Better security without the need of a cryptoprocessor: out-of-band authentication
-
I was only presenting possible situations for discussing.
I'm analyst (processes, reliability and security). Perhaps I'm too anal with my profession. Also I'm not too good expressing myself in English.
I'm so sorry if I'm a hassle.
I'm on holidays, I should better come back to work ;)@Sergio-Rius you are not a hassle. And I am sure as a analyst you appreciate challenging and be challenged :)
I suggest if we should be a bit mot concrete, that you if you would like, describe your proposal or thoughts in the context of the bullet list I presented above.
For sure those bullets can all be addressed on various ways, but any security solution should adresse them all (and no, the proposal does not have to be fully documented from the start :)) -
@Eurbaix regarding asymmetric encryption, do you have something special in mind?
And I also have a few questions on your original proposal;GW generate random PSK for every new node? How? What prevents the GW from accepting "rogue" nodes and adding them? Inclusion mode?
After the node has authenticated with the GW and received a communication token, is it not possible for a different node to use that token (since the PSK can be assumed to be known as it is distributed OTA from the GW, right?) during the time window he token is valid?
Your proposal is interesting but let's discuss it some more :)
Edit: I also find the term PSK a bit misleading if the GW calculate and distribute them (or I misunderstood you). PSK suggests it is pre-shared and hence not distributed OTA (and therefore not subject to eavesdropping).
@Anticimex There are, in fact, three different keys in my proposal:
- A initialization PSK which should be stored in EEPROM, not the firmware, so it can be erased after the sensor registration. This PSK is common to all new sensors but only used once.
- A sensor PSK, which is sent over the air during the registration, encrypted with the initialization PSK.
- The sensor PSK is used to encrypt the token request and answer so another sensor cannot "read" the token since it doesn't have the same sensor PSK.
- The token is then used as an authentication and encryption key during the rest of the communication.
So here's a few more details about how it would work:
- When firmware is initially loaded on a new sensor, the initialization PSK is also loaded in the sensor EEPROM.
- The GW needs a "WPS" button (as modern routers have)
- Just before powering-up a sensor for the first time, press the GW's "WPS" button, the sensor will accept a connection with the initialization PSK for a few seconds (10-15s) and, along the normal sensor "registration", also send a new key to the sensor. The sensor will then erase the original PSK and replace it with this "sensor PSK", which is specific to this sensor. Since this original PSK is only used during the initial registration then deleted, it will only exist in the sensor memory while the sensor is in a secure location. In case this PSK is compromised, you only need to create a new key in the gateway, that will then be used when you load new sensors.
- This sensor PSK is then used to encrypt the token request since the GW knows each sensor key. The token is sent encrypted with this sensor PSK so another sensor cannot "read" this token. If the token is requested for a sensor-to-sensor communication, the GW will also send the token to the second sensor, encrypted with the second sensor PSK.
- For the rest of the communication (sensor to sensor, or sensor to GW), this token becomes the encryption key and authentication key.
This way, a common PSK is only used during the initialization and can only be used for initialization. This PSK is not accepted for regular communication with the GW (or other sensors). Also, a rogue sensor who have this initialization PSK can only request a "sensor PSK" when the WPS button is pressed. The chance of a rogue sensor sending a initialization request just after the WPS button has been pressed is minimal (except if you routinely initialized dozens of sensors everyday). If fact, the chances are low enough that the initialization PSK is even optional, in my opinion. After all, router use WPS without initialization PSK and this approach is considered reasonnably secure.
Last, if a "sensor PSK" is compromised, you only have to erase this entry in the sensor PSK table on the GW and the rest of your sensor network will be secure. If we are not using a cryptoprocessor to store the sensor PSK, the risk of the sensor PSK to be read in a stolen sensor exist, but the fact that sensor PSK are individuals make this risk easier to mitigate (as long as you notice that a sensor has been stolen of course).
-
@Anticimex There are, in fact, three different keys in my proposal:
- A initialization PSK which should be stored in EEPROM, not the firmware, so it can be erased after the sensor registration. This PSK is common to all new sensors but only used once.
- A sensor PSK, which is sent over the air during the registration, encrypted with the initialization PSK.
