0 évaluation0% ont trouvé ce document utile (0 vote)
34 vues6 pages
This paper explains an implementation of embedded web server with security support which becomes an example of control application over IP network. A security algorithm, TEA, has been implemented in a microprocessor system together with TCP / IP stack. Clients need a plug in, which run encryption mechanism, so that they can access the embedded web server safely.
This paper explains an implementation of embedded web server with security support which becomes an example of control application over IP network. A security algorithm, TEA, has been implemented in a microprocessor system together with TCP / IP stack. Clients need a plug in, which run encryption mechanism, so that they can access the embedded web server safely.
This paper explains an implementation of embedded web server with security support which becomes an example of control application over IP network. A security algorithm, TEA, has been implemented in a microprocessor system together with TCP / IP stack. Clients need a plug in, which run encryption mechanism, so that they can access the embedded web server safely.
Laboratory for Control and Computer Systems Department Of Electrical Engineering Bandung Institute Of Technology, Indonesia e-mail: eka98@dsp.itb.ac.id candra_g@students.ee.itb.ac.id asetijadi@ee.itb.ac.id carmadi@lskk.ee.itb.ac.id Abstract IP network has been evolving significantly in last decade. Many computers and devices have been attached to the IP network and many applications were taken place over it. One of interesting applications is building embedded control system which has connectivity to Internet. This paper explains an implementation of embedded web server with security support which becomes an example of control application over IP network. A security algorithm, TEA (Tiny Encryption Algorithm), has been implemented in a microprocessor system together with TCP/IP stack. The microprocessor system is based on 8051 family microcontroller which serves as web server. The encryption algorithm is processed both on server and client. Therefore in clients need a plug in, which run encryption mechanism, so that they can access the embedded web server safely. 1 Introduction Internet is the biggest place that information or data exchange happens in nowadays. Its big network make possible to develop it as media of remote monitoring and controlling. TCP/IP protocol, standard protocol of Internet, supports to develop that functions by adding an application in the top application layer. Because most of Internet user familiar with application layer, such as web browser, the communication between client and server can be acted in that monitoring and controlling function. With this consideration then we build an embedded web server based on 8051 family microcontroller. Implementation of TCP/IP stack in 8 bit microcontroller (8051 family) is a big challenge. Several open source groups have develops this project. Picoweb group build embedded web server with AT90S8515 and Web51 group also build web server based on AT89C8252. Both of those groups build embedded server without security supporting. They only try to implement TCP/IP stack in microcontroller. Portability aspect is not considered in their design. They use assembly language that match only with certain microcontrollers. Due to those lacks, we built better embedded web server and design by high level language which compatible with various microcontrollers. Not only with 8 bit microcontrollers but also with 16 bit microcontrollers or other microcontroller systems. To solve security problems which attack web, a security protocol was developed which known as Secure Socket Layer (SSL) whose ability to authenticate and communicate personally. Secure protocol SSL is developed over asymmetric cryptography algorithm RSA (Rivest, Shamir, Adleman) but the implementation requires large code space. Of course this will become a problem to be implemented in embedded system which has limited code space. To handle this problem we choose symmetric cryptography algorithm TEA (Tiny Encryption Algorithm) which needs fewer spaces in ROM and RAM to replace RSA algorithm. In the following we describe the implementation of TCP/IP stack and TEA algorithm with C programming language in microcontroller system. Although the use of C language is considered inefficient in code space, but it can be implemented for many microcontroller types. Besides that we also make a generic web browser plug in to implement TEA algorithm in client side. This embedded web server is an early step to build internet based embedded control system. In this paper we show a simple control structure with ON-OFF controller as illustrated in Figure 1. Client IP Network Client Controller + Embedded Web Server Device or Control Plant Figure 1: Simple control structure of embedded web server. 