Signing ATSHA Key?
-
I just follow the Tutorial:
Pick a “master” device with serial debug port. Set the following sketch configuration of the personalizer: Enable LOCK_CONFIGURATION Disable LOCK_DATA Enable SKIP_KEY_STORAGE Disable SKIP_UART_CONFIRMATION Disable USER_KEY Execute the sketch on the “master” device to obtain a randomized key. Save this key to a secure location and keep it confidential so that you can retrieve it if you need to personalize more devices later on. Now reconfigure the sketch with these settings: Enable LOCK_CONFIGURATION Enable LOCK_DATA (if you are sure you do not need to replace/revoke the key, this is the most secure option to protect from key readout according to Atmel, but they also claim that key is not readable even if data region remains unlocked from the slot we are using) Disable SKIP_KEY_STORAGE Enable SKIP_UART_CONFIRMATION Enable USER_KEY Put the saved key in the user_key_data variable. Now execute the sketch on all devices you want to personalize with this secret key.But i dont lock data for now . .
An other question, it is needed to store this Key in the Gateway too?
At the moment is my Gateway only set to SOFT_Sign
I read the Tut many times but some Informations are missing or i dont understood it. My plan is to implement new Nodes, but i want to activate HARD Signing on these Nodes. My Gateway and my Nodes still exisist jet, are only set to handle SoftSign.
What steps are nessecery to use the new HARD_Sign nodes? Any changes at the Gateway needed?
Thanks a lot!
-
I just follow the Tutorial:
Pick a “master” device with serial debug port. Set the following sketch configuration of the personalizer: Enable LOCK_CONFIGURATION Disable LOCK_DATA Enable SKIP_KEY_STORAGE Disable SKIP_UART_CONFIRMATION Disable USER_KEY Execute the sketch on the “master” device to obtain a randomized key. Save this key to a secure location and keep it confidential so that you can retrieve it if you need to personalize more devices later on. Now reconfigure the sketch with these settings: Enable LOCK_CONFIGURATION Enable LOCK_DATA (if you are sure you do not need to replace/revoke the key, this is the most secure option to protect from key readout according to Atmel, but they also claim that key is not readable even if data region remains unlocked from the slot we are using) Disable SKIP_KEY_STORAGE Enable SKIP_UART_CONFIRMATION Enable USER_KEY Put the saved key in the user_key_data variable. Now execute the sketch on all devices you want to personalize with this secret key.But i dont lock data for now . .
An other question, it is needed to store this Key in the Gateway too?
At the moment is my Gateway only set to SOFT_Sign
I read the Tut many times but some Informations are missing or i dont understood it. My plan is to implement new Nodes, but i want to activate HARD Signing on these Nodes. My Gateway and my Nodes still exisist jet, are only set to handle SoftSign.
What steps are nessecery to use the new HARD_Sign nodes? Any changes at the Gateway needed?
Thanks a lot!
Personally, I randomly generated the key myself and put it in the sketch.
Enable SKIP_KEY_STORAGE - this is a reason why it is not saving the key.
About your other questions. You can mix hard (ATSHA204A) and soft signing no problem. You need to do the same on every node AND GW. Every node AND the GW has to have MySensors V2. The same operation as above you did on the node, you do on the GW - in the sketch there are options for soft signing.
-
No Prob, i hate phone typing too :-)
I know it is possible to mix hard and soft. In my way i want to use hand signing only on my new nodes . . . i will not change all nodes yet.
If i understood you right i have to generate the Key on my node (Lock Data is optional / i dont want to do that).
Now i have a HARD Signing node, but Sign failed. So in my opinion i have to generate a Key on my GW too?! Right? Use this points, this the Random Key if i generate before?:
If you do not have the ATSHA204A device and need to generate random keys:
Enable USE_SOFT_SIGNINGIf you want to review existing EEPROM configuration to determine if anything needs to be updated:
Make sure to disable any ATSHA204A update features if you use it (enable SKIP_KEY_STORAGE, disable LOCK_CONFIGURATION and LOCK_DATA)
Disable STORE_SOFT_KEY
Disable STORE_SOFT_SERIAL
Disable STORE_AES_KEYAfter this, it it possible to communicate with the "old" Soft_Signing Nodes?
