💬 Security & Signing

Anticimex

@sindrome73 I am afraid it will be difficult to help if you can't read the code. There is code in the documentation, and you ask for code? There is also a sequence of steps required to do personalization, so you have to be able to understand english to some extent, or find someone who can translate for you.

If it helps, I have pasted the code here in case you for some reason can't find it (I assume you use a official 2.0 release):

How to use this

Before we begin with the details, I just want to emphasize that signing is completely optional and not enabled by default. If you do want the additional security layer signing provides, you pick the backend of your choise in your sketch. Currently, two compatible backends are supported; MY_SIGNING_ATSHA204 (hardware backed) and MY_SIGNING_SOFT (software backed). You can either enable these globally in MyConfig.h or in your sketch for sketch specific/local use.

Firstly, you need to make sure to pick a backend to use as described above.

//#define MY_SIGNING_SOFT
#define MY_SIGNING_ATSHA204
#include <MySensors.h>
...

Make sure to set the define before the inclusion of MySensors.h. It is legal to mix hardware- and software-based backends in a network. They work together.

You also need to decide if the node (or gateway) in question require and verify signatures in addition to calculating them. This has to be set by at least one of the node in a "pair" or nobody will actually start calculating a signature for a message. Just set the flag MY_SIGNING_REQUEST_SIGNATURES and the node will inform the gateway that it expects the gateway to sign all messages sent to the node. If this is set in a gateway, it will NOT force all nodes to sign messages to it. It will only require signatures from nodes that in turn require signatures. If it is desired that the gateway should require signatures from all nodes, MY_SIGNING_GW_REQUEST_SIGNATURES_FROM_ALL can be set in the gateway sketch.
If you want to have two nodes communicate securely directly with each other, the nodes that require signatures must send a presentation message to all nodes it expect signed messages from (only the gateway is informed automatically). See signerPresentation().
A node can have three "states" with respect to signing:

Node does not support signing in any way (neither MY_SIGNING_ATSHA204 nor MY_SIGNING_SOFT is set)
Node does support signing but don't require messages sent to it to be signed (MY_SIGNING_REQUEST_SIGNATURES is not set)
Node does support signing and require messages sent to it to be signed (MY_SIGNING_REQUEST_SIGNATURES is set)

Secondly, you need to verify the configuration for the backend.
For hardware backed signing it is the pin the device is connected to. In MyConfig.h there are defaults which you might need to adjust to match your personal build. The setting is defined using MY_SIGNING_ATSHA204_PIN and the default is to use pin A3.
Similar to picking your backend, this can also be set in your sketch:

#define MY_SIGNING_ATSHA204
#define MY_SIGNING_ATSHA204_PIN 4
#define MY_SIGNING_REQUEST_SIGNATURES
#include <MySensors.h>
...

For the software backed signingbackend, an unconnected analog pin is required to set a random seed for the pseudo-random generator. It is important that the pin is floating, or the output of the pseudo-random generator will be predictable, and thus compromise the signatures. The setting is defined using MY_SIGNING_SOFT_RANDOMSEED_PIN and the default is to use pin A7. The same configuration possibilities exist as with the other configuration options.

Thirdly, if you use the software backend, you need to personalize the node (see personalization).

#define MY_SIGNING_SOFT
#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
#define MY_SIGNING_REQUEST_SIGNATURES
#include <MySensors.h>
...

An example of a node that require signatures is available in SecureActuator.ino.

sineverba

#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7

I image not, but... the pin need to be to same in every node?

And.. will the library auto manage the PIN (in this case the #7) rendering it floating or need to explicity set it as INPUT on sketch?

Thank you!

Anticimex

@sineverba It is assumed that you do any configurations in your sketch, before including MySensors.h so no, it does not need to be the same on every node. It just need to be left unconnected. And yes, the library takes care of the rest.

mfalkvidd

The pin does not need to be the same.

The library will set it to the required mode, there is no need to do anything in the sketch.

pepson

Hi
I have a gateway mysensors on my RPI3 with radio RFM69HW. Is any chance to build gateway on RPI3 but also with chip ATSHA204A ? And how build it...

Anticimex

@pepson the driver has not been designed with rPi in mind. And you'd probably be better off with an I2C variant for rPi. But we currently don't offer a driver for that so you'd have to write it yourself.
But, for a gw, you typically keep those secured physically, so using a atsha device is less important, compared to "roaming" nodes.

pepson

@anticimex
I don't understand. I want secure my nodes... By Atsha204a. How I can secure it by other solution.

Anticimex

@pepson I have implemented a sw emulator for the atsha which offers compatible security infrastructure but without readout protection. Readout protection is needed if someone steals your node and extracts your hmac key. Your gw won't typically be stolen, so it don't need readout protection and can rely on the soft signing option which is compatible with nodes using atsha204a personalized with the same hmac key. The rPi port support the atsha204a emulator so you can use that to secure nodes that has a real atsha204a device.

pepson

@anticimex

Can you show me full manual how implement it on Gateway on RPI and how add this to sketch on nodes ? Please...
If you can describe me very good. I am begginer...

