💬 Security & Signing

pepson

ok thanks

pepson

Ok i build my gateway on RPI on MySensors 2.2.0 with this configuration:

./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-signing=software --my-signing-request-signatures

Then generate 3 key and setup it on gateway.

Then clear_epprom on Arduino MIni Pro, and then send sketch security with add serial, HMAC, and AES. Then put sketch with add this on top sketch with my SERIAL generated on gateway RPI.

#define MY_SIGNING_SOFT
#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
#define MY_SIGNING_REQUEST_SIGNATURES
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X2C,0X61,0X17,0X2E,0XEE,0XDD,0XCC,0XBB,0XAA}}} // got from gateway setup

After that i run HA and he not found my nodes...
WHat is wrondg ?

Anticimex

@pepson well for starters, don't start out with whitelisting unless you know exactly what you are doing. First you have to verify that your network is stable enough to handle the security protocol. The simplest option is to only enable encryption, or use the simple password flag options. Once you have established that your gw and nodes are capable of communicating securely you can move on to personalization and whitelisting.

pepson

@anticimex
What you mean white list?

Before adding all security my nodes and gateway works perfect.

Anticimex

@pepson you define whitelisting so I presume you use it. But I don't see your gw flags specifying it so of course it does not work. So get rid of that flag from your config unless you know what it mean so that you set it up properly.

pepson

@anticimex

What flag i must remove ?
This :
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X2C,0X61,0X17,0X2E,0XEE,0XDD,0XCC,0XBB,0XAA}}} // got from gateway setup

But on GW i setup this:
sudo mysgw --set-soft-serial-key=2C61172EEEDDCCBBAA && sudo mysgw --set-aes-key=9D2AD43CF909875C4C77111111111111 && sudo mysgw --set-soft-hmac-key=A2A64C48EA6765C5DAEFA12A1E41E2F038515A9CAED9FED73D11111111111111

Anticimex

@pepson please just read the documentation. And more importantly, follow it.
Isn't it obvious that it is the flag that mention whitelisting that is supposed to be removed unless you intend to use whitelisting, in which case you ought to know how to set it up properly at both ends?

pepson

@anticimex

Sorry i dont undestand

Anticimex

@pepson https://www.mysensors.org/apidocs/group__MySigninggrpPub.html

Note that it is the documentation for the latest release (simple password flags work differently compared to previous releases, see release notes for the latest release).

pepson

HI
i don as describe...

install gateway on raspberry with this configuration:
./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-leds-err-pin=12 --my-leds-rx-pin=16 --my-leds-tx-pin=18 --my-signing=software --my-signing-request-signatures --my-signing-weak_security --my-signing-debug

and then generate serial, aes and hmac

pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-serial-key
SOFT_SERIAL | 8FC828503E6EB14C5D

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D

To use this key, run mysgw with:
--set-soft-serial-key=8FC828503E6EB14C5D
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-hmac-key
SOFT_HMAC_KEY | 0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14

To use this key, run mysgw with:
--set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-aes-key
AES_KEY | 8FDB1EE8D0351CFF874D337731BF37AE

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE

To use this key, run mysgw with:
--set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE
pi@raspberrypi:~/MySensors $

and setup it on my gateway

sudo mysgw --set-soft-serial-key=8FC828503E6EB14C5D && sudo mysgw --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE && sudo mysgw --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514

all is ok to this moment

Then

clear eeprom in node Arduino pro mini with this sketch:
https://github.com/sineverba/domoraspi/tree/master/utils/sketches
write sketch security with setup my serial, aes and hmac

https://github.com/sineverba/domoraspi/tree/master/utils/sketches

at the top setup...
/************************************ User defined key data ***************************************/

/** @brief The user-defined HMAC key to use unless @ref GENERATE_HMAC_KEY is set */
//#define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
#define MY_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14

/** @brief The user-defined AES key to store in EEPROM unless @ref GENERATE_AES_KEY is set */
//#define MY_AES_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
#define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE

/** @brief The user-defined soft serial to use for soft signing unless @ref GENERATE_SOFT_SERIAL is set */
#define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D

/***************************** Flags for guided personalization flow ******************************/

then write my sketch relay with added at the top this info:

#define MY_SIGNING_SOFT
#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
#define MY_SIGNING_REQUEST_SIGNATURES
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D}}} // got from gateway setup

and now on my Home assistant in file
/home/homeassistant/.homeassistant/mysensors.json

found my node but wthout full information like name....
{
"0": {
"battery_level": 0,
"sketch_name": null,
"sketch_version": null,
"children": {},
"type": 18,
"protocol_version": "2.2.0",
"sensor_id": 0
},
"33": {
"battery_level": 0,
"sketch_name": null,
"sketch_version": "1.0",
"children": {
"1": {
"type": 3,
"id": 1,
"values": {
"2": "1"
},
"description": ""
}
},
"type": 17,
"protocol_version": "2.2.0",
"sensor_id": 33
}
}

and in Home Assistant is not show in devices this node. Not found it.
What i done wrong ?

