Design Architecture

Our solution architecture consists of entrance/exit nodes, the parking spot nodes, the mobile application and management portal representing the frontend of the system and the cloud server. The hardware nodes have been given their own power supplies and the all the frontend software and the hardware nodes are connected to the cloud server via Wi-Fi.

HC-SR04 ultrasonic distance sensors will sense the incoming vehicle at the entrance node and the digital camera will get the license plate image. This image will be processed at the Raspberry Pi 4 (Python and Tessaract OCR will be used for the Automatic Number Plate Recognition in the Raspberry Pi) and the necessary data will be send to the server. Once a spot number is received from the server, the Raspberry Pi 4 will signal the servo motor to open the gate while displaying the spot number on the LCD display. Each hardware node has an AC-DC power supply attached and the components operate on 5V DC. We will have secure Wi-Fi with standard WPA2 encryption to avoid unauthorized access.

The servo motor will open the spot gate once a spot is assigned to a vehicle. The NodeMCU ESP8266 will decide the parking spot status based on the sensor data received from the HC-SR04 ultrasonic distance sensor and the spot status will be sent to the server. We will be creating an ESP-MESH to create a Wi-Fi mesh network and will be using the in-built Wi-Fi module for connectivity. NodeMCU ESP8266 takes in 5VDC power but operates on 3V3DC power. Similar to the entrance/exit node, power will be provided using and AC-DC power supply. Unauthorized parties may intercept communication between the nodes and the server. To prevent this, as mentioned before, secure Wi-Fi channels with standard WPA encryption will be used to ensure secure connection to the server.

The PCB designs were developed for the Spot Node. The designs shown above were developed using Proteus software. The design includes connections to the NodeMCU ESP 8266 and several headers which can be used to provide connections for the servo motor and the proximity sensor. An additional set of headers was used to provide power for this unit via a micro-USB breakout board.

For the backend we will be using the MERN Stack (MongoDB Database, Express.js web framework, React.js Frontend Framework, Node.js server). The backend is primarily handled by a Node.js web server running on an AWS cloud VM instance. The Express web framework is used to simplify the development process since it abstracts away things like HTTP request handling, parsing URLs etc. In-built Express methods are used to develop the REST API that the web application and the mobile app uses to communicate with the server. The REST API endpoints will use HTTPS to leverage TLS/SSL encryption for the communication with the server.

A MongoDB database on an Atlas instance is used for data storage. The Mongoose data modelling library is used to provide a layer of abstraction to the connection between the Node server and the database. The Atlas service provides the ability to do routine backups of the database. The hardware nodes will communicate with the server using the MQTT protocol. The server will interact with the hardware nodes using AWS IoT Core. MQTT can be configured to use TLS/SSL encryption so that the communication is secure.

The server runs the spot picking algorithm (Python script) as a child processes using the child-process library. Reservation handling is done by running it as a separate JavaScript file, which handles reservations one hour prior to the reservation time. Owners can observe reservations through the management portal. Records of usage of the parking lot are stored in the database and the temporary storage has a lifetime of three months. (Reservations and spot assignments.) Cors library is used to enable CORS (Cross-Origin Resource Sharing) for security. This allows us to limit access to the API based on the origin. Bcrypt is used for password hashing which uses the blowfish cipher with ten salting rounds to prevent attacks without a large hit to performance. Jsonwebtoken is used for user authentication. This generates a session token for a registered user when they log in that can be used to authenticate the user with the credentials stored in the database. Details of the REST API endpoints for the server side are available in the project repository.

During a power outage, if the car park management decides to keep the car park open despite the hardware nodes being down, they can manually enter the data into the system through the management portal to keep the system up to date so that it can recover properly and continue operation once it is back online. Hardware node online/offline status will be detected by the transmission of an MQTT “heartbeat” message every 5 mins.

Spot Picking Algorithm

Whenever a customer arrives at the Entrance Node, the backend server is expected to find a suitable unoccupied spot (unless it is reserved) for the customer. This process is done considering the possibility of a customer parking at the wrong spot once they are inside the parking lot. To avoid such a situation, the spot picking algorithm tries to find the furthest spot from the last allocated spot for the most recent user.


Reservation Algorithm

It is possible for registered car park users to make reservations through the mobile application. For a user to make such a reservation, the following prerequisites need to be satisfied: the reservation must be on the same day, have to be made more than one hour before the reservation time, reservations are not a guarantee for a parking spot.

Our system security is mainly characterized by the five elements given above. Bcrypt has been used for password hashing in order to securely store login credentials of the users. CORS (Cross-Origin Resource Sharing) is used for security to limit access to the API based on the orgin. Atlas will limit ingress access to requests coming in from the server’s IP address (Server communicates with Atlas instance over HTTPS). Access Management Control is deployed within the system by covering the 3A's; Authentication, Authorization and Accountability. Jsonwebtoken is used for user authentication, while the location of the user is checked at the entrance. We only allow GET method access for the mobile app users using CORS. For authentication we wiil be passing the auth-token for every API request as a header. We are using Transport Layer Security (TLS) to secure the connection and the data. This technology encrypts data before it is sent from the client to the server, thus preventing some common hacks. Without TLS POST requests will be visible so their network traffic is vulnerable to packet sniffing and man-in-the-middle attacks. Utilizing Secure Socket Layer (SSL) encryption was done while using Nginx to handle TLS.

Validatorjs is used in order to validate user input to limit SQL injections and XSS attacks. This is done to validate every input for the frontend since some attackers can send SQL commands or harmful java script code to execute. Validatorjs is used to prevent such attacks by checking whether the input is a valid email. Using npm to manage our application’s dependencies is powerful and convenient. But the packages that we use may contain critical security vulnerabilities that could also affect our application. To avoid such vulnerabilities, we will be using Snyk which offers both a command-line tool and a GitHub integration that checks our application against Snyk’s open-source vulnerability database for any known vulnerabilities in our dependencies. X-Powered-By reveals information about the technologies used in an app. Therefore, to avoid outsiders exploit server security weaknesses of our server technology we will be disabling this header.