Is REST API over SSH possible?

Question

I am designing an API for confidential communication between an IoT device and a client. A must is that that the client-device connection is secure and no man-in-the middle can temper the communication or attack the devices, including the routing server.

The network diagram is the following:

• IoT devices are always in home behind the same network.
• Client devices are mobile and change networks
• Clients continuously connect and disconnect to the IoT device

The clients must be able to execute commands on the IoT devices via an API server running on each IoT device. The routing server only tunnels the requests, but must not be trusted.

My question is:

What protocol should I use to implement this scheme?

I am a little confused over SSH. It seems to be the perfect fit for the secure client <--> IoT device communication over a Tunnel.

But is it possible to create a RESTful API using SSH?

I don't need direct access to the device's shell, I need a layer of abstraction, provided by an API running on the IoT device.

If SSH is not an option, can I securely route requests and execute commands on the IoT device from the Client in any other way?

Answer 1

The way to do it is just to use HTTPS and certificate pinning (this is very similar to what SSH does under the hood).

On the first request to the IoT device, the user pins the device's certificate - after confirming that it is the correct one.

Once we have the certificate we just expose the REST API over the insecure proxy. Everything from then on is handled by the TLS protocol automatically.

The security guarantees are the same, as with the SSH protocol.