#232 How to secure our devices using SSL (ESP8266, ESP32, Tutorial)

Captions
Most of our IoT devices are insecure and vulnerable. It is high time to learn how to make them more secure, also because unsecured devices will no longer be able to use valuable services without using the HTTPS protocol. Already now, Google services, for example, no longer accept unsecured connections. But is it complicated? Let's find out.

Grüezi YouTubers! Here is the guy with the Swiss accent, with a new episode and fresh ideas around sensors and microcontrollers.

Our ESP8266 and ESP32s support such secure connections. In this video, I will show you how to change our unsecured sketches in a few simple steps, and you will learn some basics about encryption and certificates, which you can use during the next discussion with your boss or your colleagues. We will cover: How does SSL work? We just need the most basic knowledge. How can we access cloud services using HTTPS with our ESP8266 and ESP32s? How can we create trust? And how much more memory is needed to do that?

Internet traffic is not at all secure unless your devices use the HTTPS protocol. This protocol has two purposes: (a) it encrypts all traffic transported across public networks, and (b) it creates trust: you always know who you are connected to. Both are very different things, but this protocol combines them into one infrastructure. For our purpose, it is essential to know that point (a) is mandatory if you want to use HTTPS. Point (b) can be omitted if you do not fear very sophisticated attacks.

Let's start with number one: how does SSL encrypt our messages? It uses public key cryptography. What does this mean? Before the invention of that concept, both sides had to use the same secret key, and horsemen had to be sent out to bring the key to the other side. Using the same key for encryption as well as for decryption is called symmetric key cryptography. Mathematically, it is quite simple and fast.

What is the difference between the two cryptographical methods? Public key cryptography uses two different keys and therefore is called asymmetric. If a message is encrypted with a public key, only the owner of the private or secret key can decrypt the message, and vice versa. The public key itself has no value. Because of that, it can be distributed over unsecured lines. No horseman is necessary anymore; you can broadcast it everywhere. Great concept. By the way, this is why the inventors of this concept got the famous Turing Prize.

Back to our case. If your device calls a server using HTTPS, it gets the public key of the server, because this key is part of a thing called a certificate. You find it when you press the padlock sign in your browser and press "Show certificate". First, you see the validity of this certificate, which is vital for our future steps. Here, its validity is only a few months. After that, it will be changed. Then you go to "Details" and you find the public key. Our device starts to encrypt messages using this key, and the server, having the corresponding private or secret key, can decrypt the messages.

This asymmetric key procedure is slow because it is mathematically complex, and therefore not suitable for fast internet traffic. This is why our device sends a symmetric key to the server. This is secure because the message is encrypted using the asymmetric keys. Now the server and your device have the same key and can change to a symmetric encryption, which is much faster.

Fortunately, all this heavy lifting is done by the WiFiClientSecure library, which we have to use instead of the WiFiClient library. We also have to use a different port, 443 and not port 80, to talk to the server. The rest of the code stays pretty much the same if we only want to use encryption. Cool, our device is future-proof and safe without lots of work. Point number two and the encryption part of point number one is covered. Because our device uses SSL and encryption, all servers accept our connection.

Point number three is more complicated, but I show you how to succeed also here. The internet offers two fundamental ways to create trust, and Evan from Espressif created two different example files for that purpose. I used these example files to create two sketches for the ESP8266. Please upgrade first to version 2.4.2 in Boards Manager, otherwise you will not find these examples. The two example files are called HTTPSRequest and HTTPSRequestCACert. I changed them so that they access howsmyssl.com, a web page which shows us how good our SSL capabilities are. This page can also be called by a browser. In my case, after checking the different cryptographic capabilities of my browser, its verdict is "Probably Okay" for the Chrome browser.

Let's come back to the sketches. The difference between the two is how they create trust. HTTPSRequest uses a so-called fingerprint, and HTTPSRequestCACert uses a certificate for that purpose.

How does the internet create trust? It starts with a very reputable company everybody can trust. This company is called a certificate authority. This company can issue certificates to other trusted companies, not without making sure that they are also trustworthy. Just like the Mafia, where you have the capo or boss, which publicly trusts a few people around him. These trustworthy entities also can issue certificates, and because we know that the capo trusts them, we also trust these people. As we can learn from Wikipedia, each Mafia tribe has its own procedure to create this trust. I do not know if the Mafia method was the basis of HTTPS. Probably not, but if everybody posts this fact on social media, maybe it becomes the truth.

In HTTPS, all its trust is created using a chain of unbreakable certificates. We can see this chain in the browser if we press the "certificates path" tab. If we move up the chain, we see that the root certificate lives much longer. If we could build our trust on this certificate, we would not need to change it every few months. This is precisely what our browser does: it goes up this hierarchy until it reaches the root and checks if it knows this certificate. Then it can trust all certificates in the chain.

There is not only one Mafia organization, and there are also many certification authorities. Your browser knows all of them, and with each browser update this list is updated, too. By the way, if the capo dies or gets insane, we have a problem with the certificates issued by this organization, which happens from time to time and creates a lot of turmoil. This can also happen on the internet, as we saw in the Netherlands when DigiNotar became insane and created more than 500 fake certificates.

But how do our ESPs deal with certificates? Because they do not have the storage capabilities of a browser, they usually only store one certificate, or even less: the fingerprint, an abbreviation or hash of a certificate. Now we finished the trust part of point number one.

Back to the examples. The HTTPSRequest example uses the fingerprint of the bottom certificate and cannot go up the hierarchy to the root. As we saw, this certificate usually is only valid for a few months, and because we usually hard-code the fingerprint into our sketch, it stops running after a short time if we do not regularly update the certificate information. But the fingerprint also has an advantage: it is very short and straightforward. This fingerprint works with many servers, but not always. Because companies can use different servers with different certificates, we might get an error message even if we think we have a valid fingerprint. In my case, Google did not accept the fingerprint presented in the browser if used by the ESP8266.

Let's summarize what we know till now. To access HTTPS web services, it is sufficient to use the WiFiClientSecure library instead of WiFiClient. We do not need a valid certificate because the service sends one to our ESP at the beginning of each conversation. Only if we want to make sure the service we call is really what we think, we can check the validity of that certificate. We can either use a fingerprint or a root certificate to create this trust. The fingerprint usually is only valid for a few months. We can use the root certificate to do this check if we do not want to change our sketch frequently.

Let's now do some tests and start with HTTPSRequest.ino and the fingerprint on the ESP8266. If we use a wrong fingerprint to access howsmyssl.com, our sketch shows that the fingerprint does not match, but it continues and still gets the response from the service as a JSON-formatted text. To make it more readable, I paste it into a JSON interpreter. We see the rating of the ESP8266 SSL library: "Improvable". The same rating is given if we use the correct fingerprint. The wrong fingerprint does not hinder our connection, nor does it influence the rating, but we are not sure if we are really connected to howsmyssl.com. A bad guy could have hijacked your connection to, for example, a porn site. Fortunately, also here I have a simple trick: as long as your ESP8266 does not become red or very hot, it is most probably not connected to a porn site. Or is this perhaps also fake news?

The check of the fingerprint is done with this statement. If we delete these lines, we omit the check, and our sketch works and creates encrypted connections for a long time.

We continue with the HTTPSRequestCACert example on the ESP8266, which needs a certificate. Unfortunately, this is more complicated. First, we go with our browser to the site we want to access, choose the root certificate, and copy it to a file. Let's call it howsmyssl.cer. In Chrome, you can select the format. Choose the DER coded X.509 format. If you open the .cer file with your preferred text editor, you see this scrambled text, but our ESP8266 needs this nice-looking hex format. This is why I wrote a small Python program which does that conversion for you. Just enter the file name of the DER coded file and run it in Python IDLE. Now you get the certificate, including the necessary code, which you can copy and paste into the Arduino IDE. This sketch now runs for a few years because it uses the root certificate. Problem solved, for the ESP8266 at least. As usual, you find a link to the code and the Python programs in the video description.

How many resources does the ESP8266 need? This sketch uses 31% flash and 37% dynamic memory with a fingerprint or a certificate. A non-secure sketch would use 24 respectively 35 percent, around 30 percent less. This is acceptable for what we get.

Let's continue with the ESP32. There, I only found an HTTPS example using a root certificate. The example is called WiFi Secure. It does not behave like the ESP8266, where we have a separation between encryption and trust. With the ESP32, we need to set a CA certificate with the command client.setCACert. Then the client connect method uses this certificate and does not connect if it is not valid. So here you definitely need a certificate. Fortunately, it is not too complicated to get one. This time, we export the root certificate in the X.509 Base64 format. Again, I wrote a small Python program which converts this certificate file into a text which we can copy and paste into our example file. It looks different from the ESP8266 format, but the content behind the scenes is the same. The rest of the calls are the same as with HTTP, and if we call howsmyssl, we even get a "Probably Okay", the same as with the Chrome browser. Not bad. Probably because it supports many more cipher suites and some other stuff.

The ESP32, as usual, uses much more resources: 62% flash and 12% dynamic memory. Without encryption, it uses 46, or a cert less flash.

Summarized: we learned that public key cryptography is used to securely exchange symmetric keys between our ESP and the server. The public key is part of the certificate sent by the server to the ESP at the beginning of a session. The symmetric keys allow efficient encryption of the traffic during a session. All this is done by the secure libraries on the ESP8266 and ESP32. With the ESP8266, you have three options: using no certificate, a fingerprint, or a certificate. I would not use a fingerprint unless it is valid for a long time, which is hardly ever the case. The ESP32 has a better library but needs a valid certificate if you want to use HTTPS. I wrote small Python programs to format both certificates as needed. Together with the other knowledge, it is easy to convert our sketches to HTTPS.

I assume that parts of this know-how are also valid for other Arduinos using internet connections. New Arduinos have a cryptographic chip on board, which makes it even easier to deal with HTTPS. By the way, if your ESPs do not do what you want, you can switch debug messages on. Then you see what's up, and maybe you find the problem, not only to debug HTTPS code.

I want to thank all my supporters on Patreon and viewers using my links for their purchases for supporting the channel. Without you, it would be difficult for me to do what I do. Now, bye.
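The Python conversion programs mentioned in the captions are only linked from the video description and do not appear on this page. As an added example (not the author's programs), the sketch below shows the three conversions the video walks through: DER bytes to a hex array for the ESP8266, PEM (Base64) text to a C string for the ESP32, and the fingerprint of a certificate. The names `caCert`, `caCertLen`, `root_ca` and all function names are assumptions, the fingerprint is assumed to be the SHA-1 hash of the DER bytes as browsers display it, and `SAMPLE_DER` is constructed stand-in data, not a real certificate.

```python
import base64
import hashlib
import textwrap

# Constructed stand-in bytes, NOT a real certificate. A real run would use
# open("howsmyssl.cer", "rb").read() on the file exported from the browser.
SAMPLE_DER = bytes(range(40))


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armor lines and Base64-decode the body to raw DER."""
    stripped = (ln.strip() for ln in pem.splitlines())
    body = "".join(s for s in stripped if s and not s.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, 64 Base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = ["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
             "-----END CERTIFICATE-----"]
    return "\n".join(lines) + "\n"


def der_to_c_array(der: bytes, name: str = "caCert") -> str:
    """ESP8266 style (assumed names): hex byte array plus its length."""
    rows = [", ".join(f"0x{b:02x}" for b in der[i:i + 12])
            for i in range(0, len(der), 12)]
    body = ",\n  ".join(rows)
    return (f"const unsigned char {name}[] PROGMEM = {{\n  {body}\n}};\n"
            f"const unsigned int {name}Len = {len(der)};\n")


def pem_to_c_string(pem: str, name: str = "root_ca") -> str:
    """ESP32 style (assumed name): PEM text as adjacent C string literals."""
    lines = [f'  "{ln}\\n"' for ln in pem.strip().splitlines()]
    return f"const char* {name} =\n" + "\n".join(lines) + ";\n"


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, formatted as space-separated hex pairs."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(der_to_c_array(SAMPLE_DER), pem_to_c_string(pem), sep="\n")
    print("fingerprint:", sha1_fingerprint(pem_to_der(pem)))
```

Because the fingerprint is a hash over the whole certificate, it changes whenever the server's certificate is reissued, which is why a hard-coded fingerprint of the bottom certificate stops matching after a few months while an embedded root certificate does not.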
Info
Channel: Andreas Spiess
Views: 86,661
Keywords: arduino, arduino project, beginners, diy, do-it-yourself, eevblog, electronics, esp32, esp32 project, esp32 tutorial, esp8266, esp8266 project, greatscott, guide, hack, hobby, how to, iot, nodemcu, simple, smart home, ttgo, wemos, wifi, https, esp8266 https, esp8266 ssl, ESP32 ssl, esp32 https, certificate hierarchy, certificate authority, howsmyssl, arduino ide, private key, transport layer security (protocol), transport layer security, TLS, public key, project, ssl tutorial, HTTPS tutorial
Id: Wm1xKj4bKsY
Length: 17min 27sec (1047 seconds)
Published: Sat Oct 13 2018