/* * The MySensors Arduino library handles the wireless radio link and protocol * between your home built sensors/actuators and HA controller of choice. * The sensors forms a self healing radio network with optional repeaters. Each * repeater and gateway builds a routing tables in EEPROM which keeps track of the * network topology allowing messages to be routed to nodes. * * Created by Henrik Ekblad * Copyright (C) 2013-2018 Sensnology AB * Full contributor list: https://github.com/mysensors/MySensors/graphs/contributors * * Documentation: http://www.mysensors.org * Support Forum: http://forum.mysensors.org * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * version 2 as published by the Free Software Foundation. */ /** * @defgroup MySigninggrpPub Message signing * @ingroup publics * @{ * * @brief The message signing infrastructure provides message authenticity to users by signing * MySensors messages. * * Signing support created by Patrick "Anticimex" Fallberg. * * @section MySigninggrptoc Table of contents * * @ref MySigninggrphowuse
* @ref MySigningwhitelisting
* @ref MySigninglimitations
* @ref MySigningusecases
* @ref MySigningtechnical
* @ref MySigninggrpbackground
* @ref MySigninggrphow
* @ref MySigninggrpencryption
* * @section MySigninggrphowuse How to use this * * Before we begin with the details, I just want to emphasize that signing is completely optional * and not enabled by default. * * If you do want the additional security layer signing provides, you pick the backend of your * choice in your sketch. Currently, two compatible backends are supported; @ref MY_SIGNING_ATSHA204 * (hardware backed) and @ref MY_SIGNING_SOFT (software backed). There also exist a simplified * variant (@ref MY_SIGNING_SIMPLE_PASSWD) of the software backend which only require one setting * to activate. * * If you use hardware backed signing, then connect the device as follows: * @image html MySigning/wiring.png * @note The pull-up resistor is optional but recommended. * @note If you change the default pin (A3) make sure you use a pin that supports input/output * (ex. A6 & A7 on a Pro Mini are input only pins). * * To use signing, you need to perform three major steps which are described below. * * Firstly, you need to make sure to pick a backend to use. * @code{.cpp} * //#define MY_SIGNING_SOFT * //#define MY_SIGNING_SIMPLE_PASSWD * #define MY_SIGNING_ATSHA204 * #include * ... * @endcode * Make sure to set the define before the inclusion of MySensors.h. * It is ok to mix @ref MY_SIGNING_SOFT and @ref MY_SIGNING_ATSHA204 in a network. * They are fully compatible. It is however not recommended to use @ref MY_SIGNING_SOFT on nodes * that are publicly accessible (more on that later). * * If you use @ref MY_SIGNING_SOFT or @ref MY_SIGNING_ATSHA204 you also need to decide if the node * (or gateway) in question require messages to be signed in addition to the ability to generate * signatures for other nodes. * This has to be set by at least one of the nodes in a "pair" or nobody will actually start * calculating a signature for a message. * Just set the flag @ref MY_SIGNING_REQUEST_SIGNATURES and the node will inform the gateway that it * expects the gateway to sign all messages sent to the node. Note that when set in a gateway, the * gateway will require ALL nodes in the network to sign messages. * If this behaviour is undesired, enable the flag @ref MY_SIGNING_WEAK_SECURITY which will allow * the gateway to only require signatures from nodes that in turn require signatures. It will also * allow the gateway (and all nodes) to "downgrade" security by clearing the signing/whitelisting * requirements (whitelisting is described later on in the @ref MySigningwhitelisting section) in * the EEPROM if a node presents itself as not having any security requirements. * If @ref MY_SIGNING_WEAK_SECURITY is not set, any node that has presented itself with * signing/whitelisting requirements will be permanently marked as such by the receiver * (typically the gateway). The only way then to reset/revert this requirement is to clear the * EEPROM at the receiver (or disable @ref MY_SIGNING_REQUEST_SIGNATURES, but the preference will be * remembered if the request flag is re-enabled before EEPROM is cleared).
* If you want to have two nodes communicate securely directly with each other, the nodes that * require signatures must send a presentation message to all nodes it expect signed messages from * (only the gateway is informed automatically). See @ref signerPresentation().
