Signing ATSHA Key?


  • Hardware Contributor

    Hello,

    i try to personalized my Nodes. I follow the tut. but i am stuck on this point:

    Execute the sketch on the “master” device to obtain a randomized key. Save this key to a secure location and keep it confidential so that you can retrieve it if you need to personalize more devices later on.

    there can i found the randomized Key? !

    My Output:

    Personalization sketch for MySensors usage.
    -------------------------------------------
    Device revision: 00020009
    Device serial:   {0x01,0x23,0x86,0x59,0x78,0xB5,0xB2,0xC3,0xEE}
    0123865978B5B2C3EE
    Chip configuration:
    EEPROM DATA:
    SOFT_HMAC_KEY | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    SOFT_SERIAL   | FFFFFFFFFFFFFFFFFF
    AES_KEY       | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    ATSHA204A DATA:
               SN[0:1]           |         SN[2:3]           | 01   23 | 86   59   
                              Revnum                         | 00   09   04   00   
                              SN[4:7]                        | 78   B5   B2   C3   
        SN[8]    |  Reserved13   | I2CEnable | Reserved15    | EE | 12 | 00 | 00   
      I2CAddress |  TempOffset   |  OTPmode  | SelectorMode  | C8 | 00 | 55 | 00   
             SlotConfig00        |       SlotConfig01        | 8F   80 | 80   A1   
             SlotConfig02        |       SlotConfig03        | 82   E0 | A3   60   
             SlotConfig04        |       SlotConfig05        | 94   40 | A0   85   
             SlotConfig06        |       SlotConfig07        | 86   40 | 87   07   
             SlotConfig08        |       SlotConfig09        | 0F   00 | 89   F2   
             SlotConfig0A        |       SlotConfig0B        | 8A   7A | 0B   8B   
             SlotConfig0C        |       SlotConfig0D        | 0C   4C | DD   4D   
             SlotConfig0E        |       SlotConfig0F        | C2   42 | AF   8F   
      UseFlag00  | UpdateCount00 | UseFlag01 | UpdateCount01 | FF | 00 | FF | 00   
      UseFlag02  | UpdateCount02 | UseFlag03 | UpdateCount03 | FF | 00 | FF | 00   
      UseFlag04  | UpdateCount04 | UseFlag05 | UpdateCount05 | FF | 00 | FF | 00   
      UseFlag06  | UpdateCount06 | UseFlag07 | UpdateCount07 | FF | 00 | FF | 00   
                          LastKeyUse[0:3]                    | FF   FF   FF   FF   
                          LastKeyUse[4:7]                    | FF   FF   FF   FF   
                          LastKeyUse[8:B]                    | FF   FF   FF   FF   
                          LastKeyUse[C:F]                    | FF   FF   FF   FF   
      UserExtra  |    Selector   | LockValue |  LockConfig   | 00 | 00 | 55 | 55   
    Send SPACE character now to lock the configuration...
    Locking configuration...
    Configuration locked.
    Disable SKIP_KEY_STORAGE to store key.
    Data not locked. Define LOCK_DATA to lock for real.
    --------------------------------
    Personalization is now complete.
    Configuration is LOCKED
    Data is UNLOCKED
    


  • @Takero said:

    Locking configuration...
    Configuration locked.
    Disable SKIP_KEY_STORAGE to store key.
    Data not locked. Define LOCK_DATA to lock for real.

    This is the issue - please edit the sketch and change the lock. it will than generate and store the keys


  • Hardware Contributor

    I just follow the Tutorial:

    Pick a “master” device with serial debug port.
    Set the following sketch configuration of the personalizer:
    Enable LOCK_CONFIGURATION
    Disable LOCK_DATA
    Enable SKIP_KEY_STORAGE
    Disable SKIP_UART_CONFIRMATION
    Disable USER_KEY
    Execute the sketch on the “master” device to obtain a randomized key. Save this key to a secure location and keep it confidential so that you can retrieve it if you need to personalize more devices later on.
    Now reconfigure the sketch with these settings:
    Enable LOCK_CONFIGURATION
    Enable LOCK_DATA (if you are sure you do not need to replace/revoke the key, this is the most secure option to protect from key readout according to Atmel, but they also claim that key is not readable even if data region remains unlocked from the slot we are using)
    Disable SKIP_KEY_STORAGE
    Enable SKIP_UART_CONFIRMATION
    Enable USER_KEY
    Put the saved key in the user_key_data variable.
    Now execute the sketch on all devices you want to personalize with this secret key.
    

    But i dont lock data for now . .

    An other question, it is needed to store this Key in the Gateway too?

