17 Lab: Basic Access Control Setup

Components and Circuit Design for IoT Security

17.1 Learning Objectives

By completing this lab setup, you will be able to:

Identify the hardware components needed for an IoT access control system
Wire the circuit correctly for LEDs, buzzer, and buttons
Understand the code structure for authentication and authorization
Configure access levels for different user roles
Implement security features like account lockout and constant-time comparison

For Beginners: Lab: Basic Access Control Setup

Access control determines what each user or device is allowed to do in an IoT system. Think of a hospital where doctors, nurses, and visitors each have different access levels – doctors can prescribe medication, nurses can administer it, and visitors can only visit patients. Similarly, IoT access control ensures each device and user can only perform actions appropriate to their role.

Prerequisites

Before starting this lab, you should:

Complete Authentication and Authorization Fundamentals
Have basic Arduino/C++ programming knowledge
Understand ESP32 GPIO operations

Concept Relationships

Concept	Related To	Relationship Type
Access Levels	RBAC, Hierarchy	Implements - Guest < User < Admin follows role-based access control
Credential Database	Authentication, Storage	Stores - User identities and access levels for verification
Security State	Session Management	Tracks - Failed attempts, lockout status, current authentication state
Constant-Time Compare	Side-Channel Defense	Prevents - Timing attacks that leak password information via execution time
Audit Log	Compliance, Forensics	Records - All access events for security investigation and regulatory requirements
Debouncing	Hardware Reliability	Ensures - Single button press registers once, preventing double-authentication

17.2 Components

Component	Purpose	Wokwi Element
ESP32 DevKit	Main controller with access control logic	`esp32:devkit-v1`
Green LED	Access granted indicator	`led:green`
Red LED	Access denied indicator	`led:red`
Yellow LED	System status / rate limit warning	`led:yellow`
Blue LED	Admin mode indicator	`led:blue`
Buzzer	Audio feedback for access events	`buzzer`
Push Button 1	Simulate RFID card tap (cycle through cards)	`button`
Push Button 2	Request access with current card	`button`
Resistors (4x 220 ohm)	Current limiting for LEDs	`resistor`

Try It: GPIO Pin Assignment Explorer

Explore how each ESP32 GPIO pin connects to a specific component. Select a component to see its pin, purpose, and wiring details.

Show code

viewof selectedComponent = Inputs.select(
  ["Green LED (GPIO 2)", "Red LED (GPIO 4)", "Yellow LED (GPIO 5)", "Blue LED (GPIO 18)", "Buzzer (GPIO 19)", "Button 1 - Select Card (GPIO 15)", "Button 2 - Request Access (GPIO 16)"],
  {label: "Select component", value: "Green LED (GPIO 2)"}
)

Show code

pinData = {
  const components = {
    "Green LED (GPIO 2)": {pin: 2, type: "Output", purpose: "Access Granted indicator", wiring: "GPIO 2 → LED Anode (+) → 220Ω Resistor → GND", color: "#16A085", resistor: true, currentDraw: "~15mA"},
    "Red LED (GPIO 4)": {pin: 4, type: "Output", purpose: "Access Denied indicator", wiring: "GPIO 4 → LED Anode (+) → 220Ω Resistor → GND", color: "#E74C3C", resistor: true, currentDraw: "~15mA"},
    "Yellow LED (GPIO 5)": {pin: 5, type: "Output", purpose: "System Status / Rate limit warning", wiring: "GPIO 5 → LED Anode (+) → 220Ω Resistor → GND", color: "#E67E22", resistor: true, currentDraw: "~15mA"},
    "Blue LED (GPIO 18)": {pin: 18, type: "Output", purpose: "Admin Mode indicator", wiring: "GPIO 18 → LED Anode (+) → 220Ω Resistor → GND", color: "#3498DB", resistor: true, currentDraw: "~15mA"},
    "Buzzer (GPIO 19)": {pin: 19, type: "Output", purpose: "Audio feedback for security events", wiring: "GPIO 19 → Buzzer (+) → GND", color: "#9B59B6", resistor: false, currentDraw: "~25mA"},
    "Button 1 - Select Card (GPIO 15)": {pin: 15, type: "Input (INPUT_PULLUP)", purpose: "Simulate RFID card tap - cycles through cards", wiring: "GPIO 15 → Button → GND (uses internal pull-up)", color: "#7F8C8D", resistor: false, currentDraw: "~0mA"},
    "Button 2 - Request Access (GPIO 16)": {pin: 16, type: "Input (INPUT_PULLUP)", purpose: "Request access with current card", wiring: "GPIO 16 → Button → GND (uses internal pull-up)", color: "#7F8C8D", resistor: false, currentDraw: "~0mA"}
  };
  return components[selectedComponent];
}

html`<div style="background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%); padding: 1.2em; border-radius: 8px; border-left: 4px solid ${pinData.color}; margin: 0.5em 0;">
<div style="display: grid; grid-template-columns: 1fr 1fr; gap: 0.8em;">
  <div>
    <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">GPIO Pin</div>
    <div style="font-size: 1.4em; font-weight: bold; color: ${pinData.color};">${pinData.pin}</div>
  </div>
  <div>
    <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">Direction</div>
    <div style="font-size: 1.1em; font-weight: bold; color: #2C3E50;">${pinData.type}</div>
  </div>
  <div style="grid-column: 1 / -1;">
    <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">Purpose</div>
    <div style="color: #2C3E50;">${pinData.purpose}</div>
  </div>
  <div style="grid-column: 1 / -1;">
    <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">Wiring</div>
    <div style="font-family: monospace; color: #2C3E50; background: white; padding: 0.4em 0.6em; border-radius: 4px; font-size: 0.9em;">${pinData.wiring}</div>
  </div>
  <div>
    <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">Current-Limiting Resistor</div>
    <div style="color: #2C3E50;">${pinData.resistor ? "Yes (220Ω)" : "Not required"}</div>
  </div>
  <div>
    <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">Typical Current Draw</div>
    <div style="color: #2C3E50;">${pinData.currentDraw}</div>
  </div>
</div>
<p style="margin: 0.8em 0 0 0; font-size: 0.85em; color: #555;">Total GPIO pins used: 7 of 34 available on ESP32 DevKit. Total current draw with all LEDs on: ~85mA (well within USB power limits).</p>
</div>`

