Safe communication over serial

Hello!
I have developed Windows software for analysis of sensor data with an Arduino Nano. I have created the Arduino sketch, and it sends the data in clear text to Windows over USB serial as space-separated values, like:
2.56 12.58 14.57 0.36 5.59 1.48 2.36 65.58 63.44 45.93

But I now wish to secure the communication, because somebody else can create similar software for an Arduino and use it with my Windows program. Using simple base64 is not an option; the possible copier can decrypt it easily. I have tested many AES libs, but none worked well for me; they failed mostly on the base64 encoding of the AES binary. In the end I have not found any usable AES example that generates good base64 or hex with AES CBC (ECB is not interesting for me).
RSA will be my next step, because the communication is always in one direction, from the Arduino Nano to the Windows program, but I don't know whether the small Nano has enough memory for storing a key.
How do you secure communication over serial in a reasonable way, to keep the communication secret?

What do you mean by "communicating via serial"? A cable from your Arduino to your PC ought to be safe.

Railroader:
What do you mean by "communicating via serial"? A cable from your Arduino to your PC ought to be safe.

I wish to prevent clear-text communication over serial, from the Arduino Nano to the PC program.

emilr:
I wish to prevent clear-text communication over serial, from the Arduino Nano to the PC program.

It will help if you describe the project you are trying to create.

I can't envisage any realistic situation where someone could get access to data being transferred to a PC over the regular USB cable.

...R

Robin2:
It will help if you describe the project you are trying to create.

I can't envisage any realistic situation where someone could get access to data being transferred to a PC over the regular USB cable.

...R

I gather the OP is trying to prevent someone from using his/her PC application with their own device by encrypting the communications between the Arduino and the PC, hence preventing/stalling reverse engineering.

If you can include encryption and key management within a small enough memory footprint you have to consider whether the computational requirements to encrypt will interfere with any time-sensitive operations the Arduino needs to perform. I believe you will have to analyze this for yourself since you have not provided any specific requirements with respect to the computational requirements of your specific application.

Easier and simpler to just reverse the bit order of each byte. Then the data is not readable plain text, etc.

Paul

ToddL1962:
I gather the OP is trying to prevent someone from using his/her PC application with their own device by encrypting the communications between the Arduino and the PC, hence preventing/stalling reverse engineering.

Exactly this.

On the Windows side, I have integrated AES-128 CBC. The problem is the Arduino side.
For example, if I encrypt the message "24051984"
with key: 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7
and IV: 7, 6, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1
I need to receive the ciphertext: pArfBo2HLU9+DXGhFPJDFg==
According to this encrypter: AES Encryption: Encrypt and decrypt online — Cryptii
But the Arduino won't give me this message. I have mentioned the problem to the author of the library here: Problem with decrypt the message · Issue #15 · suculent/thinx-aes-lib · GitHub
The Arduino code is also on that page.

The Windows program I wrote can decrypt the pArfBo2HLU9+DXGhFPJDFg== message to base64 and later to clear text in my program correctly, but not the Arduino-generated ciphertext.
The author wrote to me that a Nano does not have enough memory to do the job. This is the reason why I ask what the most common method is for communication between an Arduino and a PC over serial (the serial is not so important, it is just a medium for data transfer), but in an encrypted way, to prevent the RE or make it so difficult that it is cheaper for the possible copier (Chinese companies) to make their own solution.
How do you solve this problem in real life?

emilr:

I gather the OP is trying to prevent someone from using his/her PC application with their own device by encrypting the communications between the Arduino and the PC, hence preventing/stalling reverse engineering.

Exactly this.

That does nothing to explain where the security risk is coming from.

Even if there is no encryption, how could someone else have an Arduino with a clone of the OP's Arduino program? And if they did not already have a clone of the program, how could a clone be devised just by connecting an arbitrary Arduino into the PC?

And if there is a security risk, wouldn't it be much simpler just to have an identification process between the PC and the Arduino? The PC sends some message to the Arduino and expects a specific response.

Wouldn't it be even easier just to restrict access to the PC by locking the door of the room it is in?

The simplest way to deal with reverse engineering is to publish the source code as an OpenSource project.

On the other hand if this is a commercial project the OP should not be expecting to enhance his/her profit with free advice from this Forum.
...R

Robin2:
Exactly this.

That does nothing to explain where the security risk is coming from.

Even if there is no encryption, how could someone else have an Arduino with a clone of the OP's Arduino program? And if they did not already have a clone of the program, how could a clone be devised just by connecting an arbitrary Arduino into the PC?

And if there is a security risk, wouldn't it be much simpler just to have an identification process between the PC and the Arduino? The PC sends some message to the Arduino and expects a specific response.

Wouldn't it be even easier just to restrict access to the PC by locking the door of the room it is in?

...R

An identification process is one good method, but it can be sniffed and solved with RE.
The potential reverse engineer doesn't need to obtain the whole Arduino code, just to RE the "messages" that the Arduino sends to the Windows PC, create his own code, put it in his own Arduino and use it with my program.
Your method is good only if it is based on public/private keys.
Believe me, for some companies it is cheaper to RE a communication and make their own "hardware" with software from others. A good example is the OBD2 ELM devices. Chinese clones cost about 1/4 of the original price, and use the same software as the original.
I wish to prevent this.
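The identification process discussed in the two posts above, as an added example that is not part of any post in this thread: the PC sends a fresh random challenge and the device returns its readings with an HMAC-SHA256 tag over challenge plus readings, so a sniffed reply is useless against the next challenge. Both sides are simulated in Python for brevity; `DEVICE_KEY`, `Host`, `device_respond` and the `readings|tag` frame layout are assumptions made for this sketch, and the shared key still sits in both the PC program and the device flash.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); PC program and device both hold it.
DEVICE_KEY = bytes(range(1, 17))
TAG_LEN = 16  # HMAC-SHA256 tag truncated to 16 bytes


def device_respond(key: bytes, challenge: bytes, readings: str) -> bytes:
    """Device side: return readings plus a tag over challenge and readings."""
    payload = readings.encode("ascii")
    tag = hmac.new(key, challenge + payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + b"|" + tag.hex().encode("ascii")


class Host:
    """PC side: issues single-use challenges and checks the tagged reply."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fixed length, never reused
        return self.pending

    def verify(self, frame: bytes):
        """Return the readings if the frame answers the pending challenge."""
        challenge, self.pending = self.pending, None  # consume the challenge
        if challenge is None or b"|" not in frame:
            return None
        payload, _, tag_hex = frame.rpartition(b"|")
        try:
            tag = bytes.fromhex(tag_hex.decode("ascii"))
        except ValueError:  # also covers UnicodeDecodeError
            return None
        good = hmac.new(self.key, challenge + payload, hashlib.sha256).digest()[:TAG_LEN]
        return payload.decode("ascii") if hmac.compare_digest(tag, good) else None


def demo():
    host = Host(DEVICE_KEY)
    line = "2.56 12.58 14.57 0.36 5.59"  # constructed sample readings
    sniffed = device_respond(DEVICE_KEY, host.new_challenge(), line)
    genuine = host.verify(sniffed)   # accepted: answers the live challenge
    host.new_challenge()
    replayed = host.verify(sniffed)  # recorded frame against a new challenge
    return genuine, replayed
```
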

Hi emilr,

is your program so complex that someone couldn't create something similar in a short time?

Surely it can't be that difficult to read sensor data and manipulate it with a PC program?

Yes, it's nice to play around with things like encryption but I can't see that it would gain you anything commercially.

If there's money in it then someone will copy it and the best you can hope for is a few months of exclusive sales.

Peter

Peterd51:
Hi emilr,

is your program so complex that someone couldn't create something similar in a short time?

Hi Peterd51!
The simplest thing is to RE a communication; why waste time on your own development if someone can use your work?

Peterd51:
Yes, it's nice to play around with things like encryption but I can't see that it would gain you anything commercially.

It doesn't need to be commercial, but to prevent someone from using your work as his own.

Encryption would be the best, but the AES still doesn't work; I pasted a link to the source.
How do you solve these problems?

emilr:
I wish to prevent this.

emilr:
The simplest thing is to RE a communication; why waste time on your own development if someone can use your work?

It doesn't need to be commercial, but to prevent someone from using your work as his own.

Whatever are you trying to make that deserves all this protection?

If it's not commercial then why not just publish the code as an OpenSource project? It's good to share.

...R

emilr:
I wish to prevent clear-text communication over serial, from the Arduino Nano to the PC program.

So send binary data in packets with a CRC and your own protocol markers. Make every other byte random if need be; whoever could figure it out would be wasting the value of their time doing so, I'm sure.

Robin2:
Exactly this.

That does nothing to explain where the security risk is coming from.

Even if there is no encryption, how could someone else have an Arduino with a clone of the OP’s Arduino program? And if they did not already have a clone of the program, how could a clone be devised just by connecting an arbitrary Arduino into the PC?

And if there is a security risk, wouldn’t it be much simpler just to have an identification process between the PC and the Arduino? The PC sends some message to the Arduino and expects a specific response.

Wouldn’t it be even easier just to restrict access to the PC by locking the door of the room it is in?

The simplest way to deal with reverse engineering is to publish the source code as an OpenSource project.

On the other hand if this is a commercial project the OP should not be expecting to enhance his/her profit with free advice from this Forum.
…R

Don’t misconstrue my response as advocating this scheme or the veracity of it. I was simply stating my interpretation of what the OP was looking for.

I agree with you regarding using physical security to protect it if it was a “one off” product. If it were a commercially available product and one was trying to protect their intellectual property then that is a whole different issue and what the OP is seeking is a viable way to protect the IP. Whether the OP should seek the assistance of this forum to protect his IP is another debate.

Having said all of that, there have been suggestions of obfuscation to mask the details of the protocol. That will work for a while but someone could easily analyze that away. I’ve reverse engineered such communications in my career (in order to replace obsolete/unsupported components). Conversely, I’ve also implemented secure schemes to protect IP on commercial products. Confidentiality and non-repudiation are suited for such applications. The question is whether the processing and memory requirements can be supported by the Arduino.

I would propose the OP consider a level of encryption the Arduino can handle. Unless the product was a truly disruptive technology or a matter of national security (which would not be using an Arduino because of the CyberSecurity and tamper proof requirements) I don’t think anyone is going to go to a lot of trouble to replicate the OP’s application.

Protecting it more than twice its worth is enough. Don't forget to burn the lock fuses.

Disassembly of the PC program is the weak point anyway.

I have good experience with AES, but the problem is that an Arduino is a bit too weak for this.