Soft Signing vs. the hardware ATSHA
-
Hi there,
I have recently studied the MySensors signing library and found it quite interesting. It might be helpful to build a secure, remote controlled garage door opener (the old one suffers from lack of RF range).
However I dont know if I should buy one of these ATSHA chips or just use the software library.
As far as I understood, the advantage of the ATSHA is, that it provides a secure vault for the private key, as well as a unique serial number and hardware RNG. Plus all the SHA operations are executed on the chip, so the private key never leaves the ATSHA during operation.So if nobody gets access to the MySensor device without breaking into my property, nobody can stole the private key anyway, even if it is stored unencrypted on an AVR EEPROM and could simply be dumped by an attacker. Thus an ATSHA would be pointless, if the device is operated in a safe location, am I right?
Then lets talk about MySensor nodes that might get stolen, for example a remote control for the above mentioned garage door.
If an attacker gets one of these nodes with the private key stored inside, he could steal it and create his own signed messages for my network. However, even if this remote would have an ATSHA inside, he could still make use of that chip and sign messages with it
This could of course be prohibited with node whitelisting, but that would work with the Soft Signing method as well - just remove the serial number of the lost node from the gateway and an attacker cant do anything with the stolen key.
The only attack I can think of, that can be prohibited by the ATSHA, is the brute-forcing of serial numbers with a known private key. But that would probably take a very long time. Plus if you change both the serial number and private key in your system after a lost device, that wouldnt work, too.So my question is whether using an ATSHA chip is worth the effort and really gives you extra security.
Thanks for your answers
ThetaDev -
Hi there,
I have recently studied the MySensors signing library and found it quite interesting. It might be helpful to build a secure, remote controlled garage door opener (the old one suffers from lack of RF range).
However I dont know if I should buy one of these ATSHA chips or just use the software library.
As far as I understood, the advantage of the ATSHA is, that it provides a secure vault for the private key, as well as a unique serial number and hardware RNG. Plus all the SHA operations are executed on the chip, so the private key never leaves the ATSHA during operation.So if nobody gets access to the MySensor device without breaking into my property, nobody can stole the private key anyway, even if it is stored unencrypted on an AVR EEPROM and could simply be dumped by an attacker. Thus an ATSHA would be pointless, if the device is operated in a safe location, am I right?
Then lets talk about MySensor nodes that might get stolen, for example a remote control for the above mentioned garage door.
If an attacker gets one of these nodes with the private key stored inside, he could steal it and create his own signed messages for my network. However, even if this remote would have an ATSHA inside, he could still make use of that chip and sign messages with it
This could of course be prohibited with node whitelisting, but that would work with the Soft Signing method as well - just remove the serial number of the lost node from the gateway and an attacker cant do anything with the stolen key.
The only attack I can think of, that can be prohibited by the ATSHA, is the brute-forcing of serial numbers with a known private key. But that would probably take a very long time. Plus if you change both the serial number and private key in your system after a lost device, that wouldnt work, too.So my question is whether using an ATSHA chip is worth the effort and really gives you extra security.
Thanks for your answers
ThetaDev@ThetaDev Hi, you are correct in your assumptions. It basically comes down to where you place your nodes and how much effort it would take to replace the hmac key on your network, if it was compromised.
As for the future, atsha204 based security will be obsolete in mysensors v3 (unless you plan to keep using atmga328p based devices).
More powerful chips give us the possibility to use better security schemes. -
Hi there,
I have recently studied the MySensors signing library and found it quite interesting. It might be helpful to build a secure, remote controlled garage door opener (the old one suffers from lack of RF range).
However I dont know if I should buy one of these ATSHA chips or just use the software library.
As far as I understood, the advantage of the ATSHA is, that it provides a secure vault for the private key, as well as a unique serial number and hardware RNG. Plus all the SHA operations are executed on the chip, so the private key never leaves the ATSHA during operation.So if nobody gets access to the MySensor device without breaking into my property, nobody can stole the private key anyway, even if it is stored unencrypted on an AVR EEPROM and could simply be dumped by an attacker. Thus an ATSHA would be pointless, if the device is operated in a safe location, am I right?
Then lets talk about MySensor nodes that might get stolen, for example a remote control for the above mentioned garage door.
If an attacker gets one of these nodes with the private key stored inside, he could steal it and create his own signed messages for my network. However, even if this remote would have an ATSHA inside, he could still make use of that chip and sign messages with it
This could of course be prohibited with node whitelisting, but that would work with the Soft Signing method as well - just remove the serial number of the lost node from the gateway and an attacker cant do anything with the stolen key.
