[openssl-users] https using OpenSSL for embedded device and java server

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Sarvesh Renghe
> Sent: Wednesday, March 29, 2017 07:32

> Now we want to send this data from modem to server in a secured way. Once option is to encrypt the data using
> RSAEncyptor before sending and decrypt the data using RSADescryptor after receiving.

This would be an inappropriate use of asymmetric cryptography. Don't use a chisel as a screwdriver.

More importantly: Don't roll your own cryptography, including cryptographic primitives, cryptographic protocols composed from primitives, application protocols composed from cryptographic protocols, and so on. Don't do that if you don't know why you shouldn't. Don't do it even if you do know why you shouldn't. Unless you're a professional cryptographer and protocol designer with a deep understanding of why you shouldn't do it, don't do it.

>  Second option could be to use https protocol so that it is more standardized. So if we have to use second option, what
> should be the approach?

Why are there only two approaches? There are a lot of secure application protocols. HTTPS is a viable one for some applications, but not for all. What about SSH, for example?

You've reduced this to a false dichotomy between "do something with a cryptographic primitive" and "HTTPS". That suggests what you actually need to do is:

1. Understand your users' threat models.
2. Understand the attack space defined by the attack surface of your device / application and those threat models.
3. Determine what risks in that space can be remediated by cryptography, and from that a list of cryptographic requirements.
4. Decide what existing cryptographic application protocol will satisfy those requirements, as much as is feasible with reasonable cost. ("Cost" here includes money, your effort, the work and cognitive load required of customers, etc.)
5. Look for suitable implementations.

Cryptography is difficult. Implementing it successfully requires special expertise.

>  Are there readymade libraries available to send it on https from modem in embedded C?

Not a question for this list, I'm afraid.

> Are there corresponding libraries available in java to receive it on server?

Nor is this. There is a vast amount of information available online and in books regarding cryptography in general and HTTPS in particular for Java.

>  What should be overall architecture. We though OpenSSL can help in this.

The OpenSSL software? The OpenSSL organization? The community?

I'm afraid the best advice is to acquire expertise in cryptography and IT security. Whether you do that in-house by studying or hire it in, that's the only viable path to a solution that's actually secure.

> I am new to this and may not have given all the information required.

Sure. Everyone's new at first. Unfortunately this is not an area in which you can get a quick answer that's of much use. (Say someone says "just use HTTPS". That's fine, but how will you manage certificates? How do you handle errors? How do you unlock private keys at startup?)

>  Also you may direct me to appropriate forum, if this is not the right forum.

No forum will suffice, if you want to do this right. You have to start with cryptography and security basics, and those are best learned through books or courses.

And it's not possible, except by chance, to recommend an approach without knowing the threat model. Do you need to provide confidentiality, integrity, identity, non-repudiation, timestamping? Against what threats, and with what cost to the attacker? Will all the product's users have similar threat models, or are there a variety? Do some of them have regulatory or other requirements (PCI-DSS, HIPPA, FIPS 140-2, ...) that have to be met?

Michael Wojcik 
Distinguished Engineer, Micro Focus