I am designing an API for confidential communication between an IoT device and a client. A must is that the client-device connection is secure and no man-in-the-middle can tamper with the communication or attack the devices, including the routing server.
The network diagram is the following:
The clients must be able to execute commands on the IoT devices via an API server running on each IoT device. The routing server only tunnels the requests, but must not be trusted.
My question is:
What protocol should I use to implement this scheme?
I am a little confused over SSH. It seems to be the perfect fit for the secure client <--> IoT device communication over a tunnel.
But is it possible to create a RESTful API using SSH?
I don't need direct access to the device's shell, I need a layer of abstraction, provided by an API running on the IoT device.
If SSH is not an option, can I securely route requests and execute commands on the IoT device from the Client in any other way?
SSH and REST are orthogonal. SSH carries the traffic, REST simply defines what that traffic looks like. Do you realize that with both methods the final user will need to open ports on his firewall to allow the connection?
The way to do it is just to use HTTPS and certificate pinning (this is very similar to what SSH does under the hood).
On the first request to the IoT device, the user pins the device's certificate - after confirming that it is the correct one.
Once we have the certificate, we just expose the REST API over the insecure proxy. Everything from then on is handled by the TLS protocol automatically.
The security guarantees are the same as with the SSH protocol.
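The scheme in the answer above, as an added example that is not part of the original post: a client that tunnels through the untrusted routing server with HTTP CONNECT, speaks TLS to the device's self-signed certificate, and establishes the device's identity with a trust-on-first-use fingerprint pin instead of a CA (the same model SSH uses for host keys). The device name "sensor-01", the proxy address, the pin-file format and the /api/status path are assumptions for illustration; the pin check runs before any request is sent, and a mismatch closes the connection.

```python
"""Pinned HTTPS to an IoT device through an untrusted HTTP CONNECT proxy.
Added example; not code from the original post. Device name, proxy address,
pin-file format and API path below are assumed values."""
import hashlib
import json
import os
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate as 'AA:BB:...', the same form that
    'openssl x509 -fingerprint -sha256' prints on the device side."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """Peer presented a certificate other than the one pinned for it."""


class PinStore:
    """device id -> pinned fingerprint, persisted as JSON (assumed format).
    First contact: confirm(device, fp) must return True (the user compares fp
    with the value printed on the device / its setup sheet). Later contacts
    must match exactly; anything else fails closed."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, device: str, cert_der: bytes, confirm) -> str:
        fp = fingerprint(cert_der)
        pinned = self.pins.get(device)
        if pinned is None:
            if not confirm(device, fp):
                raise PinMismatch(f"{device}: fingerprint {fp} rejected by user")
            self.pins[device] = fp
            with open(self.path, "w") as f:
                json.dump(self.pins, f)
        elif pinned != fp:
            # Either the device was re-provisioned or something sits in the
            # path (the routing server included). Never silently accept.
            raise PinMismatch(f"{device}: expected {pinned}, got {fp}")
        return fp


def _open_tunnel(proxy, host: str, port: int) -> socket.socket:
    """HTTP CONNECT through the routing server. It learns only host:port and
    then relays ciphertext; altering the stream would change the certificate
    the client sees, which the pin check catches."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed during CONNECT")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0]
    if not status.startswith((b"HTTP/1.1 200", b"HTTP/1.0 200")):
        raise ConnectionError(f"proxy refused tunnel: {status!r}")
    return sock


def connect_pinned(device, host, port, store, confirm, proxy=None) -> ssl.SSLSocket:
    """TLS to the device; identity comes from the pin, not from a CA, because
    the device certificate is self-signed. Nothing is sent before the check."""
    raw = _open_tunnel(proxy, host, port) if proxy else socket.create_connection((host, port), timeout=10)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # replaced by store.check() below
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        store.check(device, tls.getpeercert(binary_form=True), confirm)
    except PinMismatch:
        tls.close()
        raise
    return tls


def rest_get(tls: ssl.SSLSocket, path: str, host: str) -> bytes:
    """One HTTP/1.1 GET inside the pinned session; returns the raw response."""
    tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    chunks = []
    while True:
        data = tls.recv(4096)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Assumed deployment: device "sensor-01" at device.local:8443, reached via
    # the untrusted routing server at 203.0.113.10:3128 (example addresses).
    def ask(device, fp):
        print(f"First contact with {device}. Certificate SHA-256: {fp}")
        return input("Matches the fingerprint printed on the device? [y/N] ").strip().lower() == "y"

    store = PinStore(os.path.expanduser("~/.iot-pins.json"))
    tls = connect_pinned("sensor-01", "device.local", 8443, store, ask, proxy=("203.0.113.10", 3128))
    print(rest_get(tls, "/api/status", "device.local").decode(errors="replace"))
```

The order of the two context settings matters: `check_hostname` has to be cleared before `verify_mode` can be set to `CERT_NONE`, and that setting is only acceptable because `store.check()` performs the identity check itself on the DER certificate before the first byte of application data leaves the client. The pin file is the equivalent of `~/.ssh/known_hosts`; rotating a device certificate means deleting its entry and re-confirming the new fingerprint out of band.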