The only attack I can think of, that can be prohibited by the ATSHA, is the brute-forcing of serial numbers with a known private key. But that would probably take a very long time. Plus if you change both the serial number and private key in your system after a lost device, that wouldnt work, too.So my question is whether using an ATSHA chip is worth the effort and really gives you extra security.
Thanks for your answers
ThetaDev -
@ThetaDev Hi, you are correct in your assumptions. It basically comes down to where you place your nodes and how much effort it would take to replace the hmac key on your network, if it was compromised.
As for the future, atsha204 based security will be obsolete in mysensors v3 (unless you plan to keep using atmga328p based devices).
More powerful chips give us the possibility to use better security schemes.@Anticimex said in Soft Signing vs. the hardware ATSHA:
As for the future, atsha204 based security will be obsolete in mysensors v3 (unless you plan to keep using atmga328p based devices).
More powerful chips give us the possibility to use better security schemes.What mpu's other than the atmega328p does version 3 envision might be used?
-
@Anticimex said in Soft Signing vs. the hardware ATSHA:
As for the future, atsha204 based security will be obsolete in mysensors v3 (unless you plan to keep using atmga328p based devices).
More powerful chips give us the possibility to use better security schemes.What mpu's other than the atmega328p does version 3 envision might be used?
-
@NeverDie Not much different than we already support right now. So there are plenty (nrf5, SAMD, ESP, etc).
@Anticimex Do you happen to know whether the nrf5 has this sort of capability built into it already? It's already so integrated that it would be great if it did.
-
@Anticimex Do you happen to know whether the nrf5 has this sort of capability built into it already? It's already so integrated that it would be great if it did.
@NeverDie What sort of capability?
We are completely rethinking security for v3, and it will be a cross-device compatible format. However, atmega328p is too resource limited to be able to handle this in a good way, so we will not support that particular chip-set. The legacy signing options will remain for those devices. -
So what would be the microcontroller of choice for MySensors V3?
Using an ESP or NRF5 would be useless if you dont need WIFI or bluetooth (which isnt much use for home automation anyway, because bluetooth has a low range and wifi is a power hog).
Maybe the new 32bit ARM stuff?
-
So what would be the microcontroller of choice for MySensors V3?
Using an ESP or NRF5 would be useless if you dont need WIFI or bluetooth (which isnt much use for home automation anyway, because bluetooth has a low range and wifi is a power hog).
Maybe the new 32bit ARM stuff?
@ThetaDev There is no recommended one, since it is totally up to you and your specific needs. What we aim for from a security point of view (and this thread is dealing with that, and not general v3 discussions) is a solution that is device independent (to some extent, it does put requirements on memory and performance, hence the support for atmega328p is dropped from this new security feature).
It will be HW independent in the sense that it won't support any specific security devices, like the ATSHA. It will be a purely software implemented feature. It may leverage chipset features, such as RNGs or HW accelerated calculators though. -
And if it is still undesirable there is always the samd which the SenseBender gateway is based on. Then you get the same freedom of choice as with a atmega since the radio is not built in.
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
And if it is still undesirable there is always the samd which the SenseBender gateway is based on. Then you get the same freedom of choice as with a atmega since the radio is not built in.
@Anticimex said in Soft Signing vs. the hardware ATSHA:
Then you get the same freedom of choice
Actually you still have freedom of choice with the nRF5. You can use its mpu to control other radios, just as you would with an atmega. You could either ignore its existing radio, or you could have a node with two different kinds of radios (i.e. built-in plus add-on). That's the beauty of it. You can learn just one mpu and be done.
-
@Anticimex said in Soft Signing vs. the hardware ATSHA:
Then you get the same freedom of choice
Actually you still have freedom of choice with the nRF5. You can use its mpu to control other radios, just as you would with an atmega. You could either ignore its existing radio, or you could have a node with two different kinds of radios (i.e. built-in plus add-on). That's the beauty of it. You can learn just one mpu and be done.
@NeverDie yes of course. Just seem a bit excessive to drag in a complicated chip if you don't intend to use all of it. Especially for battery powered applications.
But from a security point of view (again, which is what this thread is all about) it does not matter what chip you stick to. But if you want to use the "next level" security, don't expect it to support atmga328p.Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@NeverDie yes of course. Just seem a bit excessive to drag in a complicated chip if you don't intend to use all of it. Especially for battery powered applications.
But from a security point of view (again, which is what this thread is all about) it does not matter what chip you stick to. But if you want to use the "next level" security, don't expect it to support atmga328p.@Anticimex So, to sum it up, will the "next level" be doing all the security inside a more more advanced mpu, or do you envision it will still involve the use of external chips, like the ATSHA chip or similar?
-
@Anticimex So, to sum it up, will the "next level" be doing all the security inside a more more advanced mpu, or do you envision it will still involve the use of external chips, like the ATSHA chip or similar?