Anticimex

@pepson said in 💬 Security & Signing:

MY_SIGNING_NODE_WHITELISTING

How many times do I need to tell you to get rid of the whitelisting flag?

pepson

@anticimex
Ok read... but...
when i use MY_SIGNING_NODE_WHITELISTING i must on node in sketch add serial number my gateway and also serial number for node. But from where i can get serial number for my arduino pro mini ? I dont know...becasue i don use ATSHA204 but i use only soft signing....

sineverba

@pepson This is the serial OF GATEWAY. Not your Arduino. You need to put serial of GATEWAY.

Please, first of all, DONT' USE WHITELISTING. And pay attention: if you enabled it, remove it and:

1 - clear eeprom
2 - flash eeprom with keyes
3 - reload sketch (without whitelisting)

sineverba

@pepson Don't need all copy and paste, enough link :).

Btw, before move to Home Assistant, where is the output of debug of MySensors?

sudo mysgw -d

Of course, you need before stop service.

Resetting the node, what you get in debug?

When ALL ok, move to HomeAssistant.

And remember, after check that debug is ok...

sudo make install && sudo systemctl enable mysgw.service && sudo systemctl start mysgw.service

pepson

In my first time I use only serial number gateway in flag whitelistening and also not working.

sineverba

@pepson Last time. Please.
REMOVE
WHITELISTING
FROM
YOUR
SKETCH

Clear EEPROM and paste here output of debug. No other.

pepson

@sineverba
OK wait for info

pepson

@pepson

Ok i removed Whitelisting and switch is show in Hoem Assistant and works.

pi@raspberrypi:~/MySensors $ sudo ./bin/mysgw -d
mysgw: Starting gateway...
mysgw: Protocol version - 2.2.0
mysgw: MCO:BGN:INIT GW,CP=RPNGLS--,VER=2.2.0
mysgw: SGN:PER:OK
mysgw: SGN:INI:BND OK
mysgw: TSF:LRT:OK
mysgw: TSM:INIT
mysgw: TSF:WUR:MS=0
mysgw: TSM:INIT:TSP OK
mysgw: TSM:INIT:GW MODE
mysgw: TSM:READY:ID=0,PAR=0,DIS=0
mysgw: MCO:REG:NOT NEEDED
mysgw: Listening for connections on 0.0.0.0:5003
mysgw: MCO:BGN:STP
mysgw: MCO:BGN:INIT OK,TSP=1
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:BND:NONCE=44E4127024F4EB1003DCBF3701D8469E4664CC454E2A20A257AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=E1EE2D4046FEF0AEC323AA737A8367A2F290CCEFB7A4663448AD0B155FFD5A74
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=4AD7D9430FA96BBD0B18D4F57480F009BE31C6F3821F182766AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=3AADB41A42B91C0B2137BE2C2C76F57E3ADB7082F3669DECCA85B993C955D36E
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=B272E537F5C6DAF21A0C5042078EFCFD3A02B5C61F698792AAAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=5AF82BD16724069A436E0735229D32F532108A45407EF0DE7CABDADA1F7E39A0
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=61F78D66E675349B8A63B1370E81D2D1AB44BC1D0BB1F988D6AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=04EEE2B60E0C71CC092E13C68C07F3088D66F264A826C23426053C17C2353DED
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=627FAEEEFFFD6E55F371C07A54F785FDA3EE52EBD4092E0CE9AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=65503227CDB04C1A2DCB03D0E5BAFD35A4EBA956E8EBA917B2DF40FB09520092
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: !SGN:BND:VER ONGOING
mysgw: !SGN:VER:FAIL
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:BND:NONCE=32CE07784E14ED2B6D455C2C5C4D83E025185970838C0B743AAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=F04885315D93DB7FC95F3B190D68009055495ECEE698E0ADF6F50292157A8927
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=3DAAB19C10BB3CB8A08CDAACED4BFB385F1EB22AA9F926F940AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=392AB4EAFDE59AC0CC9BE6EE667FC33A69A33E86AD5CB3EC49C6C114722941F5
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=CF101801DA5324E2F66C3B9350E8FC2BCCBD337E3F588EBE2FAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=53795E79C8FE9D599D1A88363F7E2BA607ADBB265E4E99356886B65C3D0A06D0
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL

Anticimex

@pepson your gw is configured to require signing from all nodes.
Your node 33 is set up to use signing. Your node 3 is not. Hence messages from node 3 will be rejected by the GW.
Either set up all nodes to use signing or set up weak security on the GW to only require signing from nodes that require it in turn.
This is documented behaviour. Please read the documentation. That is what it is for.

pepson

But still I don't know how use white listening...?

💬 Security & Signing

22

11.7k

11.2k

113.1k