2 TCP/IP TCP/IP is the standard protocol used in Internet. In RFC 1180, TCP/IP follow seven layers in OSI which adopted into four layers (see Figure 2). Data Link Layer Network Layer Transport Layer Session Layer Physical Layer Presentation Layer Application Layer Network Interface Layer Internet Layer Host-to-Host Transport Layer Application Layer OSI Model Layer TCP/IP Protocol Architecture Layers Figure 2: TCP/IP protocol architecture layers. From the bottom of TCP/IP, network layer is the definition type of physical network media. Such as Ethernet, frame relay, ATM, and Token Ring. In Internet layer there are protocols: IP, ARP, IGMP, and ICMP. In embedded web server we built, we implemented IP, ARP, and ICMP. IGMP was not implemented, because we assumed that routing process conducted in routing table at local server. Then in Host-to-Host Transport Layer there are two protocols namely, TCP and UDP. We only implemented TCP, because web server or HTTP server only need TCP. To become a web server TCP only working on port 80 and ignore if receive other ports. Port 80 means application layer related to HTTP. This HTTP was made to send HTML file. 3 Tiny Encryption Algorithm (TEA) TEA cryptography algorithm is one of symmetric algorithm. This algorithm need delta constant (delta = 31 2 * ) 1 5 ( ) and number of iteration (n) in calculation process. One iteration will produce 64 data bit with 128 key bit which also result 64 ciphertext. In this case data is in array v[ ], key is in array k[ ], and result of encryption will be saved in array v[ ] which replace data position which formerly in array v[ ]. 3.1 Encoding and Decoding Process Flowchart in Figure 3 shows that there is n iteration process. Sign << tell that number of shift left of the number, >> is vice-versa. Sign ^ means XOR operation among the operand. Example: y = y + (( z << 4 )+ k[0] ) ^ (z + sum)^(( z >> 5 )+k[1] ) Y variabel is total of y variabel before with z variabel which shift left 4 bit, added with k[0] then XOR-ed with total of z and sum and finally XOR again with z which has shifted right 5 bit and added with k[1]. S T A R T E N D v [ 0- 1 ] =d a t a 1 ( 6 4 bi t ) k [ 0 - 3 ] =k u n c i 1 ( 1 2 8b i t ) n >0 ? n =n -1 s u m =s um +de l t a y =y +( (z <<4 ) +k [ 0 ] ) ^( z +s um ) ^( (z >>5 ) +k [ 1 ] ) z =z +( (y <<4 ) +k [ 2 ] ) ^( y +s um ) ^( (y >>5 ) +k [ 3 ] ) v [ 0 ] =y v [ 1 ] =z n o y e s d e l t a = 0 x 9e 3 7 7 9 b 9 n = 3 2 s um = 0 y = v [ 0 ] z = v [ 1 ] Figure 3: Encoding process Encryption result (ciphertext) which in array v[ ] will become data for decoding process, after running n iteration. Result from decoding process (plaintext) will return in array v[ ] (see Figure 4). START END v[ 0-1] =dat a1(64bit ) k[ 0-3] =kunci1(128bit ) n>0? n=n-1 z=z-((y<<4)+k[ 2] )^(y+sum)^((y>>5)+k[ 3] ) y=y-((z<<4)+k[ 0] )^(z+sum)^((z>>5)+k[ 1] ) sum=sum-delt a v[ 0] =y v[ 1] =z no yes delt a = 0x9e3779b9 n = 32 sum = delt a<<5 y = v[ 0] z = v[ 1] Figure 4: Decoding process From both encoding and decoding flowcharts we see that cryptography algorithm TEA is very simple so that easy to be implemented in any kind of programming language including assembly language. This algorithm emphasizes number of iteration and length of the key that produces a secure ciphertext. The longer of key the more iteration so the algorithm becomes more secure. 4 Design & Implementation 4.1 Hardware Design The hardware architecture we designed here is a microprocessor based system. We choose a 8051 family microcontroller, AT89C55, which has 20 KB ROM and 256 bytes RAM. AT89C55 is interfaced to NE-2000 Ethernet controller by ISA bus. The whole hardware architecture is shown in Figure 5. Figure 5: Hardware architecture 4.2 TCP/IP Stack Implementation As we know that a microcontroller based system design implies high complexity to debugging for TCP/IP stack implementation. To reduce the implementation time significantly, we realize the embedded web server by residing the program written in C language in ROM and RAM of microcontroller. Functions of embedded web server are limited for: Serving request with one page from one to five clients; Content of web page shows status from several variables in RAM of microcontroller; From user interface at web page, condition of RAM variable can be changed; Only served ICMP, ARP, HTTP request. Besides those protocols all packets are ignored. Due to the limit of memory space in microcontroller (20 KB ROM, 256 byte RAM) there is