💬 Security & Signing
-
HI
i don as describe...- install gateway on raspberry with this configuration:
./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-leds-err-pin=12 --my-leds-rx-pin=16 --my-leds-tx-pin=18 --my-signing=software --my-signing-request-signatures --my-signing-weak_security --my-signing-debug
and then generate serial, aes and hmac
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-serial-key
SOFT_SERIAL | 8FC828503E6EB14C5DThe next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5DTo use this key, run mysgw with:
--set-soft-serial-key=8FC828503E6EB14C5D
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-hmac-key
SOFT_HMAC_KEY | 0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14To use this key, run mysgw with:
--set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-aes-key
AES_KEY | 8FDB1EE8D0351CFF874D337731BF37AEThe next line is intended to be used in SecurityPersonalizer.ino:
#define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAETo use this key, run mysgw with:
--set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE
pi@raspberrypi:~/MySensors $and setup it on my gateway
sudo mysgw --set-soft-serial-key=8FC828503E6EB14C5D && sudo mysgw --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE && sudo mysgw --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
all is ok to this moment
Then
- clear eeprom in node Arduino pro mini with this sketch:
https://github.com/sineverba/domoraspi/tree/master/utils/sketches - write sketch security with setup my serial, aes and hmac
https://github.com/sineverba/domoraspi/tree/master/utils/sketches
at the top setup...
/************************************ User defined key data ***************************************//** @brief The user-defined HMAC key to use unless @ref GENERATE_HMAC_KEY is set */
//#define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
#define MY_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14/** @brief The user-defined AES key to store in EEPROM unless @ref GENERATE_AES_KEY is set */
//#define MY_AES_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
#define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE/** @brief The user-defined soft serial to use for soft signing unless @ref GENERATE_SOFT_SERIAL is set */
#define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D/***************************** Flags for guided personalization flow ******************************/
- then write my sketch relay with added at the top this info:
#define MY_SIGNING_SOFT
#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
#define MY_SIGNING_REQUEST_SIGNATURES
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D}}} // got from gateway setupand now on my Home assistant in file
/home/homeassistant/.homeassistant/mysensors.jsonfound my node but wthout full information like name....
{
"0": {
"battery_level": 0,
"sketch_name": null,
"sketch_version": null,
"children": {},
"type": 18,
"protocol_version": "2.2.0",
"sensor_id": 0
},
"33": {
"battery_level": 0,
"sketch_name": null,
"sketch_version": "1.0",
"children": {
"1": {
"type": 3,
"id": 1,
"values": {
"2": "1"
},
"description": ""
}
},
"type": 17,
"protocol_version": "2.2.0",
"sensor_id": 33
}
}and in Home Assistant is not show in devices this node. Not found it.
What i done wrong ?@pepson said in 💬 Security & Signing:
MY_SIGNING_NODE_WHITELISTING
How many times do I need to tell you to get rid of the whitelisting flag?
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
- install gateway on raspberry with this configuration:
-
@pepson said in 💬 Security & Signing:
MY_SIGNING_NODE_WHITELISTING
How many times do I need to tell you to get rid of the whitelisting flag?
@anticimex
Ok read... but...
when i use MY_SIGNING_NODE_WHITELISTING i must on node in sketch add serial number my gateway and also serial number for node. But from where i can get serial number for my arduino pro mini ? I dont know...becasue i don use ATSHA204 but i use only soft signing.... -
@anticimex
Ok read... but...
when i use MY_SIGNING_NODE_WHITELISTING i must on node in sketch add serial number my gateway and also serial number for node. But from where i can get serial number for my arduino pro mini ? I dont know...becasue i don use ATSHA204 but i use only soft signing....@pepson This is the serial OF GATEWAY. Not your Arduino. You need to put serial of GATEWAY.
