2

I am setting up a private home management system containing several daemons/servers and a few clients to connect from.

I am trying to achieve end-to-end encryption with the most monitoring and health check processes I can in order to create trust in this homemade system.

Tl;dr:

I want to ensure the authenticity of every ongoing connection to each independent module. Avoiding MitM and losing track of transiting data. At any point, the data should keep its integrity and be protected from any alteration unless ordered by an authenticated session.

Storyboard

Architecturally speaking, here's what I have in mind:

A shell client, an admin GUI (web), and a mobile app can connect to my home network.

To connect, the first step would be an auth server that generates a session. Then, the session would be spread among every module in the home network (talking about a few raspberries plugged here and there).

Once the session is created, the client (either shell, web, mobile) can interact with a Command & Control main hub, which then spreads the commands and fetches information to and from every other module (Raspberry Pis).

The modules do not need to communicate with each other, but they all, independently should communicate with the Command & Control hub.

To communicate with C&C, each module should be registered once and given an API_KEY.

Now here's how I would try and secure it:

Web/Shell/App Connection: 2 step-auth (Basic + HOTP)
Client -> Auth Server: HTTPS TLS
Auth-Server -> Command & Control hub: Session related JWT 

C&C -> Modules

As those modules should not be reachable through the internet, I was thinking of generating a session-related RSA keypair between C&C and each module to authorize the connection.

Maybe, the keypair could be generated from the API_KEY provided by C&C.

The modules would send needed information to C&C, which will then be delivered to the logged-in client.


I would appreciate it if you could point out my mistakes or point me to other useful resources that I may have missed.

Additional note: Most (if not all) daemons will be Node.js processes.

Xcrowzz
  • Then we might start asking *why* you need all that in a home LAN ... – schroeder Aug 05 '19 at 14:07
  • Edited. Thanks for pointing it out. Now to answer the *why* I'm thinking about the best way to secure such interactions, however I may have overkilled it describing my process and there are probably easier protocols to set up in order to reach that level of integrity, authenticity and availability. (Such as the RSA keypair I mentioned, might not be useful) – Xcrowzz Aug 05 '19 at 14:10
  • Do you care that the data transmitted is read? All you've mentioned is authenticity and integrity. You don't need encryption for that. – schroeder Aug 05 '19 at 14:12
  • As long as it is not in plaintext during the transmission I'd say no, e.g., one of the modules is a security camera, I wouldn't want the stream to be readable from where it wouldn't be intended to – Xcrowzz Aug 05 '19 at 14:13
  • If your Internet connection is not a **Business** account, be aware that most providers do not allow home servers to operate. They will generally identify standard server ports quickly, and non-standard ports over time. – user10216038 Aug 05 '19 at 15:07
  • @user10216038 I didn't know about that. I will look forward to confirm this statement with my case. However I still want to reach the end of my project as it also serves as a personal technical experimentation. Thanks for pointing this out – Xcrowzz Aug 05 '19 at 15:10
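
One way to authenticate module-to-hub messages with the per-module API_KEY described in the question, as an added example that is not part of the original post: it uses HMAC-SHA256 rather than an RSA keypair derived from the key, and the function names, the 30-second freshness window and the sample values are assumptions. It covers integrity, authenticity and replay detection only; keeping the data unreadable in transit still requires TLS on the link.

```javascript
// Added example; function names, window size and keys are hypothetical.
const crypto = require('node:crypto');

const MAX_SKEW_MS = 30_000; // assumed freshness window for timestamps

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Module side: bind the payload to module id, timestamp and a random nonce, then MAC it.
function signMessage(moduleId, apiKey, payload, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const body = JSON.stringify({ moduleId, ts: now, nonce, payload });
  return { body, mac: hmac(apiKey, body).toString('hex') };
}

// Hub side: apiKeys is a Map of moduleId -> API_KEY filled in at registration.
function createVerifier(apiKeys) {
  const seen = new Map(); // "moduleId:nonce" -> timestamp, for replay detection
  return function verify(msg, now = Date.now()) {
    let p = null;
    try { p = JSON.parse(msg.body); } catch { /* handled as malformed below */ }
    if (typeof msg?.body !== 'string' || !p || typeof p !== 'object') {
      return { ok: false, reason: 'malformed' };
    }
    const key = apiKeys.get(p.moduleId);
    if (!key) return { ok: false, reason: 'unknown-module' };
    // Check the MAC over the exact bytes received, in constant time.
    const expected = hmac(key, msg.body);
    const given = Buffer.from(String(msg.mac), 'hex');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return { ok: false, reason: 'bad-mac' };
    }
    // Reject anything outside the window (also catches a missing timestamp).
    if (!(Math.abs(now - p.ts) <= MAX_SKEW_MS)) return { ok: false, reason: 'stale' };
    const id = `${p.moduleId}:${p.nonce}`;
    if (seen.has(id)) return { ok: false, reason: 'replay' };
    // Nonces older than the window can be dropped: such messages are stale anyway.
    for (const [k, ts] of seen) if (now - ts > MAX_SKEW_MS) seen.delete(k);
    seen.set(id, p.ts);
    return { ok: true, moduleId: p.moduleId, payload: p.payload };
  };
}
```

The hub keeps one verifier instance for its lifetime so the nonce cache survives across requests.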

1 Answer

1

You could set up a Kerberos server on one of your Raspberry Pis. It would achieve secure authentication with all your clients. The best part about Kerberos is that it is supported by a large number of clients and daemons. You will easily find APIs for integration in almost all popular languages and operating systems.

SSH and web servers are kerberised in a straightforward manner with a handful of commands. For APK modules (mobile apps) you can use the Java API (see here) or any other libraries which provide a wrapper interface to Kerberos.

I'd written an article about setting up such a server here, you may find it useful since it was set up using a Raspberry Pi. Also refer to this excellent guide giving an overview of all possible ways to integrate Kerberos within apps.

In addition to the Kerberos server, the same Raspberry Pi could also serve as a RADIUS server, an NTP server and a common syslog server to gather all the logs of all the daemons across your network. But ensure that you harden it properly. If you need good redundancy, the entire setup can be mirrored very easily as all these protocols natively support mirroring.

  • Thank you, I will look forward to Kerberos as it indeed seems to ease the management of a few extra resources I was willing to deploy. – Xcrowzz Aug 05 '19 at 16:12