- The sensor PSK is used to encrypt the token request and answer so another sensor cannot "read" the token since it doesn't have the same sensor PSK.
- The token is then used as an authentication and encryption key during the rest of the communication.
So here's a few more details about how it would work:
- When firmware is initially loaded on a new sensor, the initialization PSK is also loaded in the sensor EEPROM.
- The GW needs a "WPS" button (as modern routers have)
- Just before powering-up a sensor for the first time, press the GW's "WPS" button, the sensor will accept a connection with the initialization PSK for a few seconds (10-15s) and, along the normal sensor "registration", also send a new key to the sensor. The sensor will then erase the original PSK and replace it with this "sensor PSK", which is specific to this sensor. Since this original PSK is only used during the initial registration then deleted, it will only exist in the sensor memory while the sensor is in a secure location. In case this PSK is compromised, you only need to create a new key in the gateway, that will then be used when you load new sensors.
- This sensor PSK is then used to encrypt the token request since the GW knows each sensor key. The token is sent encrypted with this sensor PSK so another sensor cannot "read" this token. If the token is requested for a sensor-to-sensor communication, the GW will also send the token to the second sensor, encrypted with the second sensor PSK.
- For the rest of the communication (sensor to sensor, or sensor to GW), this token becomes the encryption key and authentication key.
This way, a common PSK is only used during the initialization and can only be used for initialization. This PSK is not accepted for regular communication with the GW (or other sensors). Also, a rogue sensor who have this initialization PSK can only request a "sensor PSK" when the WPS button is pressed. The chance of a rogue sensor sending a initialization request just after the WPS button has been pressed is minimal (except if you routinely initialized dozens of sensors everyday). If fact, the chances are low enough that the initialization PSK is even optional, in my opinion. After all, router use WPS without initialization PSK and this approach is considered reasonnably secure.
Last, if a "sensor PSK" is compromised, you only have to erase this entry in the sensor PSK table on the GW and the rest of your sensor network will be secure. If we are not using a cryptoprocessor to store the sensor PSK, the risk of the sensor PSK to be read in a stolen sensor exist, but the fact that sensor PSK are individuals make this risk easier to mitigate (as long as you notice that a sensor has been stolen of course).
@Eurbaix sounds good. Just a few comments.
- WPS is considered broken (but I have not read up on the details, I am not sure it is due to the theory of operation as you outlined)
- if all communications are encrypted, is it the full payload or partial? Which algorithm do you suggest? Currently, we are limited to a full payload length of 32 bytes. Some bytes of these are for routing info so that repeater nodes can relay the message. I suppose these repeaters will be unable to decrypt messages not ment for them so at least the routing bytes need to be sent in plain text. And the algorithm block size might then be an issue given the current limitations of the payload size.
All in all I think the suggestion is sound and much in line with what we have already been theorizing around in the core team.
-
@Sergio-Rius you are not a hassle. And I am sure as a analyst you appreciate challenging and be challenged :)
I suggest if we should be a bit mot concrete, that you if you would like, describe your proposal or thoughts in the context of the bullet list I presented above.
For sure those bullets can all be addressed on various ways, but any security solution should adresse them all (and no, the proposal does not have to be fully documented from the start :))@Anticimex A few additional points to address the rest of the conversation:
- Since we are in a mesh network, I believe encrypting the routing information is not really an option as it would mean decrypting and reencrypting at each hop. Beside, if not using a common PSK, managing key exchange would become a nightmare. So, the security would only be end-to-end, with the intermediate node seeing the routing information (sensor IDs) but not the payload (sensor type and data).
- I agree that security should be handled entirely by the gateway and sensors, as it is the only nodes we fully control the firmware. Involving any external component like the controller would be this a nightmare to maintain since we do not have full control on the firmware evolution of anything outside the GW and sensors.
- Although new sensors will probably not be based on 8bits Atmegas, there are plenty of existing sensors that use 8bits Atmegas so I believe we should aim to implement a fully software solution, light enough to run on an 8bit Atmega. In my proposal, the only modification required would be to add a button on the gateway so it can still be easily implemented in an existing network. HW support (encryption or key generation) would be optional but I would keep the option to simply generate a key from an floating analog input.
