Signing ATSHA Key?
-
Hello,
I am trying to personalize my nodes. I followed the tutorial but I am stuck on this point:
* Execute the sketch on the “master” device to obtain a randomized key. Save this key to a secure location and keep it confidential so that you can retrieve it if you need to personalize more devices later on.
Where can I find the randomized key?!
My Output:
Personalization sketch for MySensors usage.
-------------------------------------------
Device revision: 00020009
Device serial: {0x01,0x23,0x86,0x59,0x78,0xB5,0xB2,0xC3,0xEE} 0123865978B5B2C3EE
Chip configuration:
EEPROM DATA:
SOFT_HMAC_KEY | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
SOFT_SERIAL | FFFFFFFFFFFFFFFFFF
AES_KEY | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
ATSHA204A DATA:
SN[0:1] | SN[2:3]
01 23 | 86 59
Revnum | 00 09 04 00
SN[4:7] | 78 B5 B2 C3
SN[8] | Reserved13 | I2CEnable | Reserved15
EE | 12 | 00 | 00
I2CAddress | TempOffset | OTPmode | SelectorMode
C8 | 00 | 55 | 00
SlotConfig00 | SlotConfig01
8F 80 | 80 A1
SlotConfig02 | SlotConfig03
82 E0 | A3 60
SlotConfig04 | SlotConfig05
94 40 | A0 85
SlotConfig06 | SlotConfig07
86 40 | 87 07
SlotConfig08 | SlotConfig09
0F 00 | 89 F2
SlotConfig0A | SlotConfig0B
8A 7A | 0B 8B
SlotConfig0C | SlotConfig0D
0C 4C | DD 4D
SlotConfig0E | SlotConfig0F
C2 42 | AF 8F
UseFlag00 | UpdateCount00 | UseFlag01 | UpdateCount01
FF | 00 | FF | 00
UseFlag02 | UpdateCount02 | UseFlag03 | UpdateCount03
FF | 00 | FF | 00
UseFlag04 | UpdateCount04 | UseFlag05 | UpdateCount05
FF | 00 | FF | 00
UseFlag06 | UpdateCount06 | UseFlag07 | UpdateCount07
FF | 00 | FF | 00
LastKeyUse[0:3] | FF FF FF FF
LastKeyUse[4:7] | FF FF FF FF
LastKeyUse[8:B] | FF FF FF FF
LastKeyUse[C:F] | FF FF FF FF
UserExtra | Selector | LockValue | LockConfig
00 | 00 | 55 | 55
Send SPACE character now to lock the configuration...
Locking configuration...
Configuration locked.
Disable SKIP_KEY_STORAGE to store key.
Data not locked. Define LOCK_DATA to lock for real.
--------------------------------
Personalization is now complete.
Configuration is LOCKED
Data is UNLOCKED
-
@Takero said:
Locking configuration...
Configuration locked.
Disable SKIP_KEY_STORAGE to store key.
Data not locked. Define LOCK_DATA to lock for real.
This is the issue - please edit the sketch and change the lock. It will then generate and store the keys.
-
I just followed the tutorial:
Pick a “master” device with serial debug port. Set the following sketch configuration of the personalizer:
Enable LOCK_CONFIGURATION
Disable LOCK_DATA
Enable SKIP_KEY_STORAGE
Disable SKIP_UART_CONFIRMATION
Disable USER_KEY
Execute the sketch on the “master” device to obtain a randomized key. Save this key to a secure location and keep it confidential so that you can retrieve it if you need to personalize more devices later on.
Now reconfigure the sketch with these settings:
Enable LOCK_CONFIGURATION
Enable LOCK_DATA (if you are sure you do not need to replace/revoke the key, this is the most secure option to protect from key readout according to Atmel, but they also claim that the key is not readable even if the data region remains unlocked for the slot we are using)
Disable SKIP_KEY_STORAGE
Enable SKIP_UART_CONFIRMATION
Enable USER_KEY
Put the saved key in the user_key_data variable. Now execute the sketch on all devices you want to personalize with this secret key.
But I don't lock data for now.
Another question: is it necessary to store this key in the gateway too?
At the moment my gateway is only set to SOFT_Sign.
I read the tutorial many times but some information is missing or I did not understand it. My plan is to implement new nodes, but I want to activate HARD signing on these nodes. My gateway and my nodes already exist and are only set to handle SoftSign.
What steps are necessary to use the new HARD_Sign nodes? Are any changes at the gateway needed?
Thanks a lot!
-
Personally, I randomly generated the key myself and put it in the sketch.
Enable SKIP_KEY_STORAGE - this is the reason why it is not saving the key.
About your other questions. You can mix hard (ATSHA204A) and soft signing, no problem. You need to do the same on every node AND GW. Every node AND the GW has to have MySensors V2. The same operation you did on the node above, you do on the GW - in the sketch there are options for soft signing.
-
Apologies for being brief but typing from the phone is no fun
Let us know how you get on
-
No problem, I hate phone typing too.
I know it is possible to mix hard and soft. In my case I want to use hard signing only on my new nodes . . . I will not change all nodes yet.
If I understood you right I have to generate the key on my node (Lock Data is optional / I don't want to do that).
Now I have a HARD signing node, but signing failed. So in my opinion I have to generate a key on my GW too?! Right? Use these points, with the random key I generated before?:
If you do not have the ATSHA204A device and need to generate random keys:
Enable USE_SOFT_SIGNING
If you want to review existing EEPROM configuration to determine if anything needs to be updated:
Make sure to disable any ATSHA204A update features if you use it (enable SKIP_KEY_STORAGE, disable LOCK_CONFIGURATION and LOCK_DATA)
Disable STORE_SOFT_KEY
Disable STORE_SOFT_SERIAL
Disable STORE_AES_KEY
After this, is it possible to communicate with the "old" Soft_Signing nodes?
-
@Takero Firstly, using debug for signing is a must to understand what's going on.
In order to have signing you must have the same key on a node and the GW. For the first time, you can generate it, but later you have to put it in the sketch and use it with every node or GW.
If you do not have it on your GW signing will fail!!!
-
Thanks! Now I am on the right track.
Finally I've got an HMAC_KEY.
On my Soft_Signing GW I have to enable USE_SOFT_SIGNING and STORE_SOFT_KEY (with the HMAC_KEY) and run the SecurityPersonalizer.ino on my GW? Right?
-
After you generated the keys and did your first node, do the following for soft signing:
Enable USE_SOFT_SIGNING
Enable LOCK_CONFIGURATION
Enable STORE_SOFT_KEY - must be the same
Enable STORE_SOFT_SERIAL - must be individual for each node/GW
Enable STORE_AES_KEY - must be the same
Below the options above you have to insert your keys.
EDIT: just corrected what you should enable
-
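The two provisioning rules stated in the replies above (the HMAC key must be identical on the GW and every node, or signing fails; the soft serial must be individual per device) are easy to get wrong by hand, so here is an added example that models them. This is not code from the MySensors project or from anyone in this thread. Labelled assumption: the real signing code builds the HMAC input in the layout of the ATSHA204A HMAC command (which soft signing emulates); this example simplifies that to HMAC-SHA256(key, nonce || message). Key lengths follow the EEPROM fields the personalizer prints (32-byte SOFT_HMAC_KEY, 9-byte SOFT_SERIAL, 16-byte AES_KEY), and the array literal style follows the `{0x01,0x23,...}` form it prints for the device serial.

```python
"""Added example, not code from the MySensors project or this thread.

Models: one shared HMAC key and AES key for the whole network, one unique
soft serial per device, and nonce-based HMAC verification that fails when
the GW holds a different key. ASSUMPTION: the real HMAC input layout follows
the ATSHA204A HMAC command; here it is simplified to nonce || message.
"""
import hashlib
import hmac
import secrets

HMAC_KEY_LEN = 32  # SOFT_HMAC_KEY / ATSHA204A key slot
SERIAL_LEN = 9     # SOFT_SERIAL, same size as the ATSHA204A serial number
AES_KEY_LEN = 16   # AES_KEY (AES-128)
NONCE_LEN = 32


def to_c_array(data: bytes) -> str:
    """Format bytes as the C initializer pasted into the sketch (user_key_data style)."""
    return "{" + ",".join(f"0x{b:02X}" for b in data) + "}"


def generate_network_secrets() -> tuple[bytes, bytes]:
    """Generate ONCE per network and keep offline: shared HMAC key and AES key."""
    return secrets.token_bytes(HMAC_KEY_LEN), secrets.token_bytes(AES_KEY_LEN)


def generate_soft_serial() -> bytes:
    """Generate per DEVICE: every soft-signing node and the GW need their own."""
    return secrets.token_bytes(SERIAL_LEN)


def sign(hmac_key: bytes, nonce: bytes, message: bytes) -> bytes:
    return hmac.new(hmac_key, nonce + message, hashlib.sha256).digest()


def verify(hmac_key: bytes, nonce: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(hmac_key, nonce, message), sig)


def exchange(node_key: bytes, gw_key: bytes, message: bytes) -> bool:
    """One signed message: the receiver (GW) issues a fresh nonce, the node
    signs with its key, the GW verifies with its own key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return verify(gw_key, nonce, message, sign(node_key, nonce, message))


def replay_rejected(hmac_key: bytes, message: bytes) -> bool:
    """A signature captured under one nonce must not verify under the next."""
    old_nonce, new_nonce = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    captured = sign(hmac_key, old_nonce, message)
    return not verify(hmac_key, new_nonce, message, captured)


def check_provisioning(devices: dict[str, dict[str, bytes]]) -> list[str]:
    """Report plan errors: differing HMAC/AES keys, duplicated or wrong-size serials."""
    problems = []
    if len({d["hmac_key"] for d in devices.values()}) != 1:
        problems.append("HMAC key differs between devices; signing will fail")
    if len({d["aes_key"] for d in devices.values()}) != 1:
        problems.append("AES key differs between devices")
    seen: dict[bytes, str] = {}
    for name, d in devices.items():
        if len(d["serial"]) != SERIAL_LEN:
            problems.append(f"{name}: serial must be {SERIAL_LEN} bytes")
        if d["serial"] in seen:
            problems.append(f"{name}: serial duplicates {seen[d['serial']]}")
        seen.setdefault(d["serial"], name)
    return problems


def demo() -> dict[str, object]:
    hmac_key, aes_key = generate_network_secrets()
    other_key, _ = generate_network_secrets()   # a GW that never received the key
    msg = b"1;0;1;0;0;23.5"                     # constructed sample payload
    plan = {
        "gw":    {"hmac_key": hmac_key, "aes_key": aes_key, "serial": generate_soft_serial()},
        "node1": {"hmac_key": hmac_key, "aes_key": aes_key, "serial": generate_soft_serial()},
    }
    return {
        "user_key_data": to_c_array(hmac_key),
        "same_key_verifies": exchange(hmac_key, hmac_key, msg),
        "gw_without_key_verifies": exchange(hmac_key, other_key, msg),
        "replay_rejected": replay_rejected(hmac_key, msg),
        "plan_problems": check_provisioning(plan),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it once to get the `user_key_data` literal for the sketch, then run `check_provisioning` over the plan for every device before flashing; `gw_without_key_verifies` coming back False is exactly the "signing failed" case from the thread.
-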
@Takero said:
Thanks! Now I am on the right track.
Finally I've got an HMAC_KEY.
On my Soft_Signing GW I have to enable USE_SOFT_SIGNING and STORE_SOFT_KEY (with the HMAC_KEY) and run the SecurityPersonalizer.ino on my GW? Right?
Yes
-
ATSHA204A and soft signing are very similar in the sketch. You have to enable/disable corresponding options
-
@alexsh1 Thanks! I will try it later when my daughter is sleeping.
-
Works
-
I'd like to ask a follow up question to this old topic:
I have been able to create a set of keys using my GW on a Moteino (16MHz).
Now I'd like to program the keys into some nodes. A few of these are running a bare 328p at 1MHz as a battery sensor, but a baud rate of 115k is a bit high. I only get garbage in the serial window, so no checking if the keys are stored properly.
Wouldn't it be wise to lower the baud rate of that sketch to be able to accommodate slow battery sensors? I have looked to try to do it myself, but was unable to find where.
-
@DavidZH I think you can add
#define MY_BAUD_RATE 9600
before including MySensors.h to set baud rate to 9600bps (change to even lower if you need to)
-
I had already tried that (I just did again, to be absolutely certain) but even at 4800 I still get garbage. I know 9600 baud works because of a test I had running before I tried the personalization sketch. I added the
#define MY_BAUD_RATE 4800
before the inclusion of the MySensors.h file.
-
@DavidZH 115200 seems to be hardcoded in the sketch. Try changing it. Search for 115200 https://github.com/mysensors/MySensors/blob/8e1ef13804f2737079298c63bd0d8aa7b82e7f73/examples/SecurityPersonalizer/SecurityPersonalizer.ino#L717
-
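Why the hard-coded 115200 prints garbage at 1 MHz but 9600 or 4800 work is a divisor-rounding problem, and it is worth checking before flashing a slow battery node. The block below is an added example, not code from the thread or from the MySensors or Arduino sources. Labelled assumption: it reproduces from memory the divisor selection of the Arduino AVR core's HardwareSerial (double-speed U2X mode first, falling back to normal mode for the 16 MHz/57600 special case or when the divisor would not fit in 12 bits); the 3% per-side error threshold is a rule of thumb of mine, not a value from either project.

```python
"""Added example, not from the thread or the MySensors/Arduino sources.

ASSUMPTION: the divisor selection below reproduces the Arduino AVR core's
HardwareSerial::begin() from memory (try U2X, fall back when needed); the
usability threshold is a rule of thumb.
"""


def avr_baud_setting(f_cpu: int, baud: int) -> tuple[int, bool, float, float]:
    """Return (ubrr, u2x, actual_baud, error_percent) for an AVR USART."""
    u2x = True
    ubrr = (f_cpu // 4 // baud - 1) // 2          # double-speed mode divisor
    if (f_cpu == 16_000_000 and baud == 57600) or ubrr > 4095:
        u2x = False
        ubrr = (f_cpu // 8 // baud - 1) // 2      # normal-speed mode divisor
    divisor = 8 if u2x else 16
    actual = f_cpu / (divisor * (ubrr + 1))
    error_pct = (actual - baud) / baud * 100
    return ubrr, u2x, actual, error_pct


def baud_is_usable(f_cpu: int, baud: int, max_error_pct: float = 3.0) -> bool:
    """Rule of thumb: keep each side's rate error within ~3% so the
    combined error of both ends stays under the UART sampling margin."""
    return abs(avr_baud_setting(f_cpu, baud)[3]) <= max_error_pct


def report(f_cpu: int, rates=(115200, 57600, 9600, 4800)) -> dict[int, bool]:
    """Usability of each candidate MY_BAUD_RATE at a given clock."""
    return {baud: baud_is_usable(f_cpu, baud) for baud in rates}


if __name__ == "__main__":
    for clock in (16_000_000, 8_000_000, 1_000_000):
        for baud in (115200, 9600, 4800):
            ubrr, u2x, actual, err = avr_baud_setting(clock, baud)
            print(f"{clock//1_000_000:>2} MHz @ {baud:>6}: UBRR={ubrr:<4} U2X={u2x!s:<5} "
                  f"actual={actual:9.1f} error={err:+.2f}%")
```

At 1 MHz the 115200 divisor rounds down to UBRR=0, so the USART actually runs at 125000 baud (8.5% off), which is the garbage seen in the serial window; 9600 and 4800 land within 0.2% and work, so changing the sketch's hard-coded `Serial.begin(115200)` is the only fix on such a node.
-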
Thanks a bunch! That did it! I always forget to use "find" when I'm doing things like this. And the
serial.begin
was on line 881; I didn't expect it to be that far down.
-
@DavidZH great, thanks for verifying! I have created an issue on github https://github.com/mysensors/MySensors/issues/758