17.3 Interactive Wokwi Simulator

Use the embedded simulator below to build and test your secure IoT access control system. Click “Start Simulation” after entering the code.

17.4 Circuit Connections

Before entering the code, wire the circuit in Wokwi:

ESP32 Pin Connections:
---------------------
GPIO 2  --> Green LED (+)  --> 220 ohm Resistor --> GND  (Access Granted)
GPIO 4  --> Red LED (+)    --> 220 ohm Resistor --> GND  (Access Denied)
GPIO 5  --> Yellow LED (+) --> 220 ohm Resistor --> GND  (System Status)
GPIO 18 --> Blue LED (+)   --> 220 ohm Resistor --> GND  (Admin Mode)
GPIO 19 --> Buzzer (+)     --> GND
GPIO 15 --> Button 1       --> GND  (Select RFID Card)
GPIO 16 --> Button 2       --> GND  (Request Access)

Circuit wiring diagram for an ESP32-based IoT access control system showing GPIO pin connections to four colored LEDs (green for access granted, red for access denied, yellow for system status, blue for admin mode) through 220 ohm current-limiting resistors, a buzzer for audio feedback, and two push buttons for RFID card selection and access requests — Figure 17.1: Circuit diagram showing ESP32 connections to LEDs, buzzer, and buttons

17.5 Code Structure Overview

The access control system is organized into several key sections:

17.5.1 1. Pin Definitions and Access Levels

/*
 * Secure IoT Access Control System
 * Demonstrates: RFID-style authentication, role-based access control,
 *               lockout policies, and comprehensive audit logging
 *
 * Security Concepts Implemented:
 * 1. Token-based authentication (simulating RFID cards)
 * 2. Role-based access control (RBAC) with three access levels
 * 3. Account lockout after failed attempts
 * 4. Comprehensive audit logging with timestamps
 * 5. Visual and audio feedback for security events
 * 6. Constant-time comparison to prevent timing attacks
 */

#include <Arduino.h>

// ============== PIN DEFINITIONS ==============
const int LED_ACCESS_GRANTED = 2;   // Green LED
const int LED_ACCESS_DENIED = 4;    // Red LED
const int LED_SYSTEM_STATUS = 5;    // Yellow LED
const int LED_ADMIN_MODE = 18;      // Blue LED
const int BUZZER_PIN = 19;          // Buzzer for audio feedback
const int BUTTON_SELECT = 15;       // Select RFID card
const int BUTTON_ACCESS = 16;       // Request access

// ============== ACCESS LEVELS ==============
enum AccessLevel {
    ACCESS_NONE = 0,
    ACCESS_GUEST = 1,
    ACCESS_USER = 2,
    ACCESS_ADMIN = 3
};

17.5.2 2. User Credential Structure

// ============== USER CREDENTIAL STRUCTURE ==============
struct UserCredential {
    const char* cardId;       // Simulated RFID card ID
    const char* userName;     // User name for logging
    AccessLevel accessLevel;  // Permission level
    bool isActive;            // Account status
};

// ============== CREDENTIAL DATABASE ==============
// In production: Store in secure element, never in code!
const int NUM_USERS = 6;
UserCredential userDatabase[NUM_USERS] = {
    {"RFID_ADMIN_001", "Alice Admin", ACCESS_ADMIN, true},
    {"RFID_ADMIN_002", "Bob Admin", ACCESS_ADMIN, true},
    {"RFID_USER_001", "Charlie User", ACCESS_USER, true},
    {"RFID_USER_002", "Diana User", ACCESS_USER, true},
    {"RFID_GUEST_001", "Eve Guest", ACCESS_GUEST, true},
    {"RFID_DISABLED", "Frank Former", ACCESS_USER, false}  // Disabled account
};

// Test cards for simulation (includes invalid cards)
const int NUM_TEST_CARDS = 8;
const char* testCards[NUM_TEST_CARDS] = {
    "RFID_ADMIN_001",   // Valid admin
    "RFID_USER_001",    // Valid user
    "RFID_GUEST_001",   // Valid guest
    "RFID_DISABLED",    // Disabled account
    "RFID_UNKNOWN_1",   // Unknown card
    "RFID_UNKNOWN_2",   // Unknown card
    "RFID_ADMIN_002",   // Valid admin
    "RFID_USER_002"     // Valid user
};

17.5.3 3. Security Configuration

// ============== SECURITY CONFIGURATION ==============
const int MAX_FAILED_ATTEMPTS = 3;
const unsigned long LOCKOUT_DURATION_MS = 60000;  // 1 minute lockout
const unsigned long LOCKOUT_ESCALATION_MS = 30000; // Add 30s per additional failure
const int MAX_LOCKOUT_DURATION_MS = 300000;  // Max 5 minutes

Putting Numbers to It

Brute Force Attack Prevention with Lockout Policies:

Consider an ESP32 access control system where an attacker attempts to present forged RFID tokens. The system has 6 valid tokens, and the attacker is trying unknown card IDs at random.

