components
Hardware Components
STM32F103
X 1
W5100/W5500 ethernet shield
X 1
details
1. INTRODUCTION
The development of internet of things (IoT) devices has grown widely and rapidly. There are alsovarious communication media used for the IoT system, including wired ethernet [1-3], Wi-Fi [4-8], andcellular communication [9-11]. These communication media are used in the client-server network model. IoTdevices usually read sensor data and send it to a remote server. Users can then view the report of IoT devicesfrom desktop, android, or web-based applications [12, 13] or even can make control over the device [14]. It isessential for securing data transmission in the client-server network model since there are many kinds ofattacks within the network [15-17]. IoT developers should consider implementing SSL protocol for theirsystem against any possible networking or cyber-attacks. IoT devices are also very vulnerable to be hacked[18, 19]. For IoT devices, there are some existing implementations of SSL protocol nowadays, such as Espressif ESP8266 and ESP32 microcontroller [6-8], but this feature only supports for Wi-Fi network. Singleboard computer based embedded systems and IoT platforms has a complete support of SSL protocolsystem was installed with OpenSSL which has mature SSL protocol implementation [20-22]. But, thistechnology comes at quite a high price, longer start up time and higher power consumption [22].For the STM32 IoT developer, there is official support of SSL protocol using MbedTLS for anethernet controller, but this feature only ported to a high-performance device family, such as STM32F407.Even more, TCP/IP stack must also be implemented, and external ethernet PHY (physical layer) must beattached. Actually, there is a more simple solution with extra challenging development by using a cheaperSTM32F103 microcontroller device with a wiznet W5100/W5500 ethernet shield. Although with a minimalresource of STM32F103 device, 128 KB flash memory, and 20 KB RAM, but with the help of the W5500ethernet module, the STM32F103 device does not need to work much hard to handle TCP/IP stack. TheW5500 ethernet has been integrated with 8 dedicated sockets with TCP/IP stack. There was also study in ourprevious research in utilizing this ethernet module [23].In this research, the MbedTLS SSL protocol library has been studied. And the researchers addsupport for SSL protocol to STM32F103 and W5500 based MbedTLS library. This results in an STM32F103SSL client device for wired ethernet communication. Because of the limitation of the STM32F103microcontroller, not all SSL cipher suite can be integrated into the system. Our research integrated ECDHEECDHA AES128 CBC SHA256 SSL cipher suite to the system. The working system, STM32F103 SSLclient device, was able to secure sensor data transmission to a remote server. This system was expected to bebetter than AVR or Arduino based IoT devices, which have not any secure communication feature.2. RESEARCH METHOD The entire system consists of STM32F103C8T6 microcontroller, Wiznet W5500 ethernet shield,any sensor connected to it, power supply, and web server with SSL enabled. STM32F103 device with verylimited resources, 128 KB of flash memory, and 20 KB of RAM. It was configured and programmed tosupport SSL protocol through W5500 ethernet shield. STM32 device with an ethernet shield act as an SSLclient. It sent sensor data with SSL encryption to the webserver, which acts as an SSL server. The overallsystem architecture is shown in Figure 1.
Figure: System architecture
2.1.STM32F103 microcontroller configuration:
The STM32F103 device was configured to work in its maximum frequency, which is 72 MHz, toachieve the best performance of the entire system. Analog to digital converter (ADC) peripheral needed to beconfigured for sensor reading and generate a random number. SSL protocol needs a random number to workproperly and achieve the best result. STM32F103 device hasn’t a random number generator module, butADC peripheral can be used to produce a random number. Serial peripheral interface (SPI) peripheral wasused and configured for communication with the W5500 ethernet shield. The SPI peripheral was configuredin the master mode full-duplex. W5500 ethernet shield can be controlled through SPI at up to 80 MHZmaximum speed, but since the STM32F103 device has only 18 MHZ maximum speed, the system used 18MHZ SPI speed instead. Details of ADC and SPI peripheral configuration is shown in Figure 2
2.2. MbedTLS SSL library and apache web server:
In this research, we utilized an open-source MbedTLS SSL library. It is built in C programminglanguage. Actually, the STM32 device family has the official support of MbedTLS. But this feature onlyworks with high-performance device families such as STM32F407. This device has an ethernet controllerintegrated inside the chip but does not include TCP/IP protocol stack. Unfortunately, there is no availableimplementation of MbedTLS for the STM32F103 device. There is a various module of MbedTLS to supportmajor SSL cipher suites available nowadays. But, not all MbedTLS modules were implemented in thisresearch because of the limitation of the STM32F103 resources. This research implements ECC SSL in theform of ECDHE ECDSA AES (elliptic curve diffie Hellman ephemeral – elliptic curve diffie-hellman digitalsignature – advanced encryption standard) based cipher suite.By default, apache webserver installation has been included with SSL enabled. But, default SSLconfiguration works only for RSA based cipher suite. The researchers have been generated an ECCcertificate using OpenSSL and applied to apache configuration to support the ECDHE ECDSA AES ciphersuite. Openssl scripts below were used to generate an ECC certificate for the webserver.openssl ecparam -name prime256v1 -genkey -param_enc named_curve -out privatec.keyopenssl req -new -sha256 -newkey ec:./privatec.key -nodes -keyout server.key -x509 -days 1024 -out server.crtopenssl req -new -key server.key -out server.csr -sha2562.3. W5100/W5500 ethernet shieldWiznet W5100/W5500 is an embedded ethernet controller module with a hardwired TCP/IP stackon it. W5100 has 16 KB internal buffer memory for 4 dedicated ethernet sockets, whereas W5500 has biggerbuffer memory 32 KB for 8 sockets. The implementation of these two kinds of chips has a similar processand driver and only differ in the amount of socket that they can handle. There was also some researches usingthis ethernet module [24-27]. Those researches were using AVR Arduino microcontroller or FPGA, and therewas neither process nor method for securing data transmission.
3. RESULTS AND ANALYSIS:
The researchers have been successfully built a prototype device, as shown in Figure 3. Theprototype was used to inspect and test the SSL communication between the STM32F103 SSL client deviceand the apache SSL web server. For the testing process, the client device connects to the apache webserverdirectly using straight through unshielded twisted pair (UTP) cable. The client device has been configuredwith 192.168.137.178 IP address, while the web server using 192.168.137.177 IP address. LM35 analogtemperature sensor is used to get real sensor data for then to be sent to the webserver. Wireshark was used forinspecting ethernet traffic between client and server.The random number which is needed by MbedTLS is generated by shifting, and-ing and or-ing bitsof two ADC channels. Based on the inspection of researchers, the best result of a random number of twoADC channels is calculated as the formula below.rng = (adc_ch1 AND 0x0F) OR (adc_ch2 << 0x04) (1)The researchers have been successfully ported MbedTLS to work with STM32F103 and itsSTM32cubeIDE development environment. This results in some minimal configuration scripts of MbedTLSthat must be applied to work properly in the STM32F103 environment. The configuration script was saved inconfig.h of the MbedTLS library package. Table 1 describes a minimal configuration script that must bedefined for ECDHE ECDSA AES based cipher suite.In order to integrate the W5500 ethernet module and STM32F103 microcontroller to supportMbedTLS, there were some configuration scripts that must be added to the original W5500 driver. Thesummary of important configuration scripts from researchers’ implementation is listed below.a) Assign “mbedtls_net_context server_fd” variable to “sock” value of W5500. b) Using “mbedtls_entropy_add_source” to configure a random number generator with STM32 ADC peripheral.c) Assign “mbedtls_net_send()” function of MbedTLS to W5500 “EthernetClient.write()” function. d) Assign “mbedtls_net_recv()” function of MbedTLS to W5500 “EthernetClient.read()” function. 3.1. Sensor data transmission testing without SSLAs a comparison result of this research, plain HTTP communication between client and server mustalso be inspected. From wireshark inspection window shown in Figure 4
the client’s request format, and the server’s reply data can be obtained easily. The unfortunate consequences of this communication scheme are anyone without any privilege can push/send data to the server and get server replied information. Anysensitive information can be stolen by the untrusted user
4. CONCLUSION :
The functional system of STM32F103 microcontroller and W5500 ethernet shield has beensuccessfully built into an SSL client device. The STM32F103 SSL client device supported ECDHE ECDHAAES128 CBC SHA256 SSL cipher suite. The communication time of the first connection took about 3 seconds,and for the next data transmission, it only took about 42 ms. The main system has successfully secured sensordata transmission to the web server using SSL communication protocol as part of the HTTPS (hypertext transferprotocol secure) protocol. While ESP8266 and ESP32 Wi-Fi-based SSL platforms do not offer any ethernetversion of SSL solution, and single-board computer SSL platform comes with a higher cost, longer start up timeand higher power consumption. Otherwise, this research results a novelty and contribution of porting complexSSL protocol in ethernet communication media by using a low-cost microcontroller platform. This system should be a promising solution for low-cost IoT platform for better security concern
COMMENTS