- As for the encryption, I would simply choose one that is supported by most hardware platforms but light enough to be able to implement software encryption in existing 8bits sensors, although I'm not sure there is still enough flash available to add software encryption on legacy sensors.
Also note that my proposal does not aim at absolute perfect security, simply something that would allow to easily revoke a node so we don't need a cryptoprocessor to store authentication/encryption keys.
-
@Anticimex A few additional points to address the rest of the conversation:
- Since we are in a mesh network, I believe encrypting the routing information is not really an option as it would mean decrypting and reencrypting at each hop. Beside, if not using a common PSK, managing key exchange would become a nightmare. So, the security would only be end-to-end, with the intermediate node seeing the routing information (sensor IDs) but not the payload (sensor type and data).
- I agree that security should be handled entirely by the gateway and sensors, as it is the only nodes we fully control the firmware. Involving any external component like the controller would be this a nightmare to maintain since we do not have full control on the firmware evolution of anything outside the GW and sensors.
- Although new sensors will probably not be based on 8bits Atmegas, there are plenty of existing sensors that use 8bits Atmegas so I believe we should aim to implement a fully software solution, light enough to run on an 8bit Atmega. In my proposal, the only modification required would be to add a button on the gateway so it can still be easily implemented in an existing network. HW support (encryption or key generation) would be optional but I would keep the option to simply generate a key from an floating analog input.
- As for the encryption, I would simply choose one that is supported by most hardware platforms but light enough to be able to implement software encryption in existing 8bits sensors, although I'm not sure there is still enough flash available to add software encryption on legacy sensors.
Also note that my proposal does not aim at absolute perfect security, simply something that would allow to easily revoke a node so we don't need a cryptoprocessor to store authentication/encryption keys.
@Eurbaix your proposal is in my opinion fully adequate from a security point of view.
As for encryption on "legacy" hardware we already have a sw AES crypto driver (although weak).
The button on the GW actually already exist for "inclusion mode". And we also already have a software equivalent that is triggered from the controller for those who don't have or don't want a button on the GW.
A lightweight security personalizer should be enough to store the initial PSK in the nodes. For those who have used the current signing solution, that should not be a deterrent. Some new users might be annoyed by it but I don't see a good alternative. Sending it OTA is a big nono. And having it as an optional FW defined static is bad practice in case the FW leaks (even though we have inclusion mode).
If you want we can set up some shared document to flesh out the implementation details for this?
@d00616 do you have any additional input? -
@Eurbaix your proposal is in my opinion fully adequate from a security point of view.
As for encryption on "legacy" hardware we already have a sw AES crypto driver (although weak).
The button on the GW actually already exist for "inclusion mode". And we also already have a software equivalent that is triggered from the controller for those who don't have or don't want a button on the GW.
A lightweight security personalizer should be enough to store the initial PSK in the nodes. For those who have used the current signing solution, that should not be a deterrent. Some new users might be annoyed by it but I don't see a good alternative. Sending it OTA is a big nono. And having it as an optional FW defined static is bad practice in case the FW leaks (even though we have inclusion mode).
If you want we can set up some shared document to flesh out the implementation details for this?
@d00616 do you have any additional input?@Anticimex I believe the difficulty is not in making "out-of-band" secure, as it has been used and reviewed many times from a security point of view. My concern was more: can we keep it simple enough so it could be deployed on existing 8 bit platforms.
As for OTA, the initialization I proposed never send a clear key OTA. The initialization PSK is written on the sensor when you flash it (so, wired comms) and not part of the firmware. I was thinking something along the line of:
- Flash and run a small firmware (which has the initialization PSK hardcoded) that will just store the initialization PSK in the EEPROM.
- Flash and run the full MySensor firmware (which doesn't have the PSK hardcoded), then run the initialization using the PSK in the EEPROM.
This way, the full MySensor firmware, that will be updated OTA, never have to include a PSK so it can be sent in clear. Also, since comms are now encrypted, OTA updates could be encrypted although I don't see a need to encrypt firmware updates since they do not contain sensitive information.
As for packet size limitation, that's one of the reason I went with short TTL tokens that also act as nounce. The tokens are sent in a separate packet from the gateway so there is no need to exchange nounce for the rest of the communication as long as the token TTL is short enough. I would guess 5 or 10 packets using the same token should not be enough for a brute force attack. This leaves the entire packet free for payload (minus routing information), the usable payload is in fact the same as in non-secured comms.