Without Lockout Protection: \[ \text{Token attempt rate} = 1 \text{ attempt per 2 seconds} = 0.5 \text{ Hz} \]

If the attacker can make unlimited guesses without penalty, they could systematically try card IDs indefinitely until finding a valid one.

With Linear Escalating Lockout (as configured in this lab):

The lab’s lockout policy works as follows:

After 3 consecutive failures: locked for 60 seconds (base)
Each additional failure adds 30 seconds
Maximum lockout: 300 seconds (5 minutes)

After every 3 failed attempts, the attacker must wait: \[ \text{Lockout}(n) = \min(60{,}000 + (n - 3) \times 30{,}000,\ 300{,}000) \text{ ms} \]

where $n$ is the total number of consecutive failures.

Failures	Lockout Duration	Cumulative Wait
3	60 s	60 s
4	90 s	150 s
5	120 s	270 s
6	150 s	420 s
10	270 s	1,380 s
12+	300 s (max)	grows by 300 s per attempt

Once the lockout reaches the 300-second cap, the attacker can only make roughly 1 attempt every 5 minutes. Over 24 hours, that limits them to about 288 attempts – a dramatic reduction from the 43,200 attempts possible without lockout (at 0.5 Hz).

Defense Factor: \[ \frac{43{,}200 \text{ attempts/day (no lockout)}}{288 \text{ attempts/day (with lockout)}} = 150\times \text{ slower attack} \]

This makes brute force against unknown RFID token IDs impractical for any reasonably sized token space.

Show code

viewof maxFailed = Inputs.range([2, 10], {value: 3, step: 1, label: "Max failed attempts before lockout"})
viewof baseLockout = Inputs.range([10, 120], {value: 60, step: 10, label: "Base lockout (seconds)"})
viewof escalation = Inputs.range([0, 60], {value: 30, step: 5, label: "Escalation per extra failure (seconds)"})
viewof maxLockout = Inputs.range([60, 600], {value: 300, step: 30, label: "Maximum lockout (seconds)"})
viewof attemptRate = Inputs.range([0.1, 2.0], {value: 0.5, step: 0.1, label: "Attempt rate without lockout (Hz)"})

lockoutCalc = {
  const attemptsPerDay = attemptRate * 86400;

  // Calculate effective rate with lockout
  // After maxFailed failures, each subsequent attempt incurs a lockout
  // We simulate 100 attempts to get the average time per attempt
  let totalTime = 0;
  let simAttempts = 200;
  for (let i = 1; i <= simAttempts; i++) {
    totalTime += (1 / attemptRate); // time for the attempt itself
    if (i >= maxFailed) {
      let extra = i - maxFailed;
      let lockout = Math.min(baseLockout + extra * escalation, maxLockout);
      totalTime += lockout;
    }
  }
  const avgTimePerAttempt = totalTime / simAttempts;
  const effectiveAttemptsPerDay = 86400 / avgTimePerAttempt;
  const defenseFactor = attemptsPerDay / effectiveAttemptsPerDay;

  return {
    attemptsPerDay: Math.round(attemptsPerDay),
    effectiveAttemptsPerDay: Math.round(effectiveAttemptsPerDay),
    defenseFactor: defenseFactor.toFixed(1),
    lockoutAt10: Math.min(baseLockout + Math.max(0, 10 - maxFailed) * escalation, maxLockout),
    lockoutAt20: Math.min(baseLockout + Math.max(0, 20 - maxFailed) * escalation, maxLockout)
  };
}

html`<div style="background: #f0f7ff; padding: 1em; border-radius: 8px; border-left: 4px solid #3498DB; margin: 1em 0;">
<h4 style="margin-top:0; color: #2C3E50;">Lockout Policy Impact</h4>
<table style="width:100%; border-collapse: collapse;">
<tr style="border-bottom: 1px solid #ddd;">
  <td style="padding: 6px;"><strong>Attempts/day without lockout:</strong></td>
  <td style="padding: 6px;">${lockoutCalc.attemptsPerDay.toLocaleString()}</td>
</tr>
<tr style="border-bottom: 1px solid #ddd;">
  <td style="padding: 6px;"><strong>Effective attempts/day with lockout:</strong></td>
  <td style="padding: 6px;">${lockoutCalc.effectiveAttemptsPerDay.toLocaleString()}</td>
</tr>
<tr style="border-bottom: 1px solid #ddd;">
  <td style="padding: 6px;"><strong>Defense factor (slowdown):</strong></td>
  <td style="padding: 6px;">${lockoutCalc.defenseFactor}x slower</td>
</tr>
<tr style="border-bottom: 1px solid #ddd;">
  <td style="padding: 6px;"><strong>Lockout after 10 failures:</strong></td>
  <td style="padding: 6px;">${lockoutCalc.lockoutAt10} seconds</td>
</tr>
<tr>
  <td style="padding: 6px;"><strong>Lockout after 20 failures:</strong></td>
  <td style="padding: 6px;">${lockoutCalc.lockoutAt20} seconds</td>
</tr>
</table>
<p style="margin-bottom:0; font-size: 0.9em; color: #555;">Adjust the sliders above to explore how different lockout parameters affect brute force attack feasibility.</p>
</div>`

17.5.4 4. Access Control Zones

// ============== ACCESS CONTROL ZONES ==============
// Different areas with different access requirements
struct AccessZone {
    const char* zoneName;
    AccessLevel requiredLevel;
};

const int NUM_ZONES = 4;
AccessZone accessZones[NUM_ZONES] = {
    {"Public Lobby", ACCESS_GUEST},
    {"Office Area", ACCESS_USER},
    {"Server Room", ACCESS_ADMIN},
    {"Control Center", ACCESS_ADMIN}
};

Try It: Role-Based Access Control Zone Checker

Select a user from the credential database and a zone to check whether access is granted or denied based on the RBAC hierarchy (Guest < User < Admin).

