[security] Introducing signing support to MySensors

alexsh1

@Anticimex Thanks - I am currently trying an Ethernet GW and a node (Sensebender Micro) with dev branch. I am stuck at personalisation. I cannot lock data. Any idea what I am doing wrong?

This is Sensebender (with ATSHA204):

Personalization sketch for MySensors usage.
-------------------------------------------
Device revision: 00020009
Device serial:   {0x01,0x23,0x53,0x3F,0x52,0x6A,0x1A,0x06,0xEE}
0123533F526A1A06EE
Skipping configuration write and lock (configuration already locked).
Chip configuration:
EEPROM DATA:
SOFT_HMAC_KEY | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SOFT_SERIAL   | FFFFFFFFFFFFFFFFFF
AES_KEY       | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
ATSHA204A DATA:
           SN[0:1]           |         SN[2:3]           | 01   23 | 53   3F   
                          Revnum                         | 00   09   04   00   
                          SN[4:7]                        | 52   6A   1A   06   
    SN[8]    |  Reserved13   | I2CEnable | Reserved15    | EE | 13 | 00 | 00   
  I2CAddress |  TempOffset   |  OTPmode  | SelectorMode  | C8 | 00 | 55 | 00   
         SlotConfig00        |       SlotConfig01        | 8F   80 | 80   A1   
         SlotConfig02        |       SlotConfig03        | 82   E0 | A3   60   
         SlotConfig04        |       SlotConfig05        | 94   40 | A0   85   
         SlotConfig06        |       SlotConfig07        | 86   40 | 87   07   
         SlotConfig08        |       SlotConfig09        | 0F   00 | 89   F2   
         SlotConfig0A        |       SlotConfig0B        | 8A   7A | 0B   8B   
         SlotConfig0C        |       SlotConfig0D        | 0C   4C | DD   4D   
         SlotConfig0E        |       SlotConfig0F        | C2   42 | AF   8F   
  UseFlag00  | UpdateCount00 | UseFlag01 | UpdateCount01 | FF | 00 | FF | 00   
  UseFlag02  | UpdateCount02 | UseFlag03 | UpdateCount03 | FF | 00 | FF | 00   
  UseFlag04  | UpdateCount04 | UseFlag05 | UpdateCount05 | FF | 00 | FF | 00   
  UseFlag06  | UpdateCount06 | UseFlag07 | UpdateCount07 | FF | 00 | FF | 00   
                      LastKeyUse[0:3]                    | FF   FF   FF   FF   
                      LastKeyUse[4:7]                    | FF   FF   FF   FF   
                      LastKeyUse[8:B]                    | FF   FF   FF   FF   
                      LastKeyUse[C:F]                    | FF   FF   FF   FF   
  UserExtra  |    Selector   | LockValue |  LockConfig   | 00 | 00 | 55 | 00   
Take note of this key, it will never be the shown again:
#define MY_HMAC_KEY [deleted]
Writing key to slot 0...
Send SPACE character to lock data...
Data lock failed. Response: D3
Halting!

Anticimex

@alexsh1 actually, I have never actually locked data. Could be a bug there. But I also highly recommend that you don't. If you do, you will never be able to change hmac key in that device.

alexsh1

@Anticimex So this is no problem if the key is not locked? I was just following the manual

On a separate note, I cannot get soft_serial written into the EEPROM:

#define LOCK_CONFIGURATION
//#define LOCK_DATA
//#define SKIP_KEY_STORAGE
//#define USER_KEY
//#define SKIP_UART_CONFIRMATION
#define USE_SOFT_SIGNING
#define STORE_SOFT_KEY
#define USER_SOFT_KEY
#define STORE_SOFT_SERIAL
#define USER_SOFT_SERIAL
#define STORE_AES_KEY
#define USER_AES_KEY```

I have defined the key under #define MY_SOFT_SERIAL [key]

Personalization sketch for MySensors usage.
-------------------------------------------
This value will be stored in EEPROM as soft HMAC key:
#define MY_SOFT_HMAC_KEY [deleted]
Using this user supplied AES key:
#define MY_AES_KEY [deleted]
EEPROM configuration:
SOFT_HMAC_KEY | [deleted]
SOFT_SERIAL   | FFFFFFFFFFFFFFFFFF
AES_KEY       | [deleted]
--------------------------------
Personalization is now complete.

