I am building an IoT platform that should receive data from a Raspberry Pi over a REST API. Assuming the platform could in the future be used to manage multiple devices of multiple users, my question is how the device should be assigned correctly (and securely) to the account of the user who owns the device. The simplest solution would be to issue an access token that is linked to a user and a device, which is then manually (e.g. with a Bluetooth app) deployed to the device. Whenever the device sends data to the server, the access token ensures that the data is associated with the correct user account.

However, this method does not prevent the user from logging in to the server manually, e.g. using a Python script. I was thinking about a private/public key mechanism that could ensure that only the device with the correct private key is able to post data to the server. I also have an idea about how to implement this, but my question is: is this really needed? Is it a problem if users can log in to the server manually (without the device)? Does it matter what data is sent to the server if the API post includes a valid access token?

kleka

2 Answers

There is a simple way to prevent your users from using your REST API from outside their RPI. It would work in the following way:

  1. You protect the file system of the RPI by a root password that is not shared with the user. The filesystem must be encrypted too.
  2. Instead of assigning an access token to a user, you assign a security key.
  3. The user puts the security key on the RPI as a non-root user.
  4. The RPI calculates a unique token for every API request using the security key and any unique part of the message body of the request (e.g.: a request counter). For example: a unique token could be the hash of the security key concatenated with the counter.
  5. Since the server knows the security key and the way to calculate the unique token, it can verify every token.
  6. Since users don't know how the unique tokens are calculated, they cannot use the API through an external Python script.

Please note that this way of authentication works even in case the API requests are not encrypted.

Norbert Herbert
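The per-request token scheme from steps 4 and 5 of this answer, written out as an added example (this is illustration code, not the answerer's implementation). The device derives a token from its security key, a request counter and the body; the server recomputes it and refuses any counter that does not advance, which is what turns the counter into replay protection. Two assumptions of the example: the token is an HMAC-SHA256 over counter || body rather than the plain "hash of key concatenated with counter" the answer mentions, so the body is covered as well, and the device id, key and readings are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample: the server's table of per-device security keys.
# A real deployment would store these in a database and provision them out of band.
DEVICE_KEYS = {
    "rpi-0001": bytes.fromhex(
        "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
    ),
}


def make_token(key: bytes, counter: int, body: bytes) -> str:
    """Device side: derive the per-request token from the security key,
    the request counter and the request body.

    Assumption of this example: HMAC-SHA256 over counter || body, rather than
    the plain hash of key || counter described in the answer.
    """
    msg = counter.to_bytes(8, "big") + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(device_id: str, key: bytes, counter: int, payload: dict) -> dict:
    """Device side: serialise the payload canonically and attach counter and token."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {
        "device": device_id,
        "counter": counter,
        "body": body,
        "token": make_token(key, counter, body),
    }


class Server:
    """Server side: recompute the token and reject stale or replayed counters."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}  # device id -> highest counter accepted so far

    def verify(self, device_id: str, counter: int, body: bytes, token: str):
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        # A counter that does not increase means a replayed or out-of-order request.
        if counter <= self.last_counter.get(device_id, -1):
            return False, "replayed or stale counter"
        expected = make_token(key, counter, body)
        # Constant-time comparison so token checking does not leak timing information.
        if not hmac.compare_digest(expected, token):
            return False, "bad token"
        self.last_counter[device_id] = counter
        return True, "ok"


def demo() -> list:
    """Send four requests to one server and return the verdict strings."""
    server = Server(DEVICE_KEYS)
    key = DEVICE_KEYS["rpi-0001"]
    verdicts = []

    req = build_request("rpi-0001", key, 1, {"temp": 21.5})
    verdicts.append(server.verify(req["device"], req["counter"], req["body"], req["token"])[1])

    # The same request sent again: the counter no longer advances.
    verdicts.append(server.verify(req["device"], req["counter"], req["body"], req["token"])[1])

    # Body altered in transit while the counter is bumped: the token no longer matches.
    tampered = req["body"].replace(b"21.5", b"99.0")
    verdicts.append(server.verify("rpi-0001", 2, tampered, req["token"])[1])

    # The next legitimate reading is accepted.
    req2 = build_request("rpi-0001", key, 2, {"temp": 21.7})
    verdicts.append(server.verify(req2["device"], req2["counter"], req2["body"], req2["token"])[1])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Note that the server only records a counter after a request has fully verified, so a forged or tampered request cannot burn a counter value that the real device will use next. The security of the whole scheme still rests entirely on the device keeping its key unreadable, which is what steps 1 and 3 of the answer are for.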

You can try some workflows provided by OAuth providers.

Essentially, you place some credentials in the machine and use them to procure a token. The token is then sent along with your requests to your server. Both the RASPI and your REST service use the provider as a reference for the validation of the requestor.

If you need more information, you can refer to this link. Although specific to Auth0, it can provide you with a starting point.

https://auth0.com/blog/using-m2m-authorization/

Venkata Rahul S