Anticimex

@pepson you have the links to the documentation in the article this thread is commenting on. At the very top.

pepson

@anticimex
But please show me as you have to have example...

Anticimex

@pepson I don't run on raspberry pi so I don't. But the documentation does have specific configuration examples for raspberry pi, so you have all information needed listed there in "how to use this" section.

sineverba

@pepson see here for 2.2.0 and on left menu for 2.3.0

https://github.com/sineverba/domapi/wiki/MySensors-2.2.0-Security-and-signin

pepson

@sineverba
Very very good manuals...
But i dont understand what i must type number in this placeand how get it ? It is MAC number network from RPI ?:

#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0Xaa,0Xbb,0Xcc,0XF9,0X82,0XB2,0X50,0XF2,0XAB}}} // got from gateway setup

And what is diffrent with MySensors 2.3.0 ?
I must do all point from MySensors 2.2.0 and additional point for 2.3.0 ?

After got your ./configure instruction, type
sudo nano /etc/mysensors.conf
And add your KEYs to the specific section on bottom of the file.
To get your first KEYs follow guide for 2.2.0

And in version 2.3.0 i must do this under building gateway ?

And add serial,HMAC,AES in this place in mysensors.conf

Software signing settings

Note: The gateway must have been built with signing

support to use the options below.

To generate a HMAC key run mysgw with: --gen-soft-hmac-key

copy the new key in the line below and uncomment it.

#soft_hmac_key=

To generate a serial key run mysgw with: --gen-soft-serial-key

copy the new key in the line below and uncomment it.

#soft_serial_key=

Encryption settings

Note: The gateway must have been built with encryption

support to use the options below.

To generate a AES key run mysgw with: --gen-aes-key

copy the new key in the line below and uncomment it.

#aes_key=

and then build gateway ?

sineverba

@pepson You use RFM69(H/W/HW). So I. My hint is remain with 2.2.0. I got so many issues with 2.3.0 and RFM that I reverted to 2.2.0 in 1 minute.

HMAC is not LAN MAC, is HMAC got from MYsensors gateway. Same for other 2 keyes.

I think that in long explain on my guide you have all info to get your keyes. I follow my same guide everytime I need to reinstall mysensors / domoticz / an entire PI. It is fully tested :)

pepson

@sineverba
Hi
Yes i use radio RFM69HW. I also on 2.3.0 have big problem... and back to 2.2.0. What you have problem on 2.3.0 with radio RFM69 ?

I read all your guide and it is ok. But i dont know what i must put in place:
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0Xaa,0Xbb,0Xcc,0XF9,0X82,0XB2,0X50,0XF2,0XAB}}} // got from gateway setup

Put serial from this:
sudo mysgw --gen-soft-serial-key

We will get:

SOFT_SERIAL | 7850987FA6601F6538

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_SERIAL 0X78,0X50,0X98,0X7F,0XA6,0X60,0X1F,0X65,0X38

To use this key, run mysgw with:
--set-soft-serial-key=7850987FA6601F6538

And i must put my keys to mysensors.conf when i use version 2.2.0 ? Or only when use 2.3.0 ?

Software signing settings
Note: The gateway must have been built with signing
support to use the options below.
To generate a HMAC key run mysgw with: --gen-soft-hmac-key
copy the new key in the line below and uncomment it.
#soft_hmac_key=

To generate a serial key run mysgw with: --gen-soft-serial-key
copy the new key in the line below and uncomment it.
#soft_serial_key=

Encryption settings
Note: The gateway must have been built with encryption
support to use the options below.
To generate a AES key run mysgw with: --gen-aes-key
copy the new key in the line below and uncomment it.
#aes_key=

or only send command

sudo mysgw --set-soft-serial-key=7850987FA6601F6538 && sudo mysgw --set-aes-key=768859210B4A75FACC78B757ADAFE75B && sudo mysgw --set-soft-hmac-key=0298FF121DD3194BCC33DC8185055B9D981EBE0A90D847A4777A9E65CCE4F524 ?

sineverba

@pepson

Too many ack lost and slow communication. And other that I don't remember.

That line on the sketches means that you need add on the node that you want whitelist the serial of gateway.

You got serial gateway on the steps for 2.2.0.

You have it.

You don't need to put anything in no file with 2.2.0. In my guide is NOT mentioned. In my guide, at the bottom, there is the final "set keyes" with only a line OR you can set them everytime you get them.

Please, take your time to read 1, 2, 3 times before type anything. I think it is very clear, and every step is write down for you.

;) Enjoy :)

PS Don't offend, I want help you, 'cause I used a bit of times before getting security working. And I used so many time write down a guide. But you need to read and follow carefully

pepson

@sineverba I also have the same problem with communication. But tell me you send issue to developer ? I send but nothing done.

Ok in point 4 in your guide in sketch for node i must put serial key from gateway ? Yes ?

And tell me how remove setup serial, HMAC and AES when i dont want to use it ? How remove it from gateway ?
Thanks

pepson

Any help ?

sineverba

@pepson no need to remove. Simply, in your sketches, don't use signing at all.