From what I understand, Particle is using my device’s public RSA key to manage some kind of privacy/authentication problem (I assume this is to validate firmware pushes, but I haven’t dug into it). What I’m wondering is whether there’s a way for me to perform similar cryptographic operations on the device, either decrypting my own messages or signing outbound messages (or, potentially, outbound encryption under some other key). Is there any way to access the libraries that are being used for RSA-related operations?
If there’s any HMAC-SHA256 support, that’d be nice as well.
Full disclosure: I work on web service authentication for a living, so my paranoia level is turned up to 11. While I realize that it’s slightly ridiculous to worry about messages passing through Particle’s cloud services given that they can, in theory, flash whatever they want and extract my private keys, it’s a much smaller attack surface than the full suite of cloud methods and their attendant backend services. You know. Defense in depth and all that. Is it so wrong to want a little non-repudiation and/or confidentiality?
P.S. It’s totally awesome that you’re using asymmetric keys at all. So, thanks for that.