Month: June 2017

IoT Security with SSL/TLS in MicroPython

I’m on vacation in San Francisco this week with my family and looking out over the bay at Alcatraz Island. For those who aren’t familiar with this island, it housed a maximum high-security prison 1.25 miles off the San Francisco coast for 54 years. While thinking about the high security that Alcatraz offered in the past, it makes me think about the digital security of today.

Alcatraz Island

Specifically, as it relates to the Internet of Things(IoT) and considerations that must be taken with connected devices. If you have been reading my previous IoT related blog posts, you’ll recall that I’ve been using a NodeMCU ESP8266 device with MicroPython for much of my work.

I enjoy my family and want to enjoy my vacation. Therefore I opted to not bring my IoT devices with me. In this post then, I’d like to cover some of the aspects of security that IoT connected devices face. So sit back and put your breadboards away as we take a look at some concepts.

Networking Overview

When we talk about networking we are discussing ways in which devices communicate with each other. The devices can certainly be IoT devices. But it goes beyond the physical device as the how is often as important as the device itself. In today’s world, for example, the popular how is via Ethernet or WiFi and TCP/IP. Let’s have a brief look at some networking models and see how security is implemented in them.

Network Protocol models

At one point I was very involved with networking. In the process of studying for various networking certifications from Cisco and Microsoft, there is a lot of discussion on the Open Systems Interconnection, or OSI, model of networks. There is also a more streamlined TCP/IP model that is popular as well.

OSI Networking Model

These models divide networking into various layers, starting at an Application and working down to the physical cables for a network to function. Conceptually, the OSI Model can be represented like this:

OSI Network Model
OSI Network Model
TCP/IP Networking Model

There are several “layers” there, so to simplify things, let’s take a look at the TCP/IP representation of the network model.

TCP/IP Network Model
TCP/IP Network Model

There are many different ways in which to secure a network. Some are more flexible than others. If you want a very secure network, you don’t connect it to the outside world and build it a hardened physical location with limited access. Secure, yes. Extremely user-friendly, no. Therefore, methods have been developed to provide security at higher layers of the network model which allows for privacy and data integrity between two communicating applications.

TLS/SSL Protocol Model

The software industry has used cryptographic protocols to provide network communication security for a long time. For IoT devices, it is common to utilize TLS When we start talking about network security protocols such as Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), where do those fit in though to our Networking Models?

TLS Protocol in Network Model
Networking Model with TLS Protocol

We see that there is quite a bit going on there with TLS and that it is occurring at high levels of the network model. This is, typically, great as it allows us, as developers, to have useful access to the protocol. Further, since it is a commonly used protocol, our access to it is, generally speaking, pretty straight forward.

TLS

Websites use TLS, and previously SSL, to provide secure communication between browsers and web servers. IoT devices can take advantage of TLS as well. Some of the benefits of using TLS include:

  • private connection is established through symmetric cryptography.
  • Identities can be authenticated using public-key cryptography.
  • Communication integrity via a message authentication code.

TLS builds upon the SSL standards and, as the above image indicates, there are two layers. Within TLS there are two embedded protocols, a handshake protocol, and a record protocol. The handshake is used to establish the format of the exchange of information. The record is what encapsulates the data itself.

This is an oversimplification of the process. There are many steps to the handshake, and a TLS record includes multiple types of information, beyond what is passed from an application itself. Both internal protocols handle, to differing degrees, the cipher security features.

With all of this going on internally in TLS, there are obviously a lot of “moving parts” to this whole thing. I stated that having these security features on a high level in the networking stack can make a developer’s life easier. Fortunately, in a MicroPython based IoT world, it is fairly simple to utilize and implement TLS.

MicroPython

MicroPython includes a standard SSL/TLS module. This provides access to TLS on both the client and server sides of our applications. MicroPython includes the ssl.wrap_socket() function, which wraps a stream in an SSL context. Depending on the particular IoT device and the way the module is implemented, some functionality of wrap_socket() may not be entirely supported.

Wrap up

In this brief discussion, I’ve shown how TLS/SSL security fits into the networking model. I would highly encourage the use of the SSL/TLS module when building your MicroPython projects. In this day and age of cyber attacks, it is important to secure all communications between devices big and small.

Follow me on Twitter @kenwalger to get the latest updates on my postings on MicroPython and IoT and let me know what you are building with MicroPython.

Facebooktwitterredditlinkedinmail

Importing data with mongoimport

There comes a time in almost everyone’s experience with databases when it would be great to bring in data from an outside source. Often the data is in a spreadsheet format (CSV or TSV) or perhaps a JSON format. I discussed some of the command line tools MongoDB provides in a previous post. Importing data into a MongoDB database is made easy with the CLI tool, mongoimport.

