For a new plugin, I need to store something (authentication token) in a secure place.
Storing it in a UPnP variable that can be consulted in the advanced tab of the device is clearly not as secure as I would like.
What would be the alternatives?
I could store it in a UPnP variable but at least apply a minimum transformation to the value?
I could store it in a file rather than in a UPnP variable?
On one level, your quest is futile. Everything on Vera runs as root. There’s no hiding anything from root.
So, let’s compromise. How insecure can you tolerate?
Storing in a file would be just as (in)secure as in a device variable. It’s trivial to run a command through the web interface to get the contents of a file.
If you were prepared to require the authentication key to be entered each time the Luup engine started, you could store it in a global Lua variable in your plugin. Only your plugin’s code could access it. Though getting the key into the plugin, and preventing it from being logged in LuaUPnP.log, could be tricky.
Obfuscating the key, like all DRM techniques, is only a deterrent. How good a deterrent is a function of the value of the thing being obfuscated, not of the obfuscation algorithm.
Is it necessary to store the key at all? Can you store a hash derived from the key? This is how systems like OAuth work.
In my Ecobee plugin, I have a private application key that doesn’t change over time (part of an OAuth system). The application key is embedded in a Lua module that I distribute in encrypted form only (.luaenc file). The various tokens that are regenerated over time by the web service live in device variables because they are only valuable for a limited time, and cannot be abused without also knowing the private application key. The web API is only accessed over HTTPS, so the traffic can’t be snooped in transit.
All that said, a dedicated hacker could probably still find a way to defeat my efforts. futzle’s point about the value of the obscured information vs. the effort to uncover it is very relevant here.
watou
Yes, I need to store the key. My plugin will communicate with my internet box. The API provided by this ADSL box requires authentication. First you have to ask for an app token that is delivered by the box only after a manual validation by the user on the box. This token is, I think, a kind of private key and has to be asked for only one time and then be kept somewhere secure. Then to open a session, you have to request a “challenge” from the box, hash this “challenge” with the stored app token and provide the result as a password for the session. With this solution, the admin password is never required but everything relies on the app token. When you have the app token and you know the API (public API), you are able to connect to the box and authenticate to it. By default, the rights for the app token do not include the rights to set up the box. Using the official application, you can change this right. After that, this app token can allow changing the setup of the box.
At first, I was thinking of enabling this right, in particular to enable/disable Wifi from Vera scenes. Considering the security risk, I am finally not sure about enabling this right!
I know that with the Vera, nothing can be secure in the box. My idea is just to make it not obvious to get this app token. So I think I will put it in a file (at least the file content will not be logged) and obfuscate its content at least a little. Analysing my Lua code would allow retrieving the app token, but it will not be “in clear” somewhere in the UI.
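The challenge-response login described in this thread, with both sides shown, as an added example that is not part of any post or of the box's real API. The `Box` class, `session_password`, the use of HMAC-SHA1 as the keyed hash, and the token value are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Box:
    """Constructed stand-in for the internet box's session API."""

    def __init__(self, app_token: bytes):
        self._app_token = app_token   # issued once, after manual validation
        self._pending = set()         # challenges issued but not yet used

    def get_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def open_session(self, challenge: str, password: str) -> bool:
        # A challenge is single use, so a captured password cannot be replayed.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = session_password(self._app_token, challenge)
        return hmac.compare_digest(expected, password)


def session_password(app_token: bytes, challenge: str) -> str:
    """Plugin side: keyed hash of the challenge (HMAC-SHA1 is an assumption)."""
    return hmac.new(app_token, challenge.encode(), hashlib.sha1).hexdigest()


def demo() -> dict:
    app_token = b"constructed-app-token-for-demo"   # constructed sample value
    box = Box(app_token)

    c1 = box.get_challenge()
    p1 = session_password(app_token, c1)
    first = box.open_session(c1, p1)     # legitimate login
    replay = box.open_session(c1, p1)    # same challenge/password sent again

    c2 = box.get_challenge()
    stale = box.open_session(c2, p1)     # old password against a new challenge

    c3 = box.get_challenge()
    wrong = box.open_session(c3, session_password(b"guess", c3))
    return {"first": first, "replay": replay, "stale": stale, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
```

The token itself never crosses the wire and an observed session password is useless for the next challenge, so the only thing left to protect is the stored token on the Vera.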