* A node can have three "states" with respect to signing: * 1. Node does not support signing in any way (neither @ref MY_SIGNING_ATSHA204, * @ref MY_SIGNING_SOFT nor @ref MY_SIGNING_SIMPLE_PASSWD is set) * 2. Node does support signing but don't require messages sent to it to be signed (neither * @ref MY_SIGNING_REQUEST_SIGNATURES nor @ref MY_SIGNING_SIMPLE_PASSWD is set) * 3. Node does support signing and require messages sent to it to be signed (@ref * MY_SIGNING_SOFT or @ref MY_SIGNING_ATSHA204 together with @ref MY_SIGNING_REQUEST_SIGNATURES or * @ref MY_SIGNING_SIMPLE_PASSWD are set) * * Secondly, you need to verify the configuration for the backend.
* For hardware backed signing it is the pin the device is connected to. In MyConfig.h there are * defaults which you might need to adjust to match your personal build. The setting is defined * using @ref MY_SIGNING_ATSHA204_PIN.
* If you use an official MySensors board (like the SenseBender GW) you do not need to set the pin, * this is configured automatically by the Arduino board definition files. * * Similar to picking your backend, this can also be set in your sketch: * @code{.cpp} * #define MY_SIGNING_ATSHA204 * #define MY_SIGNING_ATSHA204_PIN 4 * #define MY_SIGNING_REQUEST_SIGNATURES * #include * ... * @endcode * For the software backed signing backend, an unconnected analog pin is required on boards that * does not provide a hardware based random generator unit to set a random seed for the * pseudo-random generator. * It is important that the pin is floating, or the output of the pseudo-random generator will be * predictable, and thus compromise the signatures. The setting is defined using * @ref MY_SIGNING_SOFT_RANDOMSEED_PIN. The same configuration possibilities exist as with the other * configuration options. * * @code{.cpp} * #define MY_SIGNING_SOFT * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 * #define MY_SIGNING_REQUEST_SIGNATURES * #include * ... * @endcode * * An example of a node that require signatures is available in @ref SecureActuator.ino. * * Thirdly, if you use a signing backend and you don't use @ref MY_SIGNING_SIMPLE_PASSWD, you * need to personalize the node. * * @anchor personalization If you use the ATSHA204A (@ref MY_SIGNING_ATSHA204), before any signing * operations can be done, the device needs to be personalized. * This can be a daunting process as it involves irreversibly writing configurations to the device, * which cannot be undone. I have however tried to simplify the process as much as possibly by * creating a helper-sketch specifically for this purpose in @ref SecurityPersonalizer.ino * Note that you also need to do personalization for @ref MY_SIGNING_SOFT, but then the values are * stored in EEPROM. * * To personalize a ATSHA204A do the following procedure: * 1. Enable @ref GENERATE_KEYS_ATSHA204A
* This will lock the ATSHA204A and generate random keys for HMAC (signing) and %AES (encryption). * Copy the keys generated and replace the corresponding definitions under * "User defined key data", specifically @ref MY_HMAC_KEY and @ref MY_AES_KEY. * 2. Disable @ref GENERATE_KEYS_ATSHA204A and enable @ref PERSONALIZE_ATSHA204A
* This will store the HMAC key to the ATSHA204A and the %AES key to EEPROM. It will also write * a checksum of the personalization data in EEPROM to be able to detect if the data is * altered.
* Personalization is now complete. * * To personalize for software signing do the following procedure: * 1. Enable @ref GENERATE_KEYS_SOFT
* This will generate random keys for HMAC (signing) and %AES (encryption). * Copy the keys generated and replace the corresponding definitions under * "User defined key data", specifically @ref MY_HMAC_KEY and @ref MY_AES_KEY. * 2. Disable @ref GENERATE_KEYS_SOFT and enable @ref PERSONALIZE_SOFT
* This will store the HMAC key and the %AES key to EEPROM. It will also write * a checksum of the personalization data in EEPROM to be able to detect if the data is * altered.