Please, first of all, DONT' USE WHITELISTING. And pay attention: if you enabled it, remove it and:
1 - clear eeprom
2 - flash eeprom with keyes
3 - reload sketch (without whitelisting) -
HI
i don as describe...- install gateway on raspberry with this configuration:
./configure --my-transport=rfm69 --my-rfm69-frequency=868 --my-is-rfm69hw --my-gateway=ethernet --my-port=5003 --my-leds-err-pin=12 --my-leds-rx-pin=16 --my-leds-tx-pin=18 --my-signing=software --my-signing-request-signatures --my-signing-weak_security --my-signing-debug
and then generate serial, aes and hmac
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-serial-key
SOFT_SERIAL | 8FC828503E6EB14C5DThe next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5DTo use this key, run mysgw with:
--set-soft-serial-key=8FC828503E6EB14C5D
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-soft-hmac-key
SOFT_HMAC_KEY | 0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14To use this key, run mysgw with:
--set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
pi@raspberrypi:~/MySensors $ sudo mysgw --gen-aes-key
AES_KEY | 8FDB1EE8D0351CFF874D337731BF37AEThe next line is intended to be used in SecurityPersonalizer.ino:
#define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAETo use this key, run mysgw with:
--set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE
pi@raspberrypi:~/MySensors $and setup it on my gateway
sudo mysgw --set-soft-serial-key=8FC828503E6EB14C5D && sudo mysgw --set-aes-key=8FDB1EE8D0351CFF874D337731BF37AE && sudo mysgw --set-soft-hmac-key=0D682ED05106E5F361C64288D68AAE1B34F5FFB62B4E39773C9D92DED04B6514
all is ok to this moment
Then
- clear eeprom in node Arduino pro mini with this sketch:
https://github.com/sineverba/domoraspi/tree/master/utils/sketches - write sketch security with setup my serial, aes and hmac
https://github.com/sineverba/domoraspi/tree/master/utils/sketches
at the top setup...
/************************************ User defined key data ***************************************//** @brief The user-defined HMAC key to use unless @ref GENERATE_HMAC_KEY is set */
//#define MY_HMAC_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
#define MY_HMAC_KEY 0XD,0X68,0X2E,0XD0,0X51,0X6,0XE5,0XF3,0X61,0XC6,0X42,0X88,0XD6,0X8A,0XAE,0X1B,0X34,0XF5,0XFF,0XB6,0X2B,0X4E,0X39,0X77,0X3C,0X9D,0X92,0XDE,0XD0,0X4B,0X65,0X14/** @brief The user-defined AES key to store in EEPROM unless @ref GENERATE_AES_KEY is set */
//#define MY_AES_KEY 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
#define MY_AES_KEY 0X8F,0XDB,0X1E,0XE8,0XD0,0X35,0X1C,0XFF,0X87,0X4D,0X33,0X77,0X31,0XBF,0X37,0XAE/** @brief The user-defined soft serial to use for soft signing unless @ref GENERATE_SOFT_SERIAL is set */
#define MY_SOFT_SERIAL 0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D/***************************** Flags for guided personalization flow ******************************/
- then write my sketch relay with added at the top this info:
#define MY_SIGNING_SOFT
#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
#define MY_SIGNING_REQUEST_SIGNATURES
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0X8F,0XC8,0X28,0X50,0X3E,0X6E,0XB1,0X4C,0X5D}}} // got from gateway setupand now on my Home assistant in file
/home/homeassistant/.homeassistant/mysensors.jsonfound my node but wthout full information like name....
{
"0": {
"battery_level": 0,
"sketch_name": null,
"sketch_version": null,
"children": {},
"type": 18,
"protocol_version": "2.2.0",
"sensor_id": 0
},
"33": {
"battery_level": 0,
"sketch_name": null,
"sketch_version": "1.0",
"children": {
"1": {
"type": 3,
"id": 1,
"values": {
"2": "1"
},
"description": ""
}
},
"type": 17,
"protocol_version": "2.2.0",
"sensor_id": 33
}
}and in Home Assistant is not show in devices this node. Not found it.
What i done wrong ?@pepson Don't need all copy and paste, enough link :).
Btw, before move to Home Assistant, where is the output of debug of MySensors?
sudo mysgw -dOf course, you need before stop service.
Resetting the node, what you get in debug?
When ALL ok, move to HomeAssistant.
And remember, after check that debug is ok...
sudo make install && sudo systemctl enable mysgw.service && sudo systemctl start mysgw.service - install gateway on raspberry with this configuration:
-
In my first time I use only serial number gateway in flag whitelistening and also not working.
-
@pepson Last time. Please.
REMOVE
WHITELISTING
FROM
YOUR
SKETCHClear EEPROM and paste here output of debug. No other.
