Lately I’ve been building a webserver, in school as a light and curtain controller, on top of an AtMEGA168 and ENC28J60, I’ve based it off an article I found at TuxGraphics.org. Which by the way is a fine place to order components for personal usage – They’re cheap and they shipped to Denmark in 2-3 days…

Anyway, the webserver software I found sends a plaintext password over HTTP for authentication. This is of course not desirable since anybody with access to the same network link can see the password. This is very bad security, especially if it’s a wireless link. And who would want a light and curtain controller if the neighbor kid suddenly hacked it.

Therefore I decided that I needed a secure authentication method. Asymmetric cryptographic algorithms are already out of the question since I’m working on a microprocessor with 16kbytes program memory. I tried to find a conventional md5 or sha1 implementation, however they were very easily too big in program size and inefficient. So I looked around and found HSH 11/13 by Herbert Glarner.

HSH 11/13 looked to be efficient, small and easy implement. Later I discovered that with my lack of experience with bit manipulation in C ladder was not true. However, I did manage to get an implementation working, it’s written in C and I’ve tested it with GCC and AVR-GCC against glibc and AVR-libc respectively. You may download it here:

• Download C implementation of HSH 11/13.

Now having a webserver with a serverside hash algorithm doesn’t solve the issue. The client needs to have the hash algorithm as well. Therefore I wrote a compatible implementation of HSH 11/13 in Javascript. This may seam rather weird, and it’s sure not efficient anymore. I’ve only tested the script in Firefox 2.0, however I’d imagine that it works in other browsers as well. You may download the Javascript implementation here:

• Download Javascript implementation of HSH 11/13.

Like I said before this may seam rather weird, as the webserver isn’t capable of serving pages as big as the Javascript implementation. However the solution is to let the main page of the embedded webserver be:

< script src = 'http://mywebhost.com/myjsfile.js' > < / script>

Where “http://mywebhost.com/myjsfile.js” is a file located on a remote ordinary webserver, e.g. not served from the embedded webserver. The included Javascript file then writes an entire web 2.0 application using “document.write”. Once the web 2.0 application have been loaded it can use AJAX requests and the HSH 11/13 implementation to communicate with the embedded webserver.Apart from the main page, a simple AJAX API is all the embedded webserver needs to host. Authentication against the webserver may then be done using a HSH hashsum of a timestamp + password + data, referred to as token. Where timestamp, data and token, are send everytime an API request is made. The embedded webserver then knows the password and generates the token from the given timestamp and data, one can then authenticate the request by comparing the generate token with the received token. Note, it may not be desirable to keep track of time on a embedded webserver, so it’s easier to just check if received timestamp is bigger than the latest received timestamp, and then save the timestamp for later use.