For many use cases, mongoimport is pretty straight forward. It is, in fact, highly used in the MongoDB University courses as a way to quickly populate a database, for example. I’d like to look at some use cases beyond simply populating an empty collection, however.

mongoimport

Connections

The mongoimport will connect to a running mongod or mongos, instance running, by default, on port 27017 on localhost. The syntax of the mongoimport command is fairly straightforward. If for example, we want to populate the posts collection in the blog database with a posts.json file it is simple enough to run the following command.

mongoimport --db blog --collection posts --file posts.json

That is pretty easy. We can make it easier too by using the shorthand version of those flags.

mongoimport -d blog -c posts --file posts.json

If we want to make sure that our posts collection is dropped and only the new data is there, we can use the --drop flag.

mongoimport -d blog -c posts --drop --file posts.json

If you need to change the host or port number, there are flags for that as well, --host and --port, respectively. --host is even more convenient because it allows you to add the port at the end, and use a shorter flag -h. So the following are the same:

mongoimport --host 123.123.123.1 --port 1234 -d blog -c posts --file posts.json

mongoimport -h 123.123.123.1:1234 -d blog -c posts --file posts.json

That’s easy enough as well. What if, however, our MongoDB server requires user authentication, like any good server should?

mongoimport Server Authentication

Data security should be on everyone’s mind when it comes to server management. With that in mind, MongoDB offers a variety of ways to secure your data. Assuming that one needs to get authenticated access to the server, how can one use mongoimport to do so? You guessed it, there are flags for that too. --username or -u and --password or -p are your friends.

mongoimport -h 123.123.123.1:1234 -u user -p "pass" -d blog -c posts --file posts.json

We can add in some extra assurances by leaving off the --password flag and mongoimport will prompt for an appropriate password.

That works great for some simpler authentication options, but what if we have a more involved authentication system with an authentication database? We can specify one with the --authenticationDatabase flag. That’s pretty handy to keep only authorized people from importing data into your collection.

mongoimport provides a great range of flag options for connecting to secured servers. I would highly recommend looking at the documentation for specifics based on your environment.

File & Column Types

As stated earlier, mongoimport works on CSV, TSV, and JSON documents. By default the import format is JSON. With the --type flag we can import CSV or TSV files. Since CSV and TSV files can contain some special features, let’s look at some of the options for working with them and mongoimport.

Many times a CSV or TSV file will include a header line. It would be handy if we could utilize those header values as field names in our MongoDB documents, right? Well, mongoimport offers a --headerline flag that accomplishes that for us.

For times in which our CSV or TSV file doesn’t include header information, mongoimport has a solution for that as well. With the --fields flag, one can provide a comma-separated list of field names. Alternatively, you can generate a file of field names, with one name per line, and pass it along with the --fieldFile flag.

Along with some of the other features new to MongoDB version 3.4, there are some new features added to mongoimport. One of them is the
--columnsHaveTypes flag. When used in conjunction with the --fields,  --fieldFile, or --headerline flag it allows you to specify the types of each field. You pass in the field name in the format of columnName.type() along with any arguments into the type() method. So, for example, if you were typing a filed called isAdmin you would use isAdmin.bool(). Have a look at the --columnsHaveTypes documentation for a list of available types and supported arguments.

Fair warning here, the flags dealing with header information are for CSV and/or TSV files. If one attempts to use them with a JSON formatted file, mongoimport gets grumpy and returns an error.

Importing into an existing collection

One last concept and list of flags I’d like to cover is for those instances in which you want to import data into an existing collection. The
--mode flag offers a way to tell mongoimport how to handle existing collection documents which match incoming ones. There are three options to the --mode flag, insert, upsert, and merge.

  • Insert allows the documents to get put into the collection with the only check being on fields with a unique index. If there are duplicate values, mongoimport logs an error.
  • Upsert replaces documents in the database with the new documents from the import file. All other documents get inserted.
  • Merge, well, it merges existing documents with matching incoming documents and inserts the others. This is another new feature of version 3.4.

If you are needing to import documents in one of these ways, look at the documentation for options on upserting and merging based on field other than _id.

Wrap Up

MongoDB also provides a similar, but inverse, function mongoexport. While both tools are powerful they do not preseve the BSON data types than MongoDB uses. As such, these tools should not be used for production backups. MongoDB provides other tools for backup methods.

I hope that this post has given you some insights into one of the powerful MongoDB Package Component tools that are provided “out of the box”, mongoimport. Some programming languages have developed their own separate tools for importing data. Some of them are better than others. For me, since such a powerful import tool is already provided, I find myself using mongoimport more often than not.

If you haven’t tried it out yet yourself, I would encourage you to do so.

There are several MongoDB specific terms in this post. I created a MongoDB Dictionary skill for the Amazon Echo line of products. Check it out and you can say “Alexa, ask MongoDB for the definition of authentication?” and get a helpful response.

Follow me on Twitter @kenwalger to get the latest updates on my postings.

Facebooktwitterredditlinkedinmail