Prevent readout of MQTT client certificates

fbrozovic
Posts: 1
Joined: Fri Feb 20, 2026 9:39 pm

Prevent readout of MQTT client certificates

Postby fbrozovic » Fri Feb 20, 2026 9:52 pm

Hi,

I'd like to use the ESP-AT as a coprocessor in an existing application to establish an MQTT connection over TLS with a client certificate. However, I would like to prevent attackers with physical access to the device from reading out the certificate/key and thus being able to connect to my broker with another device.

As far as I can tell, once the certificate and key are uploaded using AT+SYSMFG=2 (or baked into the firmware at compile-time), it is possible to simply read out the files using AT+SYSMFG=1 (and there may be other commands which could be used to get the files?).

Is there a way to securely store this data and enable TLS connections without being able to read out the certificate and/or key? Of course, the use of Flash encryption is mandatory so the PKI data can't just be read from an SPI flash dump.
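The thread asks whether provisioned PKI material can be read back over the AT interface. Whatever storage approach is chosen, the practical verification is to query the module the way someone with UART access would and confirm that no certificate or private key comes back in the clear. The following is an added example of such a post-provisioning audit, written for this edit; it is not code from the thread or from Espressif. It assumes a caller-supplied `send` function that writes one AT command and returns the module's textual response (in practice a thin wrapper around a serial port), and it takes the exact query commands as input because the argument list of AT+SYSMFG=1 depends on the ESP-AT version; the query string below is a placeholder, and the module responses are constructed so the audit runs offline.

```python
"""Post-provisioning readout audit for an ESP-AT module (added example).

Assumptions, not taken from the thread:
  * `send(cmd)` writes one AT command to the module and returns the full
    response text. A fake transport stands in for a serial link here.
  * The AT+SYSMFG=1 argument list is version-specific, so the caller passes
    the exact query commands; PLACEHOLDER_QUERIES is only a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Matches any PEM block and captures its label (CERTIFICATE, EC PRIVATE KEY, ...)
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class Finding:
    command: str        # the query that returned the material
    label: str          # PEM label as returned by the module
    is_private_key: bool
    body_chars: int     # length of the base64 body, to show real data came back


def extract_pem_blocks(response: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block found in an AT response."""
    return [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(response)]


def audit_readout(send: Callable[[str], str], query_commands: Iterable[str]) -> List[Finding]:
    """Issue each query and record every certificate or key that is returned."""
    findings: List[Finding] = []
    for cmd in query_commands:
        response = send(cmd)
        for label, body in extract_pem_blocks(response):
            findings.append(Finding(
                command=cmd,
                label=label,
                is_private_key="PRIVATE KEY" in label,
                body_chars=len(body.replace("\r", "").replace("\n", "")),
            ))
    return findings


def leaks_private_key(findings: Iterable[Finding]) -> bool:
    """True if any query returned private key material; that is the failing case."""
    return any(f.is_private_key for f in findings)


# --- constructed sample: a fake module that hands back provisioned PEM data ---
FAKE_CERT = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBexampleNOTAREALCERT==\r\n"          # constructed, not a real certificate
    "-----END CERTIFICATE-----\r\n"
)
FAKE_KEY = (
    "-----BEGIN EC PRIVATE KEY-----\r\n"
    "MHcCAQEEIEXAMPLEKEYMATERIALNOTREAL0000000000000000000000oAoGCCqGSM49\r\n"
    "AwEHoUQDQgAEexampleexampleexampleexampleexampleexampleexampleexa==\r\n"
    "-----END EC PRIVATE KEY-----\r\n"
)
PLACEHOLDER_QUERIES = ["AT+SYSMFG=1,<namespace>,<key>"]  # placeholder arguments


def fake_send(cmd: str) -> str:
    """Stand-in transport: a module whose stored PKI files are readable."""
    if cmd.startswith("AT+SYSMFG=1"):
        return "\r\n" + FAKE_CERT + FAKE_KEY + "\r\nOK\r\n"
    return "\r\nERROR\r\n"


if __name__ == "__main__":
    for f in audit_readout(fake_send, PLACEHOLDER_QUERIES):
        flag = "  <-- PRIVATE KEY READABLE" if f.is_private_key else ""
        print(f"{f.command}: {f.label} ({f.body_chars} base64 chars){flag}")
```

Run against real hardware by replacing `fake_send` with a function that writes to the module's UART and reads until `OK` or `ERROR`; the audit should return no findings at all, and any `PRIVATE KEY` finding means the device still exposes the key to anyone with physical access, regardless of flash encryption.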

esp-at
Espressif staff
Posts: 335
Joined: Mon May 09, 2022 3:00 am

Re: Prevent readout of MQTT client certificates

Postby esp-at » Wed Mar 04, 2026 6:22 am

