software AES encryption for NRF24

alexsh1

@Anticimex Thanks for heads up - I think I messed up different versions though I remember unpacking "Arduino-development". I deleted the whole folder and unzipped the files again and voila:

Sketch uses 28,228 bytes (91%) of program storage space. Maximum is 30,720 bytes.
Global variables use 1,462 bytes (71%) of dynamic memory, leaving 586 bytes for local variables. Maximum is 2,048 bytes.

UPDATE: It turned out DEBUG took a lot of memory (DEBUG AND SIGNING DEBUG)

FotoFieber

@alexsh1
@Anticimex

Just tried

#define MY_RADIO_NRF24
#define MY_SIGNING_SOFT
#define MY_SIGNING_REQUEST_SIGNATURES
#define MY_RF24_ENABLE_ENCRYPTION

This was working in the old dev branch but doesn't work for me anymore. Did you have luck with the combination of signing and encryption?

n׌�Ox>�XܚMZ������t��ֵ���<��
�=�a�WY=��VP����E�P�pStarting repeater (RNNRAS, 2.0.0)
TSM:INIT
TSM:RADIO:OK
TSP:ASSIGNID:OK (ID=15)
TSM:FPAR
TSP:MSG:SEND 15-15-255-255 s=255,c=3,t=7,pt=0,l=0,sg=0,ft=0,st=bc:
TSP:MSG:READ 0-0-15 s=255,c=3,t=8,pt=1,l=1,sg=0:0
Skipping security for command 3 type 8
TSP:MSG:FPAR RES (ID=0, dist=0)
TSP:MSG:PAR OK (ID=0, dist=1)
TSM:FPAR:OK
TSM:ID
TSM:CHKID:OK (ID=15)
TSM:UPL
TSP:PING:SEND (dest=0)
Skipping security for command 3 type 24
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=24,pt=1,l=1,sg=0,ft=0,st=fail:1
TSP:MSG:READ 0-0-15 s=255,c=3,t=25,pt=1,l=1,sg=0:1
Skipping security for command 3 type 25
TSP:MSG:PONG RECV (hops=1)
TSP:CHKUPL:OK
TSM:UPL:OK
TSM:READY
Signing required
Skipping security for command 3 type 15
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=15,pt=6,l=2,sg=0,ft=1,st=fail:0101
Failed to transmit signing presentation!Waiting for GW to send signing preferences...
TSP:MSG:READ 0-0-15 s=255,c=3,t=15,pt=6,l=2,sg=0:0101
Skipping security for command 3 type 15
Mark node 0 as one that require signed messages
Mark node 0 as one that do not require whitelisting
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=16,pt=0,l=0,sg=0,ft=2,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=16,pt=0,l=0,sg=0,ft=4,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=0:972DE10483D0864680CE821987E5823ABAEF8435F971670F04
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F00060310FF
Current nonce: 972DE10483D0864680CE821987E5823ABAEF8435F971670F04AAAAAAAAAAAAAA
HMAC: 7922F4E571510EC46BD3CAAF37A1C1627BAE2562BA0ADC210173076854649826
Signature in message: 0122F4E571510EC46BD3CAAF37A1C1627BAE2562BA0ADC2101
Message signed
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=0:59321F17D680FFDC461270BD2C22F77FBC6FF6DE90DD9A34E6
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F00060310FF
Current nonce: 59321F17D680FFDC461270BD2C22F77FBC6FF6DE90DD9A34E6AAAAAAAAAAAAAA
HMAC: 09031876715AD7ADBC81671982D07A46122D564110C59880AB733AACB111289E
Signature in message: 01031876715AD7ADBC81671982D07A46122D564110C59880AB
Message signed
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=16,pt=0,l=0,sg=1,ft=6,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=16,pt=0,l=0,sg=1,ft=8,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:24AB30408F0D10A7DB4CE357B22C908ED2438638C567DF52AE
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F00060310FF
Current nonce: 24AB30408F0D10A7DB4CE357B22C908ED2438638C567DF52AEAAAAAAAAAAAAAA
HMAC: C2B0487B88AD8AE2FD7FB63C21E841324ED48975681EB881A7EC556D74637B33
Signature in message: 01B0487B88AD8AE2FD7FB63C21E841324ED48975681EB881A7