* Personalization is now complete. * * If you want to use soft signing and you want to use whitelisting (the ability to revoke/ban * compromised nodes in the network) and your target does not provide a unique device ID, you have * to generate a unique serial and store it in EEPROM. This can be done by replacing * @ref PERSONALIZE_SOFT in step 2 above with @ref PERSONALIZE_SOFT_RANDOM_SERIAL. See the output * under "Hardware security peripherals" to determine if this is necessary. * * When you have personalized your first device after step 2 above, you can run the same sketch on * all devices in your network that needs to be personalized in a compatible manner. Pick * @ref PERSONALIZE_ATSHA204A or @ref PERSONALIZE_SOFT as needed by the hardware. When the * personalization has finished, you just program the sketch you plan to use (with the appropriate * signing flags set). * * If you are using a Raspberry PI-based gateway, personalizaion is done slightly differently: * 1. Generate keys, execute @c mysgw with arguments * * To generate HMAC key @verbatim --gen-soft-hmac-key @endverbatim * * To generate %AES key @verbatim --gen-aes-key @endverbatim * * To generate a soft serial number @verbatim --gen-soft-serial @endverbatim * 2. Update the gateway config file with the generated keys/valeus * * For HMAC key @verbatim soft_hmac_key= @endverbatim * * For %AES key @verbatim aes_key= @endverbatim * * For soft serial number @verbatim soft_serial_key= @endverbatim * * You are now set and ready to use message signing in your network. * As of now, the following restrictions will be applied to your nodes: * * If a node does require signing, any unsigned message sent to the node will be rejected. * This also applies to the gateway. * * Your radio communication quality is expected to work fine (if any NACK happen on a signing * related message, it will fail, and enabling signing will put maximum strain on your RF link as * maximum sized packets are transmitted in the network). See @ref MySigningTroubleshootinggrp. * * All nodes and gateways in a network maintain a table where the signing preferences of all nodes * are stored. This is also stored in EEPROM so if a node or gateway reboots, the other nodes does * not have to retransmit a signing presentation to the node for the node to start expecting signed * messages from other nodes.
* * By default, the signing preferences are not "downgradeable". That is, any node that at any * point in time has indicated a signing requirement will not be able to revert this requirement at * the receiving end (except by manual erase of the EEPROM).
* If you for some reason need to be able to downgrade the security requirements, you can set * @ref MY_SIGNING_WEAK_SECURITY at the receiver to allow it to downgrade the security expectations * of the node in question.
* You then need to reset your transmitting node, to force it to transmit updated signing * preferences. * * @section MySigningwhitelisting Whitelisting and node revocation * * Consider the situation when you have set up your secure topology. We use the remotely operated * garage door as an example: * * You have a node inside your garage (considered physically inaccessible) that controls your * garage door motor.
* This node requires signing since you do not want an unauthorized person sending it orders to * open the door. * * You have a keyfob node with a signing backend that uses the same PSK as your door opener node. * * In this setup, your keyfob can securely transmit messages to your door node since the keyfob will * sign the messages it sends and the door node will verify that these were sent from a trusted node * (since it used the correct PSK). If the keyfob does not sign the messages, the door node * will not accept them. Optionally, your keyfob sends a signed message to your gateway (which * require signatures) and the gateway in turn sends a signed message to your garage door. * * One day your keyfob gets stolen or you lost it or it simply broke down. * * You now end up with a problem; you need some way of telling your door node that the keyfob in * question cannot be trusted any more. You could now repersonalize all your node to switch to a * different PSK but this obviously is a hassle. How do you make sure that the "rogue" keyfob can be * removed from the "trusted chain"? * * The answer to this is whitelisting. You let your door node keep a whitelist of all nodes it * trusts. If you stop trusting a particular node, you remove it from the nodes whitelist * (by uploading a new sketch), and it will no longer be able to communicate signed messages to the * door node. * * In case you want to be able to "whitelist" trusted nodes (in order to be able to revoke them in * case they are lost) you also need to take note of the serial number of the ATSHA device or the * software value stored in EEPROM. This is unique for each device. The serial number is printed * in a copy+paste friendly format by the personalizer for this purpose.
* The whitelist is stored on the node that require signatures. When a received message is * verified, the serial of the sender is looked up in a list stored on the receiving node, and the * corresponding serial stored in the list for that sender is then included in the signature * verification process. The list is stored as the value of the flag that enables whitelisting, * @ref MY_SIGNING_NODE_WHITELISTING.
* * Whitelisting is achieved by 'salting' the signature with some node-unique information known to * the receiver. In the case of @ref MY_SIGNING_ATSHA204 this is the unique serial number programmed * into the circuit. This unique number is never transmitted over the air in clear text, so Eve will * not be able to figure out a "trusted" serial by snooping on the traffic.
* Instead the value is hashed together with the senders NodeId into the HMAC signature to produce * the final signature. The receiver will then take the originating NodeId of the signed message and * do the corresponding calculation with the serial it has stored in it's whitelist if it finds a * matching entry in it's whitelist. * * Whitelisting is an optional alternative because it adds some code and configuration options which * might not be desirable for every user. So if you want the ability to use whitelists, you need to * enable @ref MY_SIGNING_NODE_WHITELISTING. You need to remember that the gateway will remember if * a node has presented it with a whitelisting requirement as described above, if you at some point * decide to remove the whitelist requirement.
