Signing_Soft in dev branch - How to do?
-
@TheoL only problem is there is no config.h.
@Anticimex I checked everything again and compared to the 1.5 lib still in my download folder. There is an option#define MY_HMAC_KEYin the MyConfig.h which is not present in the version of the dev branch. Is that intended or only a mistake? -
On development branch, all secrets are either stored in the atsha204 or on eeprom/nonvolatile memory. They are not exposed in the sketch. The documentation is updated to reflect this. My signing forum post has a link to doxygen where this is explained. Please let me know if anything remain unclear.
-
I'm not able to get the signing to work on the ethernet gateway. The sketch is getting to big. I'll continue tomorrow.
-
Thanks a lot @Anticimex for your explanation, I tried to personalize one of my arduinos, but only got serial output of FFFFFF.... as keys for HMAC, Serial and AES. I have nothing connected to this Arduino Nano, so the seedpin should be floating. Anything I did wrong? I only activated
#define USE_SOFT_SIGNINGand nothing else. As far as I read your doxygen this should generate random key but not store them in eeprom. -
Thanks a lot @Anticimex for your explanation, I tried to personalize one of my arduinos, but only got serial output of FFFFFF.... as keys for HMAC, Serial and AES. I have nothing connected to this Arduino Nano, so the seedpin should be floating. Anything I did wrong? I only activated
#define USE_SOFT_SIGNINGand nothing else. As far as I read your doxygen this should generate random key but not store them in eeprom.@Anduril i am not sure the personolizer supports random key generation for sw signing as I consider it too predictable (I cannot as a sketch designer guarantee that you use a good seed for the rng). I suggest you fantasize together a key or generate it using some other tool when using soft signing and then store it in eeprom using the personalizer. FFFF:s looks a lot like eeprom reset values indicating nothing has been written.
-
Oh, and if you have that configuration, yes, you select not to store anything in eeprom. So naturally, the keys read out are FFFF:s as you have not stored any data.
-
@Anticimex I completely agree with you that this would not garantee a good random number. Thanks for explaining all this to me.
One point still open to me is the AES key. Is it only used for encryption (which does not give a real security in our case)? I suppose it should be also kind of pre shared key, so same value on all nodes? I don't want to enable encryption at the moment, but might be good to already write keys to all nodes in case I want to use it in future. -
@Anticimex I completely agree with you that this would not garantee a good random number. Thanks for explaining all this to me.
One point still open to me is the AES key. Is it only used for encryption (which does not give a real security in our case)? I suppose it should be also kind of pre shared key, so same value on all nodes? I don't want to enable encryption at the moment, but might be good to already write keys to all nodes in case I want to use it in future. -
@Anticimex I completely agree with you that this would not garantee a good random number. Thanks for explaining all this to me.
One point still open to me is the AES key. Is it only used for encryption (which does not give a real security in our case)? I suppose it should be also kind of pre shared key, so same value on all nodes? I don't want to enable encryption at the moment, but might be good to already write keys to all nodes in case I want to use it in future. -
@Anticimex of course they should be different. I will use my password safe to create independent and strong keys.
What length should the keys have? And how to add them in sketch? I tried with a 64 character hex key. But when adding it in as pure string or with 0x01,0x02,... the serial says all to be 0x00. -
@Anticimex of course they should be different. I will use my password safe to create independent and strong keys.
What length should the keys have? And how to add them in sketch? I tried with a 64 character hex key. But when adding it in as pure string or with 0x01,0x02,... the serial says all to be 0x00. -
@Anticimex yeah first flash the personalizer and afterwards my own sketch. But where in the personalizer.ino to add the key? I tried in line 162, but serial monitor shows only
#define MY_SOFT_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 EEPROM configuration: SOFT_HMAC_KEY | 0000000000000000000000000000000000000000000000000000000000000000#define USER_SOFT_KEY 0xDC, 0x59, 0x84, 0xC0, 0x5E, 0xDA, 0xD3, 0x2C, 0x59, 0x12, 0xB0, 0xE3, 0x55, 0x75, 0x7C, 0x51, 0xDC, 0x59, 0x84, 0xC0, 0x5E, 0xDA, 0xD3, 0x2C, 0x59, 0x12, 0xB0, 0xE3, 0x55, 0x75, 0x7C, 0x51with this definition (only arbitrary key). Is that correct?