Message signed
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:4CDF80D7AAF5358B4DA616FBB1556569F68818F331C6C681F3
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F00060310FF
Current nonce: 4CDF80D7AAF5358B4DA616FBB1556569F68818F331C6C681F3AAAAAAAAAAAAAA
HMAC: C12B5B8BD5EA6DD142908FBB02A06933E3FFBC399876B8B52E30BA9A1A66B4FC
Signature in message: 012B5B8BD5EA6DD142908FBB02A06933E3FFBC399876B8B52E
Message signed
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=1,c=3,t=16,pt=0,l=0,sg=1,ft=10,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
!TSM:UPL FAIL, SNP
TSM:FPAR
TSP:MSG:SEND 15-15-255-255 s=255,c=3,t=7,pt=0,l=0,sg=0,ft=0,st=bc:
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:0EEFA88D4FB45539A0B20C586D989BF510FC83F270ABEC3E2A
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031001
Current nonce: 0EEFA88D4FB45539A0B20C586D989BF510FC83F270ABEC3E2AAAAAAAAAAAAAAA
HMAC: 2AEEC1974BF5ED7DE100A555DD98E420E5CA0C33918F8BEFF3524B1FED047C52
Signature in message: 01EEC1974BF5ED7DE100A555DD98E420E5CA0C33918F8BEFF3
Message signed
TSP:MSG:READ 0-0-15 s=255,c=3,t=8,pt=1,l=1,sg=0:0
Skipping security for command 3 type 8
TSP:MSG:FPAR RES (ID=0, dist=0)
TSP:MSG:PAR OK (ID=0, dist=1)
!TSP:SEND:TNR
!TSP:SEND:TNR
!TSP:SEND:TNR
!TSP:SEND:TNR
TSM:FPAR:OK
TSM:ID
TSM:CHKID:OK (ID=15)
TSM:UPL
TSP:PING:SEND (dest=0)
Skipping security for command 3 type 24
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=24,pt=1,l=1,sg=0,ft=0,st=fail:1
TSP:MSG:READ 0-0-15 s=255,c=3,t=25,pt=1,l=1,sg=0:1
Skipping security for command 3 type 25
TSP:MSG:PONG RECV (hops=1)
TSP:CHKUPL:OK
TSM:UPL:OK
TSM:READY
Request registration...
Skipping security for command 3 type 26
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=26,pt=1,l=1,sg=0,ft=1,st=fail:2
TSP:MSG:READ 0-0-15 s=255,c=3,t=16,pt=0,l=0,sg=0:
Skipping security for command 3 type 16
Signing backend: ATSHA204Soft
SHA256: 23DD90319EEA644480F44B15B3A95D6B20AD8380A953D40C7600000000000000
Skipping security for command 3 type 17
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=17,pt=6,l=25,sg=0,ft=2,st=fail:23DD90319EEA644480F44B15B3A95D6B20AD8380A953D40C76
Failed to transmit nonce!
TSP:MSG:READ 0-0-15 s=255,c=3,t=27,pt=1,l=1,sg=1:1
Signature in message: 011EA3852B9E54EF00F415B0A6121E25B32B9C5F976A090B
Message to process: 000F0E231BFF01
Current nonce: 23DD90319EEA644480F44B15B3A95D6B20AD8380A953D40C76AAAAAAAAAAAAAA
HMAC: 611EA3852B9E54EF00F415B0A6121E25B32B9C5F976A090BF2C96E0C02F28D72
Signature OK
Node registration=1
Init complete, id=15, parent=0, distance=1, registration=1
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=2,c=3,t=16,pt=0,l=0,sg=1,ft=3,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:AA800D53018F5EAFCD48C21D3F702501539BFE5DF7E008B204
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031002
Current nonce: AA800D53018F5EAFCD48C21D3F702501539BFE5DF7E008B204AAAAAAAAAAAAAA
HMAC: 2E1247A4A77CA0767BFD16B9A1FCE401EF39B4D76FA6A96EF0978CE322271A6F
Signature in message: 011247A4A77CA0767BFD16B9A1FCE401EF39B4D76FA6A96EF0
Message signed
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=3,c=3,t=16,pt=0,l=0,sg=1,ft=5,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:358C0D190097ABD8AB64BF680AF252EAC6036B73222A854502
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031003
Current nonce: 358C0D190097ABD8AB64BF680AF252EAC6036B73222A854502AAAAAAAAAAAAAA