Show code

viewof selectedUser = Inputs.select(
  ["Alice Admin (ADMIN)", "Bob Admin (ADMIN)", "Charlie User (USER)", "Diana User (USER)", "Eve Guest (GUEST)", "Frank Former (USER - DISABLED)"],
  {label: "Select user", value: "Alice Admin (ADMIN)"}
)

viewof selectedZone = Inputs.select(
  ["Public Lobby (requires GUEST)", "Office Area (requires USER)", "Server Room (requires ADMIN)", "Control Center (requires ADMIN)"],
  {label: "Select zone", value: "Server Room (requires ADMIN)"}
)

Show code

accessResult = {
  const userLevels = {
    "Alice Admin (ADMIN)": {level: 3, name: "Alice Admin", active: true, label: "ADMIN"},
    "Bob Admin (ADMIN)": {level: 3, name: "Bob Admin", active: true, label: "ADMIN"},
    "Charlie User (USER)": {level: 2, name: "Charlie User", active: true, label: "USER"},
    "Diana User (USER)": {level: 2, name: "Diana User", active: true, label: "USER"},
    "Eve Guest (GUEST)": {level: 1, name: "Eve Guest", active: true, label: "GUEST"},
    "Frank Former (USER - DISABLED)": {level: 2, name: "Frank Former", active: false, label: "USER"}
  };
  const zoneLevels = {
    "Public Lobby (requires GUEST)": {level: 1, name: "Public Lobby", label: "GUEST"},
    "Office Area (requires USER)": {level: 2, name: "Office Area", label: "USER"},
    "Server Room (requires ADMIN)": {level: 3, name: "Server Room", label: "ADMIN"},
    "Control Center (requires ADMIN)": {level: 3, name: "Control Center", label: "ADMIN"}
  };
  const user = userLevels[selectedUser];
  const zone = zoneLevels[selectedZone];

  if (!user.active) {
    return {granted: false, reason: "Account DISABLED - access denied regardless of level", userLevel: user.label, zoneRequired: zone.label, led: "red", ledColor: "#E74C3C", userName: user.name, zoneName: zone.name};
  }
  if (user.level >= zone.level) {
    return {granted: true, reason: `${user.label} (level ${user.level}) >= ${zone.label} (level ${zone.level})`, userLevel: user.label, zoneRequired: zone.label, led: "green", ledColor: "#16A085", userName: user.name, zoneName: zone.name};
  }
  return {granted: false, reason: `${user.label} (level ${user.level}) < ${zone.label} (level ${zone.level}) - insufficient privileges`, userLevel: user.label, zoneRequired: zone.label, led: "red", ledColor: "#E74C3C", userName: user.name, zoneName: zone.name};
}

html`<div style="background: ${accessResult.granted ? 'linear-gradient(135deg, #e8f8f5 0%, #d5f5e3 100%)' : 'linear-gradient(135deg, #fdedec 0%, #fadbd8 100%)'}; padding: 1.2em; border-radius: 8px; border-left: 4px solid ${accessResult.ledColor}; margin: 0.5em 0;">
<div style="display: flex; align-items: center; gap: 1em; margin-bottom: 0.8em;">
  <svg width="48" height="48" viewBox="0 0 48 48">
    <circle cx="24" cy="24" r="20" fill="${accessResult.ledColor}" opacity="0.2" />
    <circle cx="24" cy="24" r="12" fill="${accessResult.ledColor}" />
    <circle cx="24" cy="24" r="8" fill="${accessResult.ledColor}" opacity="0.6" />
  </svg>
  <div>
    <div style="font-size: 1.3em; font-weight: bold; color: ${accessResult.ledColor};">
      ${accessResult.granted ? "ACCESS GRANTED" : "ACCESS DENIED"}
    </div>
    <div style="color: #2C3E50; font-size: 0.95em;">${accessResult.userName} → ${accessResult.zoneName}</div>
  </div>
</div>
<div style="background: white; padding: 0.6em 0.8em; border-radius: 4px; margin-top: 0.5em;">
  <div style="font-size: 0.85em; color: #7F8C8D; text-transform: uppercase; letter-spacing: 0.5px;">Decision Logic</div>
  <div style="font-family: monospace; color: #2C3E50; font-size: 0.9em;">${accessResult.reason}</div>
</div>
<div style="display: grid; grid-template-columns: 1fr 1fr 1fr; gap: 0.5em; margin-top: 0.8em;">
  <div style="text-align: center; background: white; padding: 0.4em; border-radius: 4px;">
    <div style="font-size: 0.75em; color: #7F8C8D;">User Level</div>
    <div style="font-weight: bold; color: #2C3E50;">${accessResult.userLevel}</div>
  </div>
  <div style="text-align: center; background: white; padding: 0.4em; border-radius: 4px;">
    <div style="font-size: 0.75em; color: #7F8C8D;">Comparison</div>
    <div style="font-weight: bold; color: ${accessResult.ledColor};">${accessResult.granted ? ">=" : "<"}</div>
  </div>
  <div style="text-align: center; background: white; padding: 0.4em; border-radius: 4px;">
    <div style="font-size: 0.75em; color: #7F8C8D;">Zone Requires</div>
    <div style="font-weight: bold; color: #2C3E50;">${accessResult.zoneRequired}</div>
  </div>
</div>
<p style="margin: 0.6em 0 0 0; font-size: 0.85em; color: #555;">In the circuit, the green LED lights for granted access and the red LED for denied. The buzzer provides distinct tones for each outcome.</p>
</div>`