-
@Anticimex yeah first flash the personalizer and afterwards my own sketch. But where in the personalizer.ino to add the key? I tried in line 162, but serial monitor shows only
#define MY_SOFT_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 EEPROM configuration: SOFT_HMAC_KEY | 0000000000000000000000000000000000000000000000000000000000000000#define USER_SOFT_KEY 0xDC, 0x59, 0x84, 0xC0, 0x5E, 0xDA, 0xD3, 0x2C, 0x59, 0x12, 0xB0, 0xE3, 0x55, 0x75, 0x7C, 0x51, 0xDC, 0x59, 0x84, 0xC0, 0x5E, 0xDA, 0xD3, 0x2C, 0x59, 0x12, 0xB0, 0xE3, 0x55, 0x75, 0x7C, 0x51with this definition (only arbitrary key). Is that correct?
-
OK i found the problem, I misunderstood something. I thought I have to add the keys to the enabling command of USER_SOFT_KEY. but there are the real keys some lines below that with correct example how to look like. Now it works and I personalized my first node. Thanks a lot @Anticimex
-
OK i found the problem, I misunderstood something. I thought I have to add the keys to the enabling command of USER_SOFT_KEY. but there are the real keys some lines below that with correct example how to look like. Now it works and I personalized my first node. Thanks a lot @Anticimex
-
@Anticimex Does this also work with a nodeMCU? I tried to personalize my ESP today and got an error:
C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp: In constructor 'atsha204Class::atsha204Class(uint8_t)': C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp:16:18: error: cannot convert 'volatile uint32_t* {aka volatile unsigned int*}' to 'volatile uint8_t* {aka volatile unsigned char*}' in assignment device_port_DDR = portModeRegister(port); ^ C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp:18:18: error: cannot convert 'volatile uint32_t* {aka volatile unsigned int*}' to 'volatile uint8_t* {aka volatile unsigned char*}' in assignment device_port_OUT = portOutputRegister(port); ^ C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp:20:17: error: cannot convert 'volatile uint32_t* {aka volatile unsigned int*}' to 'volatile uint8_t* {aka volatile unsigned char*}' in assignment device_port_IN = portInputRegister(port); ^ Bibliothek sha204 im Ordner: C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204 (legacy) wird verwendet Bibliothek MySensors in Version 2.0.0-beta im Ordner: C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\MySensors wird verwendet Bibliothek EEPROM in Version 1.0 im Ordner: C:\Users\Mat\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\2.1.0\libraries\EEPROM wird verwendet exit status 1 Fehler beim Kompilieren. -
@Anticimex Does this also work with a nodeMCU? I tried to personalize my ESP today and got an error:
C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp: In constructor 'atsha204Class::atsha204Class(uint8_t)': C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp:16:18: error: cannot convert 'volatile uint32_t* {aka volatile unsigned int*}' to 'volatile uint8_t* {aka volatile unsigned char*}' in assignment device_port_DDR = portModeRegister(port); ^ C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp:18:18: error: cannot convert 'volatile uint32_t* {aka volatile unsigned int*}' to 'volatile uint8_t* {aka volatile unsigned char*}' in assignment device_port_OUT = portOutputRegister(port); ^ C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204\sha204_library.cpp:20:17: error: cannot convert 'volatile uint32_t* {aka volatile unsigned int*}' to 'volatile uint8_t* {aka volatile unsigned char*}' in assignment device_port_IN = portInputRegister(port); ^ Bibliothek sha204 im Ordner: C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\sha204 (legacy) wird verwendet Bibliothek MySensors in Version 2.0.0-beta im Ordner: C:\Dropbox\Projekt-Micha\Arduino Sketch\libraries\MySensors wird verwendet Bibliothek EEPROM in Version 1.0 im Ordner: C:\Users\Mat\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\2.1.0\libraries\EEPROM wird verwendet exit status 1 Fehler beim Kompilieren.@Anduril that's an error from the atsha driver. It is not adapted for "exotic" architectures. I recommend soft signing (or that you create a or with necessary adjustments that are backwards compatible with the Arduino boards currently in use).
