Start using IV in AES encryption?
-
I share your view.
-
Well thanks for identifying the issue and a good explanation on why it is an issue.
Having read through your initial posts once more, however, I think I found a minor detail that you may have gotten wrong.
The message header also contain sender, so although you would be able to recognize ON command from a particular bode, you would not automatically know the command from other nodes as the header would differ. -
I believe the entire message is encrypted. As far as I know the physical parts of both radio are multicast, and all data transfered, that is visible in the MySensors library, is MySensors specific and used for MySensors specific routing and such.
-
No knowledge in this but i appreciate you guys (which know more) are having this discussion.
Not Mysensors, but it could be i guess - yesterday my RFLink (433mhz) told me it found a new device, a code for a on command. A quick search on the internet revealed it belong to a home alarm manufacturer which has 2 items sending 433mhz, their wireless motion detectors and a on/off remote for the alarm...
I guess I could do some damage with this...
Controller: Proxmox VM - Home Assistant
MySensors GW: Arduino Uno - W5100 Ethernet, Gw Shield Nrf24l01+ 2,4Ghz
MySensors GW: Arduino Uno - Gw Shield RFM69, 433mhz
RFLink GW - Arduino Mega + RFLink Shield, 433mhz -
No knowledge in this but i appreciate you guys (which know more) are having this discussion.
Not Mysensors, but it could be i guess - yesterday my RFLink (433mhz) told me it found a new device, a code for a on command. A quick search on the internet revealed it belong to a home alarm manufacturer which has 2 items sending 433mhz, their wireless motion detectors and a on/off remote for the alarm...
I guess I could do some damage with this...
@sundberg84 yet another example of the incompetence of security providers for private homes. They are useless.
-
I am not an expert in encryption but I really like your discussion.
I believe as you have said, signing is the most critical issue to focus on now, and also we can't neglect encryption in the future.
Thanks for your effort.
@ahmedadelhosni signing just underwent a major overhaul recently on development branch. We are also looking into a node locking mechanism when the node suspects it is under attack from someone trying to brute force a signed message or trying to predict nonces calculated from a bad rng implementation. So security is very much being looked at. And even with missing IV, AES encryption would add some obfuscation to the messages and will in combination with signing still deter a lot of potential attackers.