Last: Yes, a shared document would be a good idea so we don't have go through all the posts to remember what we already discussed. I have Google Docs and One Drive accounts, but can also register on another collaboration platform.
-
@Anticimex I believe the difficulty is not in making "out-of-band" secure, as it has been used and reviewed many times from a security point of view. My concern was more: can we keep it simple enough so it could be deployed on existing 8 bit platforms.
As for OTA, the initialization I proposed never send a clear key OTA. The initialization PSK is written on the sensor when you flash it (so, wired comms) and not part of the firmware. I was thinking something along the line of:
- Flash and run a small firmware (which has the initialization PSK hardcoded) that will just store the initialization PSK in the EEPROM.
- Flash and run the full MySensor firmware (which doesn't have the PSK hardcoded), then run the initialization using the PSK in the EEPROM.
This way, the full MySensor firmware, that will be updated OTA, never have to include a PSK so it can be sent in clear. Also, since comms are now encrypted, OTA updates could be encrypted although I don't see a need to encrypt firmware updates since they do not contain sensitive information.
As for packet size limitation, that's one of the reason I went with short TTL tokens that also act as nounce. The tokens are sent in a separate packet from the gateway so there is no need to exchange nounce for the rest of the communication as long as the token TTL is short enough. I would guess 5 or 10 packets using the same token should not be enough for a brute force attack. This leaves the entire packet free for payload (minus routing information), the usable payload is in fact the same as in non-secured comms.
Last: Yes, a shared document would be a good idea so we don't have go through all the posts to remember what we already discussed. I have Google Docs and One Drive accounts, but can also register on another collaboration platform.
@Eurbaix I know. Hence my connection to the existing security personalizer which does the exact same thing.
The packet size concern is more about that certain crypto algorithms produce a ciphertext of a specific size, which had to fit in the message frame. So if parts of the buffer is in plain text, some limitation is put in the allowed size of the ciphertext (and the original plaintext which could produce a ciphertext spanning multiple crypto blocks which then would not fit the message buffer). But this is specific to the chosen algorithm.I'll look into facilitating some document sharing later. A bit busy right now and out of computers reach.
-
@Eurbaix I know. Hence my connection to the existing security personalizer which does the exact same thing.
The packet size concern is more about that certain crypto algorithms produce a ciphertext of a specific size, which had to fit in the message frame. So if parts of the buffer is in plain text, some limitation is put in the allowed size of the ciphertext (and the original plaintext which could produce a ciphertext spanning multiple crypto blocks which then would not fit the message buffer). But this is specific to the chosen algorithm.I'll look into facilitating some document sharing later. A bit busy right now and out of computers reach.
@Anticimex You raise a good point regarding cyphertext size. I was thinking initially AES 128 would be a good choice but, if routing is in clear, the encrypted part of the packet is now reduced to 16 bytes. Something to look at... or may be 16 bytes is acceptable in the use case scenario of MySensors since not all information is necessarily sensitive.
Also, what are you referring to when you say "security personalizer"? I don't remember something with this name in the current security in MySensors?
P.S.: No rush for the document sharing. It will take a while anyway to come up with something that covers all the basics so a few days more or less won't make a real difference.
I
-
@Anticimex You raise a good point regarding cyphertext size. I was thinking initially AES 128 would be a good choice but, if routing is in clear, the encrypted part of the packet is now reduced to 16 bytes. Something to look at... or may be 16 bytes is acceptable in the use case scenario of MySensors since not all information is necessarily sensitive.
Also, what are you referring to when you say "security personalizer"? I don't remember something with this name in the current security in MySensors?
P.S.: No rush for the document sharing. It will take a while anyway to come up with something that covers all the basics so a few days more or less won't make a real difference.
I
-
@Eurbaix security personalization is the corner stone of the current signing solution :) you can't use it without personalization (except for the simplified security flag on the development branch).
@Anticimex Well, it seems I missed something important in the current signing implementation. I'll have a second look.
-
I had similar ideas with two firmwares. One for initialization and one running MySensors.
