On Monday 31 May 2021 at 07:17:52, Garry Adkins wrote:

> > If these things don't have access to the Internet, what security concerns
> > are you trying to address by using encryption at all?
> >
> > Maybe you could explain where the IoT devices are and where Apache is, in
> > networking terms, so we can understand what communications you are trying
> > to secure, and against what threats.
>
> The devices are very simple embedded controllers, and they're monitoring
> environmental factors; the exact things they monitor depend on how they're
> configured.
>
> Apache is installed on a dedicated computer with a private wifi network
> that houses the control scripts, update files, and database. This machine
> is also not internet connected. The machine can be queried to create
> reports on the data, and can reach out to a third machine (via wired lan)
> to send alerts if something goes out of range. It currently runs a version
> of Debian.
>
> The security concerns are twofold: one technical, one political.
>
> The technical issue is fairly straightforward. Using PSK, only devices that
> have the PSK can talk to Apache, giving a degree of validation that only
> verified devices can send data. This is for data integrity purposes.
> Others cannot connect. In a large (physical size) organization, they can be
> configured to connect over the location's internal WiFi, so WiFi encryption
> alone is not sufficient.
>
> The political issue is (imho) kind of pointless but very real. Many
> organizations have little checklists that will eliminate you from competing
> for business. Very often there will be a requirement like "All
> communication is encrypted using a minimum of TLS 1.2 or higher". If you
> can't pass that checkbox, you are disqualified.
>
> So the question is:
> Can I configure Apache to use PSK (preferably the TLS 1.3 version of PSK) by
> sharing a key between the server and the client?

I can find no indication that Apache supports TLS / PSK.
Provided your IoT devices can manage the client end, I would suggest you
look into using https://www.stunnel.org/ on the Apache server, to provide
TLS over the network, and plain HTTP internally on the server (localhost
only) between stunnel and Apache.

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space, a
dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

Please reply to the list; please *don't* CC me.
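One way to build the arrangement Antony suggests with the pre-shared keys Garry asks about: stunnel terminating TLS-PSK in front of an Apache that listens only on localhost. This is an added configuration example, not from either poster or the stunnel project; the addresses, identities, paths and keys are placeholders.

```ini
; ===== Apache host: /etc/stunnel/psk-server.conf (constructed example) =====
; stunnel terminates TLS-PSK on the private-WiFi address and forwards plain
; HTTP to Apache, which is bound to localhost only ("Listen 127.0.0.1:80" in
; the Apache config, so nothing on the WiFi can reach Apache except via stunnel).
setuid = stunnel4
setgid = stunnel4
pid = /run/stunnel4/psk-server.pid

[apache-psk]
; placeholder address for the server's private-WiFi interface
accept = 192.0.2.10:8443
connect = 127.0.0.1:80
; satisfies the "TLS 1.2 or higher" checklist item
sslVersionMin = TLSv1.2
; OpenSSL cipher alias: only pre-shared-key suites, so a client without a
; matching key cannot complete the handshake at all
ciphers = PSK
; IDENTITY:KEY lines, one per device; keep the file mode 0600
PSKsecrets = /etc/stunnel/psk.txt

; ===== Both ends: /etc/stunnel/psk.txt (placeholder keys) =====
; Keys must be at least 16 bytes (32 hex characters); generate each with
;   openssl rand -hex 32
; sensor-001:<64 hex characters>
; sensor-002:<64 hex characters>
; One line per device lets a lost controller be revoked by deleting its entry
; instead of re-keying the whole fleet.

; ===== IoT controller: stunnel.conf (client side, constructed example) =====
[apache-psk-client]
client = yes
; the controller's firmware keeps posting to http://127.0.0.1:8080/
accept = 127.0.0.1:8080
; the server's stunnel listener above
connect = 192.0.2.10:8443
sslVersionMin = TLSv1.2
ciphers = PSK
PSKsecrets = /etc/stunnel/psk.txt
; selects this device's line from psk.txt
PSKidentity = sensor-001
```

Whether the handshake lands on TLS 1.3 or a TLS 1.2 PSK suite depends on the OpenSSL that the stunnel build links against; running `openssl s_client -psk_identity sensor-001 -psk <hex key> -connect 192.0.2.10:8443` from a test host shows the negotiated protocol and cipher, and a run without the key should fail to complete the handshake.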