I am producing a web service which will allow any third party “device” to communicate with it. Each device has a reasonably unusual string to identify itself and uses the web service to store data against this id. However, this allows someone who wishes to game the service to scan through and guess device ids and store malicious data against them.
The device itself using this web service is relatively “dumb” and doesn’t offer a suitable interface for data entry, so a password or any form of entry on the client is not available.
As this web service is open for anyone who wishes to produce a device of this nature to use, I can’t increase security with the use a private key as this would be publicly defined in a specification. Also due to the simplistic nature of the device and it’s IP/HTTP stack, HTTPS is unsuitable for this implementation.
To the best of my knowledge I can’t see a way of using a privately shared key in this operation. To this extent, I believe it be impossible to secure a system of this nature, but I am wondering if some other methods which I’ve yet to find may help me secure this system somewhat?
Is there a reason you can’t use a public/private key pair?
You could publish the server’s public key with the specification, and require each device to generate a random public/private key pair for itself. The device could encrypt its public key with the server’s public key and send it to the server. The server could use its private key to decrypt the device’s public key, and then assume that nobody else could decrypt any message that the server encrypts using that public key. The server therefore registers that public key as the device’s ID.
If you set up some kind of session, the server can retain the device’s public key associated with that session. If not, some defined portion of any message sent from the device to the server must include the device’s public key encrypted this way, so that the server can know which device sent the message.
Any message sent to the server will be encrypted with both the client’s private key (so the server knows this device sent it) and the server’s public key (so only the server can read it). Messages sent to the device will be encrypted with the server’s private key (so the client knows the server sent it) and the client’s public key (so only the client can read it). Only you know your private key, and only they know their private key, so everything’s secure as long as you (and they) use good seeding and encryption algorithms.
Does that make sense?