iOS上通过蓝牙进行TLS类加密? [英] TLS-like encryption over Bluetooth on iOS?
问题描述
所以,这可能是一个非常特殊的情况,但我希望有人可以帮助我。
我需要通过蓝牙与外设通话。一种我们也可以控制固件的设备。现在的问题是:我们需要确保没有人可以窃听,因为要发送的信息将被保密。这意味着我们需要一个加密的通信。
从我所看到的是,蓝牙LE 4.2支持加密,但是我们必须能够支持比6s更老的iPhone。这意味着:没有BLE 4.2,没有内置加密。
换句话说:我们需要自己构建加密。外围开发商和我同意使用TLS握手来通信密钥交换,以减少我们可以破坏的事情的数量。
我过去几天搜索解决方案和如何解决这个问题。然而,这似乎是一个非常具体的案例,没有很多人处理。我可以找到的所有库都依赖于套接字。所有我可以找到iOS的插座是IP网络,而不是蓝牙。
有没有人有这种蓝牙通信的经验?还是其他一些建议?可能有一些明显的解决方案,我忽略了?
谢谢:)
TLS的整体基础是信任,即证书,证书颁发机构和认证链,并确保发送和接收的所有数据都被认证。您可以说整个安全性依赖于认证部分。加密本身是相当直接的。您应该回答的一个问题是:
是否可以连接到模拟协议的外设,即不是由您制造的外围设备?如果没有,与您的场所一样,您必须在每个外围设备中具有一些(唯一)秘密,例如私钥。相应的公钥可以由您自己的CA签名。 CA的公钥可以捆绑在您的智能手机应用程序中(因此您的应用程序中只需要一个密钥,而不是所有外设的一个密钥)。这样,您可以验证您连接的外围设备是由贵公司制造的。该公开密钥也应该是外设的标识符。如果您的外设中没有私钥/公钥对,无法进行密钥比较,并且没有任何共享的对称密钥,据我所知,这是不可能避免中间人攻击的。
由于每个智能手机还必须首先被对待未经身份验证,如果以后需要重新启动会话,则需要为外设中的每个智能手机分配唯一的ID。 / p>
考虑到这一点,您基本上有三个不同的选项:
- 尝试修改一些现有的TLS服务器软件,如mbedtls,通过BLE而不是套接字发送所有数据包。我有一种感觉,这可能是不平凡的,因为它似乎是基于阻塞套接字的概念。
- 只需阅读 https://tools.ietf.org/html/rfc5246 ,并实现最少的TLS服务器,只需要您所需的功能。这实际上并不是那么难,因为如果你只做一个最小化的实现,并且使用现有的构建块,如RSA,AES,SHA-2,ECDHE,X.509证书解析代码,可能看起来像第一个(你可以在这里找到: a href =https://tls.mbed.org/source-code =nofollow> https://tls.mbed.org/source-code )。
- 提取TLS中的重要部分,并制作简化的协议,无需所有协商参数(因为它们可以被硬编码)。例如,您不需要发送并能够解析所有类型的消息(例如ClientHello),处理分片等。只需直接发送随机值,证书,签名数据,加密数据。
So, this might be a very special case, but I hope someone can help me out here.
I need to talk to a peripheral via Bluetooth. A device for which we also control the firmware. Now the issue is: we need to make sure noone can eavesdrop as the information to be sent will be confidential. That means we need an encrypted communication.
From what I see is that Bluetooth LE 4.2 supports encryption, BUT we have to be able to support older iPhones than the 6s. That means: no BLE 4.2 and no built in encryption.
In other words: we need to build the encryption ourselves. The peripheral developers and me agreed on using the TLS handshake to communicate the key exchange to reduce the amount of things we could break.
I've spent the last few days searching for solutions and how to tackle this. However this seems to be a very specific case that not a lot of people have tackled. All libraries that I could find rely on sockets. And all I could find about sockets for iOS was IP networking, not Bluetooth.
Does anyone have experience with this kind of Bluetooth communication? Or some other suggestions? Maybe some obvious solution that I'm overlooking?
Thanks :)
The whole foundation in TLS builds upon trust, i.e. Certificates, Certificate authorities and certification chains, and making sure all data sent and received are authenticated. You could say the whole security relies on the authentication part. The encryption itself is quite straight-forward. One question you should answer is:
Should it be possible to connect to peripherals that mimic your protocol, i.e. peripherals NOT manufactured by you? If not, with your premises you must have some (unique) secret in each peripheral, for example a private key. The corresponding public key can be signed by your own CA. The public key of the CA can be bundled in your smartphone app (so you need only one key in your app, not one for all peripherals). That way you can verify that the peripheral you connect to is made by your company. This public key should also be the identifier of the peripheral. If you don't have a private / public key pair inside your peripheral and can't do passkey comparison and don't have any shared symmetric key, as far as I know it's impossible to avoid man-in-the-middle attacks.
Since each smartphone must also initially be treated unauthenticated, if you need to resume a session later, you need to store some unique ID assigned to each smartphone in the peripheral.
With this in mind, you have basically three different options:
- Try to modify some present TLS server software like mbedtls to send all packets over BLE rather than sockets. I have a feeling this might be non-trivial because it seems it's based on the concept of blocking sockets.
- Just read the TLS spec on https://tools.ietf.org/html/rfc5246 and implement a minimal TLS server with only the features you need. This is actually not so hard as it may look like first if you only do a minimal implementation and use existing building blocks such as RSA, AES, SHA-2, ECDHE, X.509 certificate parsing code (you can find those here: https://tls.mbed.org/source-code).
- Extract the important parts in TLS and make a simplified protocol without all negotiation parameters (since they can be hardcoded). For example, you don't need to send and be able to parse all kind of messages (for example ClientHello), handle fragmentation etc. Just send the random values, certificates, signed data, encrypted data directly.
这篇关于iOS上通过蓝牙进行TLS类加密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