* The whitelist is provided as value of the flag that enable it as follows (example is a node that * require signing as well): * @code{.cpp} * #define MY_SIGNING_ATSHA204 * #define MY_SIGNING_REQUEST_SIGNATURES * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0x09,0x08,0x07,0x06,0x05,0x04,0x03,0x02,0x01}},{.nodeId = 2,.serial = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09}}} * #include * ... * @endcode * In this example, there are two nodes in the whitelist; the gateway, and a separate node that * communicates directly with this node (with signed messages). You do not need to do anything * special for the sending nodes, apart from making sure they support signing. * * The "soft" backend of course also support whitelisting. Example: * @code{.cpp} * #define MY_SIGNING_SOFT * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 * #define MY_SIGNING_REQUEST_SIGNATURES * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0x09,0x08,0x07,0x06,0x05,0x04,0x03,0x02,0x01}},{.nodeId = 2,.serial = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09}}} * #include * ... * @endcode * * For a node that should transmit whitelisted messages but not receive whitelisted messages, you do * not need any special configurations: * @code{.cpp} * #define MY_SIGNING_SOFT * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 * @endcode * Remember that you always need to select a signing backend for all nodes that communicate to a * node that require whitelisting. Also, note that a node that use whitelisting will not accept * messages from nodes that are not present in it's whitelist. * And you have to personalize all nodes that use signing with a common HMAC key but different * serial numbers (@ref MY_SIGNING_ATSHA204 always has unique serials). * * @section MySigninglimitations Known limitations * * Due to the limiting factor of our cheapest Arduino nodes, the use of diversified keys is not * implemented. That mean that all nodes in your network share the same PSK (at least the ones that * are supposed to exchange signed data). It is important to understand the implications of * this, and that is covered in the "Typical use cases" chapter below.
* Most importantly, if you use @ref MY_SIGNING_SOFT your PSK will be stored in EEPROM and will * therefore be accessible by anyone with physical access to your node. Therefore it is NOT * recommended to use @ref MY_SIGNING_SOFT on nodes that are placed in a public place or worn on * on your person (like a keyfob).
* Also be reminded that the strength of the signature is inversely proportional to the size of the * message. The larger the message, the weaker the signature. * * @section MySigningusecases Typical use cases * * "Securely located" in this context mean a node which is not physically publicly accessible. * Typically at least your gateway.
* "Public" in this context mean a node that is located outside your "trusted environment". This * includes sensors located outdoors, keyfobs etc. * * @subsection MySigninglock Securely located lock * * You have a securely located gateway and a lock somewhere inside your "trusted environment" (e.g. * inside your house door, the door to your dungeon or similar).
* You need to make your node require signed messages but you do not necessarily need to make your * gateway require signed messages (unless you are concerned that someone might spoof the lock * status of your lock).
* Configuration example for the secure lock node:
* @code{.cpp} * #define MY_SIGNING_ATSHA204 * #define MY_SIGNING_REQUEST_SIGNATURES * #include * ... * @endcode * If you do also want your gateway to require signatures from your lock you just enable the same * (or similar if using software signing) settings in the gateway. * * @subsection MySigningpatio Patio motion sensor * * Your gateway is securely located inside your house, but your motion sensor is located outside * your house. You have for some reason elected that this node should sign the messages it send to * your gateway. You should lock the data (PSK) in this node then, because if someone were to steal * your patio motion sensor, they could rewrite the firmware and spoof your gateway to use it to * transmit a correctly signed message to your secure lock inside your house. But if you revoke your * gateway (and lock) PSK the outside sensor cannot be used for this anymore. Nor can it be changed * in order to do it in the future. You can also use whitelisting to revoke your lost node.
* This is an unlikely use case because there really is no reason to sign sensor values. If you for * some reason want to obfuscate sensor data, encryption is a better alternative.
* Configuration example for a motion sensor:
* @code{.cpp} * #define MY_SIGNING_SOFT * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 * #define MY_SIGNING_REQUEST_SIGNATURES * #include * ... * @endcode * * The gateway needs to be configured with a whitelist (and it has to have an entry for all nodes * that send and/or require signed messages):
* @code{.cpp} * #define MY_SIGNING_SOFT * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 * #define MY_SIGNING_REQUEST_SIGNATURES * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = MOTION_SENSOR_ID,.serial = {0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78}}} * #include * ... * @endcode * @subsection MySigningkeyfob Keyfob for garage door opener * * Perhaps the most typical usecase for signed messages. Your keyfob should be totally locked down. * If the garage door opener is secured (and it should be) it can be unlocked. That way, if you * loose your keyfob, you can revoke the PSK in both the opener and your gateway, * thus rendering the keyfob useless without having to replace your nodes. You can also use * whitelisting to revoke your lost keyfob.
