3

I have built a dash button using an ESP8266 microcontroller. The microcontroller should make a response to an ASP.NET WebApi REST service to trigger an action. How can I make this API call secure? The action should only be triggered from this specific microcontroller. Replaying the API call may not be possible.

How can I achieve this?

I am thinking about challenge-response with a secret that both client (ESP8266) and server know.

kuppi
  • 31
  • 1

1 Answer

1

You would want a large list of secrets on SPIFFS files (removing after use) or track used secrets (and search for usage using a set of nested 1st letter\2nd letter\etc folders) to prevent a replay attack.

A dash button is simple; depending on your other libs and code, you probably have enough RAM left to use HTTPS (depending on the cert). That would make replay a lot harder since the prior guesses would be "dark" to observers. You can likely re-use keys or at least parts of keys if you use HTTPS.

Another option would be to use secure ESPNOW to talk to another ESP which has an Ethernet controller which talks over the wire to a PC that then uses HTTPS to talk to the outside world, and can further authenticate requests in a PC environment (lots of easy options) instead of an MCU environment (few hard options).

dandavis
  • 2,658
  • 10
  • 16
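The challenge-response idea from the question, combined with the single-use tracking the answer describes, as an added example that is not part of the original posts. It simulates both sides in Python for illustration; the key, the `trigger` action name, the 30-second lifetime and all class and function names are assumptions, and on the real system the server side would live in the WebApi service and the signing side on the ESP8266.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = secrets.token_bytes(32)   # constructed; provisioned on button and server
CHALLENGE_TTL = 30                     # seconds a challenge stays valid (assumed value)


class ChallengeServer:
    """Server side: issues single-use challenges and verifies HMAC responses."""

    def __init__(self, key, now=time.monotonic):
        self._key = key
        self._now = now
        self._pending = {}             # challenge -> expiry time

    def issue_challenge(self):
        challenge = secrets.token_hex(16)      # 128-bit unpredictable nonce
        self._pending[challenge] = self._now() + CHALLENGE_TTL
        return challenge

    def verify(self, challenge, action, tag_hex):
        # pop() makes the challenge single-use: a replayed request finds nothing,
        # and a failed attempt also burns the challenge.
        expiry = self._pending.pop(challenge, None)
        if expiry is None or self._now() > expiry:
            return False
        expected = sign(self._key, challenge, action)
        return hmac.compare_digest(expected, tag_hex)   # constant-time compare


def sign(key, challenge, action):
    """Button side: bind the tag to both the challenge and the requested action."""
    msg = challenge.encode() + b"|" + action.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def demo():
    server = ChallengeServer(SHARED_KEY)
    c = server.issue_challenge()
    tag = sign(SHARED_KEY, c, "trigger")
    first = server.verify(c, "trigger", tag)     # genuine button press
    replay = server.verify(c, "trigger", tag)    # same captured request again
    c2 = server.issue_challenge()
    forged = server.verify(c2, "trigger", sign(b"wrong key", c2, "trigger"))
    return first, replay, forged


if __name__ == "__main__":
    print(demo())
```

The HMAC authenticates the request but does not hide it, so running the exchange over HTTPS as the answer suggests is still worthwhile.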