17.5.5 5. Security State and Audit Log

// ============== SECURITY STATE ==============
struct SecurityState {
    int failedAttempts;
    unsigned long lockoutEndTime;
    bool isLocked;
    int currentCardIndex;
    String lastAuthenticatedUser;
    AccessLevel currentAccessLevel;
    unsigned long sessionStartTime;
} secState;

// ============== AUDIT LOG ==============
struct AuditEntry {
    unsigned long timestamp;
    const char* cardId;
    const char* userName;
    const char* eventType;
    const char* zoneName;
    bool success;
    AccessLevel attemptedLevel;
};

const int MAX_AUDIT_ENTRIES = 50;
AuditEntry auditLog[MAX_AUDIT_ENTRIES];
int auditIndex = 0;

17.6 Constant-Time Comparison

A critical security feature is constant-time string comparison, which prevents timing attacks:

// Constant-time string comparison prevents timing side-channel attacks
bool constantTimeCompare(const char* a, const char* b) {
    size_t lenA = strlen(a);
    size_t lenB = strlen(b);

    // Always compare full length to prevent length-based timing
    size_t maxLen = (lenA > lenB) ? lenA : lenB;

    volatile int result = 0;
    for (size_t i = 0; i < maxLen; i++) {
        char charA = (i < lenA) ? a[i] : 0;
        char charB = (i < lenB) ? b[i] : 0;
        result |= charA ^ charB;
    }

    // Also check lengths match
    result |= (lenA != lenB);

    return (result == 0);
}

Try It: Timing Attack Simulator

See how standard string comparison leaks information through timing, and how constant-time comparison prevents it. Enter a guess to compare against a hidden password and observe the execution time difference.

Show code

viewof secretPassword = Inputs.select(
  ["PASS1234", "SECRET99", "ADMIN007", "IOT_KEY!"],
  {label: "Hidden password (pretend you don't know)", value: "PASS1234"}
)

viewof attackerGuess = Inputs.text(
  {label: "Your guess", value: "PASS0000", placeholder: "Enter a password guess..."}
)

viewof comparisonMode = Inputs.select(
  ["Standard (early exit)", "Constant-time (XOR all)"],
  {label: "Comparison method", value: "Standard (early exit)"}
)

Show code

timingResult = {
  const secret = secretPassword;
  const guess = attackerGuess || "";
  const isConstantTime = comparisonMode === "Constant-time (XOR all)";

  // Simulate character-by-character comparison
  let matchingChars = 0;
  const maxLen = Math.max(secret.length, guess.length);
  const steps = [];
  let xorAccumulator = 0;

  for (let i = 0; i < maxLen; i++) {
    const sChar = i < secret.length ? secret[i] : "\0";
    const gChar = i < guess.length ? guess[i] : "\0";
    const match = sChar === gChar;
    const xorVal = sChar.charCodeAt(0) ^ gChar.charCodeAt(0);
    xorAccumulator |= xorVal;

    if (match) matchingChars++;

    steps.push({
      index: i,
      secretChar: "*",
      guessChar: gChar,
      match: match,
      xorVal: xorVal,
      examined: isConstantTime ? true : (i <= matchingChars || !isConstantTime)
    });

    if (!isConstantTime && !match) break;
  }

  // Standard: time proportional to matching prefix length
  // Constant-time: always examines all characters
  const standardTime = (matchingChars + 1) * 0.1;
  const constantTime = maxLen * 0.1;
  const reportedTime = isConstantTime ? constantTime : standardTime;
  const charsExamined = isConstantTime ? maxLen : (matchingChars + 1);
  const isMatch = (secret === guess);

  return {steps, matchingChars, reportedTime, charsExamined, maxLen, isConstantTime, isMatch, xorAccumulator};
}

html`<div style="background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%); padding: 1.2em; border-radius: 8px; border-left: 4px solid ${timingResult.isConstantTime ? '#16A085' : '#E74C3C'}; margin: 0.5em 0;">
<h4 style="margin: 0 0 0.8em 0; color: #2C3E50;">Comparison Results</h4>

<div style="display: grid; grid-template-columns: repeat(${Math.min(timingResult.maxLen, 10)}, 1fr); gap: 4px; margin-bottom: 1em;">
  ${timingResult.steps.slice(0, 10).map(s =>
    `<div style="text-align: center; padding: 0.3em; border-radius: 4px; font-family: monospace; font-size: 0.85em;
      background: ${!s.examined ? '#eee' : s.match ? '#d5f5e3' : '#fadbd8'};
      color: ${!s.examined ? '#bbb' : '#2C3E50'};
      border: 1px solid ${!s.examined ? '#ddd' : s.match ? '#16A085' : '#E74C3C'};">
      <div style="font-size: 0.7em; color: #7F8C8D;">pos ${s.index}</div>
      <div style="font-weight: bold;">${s.guessChar || '\u00B7'}</div>
      <div style="font-size: 0.7em;">${!s.examined ? 'skip' : s.match ? 'match' : 'fail'}</div>
    </div>`
  ).join('')}
</div>

