Lightweight web authentication for embedded system

Question

I'm working on a slightly esoteric project where we need to implement some basic authentication in a small/slow embedded micro (no OS). The device serves a couple of web-pages through its serial port which then get squirted over the IP network by a bit of hardware we have no control over.

The server code, such as it is (think nweb on a starvation diet), takes in HTTP GET/POST requests and spits out pages & changes its settings accordingly.

We need some way of authenticating a user login/session so that we don't allow people to see data or change settings they shouldn't.

The device is not intended to be directly exposed to the internet or be 100% impregnable to serious hacking (network security / separation is the customer's issue*), the security requirement is more about keeping the lower ranks from touching the blinkenlights ;)

Due to the lack of space/processing power (assume we have ~2k of code space and not many MHz) we can't implement things like SSL, but it would be nice to go at least one better than the bog standard HTTP access control.

We can handle GET, POST and set/read cookie data. One thing our micro does have is a decent crypto-standard hardware random number generator, should that be of any help at all.

• = Really the customers should be hanging the device on its own network, physically disconnected or at least firewalled to death, from anything else. But hey, if it works for Boeing...

Answer 1

If you only want to protect against access: Any time there is a GET request, look for a cookie of the password. If the cookie isn't set, send back a HTML login form that POSTs password to server. If the server gets the POST data with the right password send back a "logged in ok" page that sets the COOKIE to the password. Then anyone who login (with the right password obviously) will have the cookie set in all future GET requets. Anyone who has never logged in will always see the login page. You can 'hide' it by setting two cookie values: A random number, and the XOR of the random and the password. This way clients won't be able to figure out what the values in the cookies are. If you go futher and XOR it with say the client IP, clients won't be able to copy the cookies to other computers. The server will always be able to un-do everything and figure out the password/ip from the random number and the other cookie values.

If you want to have simple encryption you could use XMLHTTPREQUESTS in javascript. Have the server encrypt data with a simple puesdo random number generator (or a simply XOR obsfuncitation or whatever) and have the client do the same thing backwards in javascript. You can have the server encrypt every page except say index.html, and in index.html you can have it so it XMLHTTPREQUESTS the other pages in javascript and decrypts them, then puts the contents into a div using innerHTML or whatever.