IoT Worker

IoT Infrastructure Developer

Embedded and IoT Development

A technical blog sharing project insights, practical tools, and industry best practices.

Topics

  • Tools: Curated IoT/embedded development toolchains.
  • Practices: Hardware selection, protocol implementation, and system design.
  • Solutions: Ready-to-use IoT architectures for real-world problems.
  • Lessons: Optimizations and takeaways from projects.

About

Years of IoT experience—view my background.

Latest Posts

Mastering Cryptography in One Article

“Good Enough” IoT Cryptography

Goal: Application, understanding, and ability to design solutions. No complex math, just essential concepts, parameters, and a checklist of pitfalls to avoid.

Essential Concepts

  • Confidentiality: Prevent unauthorized access (encryption)
  • Integrity: Prevent undetected modification (authentication)
  • Identity and Non-repudiation: Who is in the conversation (signatures/certificates)
  • Symmetric Key: Same key for encryption/decryption (AES/ChaCha20-Poly1305)
  • Asymmetric Key: Private/Public keys (ECDSA/Ed25519, ECDH/X25519)
  • AEAD (Authenticated Encryption with Associated Data): Encryption + authentication in one go (GCM/CCM, ChaCha20-Poly1305)
  • MAC (Message Authentication Code): Authentication only (HMAC/AES-CMAC), no encryption
  • KDF (Key Derivation Function): Transform “raw secrets” (e.g., ECDH/X25519 shared secret) into “usable keys”
  • Key Formats: SPKI (public key)/PKCS8 (private key) containers, DER (binary)/PEM (text) encoding

Diagram

[A private key + B public key] --(ECDH/X25519)--> [Shared secret S]
[S] --(HKDF salt, info, L)--> [Symmetric key K]
[Message M, AAD] --(AEAD:K, nonce)--> [C || tag]
[M] --(HMAC/CMAC:K)--> [tag]
[M] --(Sign:Private Key)--> [signature]
  • AEAD output is always “ciphertext + tag”; verify the tag before decryption
  • A MAC or signature does not encrypt data
  • Shared secrets cannot be used directly as keys; they must go through a KDF
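
The HKDF and MAC steps of the diagram, written out with only the Python standard library as an added example (it is not code from the original post). The shared secret is a constructed stand-in for an X25519 output, and the salt, the `info` labels and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense the raw shared secret into a PRK."""
    # An empty salt defaults to HashLen zero bytes, as RFC 5869 specifies.
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_session_keys(shared_secret: bytes, salt: bytes) -> dict:
    """One shared secret S, two independent keys separated by their info labels."""
    prk = hkdf_extract(salt, shared_secret)
    return {
        "aead_key": hkdf_expand(prk, b"example/aead-key", 32),  # hypothetical label
        "mac_key": hkdf_expand(prk, b"example/mac-key", 32),    # hypothetical label
    }

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: authenticates the message, does not hide it."""
    return hmac.new(key, message, HASH).digest()

def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so timing does not leak a partial match.
    return hmac.compare_digest(mac_tag(key, message), tag)

if __name__ == "__main__":
    S = bytes.fromhex("0b" * 32)  # constructed stand-in for an X25519 shared secret
    keys = derive_session_keys(S, salt=b"constructed-session-salt")
    tag = mac_tag(keys["mac_key"], b"temp=21.5")
    print("untampered:", mac_verify(keys["mac_key"], b"temp=21.5", tag))
    print("tampered:  ", mac_verify(keys["mac_key"], b"temp=99.9", tag))
```

The `aead_key` would feed the AEAD step of the diagram, which needs a library outside the standard one and is not shown here.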

Parameter Cheat Sheet (Length & Format)

  • Nonce/IV: GCM=12 bytes; ChaCha20-Poly1305=12 bytes; CCM=13 bytes (common); CBC=16 bytes
  • Key: AES=16/24/32 bytes; ChaCha20-Poly1305=32 bytes
  • Signature Encoding: ECDSA=DER or RAW(r||s 64 bytes); Ed25519=RAW
  • Public/Private Key Containers: SPKI (public key)/PKCS8 (private key); DER bytes can be converted to PEM text

When to Use What

  • Constrained devices/wireless protocols: AES-CCM (hardware accelerated) or ChaCha20-Poly1305 (software-friendly)
  • Web/general purpose: AES-GCM (Galois/Counter Mode) or ChaCha20-Poly1305
  • Integrity only: HMAC-SHA256 (Hash-based Message Authentication Code) or AES-CMAC
  • Firmware/long message signing: Ed25519 or ECDSA-P256
  • Session establishment: ECDH-P256 or X25519 → HKDF → AEAD

Attack/Defense Quick Cards

  • Never reuse an AEAD nonce under the same key
  • CBC itself doesn’t authenticate, so you must add a MAC; switching to AEAD is recommended
  • Key exchange must include signatures to prevent man-in-the-middle (MITM) attacks

Quick Start

Quickly verify on CryptoBox web version:

Docker: Your Embedded Development Environment Supercharger

Why Does Embedded Development Need Docker?

1. Solving Cross-Compilation Environment Issues

  • Toolchain Version Conflicts: Different projects require different gcc-arm-none-eabi versions.
  • Dependency Management: Avoid system pollution and isolate various libraries.
  • Team Collaboration: Ensure all developers use the identical compilation environment.

2. Rapid Environment Setup

  • One-Click Launch: Get a complete embedded development environment in seconds.
  • Version Control: Development environments can also be versioned.
  • Cross-Platform: Unified development experience on Windows, Linux, and macOS.

Core Concepts

Image

Think of it as a “development environment installer” containing all necessary tools and libraries.