If asymetric encryption is used, there is no need for an PSK for encryption. A key is calculated on both sides this can be used as a node key. A library supporting 8 bit and 32 bit MCU is micro-ecc. The problem is, the key must be compared on both sides to detect man in the middle attacks. This could be by synchronous LED blinking the hash of the calculated key and accepting the key on the gateway. This allows to integrate sensors without the need of the SecurityPersonalizer.
The 32 byte package size can be extended by an nRF24/ECB protocol extension. First packet is send without ACK and when a second packet is received the ACK payload reports if the first packet is received. Then we have 64 byte packages, compatible with classic hardware.
I'm unsure if routing encrypted packages is a good idea. An attacker can force the relay to route invalid packages. On the other side the attacker can block the complete channel by sending invalid data.
When the motivation of the new security scheme is to reduce the cost. There are nRF51822 boards starting at less than 2.50€ and nRF52832 boards for less than 4.50€.
Compared the Arduino Pro Mini + nRF24 solution with the nRF51 you get ~100 times more performance without the 2k RAM limit and a lot of Flash for 0.50€ more costs. The nRF51 has an better range compared with the nrf24, allows to implement better radio protocols or switching to BLE (actually without MySensors) and it's possible to connect RFM modules. I think in six month the pricing is eqal.
With an bootloader like mcuboot, which needs porting to MySensors the key can be protected by disallowing flashing unsigned firmware and disable debugging.
I think we shouldn't do compromises to support 8 bit MCUs.
-
@Anticimex There are, in fact, three different keys in my proposal:
- A initialization PSK which should be stored in EEPROM, not the firmware, so it can be erased after the sensor registration. This PSK is common to all new sensors but only used once.
- A sensor PSK, which is sent over the air during the registration, encrypted with the initialization PSK.
- The sensor PSK is used to encrypt the token request and answer so another sensor cannot "read" the token since it doesn't have the same sensor PSK.
- The token is then used as an authentication and encryption key during the rest of the communication.
So here's a few more details about how it would work:
- When firmware is initially loaded on a new sensor, the initialization PSK is also loaded in the sensor EEPROM.
- The GW needs a "WPS" button (as modern routers have)
- Just before powering-up a sensor for the first time, press the GW's "WPS" button, the sensor will accept a connection with the initialization PSK for a few seconds (10-15s) and, along the normal sensor "registration", also send a new key to the sensor. The sensor will then erase the original PSK and replace it with this "sensor PSK", which is specific to this sensor. Since this original PSK is only used during the initial registration then deleted, it will only exist in the sensor memory while the sensor is in a secure location. In case this PSK is compromised, you only need to create a new key in the gateway, that will then be used when you load new sensors.
- This sensor PSK is then used to encrypt the token request since the GW knows each sensor key. The token is sent encrypted with this sensor PSK so another sensor cannot "read" this token. If the token is requested for a sensor-to-sensor communication, the GW will also send the token to the second sensor, encrypted with the second sensor PSK.
- For the rest of the communication (sensor to sensor, or sensor to GW), this token becomes the encryption key and authentication key.
This way, a common PSK is only used during the initialization and can only be used for initialization. This PSK is not accepted for regular communication with the GW (or other sensors). Also, a rogue sensor who have this initialization PSK can only request a "sensor PSK" when the WPS button is pressed. The chance of a rogue sensor sending a initialization request just after the WPS button has been pressed is minimal (except if you routinely initialized dozens of sensors everyday). If fact, the chances are low enough that the initialization PSK is even optional, in my opinion. After all, router use WPS without initialization PSK and this approach is considered reasonnably secure.
Last, if a "sensor PSK" is compromised, you only have to erase this entry in the sensor PSK table on the GW and the rest of your sensor network will be secure. If we are not using a cryptoprocessor to store the sensor PSK, the risk of the sensor PSK to be read in a stolen sensor exist, but the fact that sensor PSK are individuals make this risk easier to mitigate (as long as you notice that a sensor has been stolen of course).
@Eurbaix said in Better security without the need of a cryptoprocessor: out-of-band authentication:
There are, in fact, three different keys in my proposal
Here you're basically proposing a handshake system, but, what you talk about in the first section of points, are you referring to the GW or nodes?
