💬 Security & Signing

  • pepsonP pepson

    @sineverba said in 💬 Security & Signing:

    no need to remove. Simply, in your sketches, don't use signing at all.

    OK, but if keys were generated and set up on the gateway and I don't use keys in my sketches, will the node connect? And what is the purpose of the signature then?
    I thought that if the gateway has a set of keys and a node tries to connect without a key, it will not connect...

    sineverba
    Hardware Contributor
    wrote on last edited by
    #67

    @pepson you can use a special flag define to "downgrade/reduce" security MY_WEAK_SECURITY

      pepson
      wrote on last edited by
      #68

      @sineverba

      OK, summary:
      I have set up the Raspberry gateway and generated keys.

      When I write all the keys to the node along with the sketches, the node connects OK.

      But when I write only the sketches to the node, without keys, does the node connect to the gateway or not?

        sineverba
        Hardware Contributor
        wrote on last edited by
        #69

        @pepson you need to set up the gateway with weak security.

        You need to generate keys and set them in the gateway.

        You need to personalize the nodes with the sketch and set the keys in the Arduino EEPROM.

        From now on, you have two ways: Does your node need security? Set the use-security bla-bla on top with the other define(s).

        Don't need security? Don't define use security.

        Simpler than ever.

          Anticimex
          Contest Winner
          wrote on last edited by
          #70

          @pepson if you find the security setup to be too complicated, I highly recommend sticking with the simple password flags. The documentation has it all.

          Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

            pepson
            wrote on last edited by
            #71

            @sineverba said in 💬 Security & Signing:

            setup gateway with weak security.

            But when I configure my gateway without the weak security flag, I can only use nodes that have the keys set up in their sketches, yes?

              pepson
              wrote on last edited by
              #72

              @anticimex

              Can you share with me the document that describes how to define only a password? I want to read this too.

                sineverba
                Hardware Contributor
                wrote on last edited by
                #73

                @pepson

                Let's summarize. Last time.

                1. Compile the gateway with weak security (do your research; it is also in my GitHub guide ;) )
                2. Create the 3 keys for the gateway.
                3. Set the 3 keys for the gateway.
                4. Clean your Arduinos' EEPROM with the sketch present in my guide and in the examples of the library.
                5. Set the keys in the Arduinos' EEPROM.

                Stop. End. Fin. Fine. These steps are MANDATORY. You NEED to do them.

                You will have the keys in EEPROM (Arduino) and in the gateway.

                From now on, you select:

                a) Do I need security? Perfect, in the Arduino sketch add #define bla bla bla on top with security and other stuff.
                b) Do I NOT need security? Perfect, in the Arduino sketch DON'T ADD #define bla bla related to security.

                  sineverba
                  Hardware Contributor
                  wrote on last edited by
                  #74

                  @pepson And, last of all, you can use the MySensors debug options. Try. Try. Try! This is the best option offered to you to learn. Try!
                  At worst, nothing works ;)

                    pepson
                    wrote on last edited by
                    #75

                    @sineverba
                    OK, all is very good.

                    But what does this give me if I can connect nodes both with the defines bla bla bla in the sketch and without the defines bla bla bla in the sketch?
                    But am I thinking right? In each of these cases I need to have the keys loaded in the EEPROM?

                      sineverba
                      Hardware Contributor
                      wrote on last edited by
                      #76

                      @pepson only one word. Try. Really, you are lost in 1 cm of water. Try. And if it doesn't work, open your topic, showing exactly your sketches and what you have done.

                        pepson
                        wrote on last edited by
                        #77

                        ok thanks

                          pepson
                          wrote on last edited by
                          #78

                          OK, I built my gateway on the RPi on MySensors 2.2.0 with this configuration:

                          ./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-signing=software --my-signing-request-signatures

                          Then I generated 3 keys and set them up on the gateway.

                          Then I ran clear_epprom on the Arduino Mini Pro, and then sent the security sketch with the serial, HMAC and AES added. Then I uploaded the sketch with this added at the top, with my SERIAL generated on the RPi gateway.

                          #define MY_SIGNING_SOFT
                          #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
                          #define MY_SIGNING_REQUEST_SIGNATURES
                          #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X2C,0X61,0X17,0X2E,0XEE,0XDD,0XCC,0XBB,0XAA}}} // got from gateway setup

                          After that I ran HA and it did not find my nodes...
                          What is wrong?

                            Anticimex
                            Contest Winner
                            wrote on last edited by
                            #79

                            @pepson well for starters, don't start out with whitelisting unless you know exactly what you are doing. First you have to verify that your network is stable enough to handle the security protocol. The simplest option is to only enable encryption, or use the simple password flag options. Once you have established that your gw and nodes are capable of communicating securely you can move on to personalization and whitelisting.

                            Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

                              pepson
                              wrote on last edited by
                              #80

                              @anticimex
                              What do you mean by white list?

                              Before adding all the security, my nodes and gateway worked perfectly.

                                Anticimex
                                Contest Winner
                                wrote on last edited by
                                #81

                                @pepson you define whitelisting so I presume you use it. But I don't see your gw flags specifying it so of course it does not work. So get rid of that flag from your config unless you know what it means so that you set it up properly.

                                Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

                                  pepson
                                  wrote on last edited by
                                  #82

                                  @anticimex

                                  Which flag must I remove?
                                  This one:
                                  #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X2C,0X61,0X17,0X2E,0XEE,0XDD,0XCC,0XBB,0XAA}}} // got from gateway setup

                                  But on the GW I set up this:
                                  sudo mysgw --set-soft-serial-key=2C61172EEEDDCCBBAA && sudo mysgw --set-aes-key=9D2AD43CF909875C4C77111111111111 && sudo mysgw --set-soft-hmac-key=A2A64C48EA6765C5DAEFA12A1E41E2F038515A9CAED9FED73D11111111111111

                                    Anticimex
                                    Contest Winner
                                    wrote on last edited by
                                    #83

                                    @pepson please just read the documentation. And more importantly, follow it.
                                    Isn't it obvious that it is the flag that mentions whitelisting that is supposed to be removed unless you intend to use whitelisting, in which case you ought to know how to set it up properly at both ends?

                                    Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

                                      pepson
                                      wrote on last edited by pepson
                                      #84

                                      @anticimex

                                      Sorry, I don't understand.

                                        Anticimex
                                        Contest Winner
                                        wrote on last edited by
                                        #85

                                        @pepson https://www.mysensors.org/apidocs/group__MySigninggrpPub.html

                                        Note that it is the documentation for the latest release (simple password flags work differently compared to previous releases, see release notes for the latest release).

                                        Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

                                          pepson
                                          wrote on last edited by
                                          #86

                                          Hi,
                                          I did as described...

                                          1. Installed the gateway on the Raspberry with this configuration:
                                            ./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-leds-err-pin=12 --my-leds-rx-pin=16 --my-leds-tx-pin=18 --my-signing=software --my-signing-request-signatures --my-signing-weak_security --my-signing-debug

                                          and then generated the serial, AES and HMAC keys

                                          pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-serial-key
                                          SOFT_SERIAL | 8FC828503E6EB14C5D

                                          The next line is intended to be used in SecurityPersonalizer.ino:
                                          #define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D

                                          To use this key, run mysgw with:
                                          --set-soft-serial-key=8FC828503E6EB14C5D
                                          pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-hmac-key
                                          SOFT_HMAC_KEY | 0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514

                                          The next line is intended to be used in SecurityPersonalizer.ino:
                                          #define MY_SOFT_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14

                                          To use this key, run mysgw with:
                                          --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
                                          pi@raspberrypi:~/MySensors $ sudo mysgw --gen-aes-key
                                          AES_KEY | 8FDB1EE8D0351CFF874D337731BF37AE

                                          The next line is intended to be used in SecurityPersonalizer.ino:
                                          #define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE

                                          To use this key, run mysgw with:
                                          --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE
                                          pi@raspberrypi:~/MySensors $

                                          and set them up on my gateway

                                          sudo mysgw --set-soft-serial-key=8FC828503E6EB14C5D && sudo mysgw --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE && sudo mysgw --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514

                                          All is OK up to this moment.

                                          Then

                                          1. Cleared the EEPROM in the Arduino Pro Mini node with this sketch:
                                            https://github.com/sineverba/domoraspi/tree/master/utils/sketches
                                          2. Wrote the security sketch with my serial, AES and HMAC set up

                                          https://github.com/sineverba/domoraspi/tree/master/utils/sketches

                                          with this set up at the top...
                                          /************************************ User defined key data ***************************************/

                                          /** @brief The user-defined HMAC key to use unless @ref GENERATE_HMAC_KEY is set */
                                          //#define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                                          #define MY_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14

                                          /** @brief The user-defined AES key to store in EEPROM unless @ref GENERATE_AES_KEY is set */
                                          //#define MY_AES_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
                                          #define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE

                                          /** @brief The user-defined soft serial to use for soft signing unless @ref GENERATE_SOFT_SERIAL is set */
                                          #define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D

                                          /***************************** Flags for guided personalization flow ******************************/

                                          1. Then wrote my relay sketch with this info added at the top:

                                          #define MY_SIGNING_SOFT
                                          #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
                                          #define MY_SIGNING_REQUEST_SIGNATURES
                                          #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D}}} // got from gateway setup

                                          And now my Home Assistant, in the file
                                          /home/homeassistant/.homeassistant/mysensors.json

                                          found my node, but without full information like the name...
                                          {
                                            "0": {
                                              "battery_level": 0,
                                              "sketch_name": null,
                                              "sketch_version": null,
                                              "children": {},
                                              "type": 18,
                                              "protocol_version": "2.2.0",
                                              "sensor_id": 0
                                            },
                                            "33": {
                                              "battery_level": 0,
                                              "sketch_name": null,
                                              "sketch_version": "1.0",
                                              "children": {
                                                "1": {
                                                  "type": 3,
                                                  "id": 1,
                                                  "values": {
                                                    "2": "1"
                                                  },
                                                  "description": ""
                                                }
                                              },
                                              "type": 17,
                                              "protocol_version": "2.2.0",
                                              "sensor_id": 33
                                            }
                                          }

                                          And Home Assistant does not show this node in devices. It is not found.
                                          What did I do wrong?
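
Added example (not part of any post above and not MySensors project code): a Python cross-check of the setup discussed in this thread, comparing the gateway's `./configure` and `mysgw --set-*` lines with the personalizer and node sketch defines. All key values are constructed; the rule that the gateway build must carry some option containing "whitelist" follows reply #81, and the check that a node's serial should differ from the gateway's is an assumption.

```python
import re

def to_define(hex_key):
    """Render a hex key the way the mysgw output above does (0XD, not 0X0D)."""
    return ",".join("0X%X" % b for b in bytes.fromhex(hex_key))

def _hex(text):
    """Join 0X.. tokens into zero-padded hex, so 0XD,0X68 becomes 0D68."""
    return "".join("%02X" % int(t, 16) for t in re.findall(r"0[xX][0-9a-fA-F]+", text))

def _define(source, name):
    """Value of an active '#define NAME ...' line; '//#define' lines are skipped."""
    m = re.search(r"^[ \t]*#define[ \t]+%s[ \t]+(.+)$" % re.escape(name), source, re.M)
    return m.group(1).split("//")[0] if m else None

def define_hex(source, name):
    value = _define(source, name)
    return None if value is None else _hex(value)

def whitelist(sketch):
    """(nodeId, serial_hex) pairs from MY_SIGNING_NODE_WHITELISTING, or None."""
    value = _define(sketch, "MY_SIGNING_NODE_WHITELISTING")
    if value is None:
        return None
    pairs = re.findall(r"\.nodeId\s*=\s*(\w+)\s*,\s*\.serial\s*=\s*\{([^}]*)\}", value)
    return [(node, _hex(serial)) for node, serial in pairs]

def options(command):
    """Map of option name -> value (True for bare flags) on a command line."""
    return {k: (v or True) for k, v in re.findall(r"--([\w-]+)(?:=(\S+))?", command)}

def check(configure, set_keys, personalizer, sketch):
    """Return a list of mismatches between the gateway and node configuration."""
    gw_build, gw_keys = options(configure), options(set_keys)
    findings = []
    for define, opt in (("MY_HMAC_KEY", "set-soft-hmac-key"),
                        ("MY_AES_KEY", "set-aes-key")):
        if define_hex(personalizer, define) != str(gw_keys.get(opt, "")).upper():
            findings.append("%s on the node differs from --%s" % (define, opt))
    gw_serial = str(gw_keys.get("set-soft-serial-key", "")).upper()
    entries = whitelist(sketch)
    if entries is not None:
        # Reply #81: whitelisting defined on the node but not in the gateway flags.
        if not any("whitelist" in name for name in gw_build):
            findings.append("node uses whitelisting but the gateway build has "
                            "no whitelist option")
        for node, serial in entries:
            if node == "GATEWAY_ADDRESS" and serial != gw_serial:
                findings.append("whitelisted gateway serial differs from "
                                "--set-soft-serial-key")
    # Assumption: a serial identifies one device, so a node should not reuse
    # the gateway's.
    if define_hex(personalizer, "MY_SOFT_SERIAL") == gw_serial:
        findings.append("node is personalized with the gateway's serial")
    return findings

# Constructed sample input shaped like post #86 (keys are not real).
SERIAL = "0A1B2C3D4E5F607182"
AES = "00112233445566778899AABBCCDDEEFF"
HMAC = bytes(range(1, 33)).hex().upper()
CONFIGURE = ("./configure --my-transport=rfm69 --my-gateway=ethernet "
             "--my-signing=software --my-signing-request-signatures "
             "--my-signing-weak_security")
SET_KEYS = ("sudo mysgw --set-soft-serial-key=%s && sudo mysgw --set-aes-key=%s "
            "&& sudo mysgw --set-soft-hmac-key=%s" % (SERIAL, AES, HMAC))
PERSONALIZER = "\n".join([
    "//#define MY_HMAC_KEY 0x00,0x00",
    "#define MY_HMAC_KEY " + to_define(HMAC),
    "#define MY_AES_KEY " + to_define(AES),
    "#define MY_SOFT_SERIAL " + to_define(SERIAL),
])
SKETCH = "\n".join([
    "#define MY_SIGNING_SOFT",
    "#define MY_SIGNING_REQUEST_SIGNATURES",
    "#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,"
    ".serial = {%s}}} // got from gateway setup" % to_define(SERIAL),
])

if __name__ == "__main__":
    for finding in check(CONFIGURE, SET_KEYS, PERSONALIZER, SKETCH):
        print("MISMATCH:", finding)
```

The zero-padding in `_hex` matters because the generated defines print single-digit bytes as `0XD` and `0X6`, so a plain string comparison against the `--set-*` hex value would report a false mismatch.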