HMAC: 4A209EA1B12FB01659122DD26F2F3FB7EC15439DDEFEA90813AA0E8F87321683
Signature in message: 01209EA1B12FB01659122DD26F2F3FB7EC15439DDEFEA90813
Message signed
Ping: 60 cm
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=1,c=3,t=16,pt=0,l=0,sg=1,ft=7,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:0677F380706F11E12CFC0C43FE9559F36D8FDAEB6854836E06
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031001
Current nonce: 0677F380706F11E12CFC0C43FE9559F36D8FDAEB6854836E06AAAAAAAAAAAAAA
HMAC: 5E895658E4C08BCE1D6B5FC560D1AA608AB2AEDF9385EA80ABA1EDD8EE003EE5
Signature in message: 01895658E4C08BCE1D6B5FC560D1AA608AB2AEDF9385EA80AB
Message signed
Send button 1 pressed
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=4,c=3,t=16,pt=0,l=0,sg=1,ft=9,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
!TSM:UPL FAIL, SNP
TSM:FPAR
TSP:MSG:SEND 15-15-255-255 s=255,c=3,t=7,pt=0,l=0,sg=0,ft=0,st=bc:
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:EE3BFA6BFDD922BB892AC9A1BF2079803D8C3C258B18DFA29B
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031004
Current nonce: EE3BFA6BFDD922BB892AC9A1BF2079803D8C3C258B18DFA29BAAAAAAAAAAAAAA
HMAC: 7BEF3C478AD984729ED9A2717575A5325E66EF4C0CC9D3D761A1886A4BF4C4FD
Signature in message: 01EF3C478AD984729ED9A2717575A5325E66EF4C0CC9D3D761
Message signed
TSP:MSG:READ 0-0-15 s=255,c=3,t=8,pt=1,l=1,sg=1:0
Skipping security for command 3 type 8
TSP:MSG:FPAR RES (ID=0, dist=0)
TSP:MSG:PAR OK (ID=0, dist=1)
!TSP:SEND:TNR
TSM:FPAR:OK
TSM:ID
TSM:CHKID:OK (ID=15)
TSM:UPL
TSP:PING:SEND (dest=0)
Skipping security for command 3 type 24
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=24,pt=1,l=1,sg=0,ft=0,st=fail:1
TSP:MSG:READ 0-0-15 s=255,c=3,t=25,pt=1,l=1,sg=1:1
Skipping security for command 3 type 25
TSP:MSG:PONG RECV (hops=1)
TSP:CHKUPL:OK
TSM:UPL:OK
TSM:READY
Send button 1 pressed
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=4,c=3,t=16,pt=0,l=0,sg=1,ft=1,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:9069C5ABD4E3E13F19A92D0B708ABB41C809B6D67654357C61
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031004
Current nonce: 9069C5ABD4E3E13F19A92D0B708ABB41C809B6D67654357C61AAAAAAAAAAAAAA
HMAC: 01CCD77E9CC961B65E896180243DAB5E9174C0B88032D38261ED78BB619A00EF
Signature in message: 01CCD77E9CC961B65E896180243DAB5E9174C0B88032D38261
Message signed
Skipping security for command 3 type 16
!TSP:MSG:SEND 15-15-0-0 s=2,c=3,t=16,pt=0,l=0,sg=1,ft=3,st=fail:
Failed to transmit nonce request!
!TSP:MSG:SIGN fail
TSP:MSG:READ 0-0-15 s=255,c=3,t=17,pt=6,l=25,sg=1:1B94EC3D5354C0431C3D49CEC8903433984E2DE5D04F2D00DD
Skipping security for command 3 type 17
Nonce received from 0. Proceeding with signing...
Signing backend: ATSHA204Soft
Message to process: 0F0006031002
Current nonce: 1B94EC3D5354C0431C3D49CEC8903433984E2DE5D04F2D00DDAAAAAAAAAAAAAA
HMAC: D46DFC8ACCEE0FA7E6D282E8556F9EC7659804AD3D33163E9522F7769449F809
Signature in message: 016DFC8ACCEE0FA7E6D282E8556F9EC7659804AD3D33163E95
Message signed
Ping: 61 cm
Ping: 60 cm
Ping: 60 cm
TSP:MSG:READ 12-12-255 s=255,c=3,t=7,pt=0,l=0,sg=0:
TSP:MSG:BC
TSP:MSG:FPAR REQ (sender=12)
TSP:PING:SEND (dest=0)
Skipping security for command 3 type 24
!TSP:MSG:SEND 15-15-0-0 s=255,c=3,t=24,pt=1,l=1,sg=0,ft=5,st=fail:1
TSP:MSG:READ 0-0-15 s=255,c=3,t=25,pt=1,l=1,sg=0:1
Skipping security for command 3 type 25
TSP:MSG:PONG RECV (hops=1)
TSP:CHKUPL:OK
TSP:MSG:GWL OK
TSP:MSG:SEND 15-15-12-12 s=255,c=3,t=8,pt=1,l=1,sg=0,ft=6,st=ok:1
Ping: 60 cm