-
No Prob, i hate phone typing too :-)
I know it is possible to mix hard and soft. In my way i want to use hand signing only on my new nodes . . . i will not change all nodes yet.
If i understood you right i have to generate the Key on my node (Lock Data is optional / i dont want to do that).
Now i have a HARD Signing node, but Sign failed. So in my opinion i have to generate a Key on my GW too?! Right? Use this points, this the Random Key if i generate before?:
If you do not have the ATSHA204A device and need to generate random keys:
Enable USE_SOFT_SIGNINGIf you want to review existing EEPROM configuration to determine if anything needs to be updated:
Make sure to disable any ATSHA204A update features if you use it (enable SKIP_KEY_STORAGE, disable LOCK_CONFIGURATION and LOCK_DATA)
Disable STORE_SOFT_KEY
Disable STORE_SOFT_SERIAL
Disable STORE_AES_KEYAfter this, it it possible to communicate with the "old" Soft_Signing Nodes?
@Takero Firstly, using debug for signing is a must to understand what's going on.
In order to have signing you must have the same key on a node and the GW. For the first time, you can generate it, but later you have to put it in the sketch and use with every node or GW.
If you do not have it on your GW signing will fail!!! -
After you generated the keys and did your first node, do the following for soft signing:
Enable USE_SOFT_SIGNING
Enable LOCK_CONFIGURATION
Enable STORE_SOFT_KEY - must be the same
Enable STORE_SOFT_SERIAL - must be individual for each node/GW
Enable STORE_AES_KEY - must be the sameBelow the options above you have to insert your keys.
EDIT: just corrected what you should enable
-
Thanks! Now i am on the right way :-D
Finaly i'f got a HMAC_KEY.
On my Soft_Signing GW i have to enable USE_SOFT_SIGNING and STORE_SOFT_KEY (with the HMAC_KEY) and run the SercurePersonalizer.ino on my GW? Right?
-
ATSHA204A and soft signing are very similar in the sketch. You have to enable/disable corresponding options
-
Works :+1:
-
I'd like to ask a follow up question to this old topic:
I have been able to create a set of keys using my GW on a Moteino (16MHz).
Now I'd like to program the keys into a some nodes. A few of these are running a bare 328p at 1MHz as a battery sensor, but a baudrate of 115k is a bit high. I only get garbage in the serial window, so no checking if the keys are stored properly.
Wouldn't it be wise to lower the baudrate of that sketch to be able to accomodate slow battery sensors. I have looked to try to do it myself, but was unable to find where. -
I'd like to ask a follow up question to this old topic:
I have been able to create a set of keys using my GW on a Moteino (16MHz).
Now I'd like to program the keys into a some nodes. A few of these are running a bare 328p at 1MHz as a battery sensor, but a baudrate of 115k is a bit high. I only get garbage in the serial window, so no checking if the keys are stored properly.
Wouldn't it be wise to lower the baudrate of that sketch to be able to accomodate slow battery sensors. I have looked to try to do it myself, but was unable to find where. -
I had already tried that (I just did again, to be absolutely certain) but even at 4800 I still get garbage. I know 9600 baud works because of a test I had running before I tried the personalization sketch. I added the
#define MY_BAUD_RATE 4800before the inclusion of the MySensors.h file. -
I had already tried that (I just did again, to be absolutely certain) but even at 4800 I still get garbage. I know 9600 baud works because of a test I had running before I tried the personalization sketch. I added the
#define MY_BAUD_RATE 4800before the inclusion of the MySensors.h file. -
Thanks a bunch! That did it! I always forget to use the "find" when I'm doing things like this. And the
serial.beginwas in line 881, I didn't expect it to be that far down.