Anticimex

@alexsh1 Hopefully the manual informs about the risks with locking data (that you cannot change the key afterwards). Atmel is somewhat vague on the security implications; they say that you can not read the key anyway but it is "more secure" to lock data. But personally, I have not found a way to read it, and I prefer to be able to change my HMAC key in my devices if it should be compromised.

Strange that you don't get the soft serial. I see nothing obviously wrong with your config. But I do see that you probably sensored your uart log a bit too hard because there are other lines missing there.
You should have seen this

Using this user supplied soft HMAC key:
#define MY_SOFT_HMAC_KEY [deleted]

if you have enabled this:

#define STORE_SOFT_KEY
#define USER_SOFT_KEY

You are sure you have no #undef or some accidental comment or similar. As you see in the personalizer code, it is not that complicated. If the flags are enabled, you should at least get some printouts. But since (if your UART dump is correct) you get nothing, I suspect the flags are not really "on".

alexsh1

@Anticimex said:

Strange that you don't get the soft serial. I see nothing obviously wrong with your config. But I do see that you probably sensored your uart log a bit too hard because there are other lines missing there.
You should have seen this

Using this user supplied soft HMAC key:
#define MY_SOFT_HMAC_KEY [deleted]

if you have enabled this:

#define STORE_SOFT_KEY
#define USER_SOFT_KEY

You are sure you have no #undef or some accidental comment or similar. As you see in the personalizer code, it is not that complicated. If the flags are enabled, you should at least get some printouts. But since (if your UART dump is correct) you get nothing, I suspect the flags are not really "on".

OK, it was Arduino glitch - any changes in the sketch were not reflected on the compilation. Rebooted my PC and restarted Arduino and all works as expected.

A few questions: Mixing ATSHA204 and soft signing - Does HMAC key (one stored in ATSHA204 of say a node and another one in GW's EEPROM) have to be the same? Also I understand one can store HMAC key on both ATSHA204 and EEPROM of one device (say, Sensebender)? I understand that SOFT_KEY has to be unique for every device?

Anticimex

@alexsh1 Ok, well Arduino IDE sucks totally.

You can mix ATSHA204A and soft signing as much as you like. But for any two nodes to exchange signed data the HMAC keys have to be identical.
Yes, you can store a HMAC key in both ATSHA204A and EEPROM. These can be different if you like (and I recommend they are as the EEPROM can be dumped if the node falls into the wrong hands).
However, if you want that node to communicate signed data to another node, that node must use a matching HMAC key.
SOFT_KEY is the HMAC key stored in EEPROM, it must not be unique for every device. If it is, no device will be able to sign data to any other node and expect that node to accept that data.
SOFT_SERIAL on the other hand, must be unique to serve any useful purpose for whitelisting. If you use the ATSHA204A, the serial fused in the device will be used and that cannot be changed, and is according to Atmel, unique.

alexsh1

@Anticimex Ok, but is there a reason why one would have HMAC key in both ATSHA204a and EEPROM?

Anticimex

@alexsh1 no, not really. If you have a atsha204a the only reason to not use it would be performance. Software signing executes slightly faster due to the single write protocol of the atsha.

alexsh1

@Anticimex Thanks very much for your help - I must admit it was a bit of a challenge to jump straight away from a stable 1.5.4 to 2.0 beta

Anticimex

@alexsh1 yes there have been a lot of changes but hopefully they are perceived as improvements. Feedback on signing usability is always welcome :)

alexsh1

@Anticimex BTW, is signing compatible between 1.5.4 and 2.0b?

Anticimex

@alexsh1 no, it is not

alexsh1

@Anticimex Right, this is why I am not able to sign 1.5.4 nodes with 2.0b GW.
In fact when I inserted #define MY_SIGNING_REQUEST_SIGNATURES into the GW code, some nodes stopped working and I think it has to be with signing as GW is throwing a lot of messages that signing failed.