I don't see the need of this first key. Anything that identifies the sensor, like it's name would serve the same purpose. Or I understand it wrong?I think that if you have two networks/channels, as I have, sensors from the two networks would have different keys. Then if we wanted to add a new sensor to one of the networks, what prevents the GW1 to see a sensor from the second network (that may have connectivity issues, alias it may be asking for reconnection) as a new sensor?
-
For an mixed network with classic hardware and new hardware we can work with two address ranges. This is possible for nRF networks.
-
I see, but I always try to address security and script burning in general trying to arrive an scenario where programming knowledge isn't necessary. Like choosing from a web page the sensor I want, connecting it to the computer via usb and letting the page/program/whatever to do it all.
WPS was considered insecure because there where ways of wirelessly force the router to start the WPS procedure. Then added a password to the WPS process and now they're removing this support, whats I think it's an error.
-
@Anticimex I believe the difficulty is not in making "out-of-band" secure, as it has been used and reviewed many times from a security point of view. My concern was more: can we keep it simple enough so it could be deployed on existing 8 bit platforms.
As for OTA, the initialization I proposed never send a clear key OTA. The initialization PSK is written on the sensor when you flash it (so, wired comms) and not part of the firmware. I was thinking something along the line of:
- Flash and run a small firmware (which has the initialization PSK hardcoded) that will just store the initialization PSK in the EEPROM.
- Flash and run the full MySensor firmware (which doesn't have the PSK hardcoded), then run the initialization using the PSK in the EEPROM.
This way, the full MySensor firmware, that will be updated OTA, never have to include a PSK so it can be sent in clear. Also, since comms are now encrypted, OTA updates could be encrypted although I don't see a need to encrypt firmware updates since they do not contain sensitive information.
As for packet size limitation, that's one of the reason I went with short TTL tokens that also act as nounce. The tokens are sent in a separate packet from the gateway so there is no need to exchange nounce for the rest of the communication as long as the token TTL is short enough. I would guess 5 or 10 packets using the same token should not be enough for a brute force attack. This leaves the entire packet free for payload (minus routing information), the usable payload is in fact the same as in non-secured comms.
Last: Yes, a shared document would be a good idea so we don't have go through all the posts to remember what we already discussed. I have Google Docs and One Drive accounts, but can also register on another collaboration platform.
@Eurbaix said in Better security without the need of a cryptoprocessor: out-of-band authentication:
As for OTA, the initialization I proposed never send a clear key OTA. The initialization PSK is written on the sensor when you flash it (so, wired comms) and not part of the firmware. I was thinking something along the line of:
Flash and run a small firmware (which has the initialization PSK hardcoded) that will just store the initialization PSK in the EEPROM.
Flash and run the full MySensor firmware (which doesn't have the PSK hardcoded), then run the initialization using the PSK in the EEPROM.
This way, the full MySensor firmware, that will be updated OTA, never have to include a PSK so it can be sent in clear. Also, since comms are now encrypted, OTA updates could be encrypted although I don't see a need to encrypt firmware updates since they do not contain sensitive information.Why not having mysensors framework generating this key on the first start-up? If you're concerned about some-one getting through the algorithm, it could require some seed from the user that may be common for him. That's still compatible with my approach of a code generator if the generator asks for the seed.
Also, I don't understand why the repeaters are a problem. I don't see why they have to read all the messages, hence being deciphered. Why they don't just "relay" them?
-
@Eurbaix said in Better security without the need of a cryptoprocessor: out-of-band authentication:
As for OTA, the initialization I proposed never send a clear key OTA. The initialization PSK is written on the sensor when you flash it (so, wired comms) and not part of the firmware. I was thinking something along the line of:
Flash and run a small firmware (which has the initialization PSK hardcoded) that will just store the initialization PSK in the EEPROM.
Flash and run the full MySensor firmware (which doesn't have the PSK hardcoded), then run the initialization using the PSK in the EEPROM.
This way, the full MySensor firmware, that will be updated OTA, never have to include a PSK so it can be sent in clear. Also, since comms are now encrypted, OTA updates could be encrypted although I don't see a need to encrypt firmware updates since they do not contain sensitive information.Why not having mysensors framework generating this key on the first start-up? If you're concerned about some-one getting through the algorithm, it could require some seed from the user that may be common for him. That's still compatible with my approach of a code generator if the generator asks for the seed.
