End-to-End Security


#1

-I am wondering how the security is managed in bluz project? Is it End-to-End? For example, if I send a command from my mobile to the device, the content of my command is visible on it’s way to the device (e.g., in the cloud or the gateway), or it is encrypted between the mobile and the BLE?

-Morover, is it possible to replace the public cloud (spark) with an on-premises server?


#2

Data is encrypted all the way from the device to the final endpoint as long as you are going through the cloud. So there is a handshake that takes place when bluz connects, and all further communication from bluz to the cloud is encrypted. That includes all subscribers of events from the cloud, the data is encrypted from the hardware on bluz to that endpoint. Even the gateway themselves cannot decrypt or see the data passing through them.

That encryption is all completely separate from BLE encryption.

Now, if you use local communication to talk directly from bluz to some other device over BLE and bypass the cloud, there is no encryption. However, you could add your own on top. It is just a channel to send data, so you could encrypt it yourself if you need to.

There is an open source version of the Particle cloud. Originally Particle supported it but then someone picked it up and ran with it. I can never find the link, but if you search on the Particle forums I am sure you can find it.


#4

Hey Eric- Thanks for the explanation. Since the local communication is not encrypted, it raises a question for me. To me there are two approaches:

We encrypt the communication between the BLE device and the cloud! And then we use HTTPS for the connection between cloud and the mobile application. But, in this way, Cloud can decrypt and see the data passing through it.

During the installation phase, the Application (iOS, Android, etc.) directly handshake with the BLE device and agree on a key (End-to-END). In this approach, even the cloud cannot decrypt the packages between BLE device and the mobile application.

Could you please let me know which approach is deployed?

May I also ask, what library is used for handshaking and encryption? Is it ECDH and AES? I understand that WolfSSL provides a library for that. But I am not sure how did you implement it in your code (Nordic BLE module, Cloud, and Mobile Application).

How many shared-key be stored in the BLE device? Is there any limitation?


#5

The handshake to the cloud uses RSA public/private keys, then swaps AES encryption once keys are established.

There is no encryption at the BLE level. This has been shown in multiple ways to not be secure.

Most of the code in bluz firmware is TropicSSL to do the above.

There are keys on each bluz for connection to the cloud. You can see a bit of an explanation here: http://docs.bluz.io/tutorials/bootloader/#updating-keys. Those are the RSA keys used for the initial handshake.

Most of the above is very specific to the Particle cloud communication. You can, however, add any other type of encryption on top to do what you need.