Bottom line is that I need to upgrade pretty much all sensors :-(

Anticimex

@alexsh1 yes, Unfortunately. But it is a huge release upcoming. And a major version step, hence the incompatibilities. Hopefully, the changes made will make it easier to do future maintenance.

cingolanifede

Hi. Is there any difference in using RFM69? Signing is supported using that radio? Thanks

Anticimex

@cingolanifede signing has nothing to to with which radio you choose so yes. It supports any transport, but to my knowledge it has only been actually tested with nrf24 and rfm69.

alexsh1

@Anticimex I must admit that signing is working really-really nicely on my custom made nodes (Soft sign and ATSHA204A)

Apart from a small issue with the sensebender, which I believe is not a signing issue, it is working like a charm. All credit to you! Thank you

Starting sensor (RNNNAS, 2.0.0-beta)
Radio init successful.
HTU21D Sensor1.1 - Online!
isMetric: 1
TempDiff :1098.00
HumDiff  :136.75
T: 998.00
H: 36.75
send: 5-5-0-0 s=0,c=1,t=0,pt=7,l=5,sg=0,st=ok:998.0
send: 5-5-0-0 s=1,c=1,t=1,pt=7,l=5,sg=0,st=ok:36.7
send: 5-5-0-0 s=2,c=1,t=38,pt=7,l=5,sg=0,st=ok:3.29
send: 5-5-0-0 s=255,c=3,t=0,pt=1,l=1,sg=0,st=ok:106
Signing required
send: 5-5-0-0 s=255,c=3,t=15,pt=0,l=2,sg=0,st=ok:


Waiting for GW to send signing preferences...
Skipping security for command 3 type 15
read: 0-0-5 s=255,c=3,t=15,pt=0,l=2,sg=0:

Mark node 0 as one that do not require signed messages
Mark node 0 as one that do not require whitelisting
send: 5-5-0-0 s=255,c=0,t=17,pt=0,l=10,sg=0,st=ok:2.0.0-beta
send: 5-5-0-0 s=255,c=3,t=6,pt=1,l=1,sg=0,st=ok:0
Skipping security for command 3 type 16
read: 0-0-5 s=255,c=3,t=16,pt=0,l=0,sg=0:
Signing backend: ATSHA204Soft
SHA256: 2C4A871ACCAE26760F41E547DD39B7B816FE22EEBCD8DFA2FE00000000000000
Transmittng nonce
send: 5-5-0-0 s=255,c=3,t=17,pt=6,l=25,sg=0,st=ok:2C4A871ACCAE26760F41E547DD39B7B816FE22EEBCD8DFA2FE
Signature in message: 01C31110DAE29D5DCD3771F68B6F29B5CCCF43A3D5397CC8
Message to process: 00050E0306FF4D
Current nonce: 2C4A871ACCAE26760F41E547DD39B7B816FE22EEBCD8DFA2FEAAAAAAAAAAAAAA
HMAC: 0CC31110DAE29D5DCD3771F68B6F29B5CCCF43A3D5397CC89A82A89D87E931B8
Signature OK
read: 0-0-5 s=255,c=3,t=6,pt=0,l=1,sg=0:M
send: 5-5-0-0 s=255,c=3,t=11,pt=0,l=24,sg=0,st=ok:Temp/Hum Sensor - HTU21D
send: 5-5-0-0 s=255,c=3,t=12,pt=0,l=3,sg=0,st=ok:1.1
send: 5-5-0-0 s=0,c=0,t=6,pt=0,l=0,sg=0,st=ok:
send: 5-5-0-0 s=1,c=0,t=7,pt=0,l=0,sg=0,st=ok:
send: 5-5-0-0 s=2,c=0,t=13,pt=0,l=0,sg=0,st=ok:
Init complete, id=5, parent=0, distance=1
TempDiff :971.94
HumDiff  :0.02
T: 26.06
H: 36.72
send: 5-5-0-0 s=0,c=1,t=0,pt=7,l=5,sg=0,st=ok:26.1
send: 5-5-0-0 s=1,c=1,t=1,pt=7,l=5,sg=0,st=ok:36.7

Anticimex

@alexsh1 I'm really glad to hear that. Thank you! Glad that signing is being used and is perceived as something not to complicated to bother with. It sets us apart from many other projects dealing with the same thing :)

alexsh1

@Anticimex I did not say it was not complicated :)
Just kidding - speaking just for myself, it did require some time investment to understand the concept and then upgrading my gateway and my nodes (I am still in the process of rolling signing across the rest of my nodes) to MySensors 2.0b. I probably spent more time upgrading MySensors lib and breaking some hardware in the meantime (the SMA connector on the nrf24l01+ PA+LNA) than the actual signing.

Anticimex

@alexsh1 yeah, well if there is room for improvement in the documentation then feel free to help put with suggestions if there is anything unclear about that :) I use doxygen to document signing features, and a link is available on the GitHub "front-page" (the readme.md)