-
@sineverba
OK wait for infoOk i removed Whitelisting and switch is show in Hoem Assistant and works.
pi@raspberrypi:~/MySensors $ sudo ./bin/mysgw -d
mysgw: Starting gateway...
mysgw: Protocol version - 2.2.0
mysgw: MCO:BGN:INIT GW,CP=RPNGLS--,VER=2.2.0
mysgw: SGN:PER:OK
mysgw: SGN:INI:BND OK
mysgw: TSF:LRT:OK
mysgw: TSM:INIT
mysgw: TSF:WUR:MS=0
mysgw: TSM:INIT:TSP OK
mysgw: TSM:INIT:GW MODE
mysgw: TSM:READY:ID=0,PAR=0,DIS=0
mysgw: MCO:REG:NOT NEEDED
mysgw: Listening for connections on 0.0.0.0:5003
mysgw: MCO:BGN:STP
mysgw: MCO:BGN:INIT OK,TSP=1
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:BND:NONCE=44E4127024F4EB1003DCBF3701D8469E4664CC454E2A20A257AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=E1EE2D4046FEF0AEC323AA737A8367A2F290CCEFB7A4663448AD0B155FFD5A74
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=4AD7D9430FA96BBD0B18D4F57480F009BE31C6F3821F182766AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=3AADB41A42B91C0B2137BE2C2C76F57E3ADB7082F3669DECCA85B993C955D36E
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=B272E537F5C6DAF21A0C5042078EFCFD3A02B5C61F698792AAAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=5AF82BD16724069A436E0735229D32F532108A45407EF0DE7CABDADA1F7E39A0
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=61F78D66E675349B8A63B1370E81D2D1AB44BC1D0BB1F988D6AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=04EEE2B60E0C71CC092E13C68C07F3088D66F264A826C23426053C17C2353DED
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=627FAEEEFFFD6E55F371C07A54F785FDA3EE52EBD4092E0CE9AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=65503227CDB04C1A2DCB03D0E5BAFD35A4EBA956E8EBA917B2DF40FB09520092
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: !SGN:BND:VER ONGOING
mysgw: !SGN:VER:FAIL
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:BND:NONCE=32CE07784E14ED2B6D455C2C5C4D83E025185970838C0B743AAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=F04885315D93DB7FC95F3B190D68009055495ECEE698E0ADF6F50292157A8927
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=3DAAB19C10BB3CB8A08CDAACED4BFB385F1EB22AA9F926F940AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=392AB4EAFDE59AC0CC9BE6EE667FC33A69A33E86AD5CB3EC49C6C114722941F5
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=CF101801DA5324E2F66C3B9350E8FC2BCCBD337E3F588EBE2FAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=53795E79C8FE9D599D1A88363F7E2BA607ADBB265E4E99356886B65C3D0A06D0
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL -
Ok i removed Whitelisting and switch is show in Hoem Assistant and works.
pi@raspberrypi:~/MySensors $ sudo ./bin/mysgw -d
mysgw: Starting gateway...
mysgw: Protocol version - 2.2.0
mysgw: MCO:BGN:INIT GW,CP=RPNGLS--,VER=2.2.0
mysgw: SGN:PER:OK
mysgw: SGN:INI:BND OK
mysgw: TSF:LRT:OK
mysgw: TSM:INIT
mysgw: TSF:WUR:MS=0
mysgw: TSM:INIT:TSP OK
mysgw: TSM:INIT:GW MODE
mysgw: TSM:READY:ID=0,PAR=0,DIS=0
mysgw: MCO:REG:NOT NEEDED
mysgw: Listening for connections on 0.0.0.0:5003
mysgw: MCO:BGN:STP
mysgw: MCO:BGN:INIT OK,TSP=1
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:BND:NONCE=44E4127024F4EB1003DCBF3701D8469E4664CC454E2A20A257AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=E1EE2D4046FEF0AEC323AA737A8367A2F290CCEFB7A4663448AD0B155FFD5A74
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=4AD7D9430FA96BBD0B18D4F57480F009BE31C6F3821F182766AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=3AADB41A42B91C0B2137BE2C2C76F57E3ADB7082F3669DECCA85B993C955D36E
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=B272E537F5C6DAF21A0C5042078EFCFD3A02B5C61F698792AAAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=5AF82BD16724069A436E0735229D32F532108A45407EF0DE7CABDADA1F7E39A0
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=61F78D66E675349B8A63B1370E81D2D1AB44BC1D0BB1F988D6AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=04EEE2B60E0C71CC092E13C68C07F3088D66F264A826C23426053C17C2353DED
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=627FAEEEFFFD6E55F371C07A54F785FDA3EE52EBD4092E0CE9AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=65503227CDB04C1A2DCB03D0E5BAFD35A4EBA956E8EBA917B2DF40FB09520092
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: !SGN:BND:VER ONGOING
mysgw: !SGN:VER:FAIL
mysgw: !TSF:MSG:SIGN VERIFY FAIL
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=255,c=3,t=1,pt=0,l=0,sg=1:
mysgw: SGN:BND:NONCE=32CE07784E14ED2B6D455C2C5C4D83E025185970838C0B743AAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=F04885315D93DB7FC95F3B190D68009055495ECEE698E0ADF6F50292157A8927
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:0
