How to send Device's key to Private Server & vice-versa?

Hi,
Goal : I’m trying to get a Photon-based-device to talk to our private server securely.
Level : Relatively new. Have done some reading on these pages - Reference, Guide, Community Forum.

ASYMMETRIC ENCRYPTION FAQ
Q1) How do I share the device’s public key from within Firmware to Particle’s server ?
DP : On the reference page - I see CLI commands but didn’t find Firmware functions.

Q2) How could I share the device’s public key from within Firmware to a Private server ?
By this I mean - what are the relevant device-firmware function calls ?
DP : I’m considering sending the key via Particle’s server.

Q3) How do I decrypt data received on the Device from the Private server using the Device’s private key ?
By this I mean - what are the relevant device-firmware function calls ?
DP : Let’s assume I somehow got the Device’s public key to the Private server (from Q2 above), using which it sent over a message encrypted with the Device’s public key.

SYMMETRIC ENCRYPTION FAQ
Q4) How could I get an AES key from within Firmware from a Private server ?
By this I mean - what are the relevant device-firmware function calls ?
DP : I’m considering getting the key via Particle’s server.

Q5) How do I decrypt data received on the Device from the Private server using an AES key ?
By this I mean - what are the relevant device-firmware function calls ?
DP : Let’s assume I somehow got the AES key from the Private server (from Q4 above), using which it sent over a message encrypted with the same AES key.

Guidance would be most appreciated !

Thanks,
Dhaval

Q1) How do I share the device’s public key from within Firmware to Particle’s server ?
DP : On the reference page - I see CLI commands but didn’t find Firmware functions.

There is no user firmware function to do this. It's handled automatically by the Device OS (system firmware) when necessary. That's only when a device makes a connection to the cloud the first time. After that, the public key is set for the device and that public/private key pair will always be required (unless reset using the CLI).

Q2) How could I share the device’s public key from within Firmware to a Private server ?
By this I mean - what are the relevant device-firmware function calls ?
DP : I’m considering sending the key via Particle’s server.

As the device public key is in flash, you could extract it and send it to a different server. There's no user firmware function to do it.

Q3) How do I decrypt data received on the Device from the Private server using the Device’s private key ?
By this I mean - what are the relevant device-firmware function calls ?
DP : Let’s assume I somehow got the Device’s public key to the Private server (from Q2 above), using which it sent over a message encrypted with the Device’s public key.
Q4) How could I get an AES key from within Firmware from a Private server ?
By this I mean - what are the relevant device-firmware function calls ?
DP : I’m considering getting the key via Particle’s server.
Q5) How do I decrypt data received on the Device from the Private server using an AES key ?

This is possible, but you need to understand how the CoAP encryption protocol for TCP devices works, and it's undocumented. Fortunately, there's an implementation of the protocol in NodeJS which is the best reference for how to do it:

Also, while the Spark Server (local cloud server) isn't really supported, it's a good base for how the device to cloud communication is done:

A community member also has a more up-to-date fork of it:

3 Likes

One other point I wanted to add to @rickkas7 excellent response: None of the Particle cloud crypto is unique. It just uses a standard crypto library in normal ways. The only impediment to you using that same library is that the functions are not brought into the hardware abstraction layer (HAL) that is the key to having small updates of user firmware without reflashing the entire Device OS every time. Basically you cannot link against the crypto functions without compiling a different way.

If you choose to build locally with gcc on your computer in monolithic mode, you can easy access the crypto library, but you are giving up on a number of great features that the Particle world brings such as small user flash updates and easy cloud reflashing.

So what you seem to want is possible but is way outside the mainstream so expect to do a lot of the work yourself.

2 Likes

@dhavalcpatel, did you ever make progress with this? My guess is no…