini.
Solder a cable to the GND, DTR, RX and TX, then add a unique connector of your choice to the other end.
Cut the TTL end off a USB to TTL converter cable.
Add a matching connector to the TTL cable end.
Connect the modified USB to TTL converter cable to the PC.
Plug connectors together.
Yeah but... that sounds extremely trivial to hack. Unless I'm misunderstanding something. The idea is to provide a nearly unhackable pass-thru so that no malicious person could ever gain access to the system, even if they stole the software running it or the laptop for that matter.
I don't know that it's paranoid. Protecting intellectual property that you plan to sell has already necessitated all sorts of existing security technologies. I just think it's cheap insurance.
Nowadays, there is no way to stop someone else from copying your work.
If you have a widget that does this, that, and another thing, someone can make the same thing.
If you have a drug that cures cancer, others take it apart chemically and make a cheaper version.
Suggest you don’t get caught up in this protection stuff, patent things sure, but copy cats will come along if you are making money.
Of course you're right but deterrents will buy you time. Only the most skilled and determined people will bother to hack some dongle or simulate the authentication coming from it and probably with diminishing returns, the harder it is to hack. That's why I think it's still viable.
I'm interested in encrypting a data stream between a mechatronics system run by an arduino board and a laptop. So the board and the laptop talk to each other over serial and I just need to place a dongle in the middle to prevent communications through some sort of encryption maybe, if the dongle cannot be authenticated.
Exactly what threat do you want to guard against?
If you are worried about keeping secret the program code on an Arduino then protecting data between it and a PC seems a bit pointless.
If you want to prevent someone using your PC program with a clone of your Arduino board then it seems to me you need some sort of unique ID on the Arduino board rather than anything on the interface with the PC. I believe you can buy chips that have a pre-programmed unique ID - maybe you could build one into your hardware.
If you want to protect the code of your PC program then that seems to be a well-trodden path that is beyond the scope of this Forum.
The other important question (essential question, IMHO) is what sort of person you want to protect yourself against. I don't believe there is any possibility of protecting your intellectual property from an expert with the necessary tools and time - short of a "this board will self-destruct in 3 hours" and I suspect that sort of pyrotechnic would be illegal.
It's more the 3rd option you presented with one exception. All code is executed server side and only after login credentials have been entered - so nothing resides on the PC locally. The server authentication + the dongle (hardware authentication) would constitute 2-step authentication that would make it unlikely that someone would try to hack both. The code on the arduino is nothing special - just measuring sensors. I don't care about that. Just the PC software is worth protecting (handled by keeping it server-side) and the inability to run the machine (handled by the dongle).
I mean I've seen stuff that looks like what I want but it's exactly to the specs I'm describing so I'm just curious if anyone has seen or used such a thing with an Arduino.
Just the PC software is worth protecting (handled by keeping it server-side) and the inability to run the machine (handled by the dongle).
So why not look for advice on a Forum where they deal with PC software security?
All code is executed server side and only after login credentials have been entered - so nothing resides on the PC locally. The server authentication + the dongle (hardware authentication) would constitute 2-step authentication that would make it unlikely that someone would try to hack both.
Maybe I’m just thick, but I can’t get any clear image of how things work from that description.
If there is nothing on the PC then what is it that you are trying to protect?
If code must come from a distant server isn’t the transfer from the server the weak link in the chain? Or the opportunity for the Mafia to clone the whole server?
I'm not the software guy so it's hard for me to be more specific but as I understand it, the program executes on the server so there is merely a data stream going back and forth, using the PC as a node. The PC doesn't need protecting but if the correct server credentials are entered, the code can be run, the data can be exchanged and the machine can work. However if a dongle is also required, then you need both information (server credentials) and physical hardware (a dongle) to make anything work.
I just figured people on this forum would have a vague familiarity with this stuff, even if they're not experts at it, because it's somewhat related. Not like asking a chef about particle physics or something.
I think your main goal is to make the machine inoperable without the dongle?
However if a dongle is also required, then you need both information (server credentials) and physical hardware (a dongle) to make anything work.
Why not make the Arduino the "physical hardware" by giving it a unique ID ?
I'm not sure. I'm being told by people who know more than I do, that that is very shallow in terms of protection.
Put it this way. For whatever reason, there is a need for top of the line security to protect a piece of IP so no improvised solution is going to be good enough. I need a commercial product designed to act as a hardware-based security layer - something of smart card grade except that it would merely be a bridge between the PC and Arduino to permit communication. I assume that if the PC doesn't recognize the unique signature of the dongle it will just tell the server to refuse to work or something like that. I don't know how you would implement an ID in the Arduino board but if you did, I somehow doubt it would be as robust as whatever technology they use in these smart cards and dongles so that's the issue.
Qdeathstar: That is correct
You can store a unique serial number in NVRAM in the Arduino.
The Arduino reads this at power up.
At PC power up, user must enter this number into the PC to get things running.
You could do that but Arduino memory is easy to dump and read so it could be cloned 100 times if someone gained access to it.
I mentioned in Reply #9 that I believe you can buy chips that have a unique ID (like a MAC address, I think). If you build an Arduino board that includes one of them then wouldn't that give you a high level of security? If they removed it or replaced it the thing would not work.
If the thing you want to protect is so valuable that the advice you have been getting here is not adequate then I reckon you need advice from a professional computer security expert.
Even banks get stung some of the time and they just make good the customer's losses - and they have deep pockets for security.
And speaking of banks, do you have a system in place to notify you when your secret has been stolen?
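Added example, not written by any poster in this thread: a server-side sketch of why a stored serial number or fixed unique ID can be copied and reused, while a keyed challenge-response from the dongle cannot simply be replayed. It assumes the dongle and server share a per-device key and use HMAC-SHA256; the class names, key and serial number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values. In a real product the key would be provisioned
# into tamper-resistant hardware on the dongle and never sent over the wire.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
STATIC_ID = b"SN-000123"  # the "serial number in NVRAM" idea

class Dongle:
    """Stands in for the hardware token: answers challenges, never reveals the key."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, key: bytes, static_id: bytes):
        self._key = key
        self._static_id = static_id
        self._pending = set()  # challenges issued but not yet answered

    def check_static_id(self, presented: bytes) -> bool:
        # Weak scheme: the same value is valid forever, so a copy is as good
        # as the original.
        return hmac.compare_digest(presented, self._static_id)

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per session
        self._pending.add(nonce)
        return nonce

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge
        self._pending.discard(challenge)  # each challenge is single-use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def demo() -> dict:
    server, dongle = Server(DEVICE_KEY, STATIC_ID), Dongle(DEVICE_KEY)
    c1 = server.new_challenge()
    r1 = dongle.respond(c1)
    c2 = server.new_challenge()
    return {
        "copied_static_id": server.check_static_id(STATIC_ID),  # accepted
        "genuine": server.check_response(c1, r1),
        "old_response_new_challenge": server.check_response(c2, r1),
        "old_challenge_reused": server.check_response(c1, r1),
    }
```

The scheme is only as strong as the protection of the key inside the dongle; if the key can be dumped like ordinary Arduino memory, the dongle can be cloned as well.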