[solved] Need help for signing messages between nodes



  • I have two nodes:
    Node 20: a relay switch
    Node 19: Motion detector

    Both nodes could communicate with signing with the gateway. But if I want to send a message from node 19 to node 20 it doesn't work.
    So I found the signerPresentation function. I tried to call it in node 20 and 19 but it didn't work.

    At which device do I have to call the function?
    I thought about device 19 in the presentation function with the MyMessage from the Motion sensor and node 20 as destination to inform the library that the destination node needs signing. But the destination node says:

    551439 Message is not signed, but it should have been!
    

    Could anyone help me?



  • So I tried something and I found a useful macro:
    SET_SIGN(20); So with this macro I tell the MySensors signing library that node 20 needs signed messages.

    But Node 20 says:

    Signature bad: [signature]
    1245835 Signature verification failed!
    1245852 !TSF:MSG:SIGN VERIFY FAIL
    

    With MY_DEBUG_VERBOSE_SIGNING I saw that the current nonce and HMAC output on both nodes are the same. But the signature in the message is not the same.
    So what is going wrong?

    Both nodes are able to receive signed messages from the same master. The master and both nodes have the same HMAC key.


  • Contest Winner

    Are you using whitelisting?


  • Contest Winner

    You also need to inform other nodes about your node's signing preferences if you want to transmit node-to-node signed messages. This is done using signerPresentation(). It is automatically done for node-to-gateway, but you have to do it yourself for node-to-node. It is NOT recommended to manipulate the signing tables directly using the SET_ macros.


  • Contest Winner

    For debugging purposes, could you post whether you use official or beta release? And also the signature calculated by the sender and the signature calculated by the receiver? The signatures generated are not secret. Only your HMAC key (which is never printed on UART) and your serial (if you use whitelisting) should be protected.



  • Thanks for your help @Anticimex. But now it works. The solution was to clear the EEPROM on both nodes.

    @Anticimex said in Need help for signing messages between nodes:

    Are you using whitelisting?

    Yes, I'm using whitelisting.

    @Anticimex said in Need help for signing messages between nodes:

    You also need to inform other nodes about your node's signing preferences if you want to transmit node-to-node signed messages. This is done using signerPresentation(). It is automatically done for node-to-gateway, but you have to do it yourself for node-to-node. It is NOT recommended to manipulate the signing tables directly using the SET_ macros.

    Yes, I know that it is not recommended to use the macros, but in my case it is the only solution.
    Because my battery-powered node is sleeping in deep sleep mode and can only wake up on an external interrupt.
    The interrupt from the NRF24L01 is disabled, otherwise the node wakes up every second (maybe a bug in version 2.1.1?).
    So if the other node tries to inform the battery node about signing messages, the information will not reach the battery node.
    The current MySensors implementation with signerPresentation works only if the actuator node is on before the battery node. But this is not always the case.

    All nodes in my system have fixed IDs. So it is no problem to tell my battery node that the actuator node needs signed messages. So it would be nice if we added a MySensors function to do that instead of using the SET macros.


  • Contest Winner

    @hugch Ah I see.
    For whitelisting, it is important that your whitelists match the serials and node IDs.
    If it worked after clearing EEPROM, perhaps your serials were out of sync.
    You are correct with the sleeping part. The presentation message has to reach the receiver for it to configure the settings.
    However, when the message is received, the properties in it are stored in EEPROM, so the node only has to receive it once to save the preferences of your other node.
    So you only need to make sure your battery node receives the signing-presentation message from your other node once.
    The node will parse the EEPROM tables at startup to get the signing preferences of all the nodes that have "presented" themselves to it.



  • @Anticimex It was not a whitelisting problem. But I think there was a wrong serial in the EEPROM. So I use the serial from the ATSHA device now.
    It is new to me that the signer information is stored in the EEPROM. I will try it with the presentation function again.


  • Contest Winner

    @hugch It depends on what backend you use.
    If you use soft signing, all secrets and state-flags/preferences are in EEPROM. If you use ATSHA204A, secrets are in the ATSHA204A while the state-flags/preferences are in EEPROM.
    The secrets are specific to the security infrastructure (HMAC, serial). The state-flags/preferences are specific to the MySensors library (node signing requirements).

    And if it was the wrong serial in the EEPROM, it was a whitelisting problem, as the serial is only used for whitelisting. If you use soft signing, your serial will be fetched from EEPROM (currently). If you use ATSHA204A, the serial will be fetched from ATSHA204A.
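
Added example (not part of the thread and not MySensors library code): a small Python model of the symptom discussed above, where both nodes print the same HMAC but the signature still fails because the serial used for whitelisting differs. The salting layout (SHA-256 over HMAC, sender node id and serial), the function names and all sample values are assumptions made for illustration; signature truncation is ignored.

```python
import hashlib
import hmac

def message_hmac(key, payload, nonce):
    # Both nodes compute this from the shared key, the message and the nonce.
    return hmac.new(key, payload + nonce, hashlib.sha256).digest()

def whitelist_salt(mac, sender_id, serial):
    # Assumed layout: SHA-256 over HMAC || sender node id || sender serial.
    return hashlib.sha256(mac + bytes([sender_id]) + serial).digest()

def diagnose(sender, receiver, payload, nonce):
    """Classify a verification failure from both nodes' settings."""
    s_mac = message_hmac(sender["key"], payload, nonce)
    r_mac = message_hmac(receiver["key"], payload, nonce)
    if not hmac.compare_digest(s_mac, r_mac):
        return "HMAC differs: HMAC keys do not match"
    known_serial = receiver["whitelist"].get(sender["id"])
    if known_serial is None:
        return "HMAC equal: sender id missing from receiver whitelist"
    s_sig = whitelist_salt(s_mac, sender["id"], sender["serial"])
    r_sig = whitelist_salt(r_mac, sender["id"], known_serial)
    if not hmac.compare_digest(s_sig, r_sig):
        return "HMAC equal, signature differs: serial mismatch"
    return "signature verifies"

# Constructed sample values, not taken from the thread.
KEY = bytes(range(32))
NONCE = bytes([0xA5]) * 32
PAYLOAD = bytes([19, 20, 1, 16, 0, 1])
ATSHA_SERIAL = bytes.fromhex("0123aabbccddeeff01")
STALE_SERIAL = bytes.fromhex("000000000000000000")

# Node 19 signs with a stale serial; node 20 whitelists the real one.
node19 = {"id": 19, "key": KEY, "serial": STALE_SERIAL}
node20 = {"key": KEY, "whitelist": {19: ATSHA_SERIAL}}

if __name__ == "__main__":
    print(diagnose(node19, node20, PAYLOAD, NONCE))
    node19["serial"] = ATSHA_SERIAL
    print(diagnose(node19, node20, PAYLOAD, NONCE))
```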

