[security] Introducing signing support to MySensors

Anticimex

@fleinze do you have some special reason for why you want this? I don't see a real benefit and it would slightly increase the traffic. I suppose it would add some symmetry to node-gw communication.

Anticimex

@fleinze I am quite stressed out for the moment so I forget my own design :)
What you actually should do is to configure the gateway to require signed messages. It will then do so, but only from nodes that in turn require signed messages. So you should not need to change anything, just set the GW to require signatures.

fleinze

@Anticimex If I do so, this is the output of the Gateway:

0;0;3;0;9;gateway started, id=0, parent=0, distance=0
0;0;3;0;14;Gateway startup complete.
0;0;3;0;9;no sign
0;0;3;0;9;no sign
0;0;3;0;9;no sign
0;0;3;0;9;no sign
0;0;3;0;9;read: 2-2-0 s=0,c=0,t=6,pt=0,l=0,sg=0:
2;0;0;0;6;
0;0;3;0;9;read: 2-2-0 s=1,c=0,t=30,pt=0,l=0,sg=0:
2;1;0;0;30;
0;0;3;0;9;no sign
0;0;3;0;9;no sign
0;0;3;0;9;no sign

I tried to compile the node with deactivated signing feature and also with MySigningNone.
The messages get rejected because in MySensor.cpp line 570 (developement branch) it is not checked if the sender requires signing:

	if (signer.requestSignatures() && msg.destination == nc.nodeId && mGetLength(msg) && !mGetAck(msg) &&
		(mGetCommand(msg) != C_INTERNAL ||
		 (msg.type != I_GET_NONCE_RESPONSE && msg.type != I_GET_NONCE && msg.type != I_REQUEST_SIGNING &&
		  msg.type != I_ID_REQUEST && msg.type != I_ID_RESPONSE &&
		  msg.type != I_FIND_PARENT && msg.type != I_FIND_PARENT_RESPONSE)))

My thought is that if I have a mixed network (signing and non-signing nodes) for some sensors I do not need signing (i.e. temperature-sensors). But if I have a button sensor that can actually switch something on or off (via the controller), it would be a security benefit if the messages from the sensor to the gateway are signed.

Anticimex

@fleinze If you have upgraded the library version, the signing table might have shifted in EEPROM. You then need to run the clear EEPROM sketch to reset the stored state in order for the gw/nodes to re-learn the existing signing preferences of the network.

Anticimex

@fleinze said:

My thought is that if I have a mixed network (signing and non-signing nodes) for some sensors I do not need signing (i.e. temperature-sensors). But if I have a button sensor that can actually switch something on or off (via the controller), it would be a security benefit if the messages from the sensor to the gateway are signed.

This is the exact usecase for the gw default behavior to only require signing from nodes that require signing in return. But I also got "no sign" errors after I flashed development branch yesterday on node/gw and only after I wiped the GW EEPROM I got it back online. So please try that. If it still does not work, I have to look closer, and see why this has broken because it has been working like that when I submitted the signing behavior.

fleinze

@Anticimex I tried to make it work:

• took a fresh copy of the development branch
• activated signing in MyConfig.h
• flashed the ClearEepromConfig sketch to both the test-gateway and the test-node.
• built the gateway with MySigningAtsha204Soft signer; (requires signing by default)
• built the node with MySigningNone signer;

Still got the no sign message from the gateway...
Please have a look at this.

Anticimex

@fleinze mysigningnone is a special case. It won't make signatures, so could you instead try with either hard or soft atsha?

Anticimex

@fleinze also, you can mix hard and soft atsha signing in a network, but you can't mix with "none". If you mark a node that it can do signing or require signing and use the "none" backend, nodes that use atsha (hard or soft) will not accept the signatures.

fleinze

@Anticimex
Ok, I built the node with MySigningAtsha204Soft signer(false); so it does not require signing and the gateway with MySigningAtsha204Soft signer;
-> no sign error.
How do I correctly build a node that does not sign in a mixed network (signing and non-signing nodes mixed)?

