Security... maybe MD5?

I have my arduino talking to my webserver. I need to make sure the arduino only runs things when the command comes from the webserver.

Currently I use cURL in PHP to send l=toggle8 to the arduinos IP, like http://192.168.1.30/?l=toggle8

The arduino grabs that and runs the function. But i can also manually go to that address locally and it runs the function. While its nice for testing, i need to know how to make them pass some sort of authentication between each other.

Can I, in C, generate a MD5 hash based on some sort of keyword or something? I know I can in PHP, and I could make them check against each other before it runs the function.

http://www.arduino.cc/cgi-bin/yabb2/YaBB.pl?num=1263301069

I saw that, but the post ended in

I am not a C/C++ guy, so I don't really know what to do.

which doesn't inspire confidence in the posts information.

There's the AVR Crypto library:

http://www.das-labor.org/wiki/AVR-Crypto-Lib/en

What you're trying to do is "digitally sign" the request from the web server. While MD5 is no longer considered secure, I suspect you'll be very safe using in your application.

A simple way to verify the request came from your web server is to generate an MD5 hash on the request and a large secret random number. On the Arduino, calculate the MD5 hash in the same fashion (request + the same large secret random number). If the two hash values are the same, it is very very likely the request came from your server.

The large secret random number, in some contexts, is called a "salt".

A simple way to verify the request came from your web server is to generate an MD5 hash on the request and a large secret random number. On the Arduino, calculate the MD5 hash in the same fashion (request + the same large secret random number). If the two hash values are the same, it is very very likely the request came from your server.

This is exactly what i'm trying to do. I know how to do it in php, but lacking in the syntax/libraries for C.

I'm digging into the AVR Crypto library now.

Maybe I don't know how to use it, but I took the MD5 folder out of the AVR Crypto library and put it into the libraries folder under arduino-0018.

I have this code:

#include <md5.h>
#include <md5_sbox.h>

Serial.begin(9600);
char strA[] = "Hello world!";
char destination[16];

void setup(){ 
 md5(destination, strA, 72);
}

void loop()
{
  
}

And i get this:
C:\arduino-0018\libraries\MD5\md5-asm.S:26:28: error: avr-asm-macros.S: No such file or directory

Ok, looks like I need the entire 70mb library. More to come.

Ok, yeah I have no idea what i'm doing.

I currently have the md5 hash being generated on the php server and have the hash hard coded into the arduino sketch. Anything wrong with doing it this way?

The exchange will be vulnerable to a "man in the middle / replay" attack.

Is that a concern in you application?

The exchange will be vulnerable to a "man in the middle / replay" attack.

Is that a concern in you application?

Considering it could only happen on my local network I think it's enough.

I'd have the server add something simple in the returned data that is unique to the server. The server could take the last number of something like the current time and an associated character and send that to the client. The client could check to see if the pair matched what is expected. I think people often get over done with security expecting that others are just dying to get into their system. If tight security is needed, then don't DIY, get professionals involved with the solution.

While probably overkill for this project, it seems like the MD5 algorithm isn't that complex - and should be easily implementable as a standalone library for the Arduino (vs an all-in-one like the avr crypto lib)...

:slight_smile:

Given this...

Considering it could only happen on my local network I think it's enough

Why do you need to do this...

I need to make sure the arduino only runs things when the command comes from the webserver

Is there someone malicious in your house?

If you control the physical part of the connection, the IP address of the sender (web server) is enough to verify the sender.

I do trust the ppl in my house.... But I also let friends get on my wifi sometimes.... oh i never posted what the arduino is doing...

Its part of my home automation system, dont want my friends pulling up at my house at 4am and turning my lights on and off...

But I also let friends get on my wifi sometimes

Which implies something in your house is a DHCP server. I'm going to guess it's the router / access point.

Assign a fixed IP address to your server. Configure your DHCP server to exclude your web server's address. On your Arduino, only execute commands that come from the web server's IP address. Problem solved.

It's not as interesting as digitally signing messages but it should take considerably less time.

Its part of my home automation system, dont want my friends pulling up at my house at 4am and turning my lights on and off...

Sorry to be a party pooper, but it is ~99.9999% sure deal that nobody will care anything about trying to penetrate and control your system. If you let people into your wifi system, they are much more likely to use your system for dealing child porn, email spamming and scamming, and other ugly things where you would be the suspect and not them.

Sorry to be a party pooper, but it is ~99.9999% sure deal that nobody will care anything about trying to penetrate and control your system. If you let people into your wifi system, they are much more likely to use your system for dealing child porn, email spamming and scamming, and other ugly things where you would be the suspect and not them.

You don't know my friends...

Which implies something in your house is a DHCP server. I'm going to guess it's the router / access point.

Sorta... I run 2 DL380 G3 racks. One for NAT and the other runs ESXi.