<div style="display: grid; grid-template-columns: 1fr 1fr 1fr; gap: 0.8em;">
  <div style="background: white; padding: 0.5em; border-radius: 4px; text-align: center;">
    <div style="font-size: 0.75em; color: #7F8C8D; text-transform: uppercase;">Simulated Time</div>
    <div style="font-size: 1.3em; font-weight: bold; color: ${timingResult.isConstantTime ? '#16A085' : '#E67E22'};">${timingResult.reportedTime.toFixed(1)}ms</div>
  </div>
  <div style="background: white; padding: 0.5em; border-radius: 4px; text-align: center;">
    <div style="font-size: 0.75em; color: #7F8C8D; text-transform: uppercase;">Chars Examined</div>
    <div style="font-size: 1.3em; font-weight: bold; color: #2C3E50;">${timingResult.charsExamined} / ${timingResult.maxLen}</div>
  </div>
  <div style="background: white; padding: 0.5em; border-radius: 4px; text-align: center;">
    <div style="font-size: 0.75em; color: #7F8C8D; text-transform: uppercase;">Result</div>
    <div style="font-size: 1.3em; font-weight: bold; color: ${timingResult.isMatch ? '#16A085' : '#E74C3C'};">${timingResult.isMatch ? "MATCH" : "NO MATCH"}</div>
  </div>
</div>

<div style="background: ${timingResult.isConstantTime ? '#e8f8f5' : '#fef9e7'}; padding: 0.6em 0.8em; border-radius: 4px; margin-top: 0.8em;">
  <strong style="color: #2C3E50;">${timingResult.isConstantTime ? 'Secure:' : 'Vulnerable:'}</strong>
  <span style="color: #555;">${timingResult.isConstantTime
    ? `All ${timingResult.maxLen} positions examined regardless of where mismatch occurs. Attacker cannot infer matching prefix length from timing.`
    : `Only ${timingResult.charsExamined} positions examined before early exit. Attacker learns that the first ${timingResult.matchingChars} character(s) match, leaking password information.`
  }</span>
</div>
<p style="margin: 0.5em 0 0 0; font-size: 0.85em; color: #555;">Try changing your guess one character at a time in standard mode. Notice how matching more prefix characters increases the time, revealing password information.</p>
</div>`

17.7 Password Hashing Concepts

While this lab uses simple string comparison for demonstration, production systems use cryptographic hashing:

Try It: Password Hash Brute Force Calculator

Explore how password length, character set, and hashing algorithm cost affect the time required for a brute force attack on stolen password hashes.

Show code

viewof pwLength = Inputs.range([4, 16], {value: 8, step: 1, label: "Password length (characters)"})

viewof charsetChoice = Inputs.select(
  ["Digits only (10)", "Lowercase letters (26)", "Mixed case (52)", "Alphanumeric (62)", "Full printable ASCII (95)"],
  {label: "Character set", value: "Alphanumeric (62)"}
)

viewof hashAlgorithm = Inputs.select(
  ["MD5 (fast, insecure)", "SHA-256 (fast)", "bcrypt cost 10", "bcrypt cost 12", "bcrypt cost 14", "Argon2id (recommended)"],
  {label: "Hashing algorithm", value: "bcrypt cost 12"}
)

viewof attackerGPUs = Inputs.range([1, 100], {value: 4, step: 1, label: "Attacker GPU count"})

Show code

bruteForceResult = {
  const charsets = {
    "Digits only (10)": 10,
    "Lowercase letters (26)": 26,
    "Mixed case (52)": 52,
    "Alphanumeric (62)": 62,
    "Full printable ASCII (95)": 95
  };
  // Hashes per second per GPU (approximate real-world benchmarks)
  const hashRates = {
    "MD5 (fast, insecure)": 25000000000,
    "SHA-256 (fast)": 5000000000,
    "bcrypt cost 10": 5000,
    "bcrypt cost 12": 1250,
    "bcrypt cost 14": 310,
    "Argon2id (recommended)": 200
  };

  const charset = charsets[charsetChoice];
  const ratePerGPU = hashRates[hashAlgorithm];
  const totalRate = ratePerGPU * attackerGPUs;
  const searchSpace = Math.pow(charset, pwLength);
  const avgAttempts = searchSpace / 2;
  const secondsTocrack = avgAttempts / totalRate;

  // Convert to human-readable time
  let timeStr;
  let timeColor;
  if (secondsTocrack < 1) {
    timeStr = "< 1 second";
    timeColor = "#E74C3C";
  } else if (secondsTocrack < 60) {
    timeStr = `${secondsTocrack.toFixed(1)} seconds`;
    timeColor = "#E74C3C";
  } else if (secondsTocrack < 3600) {
    timeStr = `${(secondsTocrack / 60).toFixed(1)} minutes`;
    timeColor = "#E74C3C";
  } else if (secondsTocrack < 86400) {
    timeStr = `${(secondsTocrack / 3600).toFixed(1)} hours`;
    timeColor = "#E67E22";
  } else if (secondsTocrack < 86400 * 365) {
    timeStr = `${(secondsTocrack / 86400).toFixed(1)} days`;
    timeColor = "#E67E22";
  } else if (secondsTocrack < 86400 * 365 * 1000) {
    timeStr = `${(secondsTocrack / (86400 * 365)).toFixed(1)} years`;
    timeColor = "#16A085";
  } else if (secondsTocrack < 86400 * 365 * 1e9) {
    timeStr = `${(secondsTocrack / (86400 * 365 * 1e6)).toFixed(1)} million years`;
    timeColor = "#16A085";
  } else {
    timeStr = `${(secondsTocrack / (86400 * 365 * 1e9)).toExponential(2)} billion years`;
    timeColor = "#16A085";
  }

