Secure Tablet Communication with Asymmetric Encryption

TL;DR

This guide shows you how to set up secure communication between a monitoring unit and a tablet using asymmetric encryption (public/private key pairs), so that only the tablet can read what the unit sends, even if someone intercepts it, and so that the tablet can check that a message really came from the unit. We'll cover generating keys, encrypting data on the unit, decrypting it on the tablet, signing messages so the tablet can verify their origin and integrity, and some important security considerations.

Generating Key Pairs

  1. On the Tablet: Create the tablet's key pair first; its private key is what will decrypt incoming messages. Use OpenSSL or a similar tool. The first command generates a 2048-bit RSA private key; the second extracts the matching public key from it:
    openssl genrsa -out tablet_private.pem 2048
    openssl rsa -in tablet_private.pem -pubout -out tablet_public.pem
  2. On the Monitoring Unit: The monitoring unit needs its own key pair, which it will use to sign messages (covered below). Again with OpenSSL:
    openssl genrsa -out unit_private.pem 2048
    openssl rsa -in unit_private.pem -pubout -out unit_public.pem
  3. Key Exchange: Copy the tablet's public key (tablet_public.pem) to the monitoring unit, and the unit's public key (unit_public.pem) to the tablet, which needs it to check signatures later. Public keys are not secret, so they do not need to be encrypted in transit, but they must be authentic: if an attacker can swap in their own public key, the unit will encrypt everything for the attacker instead of the tablet, and the tablet will accept the attacker's signatures. Move the files on a physical medium you control (a USB drive) rather than over an untrusted channel such as email, and after copying, compare a fingerprint of each key (a SHA-256 hash of the key file) on both devices before trusting it. Private keys never leave the device that generated them.

Encrypting Data on the Monitoring Unit

  1. Import Tablet's Public Key: Load tablet_public.pem into the monitoring unit's encryption library (or point the OpenSSL command at it, as below).
  2. Encryption Process: Before sending any data, encrypt it with the tablet's public key. OpenSSL's older rsautl command still works but has been deprecated since OpenSSL 3.0; pkeyutl is its replacement, and the extra options select RSA-OAEP padding, the mode recommended for new designs, instead of the default PKCS#1 v1.5:
    openssl pkeyutl -encrypt -pubin -inkey tablet_public.pem -in message.txt -out encrypted_message.enc -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

    (Replace message.txt with your actual data file.)

    RSA can only encrypt a message shorter than its key: with a 2048-bit key and OAEP with SHA-256 the limit is 190 bytes, and the command fails with "data too large for key size" beyond that. For anything larger, encrypt the data with a fresh symmetric key (for example AES-256) and use RSA only to encrypt that key. This hybrid approach is how real-world protocols use RSA encryption.

  3. Send Encrypted Data: Transmit encrypted_message.enc to the tablet.

Decrypting Data on the Tablet

  1. Receive Encrypted Data: The tablet receives encrypted_message.enc from the monitoring unit.
  2. Decryption Process: Decrypt the data with the tablet's private key, using the same padding options the unit used to encrypt:
    openssl pkeyutl -decrypt -inkey tablet_private.pem -in encrypted_message.enc -out decrypted_message.txt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

    (Replace encrypted_message.enc with the received file name.)

  3. Verify Data: Check that decrypted_message.txt contains the expected data. Successful decryption only shows that the ciphertext was produced with the tablet's public key, which anyone can hold; it says nothing about who sent the message or whether it was altered. That is what the signing step adds.

Adding Message Signing for Integrity

Encryption gives confidentiality, but neither integrity nor authentication of the sender: the tablet's public key is not secret, so anyone who has it can produce a ciphertext the tablet will decrypt, and an intercepted message could be replaced with one the attacker made. A signature made with the unit's private key, which only the unit holds, lets the tablet check both that the message came from the unit and that it was not modified.

  1. Sign on Unit: Before encrypting, sign the data with the unit's private key (SHA-256 hash, RSA signature):
    openssl dgst -sha256 -sign unit_private.pem -out message.sig message.txt
  2. Send Signature and Encrypted Data: Send both encrypted_message.enc and message.sig to the tablet.
  3. Verify on Tablet: After decrypting, verify the signature against the decrypted file using the unit's public key (copied to the tablet during key exchange):
    openssl dgst -sha256 -verify unit_public.pem -signature message.sig decrypted_message.txt

    The command prints "Verified OK" and exits with status 0 when the signature matches. Any other result means the message was altered, was not signed by the unit's key, or the wrong unit_public.pem is installed; treat the data as untrusted in that case.

    Two caveats apply to this sign-then-encrypt order. The signature travels in the clear and is over the plaintext, so an eavesdropper who can guess the plaintext (readings with only a few possible values) can confirm the guess using the unit's public key. And the tablet has to decrypt before it can verify, so it processes attacker-controlled ciphertext before it knows who sent it. Signing the ciphertext instead (encrypt, then sign what is actually transmitted) avoids both: the tablet verifies first and decrypts only bundles that check out.
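The whole exchange above (key generation and the fingerprint check from the key exchange step, encryption on the unit, decryption on the tablet, and signing) run end to end with the openssl command line, as an added example that is not part of the original article. It departs from the step-by-step commands in two ways a practitioner should adopt: it uses hybrid encryption (a fresh AES-256 key per message, wrapped with RSA-OAEP) so that messages of any size work, and it signs the ciphertext so the tablet verifies before it decrypts. It assumes openssl 1.1.1 or 3.x on PATH; every file name is hypothetical and the sensor reading is a constructed sample.

```sh
#!/bin/sh
# Added example (not the article's own code): unit-to-tablet exchange done
# end to end with the openssl CLI, using hybrid encryption (fresh AES-256
# data key wrapped with RSA-OAEP) and encrypt-then-sign.
# Assumes openssl 1.1.1 or 3.x on PATH. File names are hypothetical and the
# reading below is a constructed sample.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One-time setup: each side generates its own pair, as in the article.
gen_keys() {
    openssl genrsa -out tablet_private.pem 2048 2>/dev/null
    openssl rsa -in tablet_private.pem -pubout -out tablet_public.pem 2>/dev/null
    openssl genrsa -out unit_private.pem 2048 2>/dev/null
    openssl rsa -in unit_private.pem -pubout -out unit_public.pem 2>/dev/null
}

# SHA-256 over the DER encoding of a public key. After copying a public key
# to the other device, compare this value on both screens: that proves the
# copy is authentic, which is the property a public key needs (secrecy is not).
fingerprint() {   # $1 = public key PEM; prints 64 hex chars
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Direct RSA-OAEP encryption of a file, as in the article's encrypt step.
# Works only for inputs of at most 190 bytes under a 2048-bit key with
# SHA-256, which is why unit_send wraps a data key instead of the message.
direct_rsa_encrypt() {   # $1 = input file; exit status is openssl's
    openssl pkeyutl -encrypt -pubin -inkey tablet_public.pem -in "$1" -out "$1.rsa" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 2>/dev/null
}

# Unit side: AES-256-CBC under a one-shot key, key+IV wrapped with the
# tablet's public key, then one signature over (wrapped key || ciphertext).
unit_send() {   # $1 = plaintext file, $2 = bundle prefix -> $2.dk.enc $2.ct $2.sig
    openssl rand -out "$2.dk" 48                           # 32-byte key + 16-byte IV
    hex=$(od -An -tx1 -v "$2.dk" | tr -d ' \n')
    openssl enc -aes-256-cbc -K "$(printf %s "$hex" | cut -c1-64)" \
        -iv "$(printf %s "$hex" | cut -c65-96)" -in "$1" -out "$2.ct"
    openssl pkeyutl -encrypt -pubin -inkey tablet_public.pem -in "$2.dk" -out "$2.dk.enc" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    rm -f "$2.dk"                                          # data key never leaves the unit in clear
    cat "$2.dk.enc" "$2.ct" | openssl dgst -sha256 -sign unit_private.pem -out "$2.sig"
}

# Tablet side: verify first; decrypt only if the bundle is authentic.
tablet_recv() {   # $1 = bundle prefix, $2 = output file; returns 1 on a bad signature
    cat "$1.dk.enc" "$1.ct" | openssl dgst -sha256 -verify unit_public.pem \
        -signature "$1.sig" >/dev/null 2>&1 || return 1
    openssl pkeyutl -decrypt -inkey tablet_private.pem -in "$1.dk.enc" -out "$1.dk" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    hex=$(od -An -tx1 -v "$1.dk" | tr -d ' \n')
    openssl enc -d -aes-256-cbc -K "$(printf %s "$hex" | cut -c1-64)" \
        -iv "$(printf %s "$hex" | cut -c65-96)" -in "$1.ct" -out "$2"
}

main() {
    gen_keys
    echo "tablet key fingerprint (compare on both devices): $(fingerprint tablet_public.pem)"
    printf 'unit=07 temp=21.4C humidity=40%% status=OK\n' > reading.txt   # constructed sample
    unit_send reading.txt bundle
    tablet_recv bundle reading.out && cmp -s reading.txt reading.out && echo "round trip OK"
    # Corrupt the ciphertext in transit: the tablet rejects it before decrypting anything.
    printf 'x' >> bundle.ct
    if tablet_recv bundle tampered.out; then echo "BUG: tampered bundle accepted"
    else echo "tampered bundle rejected by signature check"; fi
    # Why hybrid: a 300-byte reading cannot be RSA-encrypted directly.
    dd if=/dev/zero of=big.bin bs=300 count=1 2>/dev/null
    direct_rsa_encrypt big.bin || echo "direct RSA of 300 bytes fails: data too large for key size"
}
main
```

Run it as a script: it prints the tablet key fingerprint, the round-trip result, the rejection of a tampered bundle, and the failure of direct RSA on a 300-byte file. One design note: a valid signature proves origin and integrity, not freshness, so a recorded bundle could be resent later; before using this pattern in production, put a counter or timestamp inside the signed data and have the tablet reject repeats.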

Important Security Considerations

  • Key Storage: Protect private keys. On the tablet, keep the private key in the platform's hardware-backed key store where one is available, or at least in encrypted storage readable only by the application; on the unit, likewise, or in a hardware security module or secure element. A leaked tablet key lets an attacker read every message encrypted for it; a leaked unit key lets them impersonate the unit. Never copy a private key off the device that generated it.
  • Key Length: Use at least 2048-bit RSA keys; prefer 3072 bits if the keys will be in service for many years.
  • Algorithm Choice: SHA-256 is a good choice for hashing and signing, and OAEP for RSA encryption, but keep up to date with current cybersecurity best practices.
  • Secure Communication Channel: Asymmetric encryption protects the data itself, but also carry it over a reasonably secure transport (e.g. TLS): that hides metadata such as message sizes and timing and gives a second, independent layer if a key-handling mistake is made at the application level.
  • Freshness: A valid signature proves the message came from the unit, not that it is new; an attacker who recorded a valid message can resend it later. Include a counter or timestamp in the signed data and have the tablet reject anything it has already seen.
  • Regular Key Rotation: Periodically generate new key pairs and install the new public keys on the other device with the same fingerprint check as the initial exchange; keep the old tablet private key only as long as messages encrypted under it still need to be read.