Also, I don't understand why the repeaters are a problem. I don't see why they have to read all the messages, hence being deciphered. Why they don't just "relay" them?
@Sergio-Rius if the message is fully encrypted, how would the repeaters know how to route?
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@Sergio-Rius if the message is fully encrypted, how would the repeaters know how to route?
@Anticimex It may not be fully encrypted, but having description packets. Other protocols do like this.
I understand that the repeaters should only care for messages directly sent to them. Like a remote-button to a garage door node. Other messages should then be relayed to the network. I think that is more productive and increase performance.Perhaps I miss a more complex scenario.
-
@Anticimex It may not be fully encrypted, but having description packets. Other protocols do like this.
I understand that the repeaters should only care for messages directly sent to them. Like a remote-button to a garage door node. Other messages should then be relayed to the network. I think that is more productive and increase performance.Perhaps I miss a more complex scenario.
@Sergio-Rius no that is correct. But repeaters to understand if a message is directed for them or to be repeated, part of the message need to be in plain text and then we need to mind the crypto algorithm vs payload limitations.
There are many solutions to this, I am just saying that it has to be taken into account as well.
This is not an issue when encryption is handled by the physical layer (the radio itself) but then security is specific to the radio. And we don't want that. -
I had similar ideas with two firmwares. One for initialization and one running MySensors.
If asymetric encryption is used, there is no need for an PSK for encryption. A key is calculated on both sides this can be used as a node key. A library supporting 8 bit and 32 bit MCU is micro-ecc. The problem is, the key must be compared on both sides to detect man in the middle attacks. This could be by synchronous LED blinking the hash of the calculated key and accepting the key on the gateway. This allows to integrate sensors without the need of the SecurityPersonalizer.
The 32 byte package size can be extended by an nRF24/ECB protocol extension. First packet is send without ACK and when a second packet is received the ACK payload reports if the first packet is received. Then we have 64 byte packages, compatible with classic hardware.
I'm unsure if routing encrypted packages is a good idea. An attacker can force the relay to route invalid packages. On the other side the attacker can block the complete channel by sending invalid data.
When the motivation of the new security scheme is to reduce the cost. There are nRF51822 boards starting at less than 2.50€ and nRF52832 boards for less than 4.50€.
Compared the Arduino Pro Mini + nRF24 solution with the nRF51 you get ~100 times more performance without the 2k RAM limit and a lot of Flash for 0.50€ more costs. The nRF51 has an better range compared with the nrf24, allows to implement better radio protocols or switching to BLE (actually without MySensors) and it's possible to connect RFM modules. I think in six month the pricing is eqal.
With an bootloader like mcuboot, which needs porting to MySensors the key can be protected by disallowing flashing unsigned firmware and disable debugging.
I think we shouldn't do compromises to support 8 bit MCUs.
@d00616 asymetric encryption has some advantages but ECC is more computing intensive and asymetric encryption needs double decryption compared to single decryption with a symetric algorithm. I went with symetric because it's usually lighter and faster. Also, you would still need an initializing PSK to be able to differentiate a rogue sensor trying to register on your network vs. one of your own sensors. I don't thing a LED flashing a hash is really practical.
P.S.: I know that current cheap platforms, like NRF5, are much more powerful for not much more money, but we should also keep in mind that a lot of existing sensors have already been deployed. If we drop the Atmega328 support, anyone who want to benefit of the new security solution will have to throw away all its existing sensor and rebuild new ones. That's why I am a strong advocate of legacy support, I hate throwing away something that could still works just because there is something new and shinner available for the same price.
-
In fact I initially thought that more than one GW was possible in a MyS network. That messages where broadcast until a receiver ACK-ed for it.
@Anticimex I totally agree with you.
@Eurbaix Not only the hardware. Some people are doing a great job in NodeManager that could need re-adaptations (dunno).I almost always work with async encryption. Well... I think a mixed, cascaded solution may be ideal on this scenario. Just use sha256 ciphered key, surrounded by more packets sync-ciphered and wrapped together.
I don't know if the hardware may support it, but could be like peeling an onion, if you understand. Only the GW knows the key and deciphers the message.Payload is hardly inescapable.
