“There are a thousand hacking at the branches of evil to one who is striking at the root.” – Henry David Thoreau
Staying Safe on the Network
There’s been a lot of talk lately about staying safe, and rightly so. But how can you keep your IoT devices safe on the internet? Indulge us for a minute, and imagine the following scene:
You’ve just phoned your Uncle George who lives a thousand miles away. It’s been well over a year since you last spoke with him, so you’re looking forward to hearing his calming voice.
“Hello, Uncle George?”
“This is your nephew Jack. How are you and Aunt Bea doing these days?”
A familiar voice responds:
“Jack! It’s great to hear your voice, my boy! Your Aunt and I are just fine, absolutely spectacular, thank you. So, tell me, son, to what do I owe the elegant pleasure of your phone call this morning?”
Sure enough, even though you can’t see him, you relish the sound of Uncle George’s resonant baritone. The combination of his Southern accent and over-the-top manners crossing the miles via your phone connection is a delight to your ears, and you have absolutely no doubt that it’s your dear Uncle George who picked up the phone.
“It’s really nice to talk to you as well, Uncle George. I’m sorry it’s been so long! But a fellow named Tom Shaw contacted me, claiming he’s my third cousin? And that you told him we’d discount his stay at our bed and breakfast? I just want to be sure we’re not being scammed by some stranger.”
The next thing you hear is your uncle’s booming laughter.
“So that’s what this is about? Yes siree Bob, I did mention your fine bed and breakfast to Tom last time he and Sally were over for dinner. Sorry I forgot to tell you about them! Don’t worry, boy, I’ll text you a photo of your cousin.”
“Thanks, Uncle George!”
A few minutes later, you’re looking at a photo of Tom and Sally. You look forward to meeting them, and in fact you think you’ll probably comp their stay at your B&B and see if they’ll let you show them around town. It’s not every day you discover a long-lost cousin!
What just happened?
You have, in fact, just run through a peer verification protocol with your Uncle George. As a result, you now have a very high degree of confidence that Tom Shaw is who he says he is.
In a recent Learn Blog article about network security, we looked at the differences between RSA and ECC encryption. Encryption is key for keeping your data secure from prying eyes. In this Learn Blog article, we’ll take a look at how peer verification works across the internet. We’ll also explain why you should use it, and how it complements encryption for a more complete secure connection. Finally, you’ll see how NetBurner’s serial to Ethernet applications and development libraries support peer verification. This can make it easy for your IoT devices to positively differentiate between friend and foe across the vast and sometimes dangerous world of internet connections.
What is Peer Verification?
In a nutshell, peer verification is a process by which two entities that want to establish a connection via the internet assure one another of their true identity. No matter which side of the communication you may be on, you want to be sure “the other guy” you’re talking to is really who he says he is.
Why The Need to Verify Your Peers?
For a moment, consider the nature of public key encryption. It’s true that only you can decode and read messages encoded with your public key. However, you have to remember that your public key is public. Anyone at all can find and use your key; after all, you’ve published it for that very purpose. The question then arises: how can you (i.e., your IoT device) be sure that the client or server that sent you a message is really who they claim to be? Sure, you’re using asymmetric encryption to communicate with “them” in code, but who is “them?”
Knowing with certainty who you’re communicating with is essential because your IoT application needs to be sure that every access to the data and commands it allows is legitimate. It’s the age-old problem of interlopers; there are plenty of black-hat hackers out there, ready to gum up the works by taking over your internet transactions for their own nefarious purposes.
Fortunately, there are standards that specify ways you can use encryption to identify friends and to reject foes. This prevents your IoT device from unknowingly talking to an enemy and is where peer verification comes into play. By first going through a handshake protocol designed for this very purpose, you can be very sure that you are talking to a client or server that you trust.
The TLS Peer Verification Standard
The most widely used internet standard for peer verification (and secure communication in general) is called TLS (Transport Layer Security). TLS defines a verification “handshake,” an initial back and forth conversation between any client and server to help them decide whether and how they are willing to talk to one another.
Getting into every gory detail of TLS is beyond the scope of this article; you can check the references at the end if you want to dig deeper. For now, we’ll point out and focus on one particular step in that protocol that many have struggled with.
At the very heart of the TLS protocol is the use of a trusted third party—an entity that both sides of the communication rely on to vouch for them. This third party is known as the Certificate Authority (CA).
What is a Certificate Authority?
Simply stated, a certificate authority is anyone whom you, by your actions when establishing a connection, choose to trust to vouch for the identity of the entity you subsequently communicate with.
Reputation, Reputation, Reputation
In the real estate business, it’s been said that the three most important features of a property are location, location, location. When choosing a certificate authority, it is usually the authority’s reputation that matters the most.
In almost all cases, this means that the certificate authority will be one chosen from a fairly short, widely known list of professional organizations. These organizations take great pains to verify the identity of websites and their internet domain owners.
How Does a Certificate Authority Validate a Certificate?
Any internet domain owner can submit an application to the certificate authority organization of their choice requesting them to sign their certificate. When the certificate authority receives an application requesting their signature, they then require the applicant to jump through various hoops to prove their identity.
For example, they may ask the requester to place some unique, identifying string on a web page under the control of the domain in question. Other tests may be applied, such as phone calls or text messages sent to a phone number listed in the domain’s “whois” listing.
Only after the certificate authority has verified the source of the certificate application to its satisfaction will it respond to the request. It does this by cryptographically signing the certificate for the use of the applicant. Subsequently, until it expires, that certificate can provide a reasonable level of confidence in the identity of the certificate holder. In our lead story, you recognized Uncle George’s voice on the phone, and he sent you a photo of Tom for verification; but in the case of an internet certificate authority, you need some special cryptographic tools to help establish identity.
The rest of this article is intended to walk you through finding and using the one vital piece of information you need from the certificate authority in order to perform peer verification. This piece of information is called the Root Certificate.
Setting Up The Basics for Peer Verification
As an IoT device implementer, your mission—should you decide to accept it—is to get to the root of the matter. But is this Mission Impossible?
A key question that must be answered to enable peer verification is, “Where do I find a copy of the Certificate Authority’s root certificate?” Sometimes, even the simplest things can be hard to figure out without a little guidance.
Take heart! You’re not the first engineer who has been left scratching his head over finding these certificates. Fortunately, finding the root certificate you need is actually a fairly simple manual process.
The first thing you have to figure out is which Certificate Authority issued the peer’s TLS certificate. If you trust that authority, and if they have signed your peer’s certificate, then you’re golden.
Identifying the Certificate Authority
Finding out which Certificate Authority a web peer is using is a straightforward, manual process.
For the purposes of this example, we’ll be finding the Certificate Authority for https://google.com by using the Google Chrome browser. We’ll then use that information in a handshake between our IoT device and Google to verify that it is, in fact, Google that we’re talking to.
Start by opening up the URL in your web browser. There, right next to the google.com URL, you’ll see a small padlock. Hover your mouse over the padlock and click it.
Once you’ve clicked on the padlock, you’ll be able to select “Certificate”:
After clicking on “Certificate,” you’ll see a hierarchy of three certificates:
This hierarchy is called a certificate chain or certification path. The entry at the top is the Root Certificate for the GlobalSign Certificate Authority. The root certificate has signed the two certificates listed under it.
Now you know that GlobalSign is the Certificate Authority that vouches for https://google.com. You also know that the Chrome browser has been able to validate that it is in fact Google. If next you click on GlobalSign at the top, you’ll see the following additional details:
Among those details in this example, it is the Organizational Unit, ‘GlobalSign Root CA – R2’, that is the key bit of information you need. You’ll find this process to be very much the same with most widely used web browsers.
Getting a Copy of the Root Certificate
The curl project’s website provides a collection of the most-referenced Certificate Authorities’ Root Certificates. These are distributed in a format (called PEM) that makes it easy for your IoT software to use. Go to this curl link: ‘Extract CA Certs from Mozilla’. From the top link on the page, labeled “cacert.pem”, download the most recent compilation of certificates, contained in a file called, surprise, cacert.pem.
If you download cacert.pem, you can edit it with any text editor and extract the root certificate(s) for the CAs you need to use. Though unintelligible to mere humans, trust me: your TLS library will love it! The entry for ‘GlobalSign Root CA - R2’ in that file, from its -----BEGIN CERTIFICATE----- line through its -----END CERTIFICATE----- line, is the actual text in PEM format that you’ll feed to your IoT device’s peer verification firmware.
Validating the Certificate
Assume for the moment that your IoT device wants to verify that it is communicating with the real Google website. Your device can use a copy of GlobalSign’s root certificate to verify that the trusted authority in fact issued the certificate your peer (Google) has presented you with.
By the way, you can use this same procedure to discover the root certificate authority for whatever peer you may want your IoT device to communicate with.
Ready to Rock? Let NetBurner Help
Whether you’re using an off-the-shelf device server or building your own embedded IoT application using one of our development kits, NetBurner can help ensure that you’re talking to exactly who you think you are.
While you could implement peer verification entirely on your own by following published standards, NetBurner products, software, documentation, and support can get you there a lot faster and easier. Why not let us help?
Providing the Information
The root certificate you found and extracted from the cacert.pem file for the Certificate Authority you want to use can be fed to the NetBurner SSL/TLS library in the text format extracted from the PEM file. You can either compile it into your code as a string, or store it in a file to be read into your IoT device at runtime. Already have a development kit? See the examples found in
<NNDK Install>\examples\SSL\SslClientVerifyPeerBasic and
<NNDK Install>\examples\SSL\SslClientVerifyPeerEffs to see how to approach these two methods, respectively.
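The manual steps above (pull one CA's entry out of cacert.pem, then compile it into your code as a string) can also be scripted. The following is an added example, not NetBurner code: it assumes the cacert.pem layout of a label line, an "=" underline and a PEM block; the sample bundle is constructed with placeholder bodies, and the function names and `kRootCaPem` are hypothetical.

```python
import hashlib
import re
import ssl

# Constructed sample in the cacert.pem layout. The base64 bodies are
# placeholders, not real certificates.
SAMPLE_BUNDLE = """\
## Bundle of CA Root Certificates (constructed sample)

Example Root CA - X1
====================
-----BEGIN CERTIFICATE-----
RXhhbXBsZSBSb290IENBIFgxIHBsYWNlaG9sZGVyIGJvZHk=
-----END CERTIFICATE-----

Example Root CA - X2
====================
-----BEGIN CERTIFICATE-----
RXhhbXBsZSBSb290IENBIFgyIHBsYWNlaG9sZGVyIGJvZHk=
-----END CERTIFICATE-----
"""

# One entry: label line, "=" underline, then the PEM block.
ENTRY = re.compile(
    r"^(?P<label>[^\n#]+)\n=+\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)

def split_bundle(text):
    """Map each CA label in the bundle to its PEM block."""
    return {m["label"].strip(): m["pem"] + "\n" for m in ENTRY.finditer(text)}

def extract_root(text, label):
    """Return the PEM block for exactly the named CA, or fail loudly."""
    roots = split_bundle(text)
    if label not in roots:
        raise KeyError(f"{label!r} not in bundle; found {sorted(roots)}")
    return roots[label]

def sha256_fingerprint(pem):
    """SHA-256 of the DER bytes, to compare with the browser's certificate view."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def as_c_string(pem, name="kRootCaPem"):
    """Render the PEM as a C string constant for compiling into firmware."""
    lines = [f'    "{line}\\n"' for line in pem.splitlines()]
    return f"const char {name}[] =\n" + "\n".join(lines) + ";\n"
```

Matching on the exact label rather than a substring keeps a similarly named root from being embedded by mistake, and the fingerprint gives you something to compare before the certificate goes into a firmware build.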
For NetBurner’s device servers and serial to Ethernet servers, the web interface provides a handy way to upload your Certificate Authority’s root certificates directly to the NetBurner device. For more information please see the HTTPS section of the Secure Serial Factory Application User’s Manual.
As always, we love to hear what’s on your mind. If you have any additional questions or thoughts on peer verification, please let us know in the comments below. You can also email us directly at firstname.lastname@example.org.
Digging Deeper: Recommended Reading
This article provides only a simple overview of what’s involved in peer verification. If you want to go deeper, you’ll want to gain a more comprehensive understanding of how TLS works. This is especially true if you’re implementing an actual peer verification handshake protocol for your IoT devices.
Here’s a well-written article that presents a more thorough, but still simple (and quite amusing!) overview:
And we can’t recommend this NetBurner document highly enough:
The resources listed below are also very helpful.
Some NetBurner TLS Resources
NNDK 3.2 Documentation: SSL Programming Guide
Learn Blog Article: Comparing RSA and ECC Encryption
NetBurner SSL/TLS How To: “Creating a Self-Signed SSL/TLS Certificate for Secure IoT Applications”
SSL/TLS Basics: “Cover Your Data Assets with TLS”
WebSockets for Real-Time Web and IoT Applications: Part 1, Part 2, Part 3
NetBurner Cipher Support: The Latest Ciphers June 2018
Other TLS Resources
CURL Homepage: https://curl.haxx.se/
Peer Verification RFC: “Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)”
Acunetix’ comprehensive series of articles on TLS Security
IBM Knowledge Center: Cryptographic security protocols: SSL and TLS
SSL — A network Secure Socket Layer; uses encryption for security
TLS — Transport Layer Security, an upgrade for SSL
Peer Verification — A method to positively identify and secure client-server communication
Public key encryption — Asymmetric encryption used for peer verification
Certificate Authority — A trusted 3rd party that vouches for internet peers
Root Certificate — The published, verified signing key used by the Certificate Authority
Certificate Chain or Certification Path — A list of certificates used to authenticate a peer
PEM — File format used for checking root certificates