    At the moment is my Gateway only set to SOFT_Sign

    I read the Tut many times but some Informations are missing or i dont understood it. My plan is to implement new Nodes, but i want to activate HARD Signing on these Nodes. My Gateway and my Nodes still exisist jet, are only set to handle SoftSign.

    What steps are nessecery to use the new HARD_Sign nodes? Any changes at the Gateway needed?

    Thanks a lot!



  • @Takero

    Personally, I randomly generated the key myself and put it in the sketch.

    Enable SKIP_KEY_STORAGE - this is a reason why it is not saving the key.

    About your other questions. You can mix hard (ATSHA204A) and soft signing no problem. You need to do the same on every node AND GW. Every node AND the GW has to have MySensors V2. The same operation as above you did on the node, you do on the GW - in the sketch there are options for soft signing.



  • Apologies for being brief but typing from the phone is no fun 😧
    Let us know how you get on


  • Hardware Contributor

    No Prob, i hate phone typing too 🙂

    I know it is possible to mix hard and soft. In my way i want to use hand signing only on my new nodes . . . i will not change all nodes yet.

    If i understood you right i have to generate the Key on my node (Lock Data is optional / i dont want to do that).

    Now i have a HARD Signing node, but Sign failed. So in my opinion i have to generate a Key on my GW too?! Right? Use this points, this the Random Key if i generate before?:

    If you do not have the ATSHA204A device and need to generate random keys:
    Enable USE_SOFT_SIGNING

    If you want to review existing EEPROM configuration to determine if anything needs to be updated:
    Make sure to disable any ATSHA204A update features if you use it (enable SKIP_KEY_STORAGE, disable LOCK_CONFIGURATION and LOCK_DATA)
    Disable STORE_SOFT_KEY
    Disable STORE_SOFT_SERIAL
    Disable STORE_AES_KEY

    After this, it it possible to communicate with the "old" Soft_Signing Nodes?



  • @Takero Firstly, using debug for signing is a must to understand what's going on.
    In order to have signing you must have the same key on a node and the GW. For the first time, you can generate it, but later you have to put it in the sketch and use with every node or GW.
    If you do not have it on your GW signing will fail!!!


  • Hardware Contributor

    Thanks! Now i am on the right way 😄

    Finaly i'f got a HMAC_KEY.

    On my Soft_Signing GW i have to enable USE_SOFT_SIGNING and STORE_SOFT_KEY (with the HMAC_KEY) and run the SercurePersonalizer.ino on my GW? Right?



  • After you generated the keys and did your first node, do the following for soft signing:

    Enable USE_SOFT_SIGNING
    Enable LOCK_CONFIGURATION
    Enable STORE_SOFT_KEY - must be the same
    Enable STORE_SOFT_SERIAL - must be individual for each node/GW
    Enable STORE_AES_KEY - must be the same

    Below the options above you have to insert your keys.

    EDIT: just corrected what you should enable



  • @Takero said:

    Thanks! Now i am on the right way 😄

    Finaly i'f got a HMAC_KEY.

    On my Soft_Signing GW i have to enable USE_SOFT_SIGNING and STORE_SOFT_KEY (with the HMAC_KEY) and run the SercurePersonalizer.ino on my GW? Right?

    Yes



  • ATSHA204A and soft signing are very similar in the sketch. You have to enable/disable corresponding options


  • Hardware Contributor

    @alexsh1 Thanks! I will try it later if my doughter is sleeping.


  • Hardware Contributor

    Works 👍



  • I'd like to ask a follow up question to this old topic:

    I have been able to create a set of keys using my GW on a Moteino (16MHz).

    Now I'd like to program the keys into a some nodes. A few of these are running a bare 328p at 1MHz as a battery sensor, but a baudrate of 115k is a bit high. I only get garbage in the serial window, so no checking if the keys are stored properly.
    Wouldn't it be wise to lower the baudrate of that sketch to be able to accomodate slow battery sensors. I have looked to try to do it myself, but was unable to find where.


  • Mod

    @DavidZH I think you can add

    #define MY_BAUD_RATE 9600
    

    before including MySensors.h to set baud rate to 9600bps (change to even lower if you need to)



  • I had already tried that (I just did again, to be absolutely certain) but even at 4800 I still get garbage. I know 9600 baud works because of a test I had running before I tried the personalization sketch. I added the
    #define MY_BAUD_RATE 4800 before the inclusion of the MySensors.h file.


  • Mod



  • Thanks a bunch! That did it! I always forget to use the "find" when I'm doing things like this. And the serial.begin was in line 881, I didn't expect it to be that far down.


  • Mod

    @DavidZH great, thanks for verifying! I have created an issue on github https://github.com/mysensors/MySensors/issues/758


 

326
Online

7.7k
Users

8.6k
Topics

92.4k
Posts