Authentication and encryption for device-to-device communications

I’m working on some tools that I hope to release open-source in the not-too-distant future. Right now I’m looking for use cases where what I’m making would be more generally useful, and I’ll try to put some flexibility in my libraries and tools to allow for those use cases.

These are the problems I’m solving for:

  • Device ID (PKI / public key) discovery across applications/roots of trust:
    • It’s usually a manual process to get devices talking together, across PKI roots of trust and application namespaces. Copying cert chains is a pain, and it’s either difficult or unreasonably expensive to maintain trust through credential rotation.
  • Local service discovery for universal device ID:
    • mDNS is useful for service discovery on the local LAN, but tying a service discovered on mDNS to a universally-recognized device ID is an interesting proposition.
  • Encryption and authentication of payload passing through the Balena device URL proxy

Using a standards-based approach, and staying away from blockchain.

A use case I had in mind was getting NVRs working with cameras, where the NVR may need to securely discover and communicate with cameras from different vendors, do so in a way which eliminates the need to manage text-based credentials (no username/password or API key/secret), and doesn’t make bootstrapping of a trust relationship terribly onerous. Also allows device certificate rotation at-will.

Think of this as universal discovery and auth for device-to-device communication patterns.

Looking for feedback on whether or not I’m addressing a problem that the Balena community is experiencing. I suppose it’s possible that people just avoid PKI altogether, disable trust chain verification, or pass messages through an off-device service layer…