Hello,
i have an aquarium at home. I want to see and control aquarium equipment from any point in the word. For this purpose i have made several things:
1. Visual Basic application running on my PC, designed to control aquarium equipment. It works like TCP client.
2. Aquarium control board, based on PIC microcontroller. Aquarium devices are attached to her.
3. ESP8266 WiFi board, connected to control board (through UART) from one side and connected to the router from the other side (through WiFi). It works like TCP server.

So i can reach aquarium devices from my PC through a router. There is such path:
PC application - router - WiFi board - aquarium control board. WiFi board has stock Espressif firmware, i did not want to alter it. To reach aquarium from outside network i have made port forwarding in my router. No i can reach aquarium from PC using router's external IP address. Router redirects data packets coming to this IP to WiFi board's internal IP address. Everything is OK, but i am afraid of hacking my aquarium controller. So i have thought about 2 ways to make this connection more secure:
a. Control board will accept incoming data packets only from clients with predefined MAC address. But i do not know yet is it possible to do easily.
b. Control board will ask authorisation, and client must send user name and password.
All code related with the security measures bust be implemented in microcontroller.
I prefer to use authorisation method. But because connection between the router and my aquarium is wireless, i need some password and name encryption. Login credentials must be encrypted before sending them from my PC software. I have searched all over the internet how to do that but found nothing. Maybe someone have any suggestions how to do that, which algorithms to use. I did not need extra strong security, encryption must not exceed my PIC18F microcontroller capabilities.

 

Normally MAC filtering is done on router.

 

This https://www.godaddy.com/help/http-vs-https-5454 will give you a taste of how to start. The problem is, you can't have a certificate unless the IP of your aquarium can be reverse DNS'ed. This web certificate is different than the certificate talked about below.

==

If you were say use a Rasberry PI (guess) as a front end, you could likely use the SSH protocol to communicate with your aquarium. With SSH you can set things up where there is a certificate on both machines that are trying to connect. If it's set up properly then no password is necessary to connect. The certificates are freely visible.

It's been a while since I set up SSH. SSH has a way to tunnel too. If you have a PC, you can set up a Cygwin with an SSH server and have that do the tunneling to another server (your aquarium). I did this once. It's called a "man in the middle" type of attack.

The WIFI network is encrypting stuff sent across the WIFI network.

Another way to limit the connection is to use a separate wireless network for the aquarium using an access point. Here ftp://ftp2.dlink.com/PRODUCTS/DAP-1522/REVA/DAP-1522_MANUAL_1.30_EN.PDF is an example. The MAC filter would only let the aquarium connect to the wireless access point through it's WAN.
The AP could be MAC filtered in your router too.

The MAC address from the outside world may "stop" at the router with NAT enabled. Inside your network, the MAC addresses are valid, but outside your network coming in, you see the MAC address of your router.

Even though the MAC addresses are unique, they only have to be unique through a routeable portion.

Https kinda gets around these things, by finding out who you think you are. It partially does this through the reverse DNS system. e.g. given an address, what is the domain name. then, I believe it checks the certificate at the domain with your certificate. There may be some public/private stuff here. So, you are who you say your are based on the reverse DNS and registered certificates.

I'm not an expert by any means.

You might also find some information here https://aws.amazon.com/ of use. Your essentially using Cloud computing to access your stuff at home.

Hopefully, you have a dynamic DNS account and your router supports it or you have a fixed IP address.

 

Look up "RC2" encryption algorithm. This gives you an idea how the encryption works.

There are lots of different types of attacks. For example, someone can intercept your encrypted message that instructs the aquarium to increase temperature by 1 degree. Then they re-transmit it to the aquarium a hundred times ... Encryption must not allow this. So, for each session, you need to generate a new key, and make sure the old keys are not re-usable. Typically, it is done through a session keys - Aquarium sends you some random bytes. You generate random bytes and send it to the aquarium. Then both of you use these random data along with your secret key (which is known only to you and the aquarium) to generate the encryption key. Random data are always different. This guarantees that old keys cannot be re-used.

 

Thanks you all for answers, and for the useful information!