mysgw: SGN:BND:NONCE=3DAAB19C10BB3CB8A08CDAACED4BFB385F1EB22AA9F926F940AAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=392AB4EAFDE59AC0CC9BE6EE667FC33A69A33E86AD5CB3EC49C6C114722941F5
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,33-33-0,s=1,c=3,t=16,pt=0,l=0,sg=1:
mysgw: SGN:SKP:MSG CMD=3,TYPE=16
mysgw: SGN:SKP:MSG CMD=3,TYPE=17
mysgw: TSF:MSG:SEND,0-0-33-33,s=255,c=3,t=17,pt=6,l=25,sg=1,ft=0,st=OK:<NONCE>
mysgw: SGN:NCE:XMT,TO=0
mysgw: TSF:MSG:READ,33-33-0,s=1,c=1,t=2,pt=1,l=1,sg=1:1
mysgw: SGN:BND:NONCE=CF101801DA5324E2F66C3B9350E8FC2BCCBD337E3F588EBE2FAAAAAAAAAAAAAA
mysgw: SGN:BND:HMAC=53795E79C8FE9D599D1A88363F7E2BA607ADBB265E4E99356886B65C3D0A06D0
mysgw: SGN:VER:OK
mysgw: TSF:MSG:READ,3-3-0,s=255,c=3,t=1,pt=0,l=0,sg=0:
mysgw: !SGN:VER:NSG
mysgw: !TSF:MSG:SIGN VERIFY FAIL@pepson your gw is configured to require signing from all nodes.
Your node 33 is set up to use signing. Your node 3 is not. Hence messages from node 3 will be rejected by the GW.
Either set up all nodes to use signing or set up weak security on the GW to only require signing from nodes that require it in turn.
This is documented behaviour. Please read the documentation. That is what it is for. -
@pepson I suggest you avoid it. It require good tracking of all serials in your network and is part of the more advanced security mechanisms. And I suspect you will get issues when you add new nodes to your network as you cannot get it to work with just two nodes (you still have not enabled it on your gw). So just avoid whitelisting all together.
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@pepson I suggest you avoid it. It require good tracking of all serials in your network and is part of the more advanced security mechanisms. And I suspect you will get issues when you add new nodes to your network as you cannot get it to work with just two nodes (you still have not enabled it on your gw). So just avoid whitelisting all together.
-
@anticimex
OK but how I can get serial from my Node on Arduino Pro Mini?And when I want use chip AtSHA204A what I must change on my GW and on Node?
Can I build GW on Rpi with this chip AtSHA204A? -
@pepson Please. Read. The. Documentation.
And no, atsha204a is not supported on rPi. Nor does it need to be. -
@anticimex
But still I don't know how read serial number from Node on Arduino Mini Pro when I want use White Listening...@pepson have you read the documentation? Do you understand the concept of personalization? Where have you found information on from where the serial number is obtained?
I will only say this once more: don't use whitelisting unless you know these things. Serial is only used for whitelisting. Don't use something you do not understand.
All your questions so far can be answered by citing the documentation so please read it! -
-
I have my network with NRF24+'s with HW signing. Now, due to performance limitations of the NRF's I'll move to RFM69's which supports encryption.
How can I set encryption in Mysensors? Is it already available? Can I have both signing and Encryption? -
Hi,
I've been a while on MySensors forum, most time as a reader. Read the docs about signing and have a couple of questions - possibly stupid as I might not understand well the docs.- I'd like to ask if the flags --my-signing-weak_security and --my-signing-request-signatures (yes I have RPi gw) are complementary or separate: if I define both, do I get a "weak security" feature or the "request security" is on top of that and only signed messages would be accepted? Or maybe I need to define one of them only depending on security level I want to achieve?
- Whitelisting - many things were said here, I am not planning to use it for now nor anytime for gateway on nodes as I do not find it necessary as gw is not supposed to be compromised, but did a quick test following the @sineverba tutorial and it failed indeed as pepson said. The serial which I provided in sketch in #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {myserial}}} was the one generated by mysgq --gen-soft-serial-key (and then applied by --set-soft-serial-key ofc) - is that correct? I also tried to replace GATEWAY_ADDRESS with 0 and no success. Maybe there are some other steps that I should take (@Anticimex said something like "But I don't see your gw flags specifying it" which I dont understand in this context)
- Is the encryption possible to be enabled only by compiling the gw with --my-rf24-encryption-enabled (for my nrf24) and personalizing gw and node with the same AES key obtained in this docs and by defining the proper flags in sketches on all nodes or is this procedure is more complicated? If this is not the subject for the scope of this thread please tell me I will search more.