Anticimex

@fleinze
In a network where you have "mixed" nodes, I would suggest something like this:
The gateway has signing enabled and is set to require signatures and uses either hard or soft ATSHA (since you earlier wrote that you wanted the GW to sign messages to nodes that signed messages in return).
For all nodes that need to be secure, enable signing and pick either hard or soft ATSHA (depending on the node hardware) and set them to require signatures.
For all nodes that do not need to be secure, just disable signing alltogether, or pick any signing backend and set it to NOT require signatures.
The result should be like this:
A "insecure" node sends and receives unsigned messages to/from GW.
A "secure" node sends and receives signed messages to/from GW.
The GW will send signed messages to all nodes that has reported to the GW that they require signatures.
The GW will send unsigned messages to all nodes that has reported to the GW that they do NOT require signatures.

fleinze

@Anticimex In your original post you said:

However, the difference is that the gateway will only require signed messages from nodes it knows in turn require signed messages.

I made pull request 208 to match this behavior in the code:
https://github.com/mysensors/Arduino/pull/208

• If node is not a gateway, everything is as always. (1 || x)
• if node is gateway and the sender requires signed messages, check signature (0 || 1)
• if node is gateway and the sender does not requires signed messages, do not check signature (0 || 0)
  please consider adding this.

Anticimex

@fleinze Ok, lets discuss this in the PR and conclude it in this thread later.

Anticimex

Ok, the problem is identified and @fleinze has provided a fix that resolves the issue which is now merged to the development branch.
Thanks for finding the issue and fixing it!
There is no change in the signing behavior as it is documented. Now gateway does as it is supposed to.

mfalkvidd

Great work @fleinze and @Anticimex !
Reading this thread (yes, all of it) has made me ready to start configuring my nodes to use signing. Better start now, while my sensor network is still small :)

FotoFieber

Compiling with the latest dev branch SecureActuator example

#define MY_SIGNING_REQUEST_SIGNATURES

I get following error:

In file included from /Users/mm/Documents/Arduino165/libraries/MySensors/MySensor.h:157:0,
                 from SecureActuator.ino:58:
/Users/mm/Documents/Arduino165/libraries/MySensors/core/MyTransport.cpp: In function 'void transportProcess()':
/Users/mm/Documents/Arduino165/libraries/MySensors/core/MyTransport.cpp:92:10: error: 'MY_IS_GATEWAY' was not declared in this scope
    if ((!MY_IS_GATEWAY || DO_SIGN(sender)) &&
          ^
/Users/mm/Documents/Arduino165/libraries/MySensors/core/MyTransport.cpp:93:20: error: 'nc' was not declared in this scope
     destination == nc.nodeId &&
                    ^
Fehler beim Kompilieren.```

Is this a problem of the code or of my setup?

Anticimex

@FotoFieber @hek something related to the recent refactoring? I have not had the opportunity to evaluate the effects on signing myself.

hek

@FotoFieber said:

MY_SIGNING_REQUEST_SIGNATURES

Let's see how Jenkins feels about this
https://github.com/mysensors/Arduino/pull/231

Avamander

@Anticimex Hello, I found this thread now. I'll ask a few more questions, sorry. This all seems really-really great.

1. If someone wishes to use TMRh20's RF24Mesh instead of MySensors how would one sign the messages sent with that library? Is is even possible? What should be done to use that functionality?

2. Also, as I understand it is possible to emulate the ATSHA204A, on what hardware is is possible (on Uno's ATMega too?)?

3. Is it also possible to use whitelisting with RF24Mesh somehow?

Again, sorry for any dumb questions and my poor English.

Anticimex

@Avamander

1. Signing as described in this post is specific to users of the MySensors library. I suppose you could use any rf backend you like but you will need to use the MySensors library to get the nonce exchange and such. Or manually port the signing specifics out from the MySensors library and integrate them into another library. It's all open source.
2. The software emulated atsha signing backend (for MySensors) is compatible with any Arduino product.
3. See 1.

Lastly, there are no dumb questions, only dumb answers :)

Silver978

Hello,

firstly, I must say that you're doing a great job and this section about security is very interesting.
Sorry, but I want to ask a question: as regards the whitelisting system, how can I add more nodes to the list of the trusted nodes of the gateway?
The part of code is this:

[...]
#ifdef MY_SECURE_NODE_WHITELISTING
whitelist_entry_t node_whitelist[] = {
  { //I want to add nodes HERE:
    .nodeId = 55, // Just some value, this need to be changed  to the NodeId of the trusted node
    .serial = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09} } // This need to change to the serial of the trusted node
};
MySigningAtsha204 signer(true, 1, node_whitelist);  // Select ATSHA204A software signing backend with one entry in the whitelist
[...]

but the gateway continue to fail the verification of the trusted nodes that I inserted.

To sum up, how can I add more nodeIDs and serials in addition to the number "55" presented in the example of the code?

Thank you very much in advance,
Silver978