minimization code in TCP/IP stack implementation. From C file which implements TCP/IP we need C compiler for 8051 microcontroller to convert to hexadecimal file that will be downloaded to the microcontroller. There are SDCC, Keil, PV31 (Franklin), etc. We use a free software SDCC and the result takes 75 bytes of RAM and 6564 bytes of ROM. start initiation any new packet ? EtherType = 0x800 (IP) ? Protocol = 1 ( ICMP ?) EtherType = 0x806 (ARP) ? Type = 8 (Echo Request) ? do Echo Reply, initiation of sending packet Protocol = 6 (TCP) ? Port = 80 (HTTP) ? implementation of TCP state machine Tipe = 01 (ARP request)? target IP address match with this address web server ? do ARP Reply, initiation of sending packet yes no no yes no no no no no no no no yes yes yes yes yes yes yes Figure 6: TCP/IP stack implementation. 4.3 Design and Implementation TEA Implementation of TEA aims to support security aspect of embedded web server. As realized in UNIX operation system, our embedded web server is design with a hierarchy of system access consisting of administrator or super user (root in UNIX), operator (group user), and guest. Administrator has the highest privilege so that it has full access to this embedded web server. First, an administrator has authority to make control commands to I/O ports both of digital I/O and serial port. Second, an administrator can make a change in setting function of each digital I/O pins. Third, an administrator also can monitor all status of I/O ports. This monitoring ability shows input status from each I/O ports. Based on those administrator privileges, web page which will be send to the administrator containing control of digital I/O pins and serial I/O, monitoring I/O, and setting of embedded web server. 8051 microcontroller family +5V DC Regulator 16 KB Serial I2C EEPROM NE-2000 Ethernet Controller 10base T Interface MAXIM RS-232 XCXR 9-24 VDC Ethernet Digital I/O RS-232 Operator is one level below administrator. An operator has authority to make commands to I/O ports which mean it can change output status of digital I/O (ON or OFF) and change output value from serial port I/O. An operator also has authority to get information about monitoring result from input ports. Based on these authorities, an operator will get a web page contains control part of digital I/O and serial I/O with full access to make changes to them. Guest is the lower level in privilege hierarchy. A guest only get information about monitoring process of I/O ports and can not make any changes. Authentication process in this embedded web server consists of two input references: ID and password so that the embedded web server recognises what type of user is accessing to the system. First process which embedded web server do when there is a request from client is parsing process. This process translates URL coding which is received from client. Server will detect what type of the request and then will continue the process with method related to type of request. If type of request is GET, server directly send index.html file to client. If the type is POST, server will continue to detect what the code next. The next step is to detect I/O condition which located in html form when user push GO button. This information located in Message Body of URL coding. Form of Message Body which will be sent is: nameinput1=inputvalue1&nameinput2=inputvalue2&&x = . Inputs are got from radio button, text box, password and hidden input. All these input values are firstly saved in memory for next use. Figure 7: Authentification process. After finishing parsing process, server will handle chipertext description (password client) and authentification. Password chipertext will be described and used to determine user privilege. Result of privilege, which is web page with user privilege, will be sent back to client with a POST response. See Figure 7. Figure 8: Encryption and decryption process. Web page has three elements user interface. There are two textbox for ID information, password, and a hidden input as sign of the end of URL coding. User gives input such as text in two textbox. Then that information will be sent to server in URL form like this: T1=name&T2=password&x= Server will parse to this URL coding and save input value to each user interface provided in memory location. Information about password still in chipertext form needs to be encrypted by client before send to server. Information about name and password will be used to determine the privilege of that user. In the beginning of authentification process the description of chipertext password that send by client is compared with user database in server. If those information are match, server