Anticimex

Not sure if it is a typo or now but you list
#define MY_SIGNING_ASOFT but it should be #define MY_SIGNING_SOFT

In any case, you get st=fail which mean your radio setup is basically not working.
For any security to work, messages has to get through, and from your log, they don't:
"Failed to transmit signing presentation!"
"Failed to transmit nonce request!"
So I think from the log that signing and encryption is working, but occasionally you get messages dropped due to a poor radio link which manifests itself as failed transmissions.

lyndaeldo

If implemented correctly, AES is AES; the output between two different implementations is identical, and therefore no distinction is possible in after-the-fact comparison -- if done correctly, the one is exactly the same as the other.

But there are a few points where differences can crop in:

Operation Mode
Truecrypt implements a modified counter mode called XTS. It's pretty well vetted and has withstood some serious abuse from some powerful attackers (such as the US Government).

From examining the p7zip source code, it appears that AES encoding for the 7-zip format operates in CBC mode. This is certainly not necessarily insecure; it's the mode most popularly used in protocols such as TLS, but it is potentially vulnerable to padding oracle attacks. See this discussion on operation modes for more information.

Key Derivation
Truecrypt uses PBKDF2 to turn your password into an encryption key. It's difficult to come up with a better alternative than that. p7zip uses a salted SHA256 hash repeated over a configurable number of iterations. PBKDF2 is a bit more configurable, but 7-zip's alternative is functionally similar and arguably reaches the same goals.

FotoFieber

@Anticimex
Sorry for the typo.

Interestingly, the sketch is working perfect without signing.

I will try to add another power source and try again.

Do you have a working setup with encryption and signing?