  // Security rating
  let rating, ratingColor;
  if (secondsTocrack < 3600) {
    rating = "CRITICAL - Crackable in under an hour";
    ratingColor = "#E74C3C";
  } else if (secondsTocrack < 86400 * 30) {
    rating = "WEAK - Crackable within a month";
    ratingColor = "#E67E22";
  } else if (secondsTocrack < 86400 * 365 * 100) {
    rating = "MODERATE - May resist casual attacks";
    ratingColor = "#E67E22";
  } else {
    rating = "STRONG - Computationally infeasible";
    ratingColor = "#16A085";
  }

  // Strength bar (log scale)
  const logTime = Math.log10(Math.max(secondsTocrack, 0.001));
  const barPct = Math.min(100, Math.max(2, (logTime + 3) / 25 * 100));

  return {searchSpace, totalRate, secondsTocrack, timeStr, timeColor, rating, ratingColor, barPct, charset, pwLength: pwLength};
}

html`<div style="background: linear-gradient(135deg, #f8f9fa 0%, #e9ecef 100%); padding: 1.2em; border-radius: 8px; border-left: 4px solid ${bruteForceResult.ratingColor}; margin: 0.5em 0;">
<h4 style="margin: 0 0 0.8em 0; color: #2C3E50;">Brute Force Time Estimate</h4>

<div style="background: white; padding: 0.6em 0.8em; border-radius: 4px; margin-bottom: 0.8em;">
  <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.3em;">
    <span style="font-size: 0.85em; color: #7F8C8D;">Security Strength</span>
    <span style="font-size: 0.85em; font-weight: bold; color: ${bruteForceResult.ratingColor};">${bruteForceResult.rating}</span>
  </div>
  <div style="background: #ecf0f1; border-radius: 4px; height: 10px; overflow: hidden;">
    <div style="width: ${bruteForceResult.barPct}%; height: 100%; background: linear-gradient(90deg, #E74C3C, #E67E22, #16A085); border-radius: 4px; transition: width 0.3s;"></div>
  </div>
</div>

<div style="text-align: center; margin: 0.8em 0;">
  <div style="font-size: 0.85em; color: #7F8C8D;">Average time to crack</div>
  <div style="font-size: 1.6em; font-weight: bold; color: ${bruteForceResult.timeColor};">${bruteForceResult.timeStr}</div>
</div>

<div style="display: grid; grid-template-columns: 1fr 1fr; gap: 0.6em; margin-top: 0.8em;">
  <div style="background: white; padding: 0.5em; border-radius: 4px;">
    <div style="font-size: 0.75em; color: #7F8C8D; text-transform: uppercase;">Search Space</div>
    <div style="font-weight: bold; color: #2C3E50; font-size: 0.9em;">${bruteForceResult.charset}<sup>${bruteForceResult.pwLength}</sup> = ${bruteForceResult.searchSpace.toExponential(2)} combinations</div>
  </div>
  <div style="background: white; padding: 0.5em; border-radius: 4px;">
    <div style="font-size: 0.75em; color: #7F8C8D; text-transform: uppercase;">Attacker Speed</div>
    <div style="font-weight: bold; color: #2C3E50; font-size: 0.9em;">${bruteForceResult.totalRate.toExponential(2)} hashes/sec</div>
  </div>
</div>
<p style="margin: 0.6em 0 0 0; font-size: 0.85em; color: #555;">Compare MD5 vs bcrypt: the same password that falls in seconds with MD5 may take centuries with bcrypt. This is why production IoT systems must use slow hash functions for credential storage.</p>
</div>`

Worked Example: Sizing Account Lockout for Real-World Deployment

Scenario: You’re deploying an access control system for a 500-person office building. Calculate appropriate lockout settings to minimize help desk calls while maintaining security.

Current baseline (no lockout implemented):

12,000 login attempts/month
600 failed logins/month (5% failure rate)
23 suspected brute force attacks/month
$18,000/year in help desk costs (password resets)

Proposed lockout policy:

const int MAX_FAILED_ATTEMPTS = 3;
const unsigned long LOCKOUT_DURATION_MS = 60000;  // 1 minute

Impact calculation:

Failed login distribution (analyzed from logs):
  1 failure:  420 users (70% - simple typo, corrected immediately)
  2 failures: 120 users (20% - forgotten password, second attempt works)
  3 failures:  45 users (7.5% - will trigger lockout)
  4+ failures: 15 users (2.5% - brute force or major user confusion)

Lockout events per month:
  3-attempt lockout = 45 + 15 = 60 users/month

Cost analysis:
  Help desk calls: 60 x $25/call = $1,500/month
  Productivity loss: 60 users x 5 min avg = 300 min = $750/month (@ $150/hr avg wage)
  Total cost: $2,250/month = $27,000/year

Security benefit:
  Brute force attempts stopped after 3 tries (was unlimited)
  Estimated prevented breaches: 2/year x $50,000 avg = $100,000 saved

Net benefit: $100,000 - $27,000 = $73,000/year ROI

Optimized with escalating lockout:

// Escalating lockout: base + (extra failures * escalation), capped at max
unsigned long calculateLockout(int attempts) {
    return min(LOCKOUT_DURATION_MS + (attempts - MAX_FAILED_ATTEMPTS) * LOCKOUT_ESCALATION_MS,
               (unsigned long)MAX_LOCKOUT_DURATION_MS);
}

// Results with MAX_FAILED_ATTEMPTS=3, base=60s, escalation=30s, max=300s:
//   3 attempts: 60s lockout (most users recover quickly)
//   4 attempts: 90s lockout
//   5 attempts: 120s lockout
//   11+ attempts: 300s lockout (max cap reached)

// New help desk calls: 45 (down 25% - faster recovery for short lockouts)
// Annual cost: $20,250 (vs $27,000)
// Additional savings: $6,750/year