-
@Anticimex I thought to be using only soft signing...
#include <sha204_library.h> #include <sha204_lib_return_codes.h> #define MY_CORE_ONLY #include <MySensor.h> #if DOXYGEN #define LOCK_CONFIGURATION #define LOCK_DATA #define SKIP_KEY_STORAGE #define USER_KEY #define SKIP_UART_CONFIRMATION #define USE_SOFT_SIGNING #define STORE_SOFT_KEY #define USER_SOFT_KEY #define STORE_SOFT_SERIAL #define USER_SOFT_SERIAL #define STORE_AES_KEY #define USER_AES_KEY #endif //#define LOCK_CONFIGURATION //#define LOCK_DATA //#define SKIP_KEY_STORAGE //#define USER_KEY //#define SKIP_UART_CONFIRMATION #define USE_SOFT_SIGNING #define STORE_SOFT_KEY #define USER_SOFT_KEY #define STORE_SOFT_SERIAL #define USER_SOFT_SERIAL #define STORE_AES_KEY #define USER_AES_KEY #if defined(SKIP_UART_CONFIRMATION) && !defined(USER_KEY) #error You have to define USER_KEY for boards that does not have UART #endif #ifdef USER_KEY /** @brief The user-defined HMAC key to use for personalization */ #define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 /** @brief The data to store in key slot 0 */ const uint8_t user_key_data[32] = {MY_HMAC_KEY}; #endif #ifdef USER_SOFT_KEYI copied the header of the SecurityPersonalizer (just stripped the comments to make it shorter). Do I have activated atsh somewhere without noticing?
-
@Anticimex I thought to be using only soft signing...
#include <sha204_library.h> #include <sha204_lib_return_codes.h> #define MY_CORE_ONLY #include <MySensor.h> #if DOXYGEN #define LOCK_CONFIGURATION #define LOCK_DATA #define SKIP_KEY_STORAGE #define USER_KEY #define SKIP_UART_CONFIRMATION #define USE_SOFT_SIGNING #define STORE_SOFT_KEY #define USER_SOFT_KEY #define STORE_SOFT_SERIAL #define USER_SOFT_SERIAL #define STORE_AES_KEY #define USER_AES_KEY #endif //#define LOCK_CONFIGURATION //#define LOCK_DATA //#define SKIP_KEY_STORAGE //#define USER_KEY //#define SKIP_UART_CONFIRMATION #define USE_SOFT_SIGNING #define STORE_SOFT_KEY #define USER_SOFT_KEY #define STORE_SOFT_SERIAL #define USER_SOFT_SERIAL #define STORE_AES_KEY #define USER_AES_KEY #if defined(SKIP_UART_CONFIRMATION) && !defined(USER_KEY) #error You have to define USER_KEY for boards that does not have UART #endif #ifdef USER_KEY /** @brief The user-defined HMAC key to use for personalization */ #define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 /** @brief The data to store in key slot 0 */ const uint8_t user_key_data[32] = {MY_HMAC_KEY}; #endif #ifdef USER_SOFT_KEYI copied the header of the SecurityPersonalizer (just stripped the comments to make it shorter). Do I have activated atsh somewhere without noticing?
@Anduril try ditching the SHA204 library includes at the top. Not sure if they are required for soft signing. Can't remember if I put them there for a reason.... Long time ago I coded for MySensors :(
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@Anduril try ditching the SHA204 library includes at the top. Not sure if they are required for soft signing. Can't remember if I put them there for a reason.... Long time ago I coded for MySensors :(
