Encrypted frames
Last updated
Last updated
In this chapter we explain how to create encrypted frames using the Waspmote AES libraries.
The encrypted frame is a special binary frame which encapsulates the real encrypted frame as the payload of a new frame. The format of the encrypted frame is as follows:
Where the "Encrypted Payload" is the original frame after being encrypted using the AES algorithm.
Note: Regarding the old Waspmote v12 platform version, a different format is used. Please refer to the corresponding documentation.
Every single node in the network has its own private key (ensuring authenticity). Also, the gateway of the network (Meshlium) contains all nodes\' keys in order to decrypt the packets received from the nodes. The information goes encrypted from each node to the gateway so the intermediate nodes cannot access to it.
The process follows these steps:
Step 1: Create a new Frame (ASCII or BINARY)
Step 2: Encrypt the frame and use it as Encrypted Payload of the new Encrypted Frame
The function encryptFrame() is used to encrypt the original frame and generate the new one. It is necessary to indicate the type of AES encryption used regarding the key size: AES_128, AES_192 or AES_256. Besides, the AES private key must be specified as a string of ASCII characters.
Example of use:
Example of how to use encryption with Waspmote Frames:
https://development.libelium.com/frame-07-encrypted-frames/
Regarding the Meshlium configuration (gateway of the network), please refer to the Meshlium Technical Guide. In the "Application layer key management" section, you can see how to set up the nodes' keys.
This encryption mode is similar to the "Device to Gateway encryption" layer. However, instead of keeping the keys located in the gateway, they are stored in the Cloud. This allows to use different gateways (trusted or not trusted) as the information goes encrypted through them.
The encryptionToCloud() function allows the user to enable/disable the "Device to Cloud" encryption feature. This feature must be enabled before calling the encryptFrame() function. Basically, a different "frame type" is used in order to differentiate the "Device to Cloud" encryption mode from the "Device to Gateway" encryption mode. The frame structure is equal for the two encryption modes.
Therefore, the "Device to Cloud" encryption process follows these steps:
Step 1: Enable "Device to Cloud" encryption mode
Step 2: Create a new Frame (ASCII or BINARY)
Step 3: Encrypt the frame and use it as Encrypted Payload of the new Encrypted Frame
If the "Device to Cloud" encrypted frame is sent to Meshlium, it is stored inside the Meshlium database as it was received. It remains unencrypted. Then it should be sent to the Cloud server where the decryption process should be performed.
This section explains how to encrypt frame fragments. See the "Frame Fragments" section to understand how to fragment a original binary frame. The encryptFragment() function allows the user to encrypt the fragment currently stored in bufferFragment. This function needs two input parameters:
Encryption mode: AES_128, AES_192 or AES_256.
Password: AES encryption key to be used in encryption process.
The resulting encrypted fragment is stored in bufferFragment and lengthFragment. So the user shall send the encrypted data prior generating a new fragment.
Example of use:
Complete example:
