Is there any documentation on information security wrt the Particle Cloud and Particle devices?
Q1. I don’t believe that SSL is used between device and Particle Cloud. Is the traffic encrypted in any way?
Q2. I understand that events, function call requests and the like are not stored (good), but are there logs in play within the Particle Cloud that could store traffic (bad)?
Q3. Does Particle intend to publish an “official” cryptographic library? I note that there is a library called CRYPTOSUITE, but I have not assessed this as yet.
As Q1 is probably no and Q2 probably yes, to provide an environment that protects specific data, would need to implement Public Private Key Encryption/. I note that device firmware can be pulled from a device using DFU (and therefore potentially discover keys), so this why symmetric keys should not be used.
There is no “trust” at the Particle end where “Alice” is decrypted. In PCI DSS (Payment Card Industry Data Security Standard) parlance, the data in the Particle cloud needs to be within the “CDE” (Cardholder Data Environment). Note that my application is not for payments per se, just using PCI DSS as an example security model.
Thought! If the Photon is already encrypting the transmission using Public Key Encryption, then one could envisage exposing this functionality to the application layer (but using a different key) to encrypt the data on the device, and for it to only be decrypted by “MyService” because it has the private key.
For Wi-Fi devices (Photon, P1, Core) the cloud session is CoAP over TCP, encrypted with AES and a session key. The device and cloud mutually authenticate using RSA public and private key pairs.
For cellular devices (Electron), the cloud session is CoAP over DTLS over UDP. The device and cloud mutually authenticate using RSA public and private key pairs.
None of the publish or subscribe events are logged. Only device connect and disconnect are logged.
There is no need for a library for cellular devices as it’s completely a standard (DTLS, datagram TLS). For Wi-Fi devices it’s a straightforward implementation of AES over TCP, however there is an open-source reference implementation.
It looks very much like device to Particle cloud comms is well secured. This is a relief!
Now that this concern is covered, my next issue is what is happening within the confines of the Particle cloud?
With PCI DSS, the service provider handling sensitive data within their environment is audited as having met with the security standard. Does Particle have a similar regime?
In my example above, is “Alice” known to any entity outside of the Photon?
You gave a clue with your comment: “None of the publish or subscribe events are logged.” This is a good thing.
So, theoretically, “Alice” is decrypted and quickly passed on within the cloud and not permanently stored. The specific issue now becomes, can this in flight traffic be sniffed? Answer, yes, but are there documented/audited security measures in place to prevent this “man in the middle” seeing Alice?