Thank you for understanding my possibly dumb questions :) I try my best but I am a beginner iot, but work in IT so not a total newbe in programming or technologies.
-
Hi,
I've been a while on MySensors forum, most time as a reader. Read the docs about signing and have a couple of questions - possibly stupid as I might not understand well the docs.- I'd like to ask if the flags --my-signing-weak_security and --my-signing-request-signatures (yes I have RPi gw) are complementary or separate: if I define both, do I get a "weak security" feature or the "request security" is on top of that and only signed messages would be accepted? Or maybe I need to define one of them only depending on security level I want to achieve?
- Whitelisting - many things were said here, I am not planning to use it for now nor anytime for gateway on nodes as I do not find it necessary as gw is not supposed to be compromised, but did a quick test following the @sineverba tutorial and it failed indeed as pepson said. The serial which I provided in sketch in #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {myserial}}} was the one generated by mysgq --gen-soft-serial-key (and then applied by --set-soft-serial-key ofc) - is that correct? I also tried to replace GATEWAY_ADDRESS with 0 and no success. Maybe there are some other steps that I should take (@Anticimex said something like "But I don't see your gw flags specifying it" which I dont understand in this context)
- Is the encryption possible to be enabled only by compiling the gw with --my-rf24-encryption-enabled (for my nrf24) and personalizing gw and node with the same AES key obtained in this docs and by defining the proper flags in sketches on all nodes or is this procedure is more complicated? If this is not the subject for the scope of this thread please tell me I will search more.
Thank you for understanding my possibly dumb questions :) I try my best but I am a beginner iot, but work in IT so not a total newbe in programming or technologies.
@damian There are no stupid questions on complex matters. Security is a complex matter (unfortunately).
-
The weak security flag allows a node to inform a GW that it no longer require signing. Thus, an attacker might "take over" a node and replace it with a non-secure one possibly without you noticing.
The request signature flag lets a node (or GW) informe a GW (or node) that it require signatures. That allows the other side to understand that it has to sign messages sent to the destination. It is therefore not to be confused with "weak security". It is more a "enable security". -
Writing #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {myserial}}} in a node, tells the node to requrie the GW to salt the signatures with it's serial (that should match the serial you entered in the node).
If the messages fail to verify, it suggests that the GW either has not realized it is expected to salt the signatures, or it uses the wrong serial to do it. Unfortunately I do not have a rPi setup to check this, so any help in troubleshooting that would be appreciated. -
Yes, just make sure to also enable encryption on the node. Also, do notice that ALL nodes on the same network needs to use encryption with the same key.
I hope this clarifies the things a bit :)
-
@damian There are no stupid questions on complex matters. Security is a complex matter (unfortunately).
-
The weak security flag allows a node to inform a GW that it no longer require signing. Thus, an attacker might "take over" a node and replace it with a non-secure one possibly without you noticing.
The request signature flag lets a node (or GW) informe a GW (or node) that it require signatures. That allows the other side to understand that it has to sign messages sent to the destination. It is therefore not to be confused with "weak security". It is more a "enable security". -
Writing #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {myserial}}} in a node, tells the node to requrie the GW to salt the signatures with it's serial (that should match the serial you entered in the node).
If the messages fail to verify, it suggests that the GW either has not realized it is expected to salt the signatures, or it uses the wrong serial to do it. Unfortunately I do not have a rPi setup to check this, so any help in troubleshooting that would be appreciated. -
Yes, just make sure to also enable encryption on the node. Also, do notice that ALL nodes on the same network needs to use encryption with the same key.
I hope this clarifies the things a bit :)
@anticimex thanks for the answer.
- I understand the idea. However, I think I might asked not clear enough. I would like to know how the mysgw daemon would work after the compilation depending on the flags I provide.
I understand that when I compile my gw with only --my-signing-request-signatures it will require all nodes in the network to sign messages. But if I want only some of them to sign messages and some not, do I have to compile the gw with both flags: --my-signing-request-signatures AND --my-signing-weak_security or only: --my-signing-weak_security ? - I think it might be an RPi issue, because the idea and setup seems to be correct. I'll try one day to test it in node-to-node communication or some test serial gw on Arduino. This is not so important to me as the signing itself works fine, just was curious.
- clear, hope it work. In the meantime I found: https://forum.mysensors.org/topic/2005/software-aes-encryption-for-nrf24 which looks worth testing as well. TL;DR carefully yet.
-