Decision Framework: Circuit Design Trade-offs for IoT Access Control

Component	Option A (Basic)	Option B (Enhanced)	Option C (Production)
LEDs	4 single-color LEDs	RGB LED module	Addressable LED strip
Cost	$2	$5	$15
Complexity	4 GPIO pins	3 GPIO pins (R/G/B)	1 GPIO pin (data line)
Use Case	Lab learning	Prototype	Production deploy
Feedback Options	4 states (G/R/Y/B)	16M colors	Animations, patterns
Buzzer	Passive (tone)	Active (fixed freq)	Piezo + amplifier
Cost	$0.50	$1	$8
Audio Quality	Beeps only	Single tone	Musical notes
Buttons	Basic tactile	Debounced hardware	Capacitive touch
Cost	$0.20 each	$0.50 each	$3 each
Reliability	Bouncing (software fix)	No bouncing	No mechanical wear

Recommendation for this lab: Option A (Basic). Total cost: $4.40. Focus is on learning authentication concepts, not hardware polish.

For production: Upgrade to Option C for reliability. Cost: $32 per unit, but eliminates 90% of hardware support issues.

Common Mistake: Insufficient Debouncing Causes Double-Login Attempts

Problem: Button mechanical bouncing can trigger multiple authentication attempts from a single press.

Impact:

User presses button once
ESP32 detects: Press -> Release -> Press -> Release (in 50ms)
System processes: 2 authentication attempts
Account locked out after 2 button presses (instead of 3)

Lab code correctly handles this:

const unsigned long DEBOUNCE_DELAY = 250;  // 250ms minimum between presses

if (digitalRead(BUTTON_ACCESS) == LOW &&
    (currentTime - lastButtonAccessTime) > DEBOUNCE_DELAY) {
    lastButtonAccessTime = currentTime;
    requestAccess(2);  // Only processes once
}

Testing: Press button rapidly 10 times. Should process exactly 10 requests (not 20-30).

Matching Quiz: Match Lab Setup Concepts to Details

Ordering Quiz: Order Lab Environment Setup Steps

Label the Diagram

💻 Code Challenge

17.8 Summary

In this setup chapter, you learned:

Hardware components needed for an IoT access control system
Circuit wiring for LEDs, buzzer, and buttons with ESP32
Code organization with clear separation of concerns
Access level hierarchy from GUEST to ADMIN
Security configurations for lockout policies
Constant-time comparison to prevent timing attacks

Lab Shortcuts vs Production

This lab intentionally shows what NOT to do in production:

Lab Shortcut	Production Requirement
Hardcoded credentials	Store in secure element (ATECC608B, TPM)
Plain text card IDs	Encrypted credential storage
In-memory audit log	Persistent, tamper-evident logging
Single-factor auth	Multi-factor authentication (MFA)
Local database	Centralized identity provider (LDAP, AD)

17.9 Knowledge Check

Quiz: Lab: Basic Access Control Setup

Common Pitfalls

1. Committing .env Files with Secrets to Version Control

The .env file containing JWT_SECRET, database credentials, and API keys must never be committed to git. Always add .env to .gitignore before the first commit, and use environment variable injection (CI/CD secrets, AWS Parameter Store) in deployment pipelines.

2. Setting bcrypt Rounds Too Low for Production

bcrypt with 4 rounds (the minimum) hashes in <1 ms — fast enough for an attacker to try millions of passwords per second. The recommended rounds for production is 12 (2^12 iterations), which takes ~250 ms per hash — acceptable for login but infeasible for brute force.

3. Not Validating Input Before Passing to the Database

Accepting username and password fields directly from the request body without validation allows SQL injection (in raw queries), NoSQL injection, and excessively long strings that cause DoS. Always validate and sanitize all user inputs before using them in database operations.

4. Using SQLite in Production IoT Platforms

SQLite is single-writer, file-based, and lacks the concurrency, replication, and backup capabilities needed for production IoT platforms. Use PostgreSQL or MySQL for production, and design your data access layer with an ORM or query builder to make migration straightforward.

17.10 What’s Next

Continue to the full implementation:

Lab: Access Control Implementation: Complete the code with authentication, authorization, and testing scenarios

If you want to…	Read this
Implement the access control code	Lab: Access Control Implementation
Learn advanced access control concepts	Advanced Access Control Concepts
See the full lab overview	Authentication and Access Control Overview
Understand zero trust principles	Zero Trust Security
Study authentication fundamentals	Auth & Authorization Basics

Key Concepts

Express.js Middleware: Functions that execute in sequence for every HTTP request; authentication middleware validates tokens before requests reach route handlers
bcrypt.hash(): The function call that produces a salted hash of a password; the cost factor (rounds) determines computation time and security margin
JWT Sign/Verify: jwt.sign() creates a signed token; jwt.verify() validates the signature and extracts claims; the secret/key must be kept server-side
SQLite (Dev Database): A file-based SQL database suitable for development and testing; replaced with PostgreSQL or similar for production deployments
Environment Variables: Configuration values (JWT secret, database URL, port) stored outside the codebase; loaded with dotenv to avoid hardcoding secrets
Express Router: A mini-application that handles routing for a subset of paths; used to organize authentication routes separately from application routes
HTTP Status Codes: 200 (OK), 201 (Created), 401 (Unauthorized — not authenticated), 403 (Forbidden — authenticated but not authorized), 409 (Conflict — resource already exists)

In 60 Seconds

This lab sets up the foundational Node.js/Express environment with bcrypt password hashing, JWT token generation, and database initialization — the infrastructure layer that all subsequent authentication and authorization features are built upon.