will store user privilege information in privilege memory (1= Administrator, 2=Operator, 3= Guest) then server will send web page which related to that user privilege. If information is not match server will send again authentification page. TEA algorithm plays important rule in encryption and decryption process of user and password information. See Figure 8. TEA algorithm is implemented in C language as given bellow. Data for encryption and decryption is limited only 8 characters, but the key 16 characters. Keys which is GET request ? START Send GET response, build Post request ? END Description ciphertext, Authentication Send POST response, build N Y Y N Send START RETURN Decryption Build HTML Find Privilege Send HTML Post Array Make TCP Segment Close Connection Encryption START RETURN used have defined both in client and server, so that it doesnt need distribution of the key. Encryption: void encipher(const unsigned long *const v,unsigned long *const w, const unsigned long *const k) { register unsigned long y=v[0],z=v[1],sum=0,delta=0x9E3779B9, a=k[0],b=k[1],c=k[2],d=k[3],n=32; while(n-->0) { sum += delta; y += (z << 4)+a ^ z+sum ^ (z >> 5)+b; z += (y << 4)+c ^ y+sum ^ (y >> 5)+d; } w[0]=y; w[1]=z; } Decryption: void decipher(const unsigned long *const v,unsigned long *const w, const unsigned long *const k) { register unsigned long y=v[0],z=v[1],sum=0xC6EF3720, delta=0x9E3779B9,a=k[0],b=k[1], c=k[2],d=k[3],n=32; /* sum = delta<<5, in general sum = delta * n */ while(n-->0) { z -= (y << 4)+c ^ y+sum ^ (y >> 5)+d; y -= (z << 4)+a ^ z+sum ^ (z >> 5)+b; sum -= delta; } w[0]=y; w[1]=z; } Client for this embedded web server needs special plug in to access the web page. Formerly, we built dedicated web browser for the client as indicated in Figure 9. Figure 9: Dedicated web browser for clients. We built this web browser with security protocol to encrypt user password information. This protocol begins working after user inputing its name and password (each maximum 8 characters). Then user will give guidance whether using secure or non secure communication. If user wants to use secure communication, user need to push secure button before pushing GO button. Process that happens when secure pushed is encryption process. When secure button pushed, information about password is taken from input textbox HTML, encrypted, and returned to the place before. After that, if user push GO button then information will be sent is ID and password which have been encrypted. Implementation this secure protocol with base on cryptography TEA algorithm in client side are realized with Visual Basic programming. TEA algorithm in client side has function to call subroutine encryption and decryption similar to cryptography process in server side. 5 Debugging and Testing To debug TCP/IP stack in microcontroller, we connect serial port to Hyperterminal program in PC. Here we can see all process in microcontroller, for example when microcontroller detects Ethernet card connection. PC for Debugging Embedded Web Server Serial Port Users Internet Figure 10: Debugging configuration Figure 11: Number address of Ethernet card. Figure 11 shows number address of Ethernet card. To check if TCP/IP runs properly, we sent ICMP packet to server by PING command in client. Server can reply the ICMP packet. We can also check it by browsing the IP address of embedded web server, it will show authentication page. To check security protocol, we can input any string to textbox HTML. Only valid couple of name and password will be processed. 6 Conclusion This embedded web server is a good media to attach device to Internet. Many applications can be developed by this system primarily in field of remote monitoring and controlling. For example remote monitoring of Weather Station, Oil Storage, Home Automation, etc. We can build this system with low cost and easy to install. References [1] Adolfo R., et al, TCP/IP Tutorial and Technical Overview (IBM, August 2001) [2] D., Comer, Internetworking with TCP/IP Volume I (Prentice-Hall, 1995) [3] D.C. Plummer, An Ethernet Address Resolution Protocol, RFC 826, Internet Engineering Task Force, June 1999 [4] D. Wheeler, R. Needham, TEA, a Tiny Encryption Algorithm, Computer Laboratory, Cambridge University, England, November 1994 [5] J Postel, Control Protocol. RFC 793, Internet Engineering Task Force, September 1981 [6] J. Postel, Internet Control Message Protocol, RFC 792, Internet Engineering Task Force, September 1981 [7] R. Braden, Requirement for Internet Host- Communication Layer, RFC 1122, Internet Engineering Task Force, October 1989 [8] R. Fielding et al, HTTP / 1.1 , RFC 2616, Internet Engineering Task Force, June 1999