This week, I met up with Alex and Alex to go over the Raspberry Pi side of the locking mechanism. I also wrote up a short Python test script that connects to the WebSocket and sends some test messages to ensure that we can receive messages from the “server”. Since WebSocket requires a persistent connection, I’ll have to migrate the code later on once we get the other features up and running so that the WebSocket connection is properly maintained.
I also did some extra research on the security architecture of the system and was able to conclude that using IAM keys to authenticate the Raspberry Pi to the server was the best available solution, as AWS API Gateway does not support mutual TLS for WebSocket APIs. Many of the articles that I read, such as this Heroku one (https://devcenter.heroku.com/articles/websocket-security), suggest having the user authenticate with secret information such as a username and password to retrieve a token that will authenticate all future requests. However, since the RPi is handling the server communication and the user is not able to directly interface with the RPi, we decided that we would need to use the IAM keys, since the user would not have to enter them and, if the keys were compromised, the permissions on the associated IAM role would only allow an adversary to invoke the API.
There aren’t any major risks at the moment. My work has been pretty straightforward and standalone, so integrating with the other code should be simple. Next week, I plan to work with both Alexes again to get all of the server communication set up on the RPi. I also plan to work with Alex Li to get the WebSocket communication up and running on the Android.