Anticimex

@FotoFieber When you use signing, the max message size is used, and this strains the rf link the most. Signing is still not your problem. It is clear from the log that messages fail to transmit, and that is a radio problem.

alexsh1

@Anticimex @FotoFieber

We have been through this a few times. Just a suggestion - shall we do an FAQ link explaining what you have just said (st=fail is a problem of radio and not singing). Ingerestingly enough I did not manage to resolve this issue with the Sensebender. I still get several fail to transmit nonce before it starts working fine. Only the Sensebender. All other nodes work flawlessly

Anticimex

@alexsh1 It is already documented where all signing is documented:
https://ci.mysensors.org/job/Verifiers/job/MySensorsArduino/branch/master/Doxygen_HTML/group__MySigninggrp.html

Check the troubleshooting section for details. Link to all documentation is on the github frontpage and on the "head" post of the signing topic on this forum.

alexsh1

@Anticimex OK, that's super. I think we all became victims of nrf24l01+ terrible fake copies. Some of these work OK until....
Then a woodoo dance has to be performed (highly recommended) in order to make them work again.

Anticimex

@alexsh1 Don't forget the goat sacrifice

FotoFieber

I have tried a different setups now

• Arduino Mega2560, Arduino Uno
• different NRF modules from different vendors, with and withoud amplifier, with different capacitors
• different power supplies

I always end up getting st-fail, even with encryption only. But it is working even with these fails... :smile:

@Anticimex
You have a working setup with encrpytion and the actual libraries from github without st-fail?

Next tests:

• change NRF and power supply on the gateway
• and if all that doesn't help: make a setup without encryption

Anticimex

@FotoFieber No, I have no set up at all for the moment. But I have been using both encryption and signing yes. And I can tell you again (and again and again) that st=fails has nothing to do with signing or encryption. Unless you don't use the same AES key for your nodes because if the message is encrypted, it is jibberish to the receiver and NRF does not natively support encryption so I don't thinnk it will be able to ack properly. I trust you are sure you have your keys properly configured per the instructions for version 2.0.0?

FotoFieber

@Anticimex
I have a very reduced sketch now (sending millis() every second) and yes, I have configured the keys as it should be.

As long, as nobody can prove with a concrete setup, that with the actual git-version (with encryption and NRF24L01) it is working without st-fail, the possibility exists, that it there is a bug. :smile:

Anticimex

@FotoFieber No. At least not for signing. As st=fail is something set by the transport/radio layer and signing has nothing to do with that. Encryption I discourage from using (detailed in the documentation) since it provides little benefit in the form used here.

FotoFieber

@Anticimex
As the bug is there even with encryption only, it can't be in the signing code.

For privacy concerns, signing is no solution.

Anticimex

@FotoFieber Neither is encryption for NRF24 as it does not use IV:s. And the data you encrypt is predicable so the key can be derived quite easily, effectively eliminating the "protection" the encryption is supposed to give.

FotoFieber

@Anticimex
No IV? Then the AES Transport implementation is not secure, more ore less an obfuscation...

Is this a known bug, that will be fixed?

Anticimex

@FotoFieber it is a known limitation and is currently not in scope for improvement for nrf24 because it require reliable sync which nrf radios are notoriously bad at providing. If you have an idea on how to fix it, a pr is always welcome :)

FotoFieber

Hm, I am not an encryption expert. What about a Diffie-Hellmann key exchange and then use the key as IV?

Anticimex

Me neither. I care about security, not obscurity. I see no reason to encrypt a '1' or a '0' and digital streams like audio and video is not supported anyway. But exchange of constant (but random) data is already used and supported since signing is based on nonce exchange. But I believe IV:s "evolve" with the messages encrypted which implies the messages need to be exchanged trustworthy and sender and receiver need to be om sync. But I know to little about that to be sure.
In any case, I welcome any development that adds to security, and will happily review such code, but I don't have the bandwidth nor motivation to "drive" the development of encryption in the core library as I don't feel it adds enough value to be worth the effort.