Good thing mysensors has non-repeatable encryption....

  • NeverDie wrote:

    @Anticimex said in Good thing mysensors has non-repeatable encryption....:

    @NeverDie remember that mysensors encryption has a static IV so it is repeatable. Two identical messages will also be identical when encrypted. And therefore subject to replay attacks. Only when combined with signing do you get decent grade security.

    You were right all along. I remember doubting that I would ever truly need it. Buying a signing chip and adding it to a board seemed bordering on paranoid. And yet how quickly that perception has changed with the proliferation of hacker tools.

    Anticimex (Contest Winner) wrote (#6):

    @NeverDie in security engineering it is all about being ahead of the curve. Alas, personally I have not had the time to evolve the security solution further beyond the draft state as seen on GitHub.

    Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

      NeverDie (Hero Member) wrote (#7):

      @Anticimex For a long time z-wave had all kinds of flaws that kept it from working the way it should. I remember that in 2010 I wanted to hack z-wave for the simple reason that I wanted to fix the flaws in my own system. However, I had no access to the tools now so readily available, and virtually everything about z-wave but the carrier frequency was a trade secret, so at the time it would have required tremendous effort to sort through it. At the time, that's what made it sufficiently secure for most people: not that z-wave couldn't be hacked, but the level of effort required to unravel it meant practically no one was doing it. And for most of the world mysensors was practically unknown, so for the same reason it seemed reasonably safe as well, even without the signing chip. Now that cracking tools are rapidly becoming a game that even children can play, it completely changes that assessment. I mean, in my neighborhood there are kids who ring doorbells and try to run away without being seen, just for fun. But from the looks of things, soon they'll be able to ring doorbells (figuratively and perhaps literally) and not have to run, because they'll be doing it from nowhere close.

      So, what's coming next after that? i.e. where is the curve heading?

        Anticimex (Contest Winner) wrote (#8):

        @NeverDie it is generally the view that because something is not easily understood by the general public, it does need securing. In other terms: security by obscurity.
        To secure something properly, you need to view things from a more paranoid standpoint, assuming someone will actively try to bypass any mechanism put in place to prevent it. And always assume these mechanisms will be constantly challenged. The best approach (in my opinion) is to have as little obfuscation as possible and have the mindset that "even if you can access almost everything, you still cannot hack it".

          NeverDie (Hero Member) wrote, last edited by NeverDie (#9):

          @Anticimex One of the parents in my neighborhood is a professional penetration tester, and he has the view that just about any system can be penetrated if what's on it is valuable enough to justify the effort. He didn't elaborate on what the boundaries of effort were, so I guess you could both be right. Still, what we think is mathematically secure today could all be unraveled if quantum computers were to happen, so there's always that Damocles Sword hanging over things if there's no limit on paranoia. Just how does one judge what level of paranoia to apply? I mean an out-of-his-mind paranoid person would imagine that everyone but him already has access to unlimited quantum computing for free. On the other hand, if your security is good enough to handle even that, then you can certainly sleep soundly at night. ;-)

            Anticimex (Contest Winner) wrote (#10):

            @NeverDie well, post-quantum cryptography is already a reality so the introduction of quantum technology won't prevent secrets staying secret if you so desire. But in most cases, the effort of breaking modern algorithms will still be so high it won't be readily doable since if the solution is designed cleverly enough, timeouts will be involved that force an attacker to derive the necessary keys in a limited time frame, which requires significant computing power.

              NeverDie (Hero Member) wrote, last edited by NeverDie (#11):

              @Anticimex Well, seeing as you were already correctly ahead of the curve on this topic, you have my respect.
              What then is your current view as to what is "good enough" security wrt mysensors? Is the current crypto-signing good enough, or is there something more (or different) that we should be doing now?

                Anticimex (Contest Winner) wrote (#12):

                @NeverDie I would say that combined with signing (preferably hw based) the security solution should be good enough for personal use.
                As always, with open source projects, deploying to sensitive environments is every person's own responsibility. To me the biggest issue with the existing signing solution is ease of use and efficiency. Removing the need for personalization and allowing less handshaking would be a good thing. A concept for this can be seen in the GitHub issues tagged with security v3 but alas, time is not a luxury I have for this in recent years. Kids, house and so on take their toll.
                But technically, SHA-256 and HMAC are still strong algorithms. But the shared static key is my biggest concern (which would be solved by ECDH key exchange).

                  172pilot wrote (#13):
                  @NeverDie Is a signing chip really necessary?
                  If the packets are truly encrypted, and the hack you're trying to foil is a simple replay attack, I would think that including a simple incrementing counter into the message would do it. All the receiver would have to do is to only accept decrypted messages with a counter number GREATER than the last one it received. This should be simple to do if the encryption/decryption is already considered relatively secure?

                    Anticimex (Contest Winner) wrote (#14):

                    @172pilot without a chip, the key for signing (and encryption) is entirely unprotected. So if your kode is stolen, it is trivial to extract it. And since it is shared on the network, that network is completely compromised until you change the key on all nodes that rely on it (which would be all in the network if encryption is used). Furthermore, in the case of encryption, the signing chip is not involved, so the encryption key is never physically protected.
                    So signing (with an atsha chip) is the only fully protected communication mechanism.

                      172pilot wrote (#15):
                      @Anticimex I 100% agree on the "totally protected" but since the issue, at least as far as protecting from the "kiddie toy" that was the subject of the original thread, I'm just saying to ONLY add a cheap level of protection that would prevent a basic record/playback of a valid signal, I'd think this would work... for free.. I totally get that a real signature system would be better, but at a significant cost and effort.
                      I don't know the bits and bytes of MySensors well, but I took as implication from the discussion that decryption of the packet wasn't the primary concern against this particular attack because you're right - If you can decrypt, it's over, especially if it's a single shared key amongst all the devices..

                        Anticimex (Contest Winner) wrote (#16):

                        @172pilot no, and this is why I have advocated signing over encryption. Signing gives entropy, authenticity and replay protection. It does not give obfuscation but the need for that is lower in my opinion than the other three. Yes, someone could sniff what states your locks are in, but they can also just try the handle to achieve the same thing.

                          NeverDie (Hero Member) wrote (#17):

                          @172pilot said in Good thing mysensors has non-repeatable encryption....:

                          @NeverDie Is a signing chip really necessary?
                          If the packets are truly encrypted, and the hack you're trying to foil is a simple replay attack, I would think that including a simple incrementing counter into the message would do it. All the receiver would have to do is to only accept decrypted messages with a counter number GREATER than the last one it received. This should be simple to do if the encryption/decryption is already considered relatively secure?

                          I think the answer is probably yes. Today. At this moment. At least for me and probably you. I mean, one could reasonably ask: why bother with having better security than my garage door opener? But as cracker tools become more prevalent, who knows what's coming next? It's not just us against juveniles and thugs, it's us against whatever weapons juveniles or thugs can download or buy ready-to-use from kickstarter (or aliexpress for cheap soon thereafter).

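
The incrementing counter proposed in post #13, authenticated with the HMAC-SHA256 named in post #12, as an added Python example that is not part of the thread and is not MySensors code. The frame layout, the key and the names `make_frame`, `Receiver` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # HMAC-SHA256 output size in bytes
HDR = struct.Struct(">BI")     # assumed layout: sender id (1 byte), counter (4 bytes)


def make_frame(key: bytes, sender: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC-SHA256(key, header || payload)."""
    body = HDR.pack(sender, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if it is authentic AND newer than the last one seen."""

    def __init__(self, key: bytes):
        # As post #14 notes, without protective hardware this shared key sits
        # unprotected on the node; the counter does nothing about that.
        self.key = key
        # Highest counter accepted per sender. On a real node this table must
        # survive a power cycle, or a reboot makes old captures valid again.
        self.last_seen = {}

    def accept(self, frame: bytes):
        """Return (verdict, payload or None)."""
        if len(frame) < HDR.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate first, in constant time. Checking the counter before
        # the tag would let an unauthenticated frame move last_seen forward.
        if not hmac.compare_digest(tag, expected):
            return "bad-signature", None
        sender, counter = HDR.unpack_from(body)
        if counter <= self.last_seen.get(sender, -1):
            return "replay", None
        self.last_seen[sender] = counter
        return "ok", body[HDR.size:]


def demo():
    """Run four constructed frames through one receiver and return the verdicts."""
    key = b"constructed-demo-key"            # constructed sample value
    rx = Receiver(key)
    frame = make_frame(key, sender=7, counter=1, payload=b"LOCK=0")
    verdicts = [rx.accept(frame)[0]]         # first delivery
    verdicts.append(rx.accept(frame)[0])     # identical frame delivered again
    # Same frame with the counter field changed from 1 to 2 but the old tag kept:
    # the counter is covered by the HMAC, so the tag no longer matches.
    altered = bytearray(frame)
    altered[HDR.size - 1] = 2
    verdicts.append(rx.accept(bytes(altered))[0])
    # A genuine next frame still works: the altered frame did not advance the counter.
    verdicts.append(rx.accept(make_frame(key, 7, 2, b"LOCK=1"))[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```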