* Configuration example for the keyfob (keyfob will only transmit to another node and not receive * anything):
* @code{.cpp} * #define MY_SIGNING_ATSHA204 * #include * ... * @endcode * * Configuration example for the door controller node (should require signing from anyone who wants * to control it):
* @code{.cpp} * #define MY_SIGNING_SOFT * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 * #define MY_SIGNING_REQUEST_SIGNATURES * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88}},{.nodeId = KEYFOB_ID,.serial = {}}} * #include * ... * @endcode * * @subsection MySigningsketches Relevant sketches * * - @ref SecureActuator.ino * - @ref SecurityPersonalizer.ino * * @section MySigningtechnical The technical stuff * * The following sequence diagram illustrate how messages are passed in a MySensors network with * respect to signing: * @image html MySigning/signingsequence.png * * None of this activity is “visible” to you (as the sensor sketch implementor). All you need to do * is to set your preferences in your sketch and personalize accordingly. * That is enough to enable protection from both Eve and Mallory in your network * although if you do not also enable encryption, Eve can eavesdrop, but not do anything about, * your messages (except possibly preventing them from arriving). * * How are the messages actually affected by the signing?
* The following illustration shows what part of the message is signed, and where the signature is * stored: * @image html MySigning/signingillustrated1.png * * The first byte of the header is not covered by the signature, because in the network, this byte * is used to track hops in the network and therefore might change if the message is passing a relay * node. So it cannot be part of the signature, or the signature would be invalid when it arrives to * its destination. The signature also carries a byte with a signing identifier to prevent false * results from accidental mixing of incompatible signing backends in the network. Thus, the maximum * size for a payload is 29-7 bytes. Larger payloads are not possible to sign at the moment. Another * thing to consider is that the strength of the signature is inversely proportional to the payload * size. * * As for the software backend, it turns out that the ATSHA does not do “vanilla” HMAC processing. * Fortunately, Atmel has documented exactly how the circuit processes the data and hashes thus * making it possible to generate signatures that are identical to signatures generated by the * circuit. * * The signatures are calculates in the following way: * @image html MySigning/signingillustrated2.png * * Exactly how this is done can be reviewed in the source for the software backend * (MySigningAtsha204Soft.cpp) and the ATSHA204A * datasheet * . In the MySensors protocol, the following internal messagetypes handles signature * requirements and nonce requests:
* @ref I_SIGNING_PRESENTATION
* @ref I_NONCE_REQUEST
* @ref I_NONCE_RESPONSE
* * Also, the version field in the header has been reduced from 3 to 2 bits in order to fit a single * bit to indicate that a message is signed. * * @section MySigninggrpbackground Background and concepts * * Suppose two participants, Alice and Bob, wants to exchange a message. Alice sends a message to * Bob. In MySensors “language” Alice could be a gateway and Bob an actuator (light switch, * electronic lock, etc). But to be generic, we will substitute the term “gateway” with Alice and a * “node” with Bob (although the reverse relationship is also supported). * * Alice sends a message to Bob. This message can be heard by anyone who wants to listen (and also * by anyone that is within “hearing” distance). Normally, this is perhaps not a big issue. Nothing * Alice says to Bob may be secret or sensitive in any way. However, sometimes (or perhaps always) * Bob want to be sure that the message Bob receives actually came from Alice. In cryptography, * this is known as authenticity. Bob needs some way of determining that the message is * authentic from Alice, when Bob receives it. This prevents an eavesdropper, Eve, to trick Bob into * thinking it was Alice that sent a message Eve in fact transmitted. Bob also needs to know how to * determine if the message has been repeated. Eve could record a message sent by Alice that Bob * accepted and then send the same message again. Eve could also in some way prevent Bob from * receiving the message and delay it in order to permit the message to arrive to Bob at a time Eve * chooses, instead of Alice. Such an attack is known as a replay attack.
* Authenticity permits Bob to determine if Alice is the true sender of a message. * @image html MySigning/alicenfriends.png * * It can also be interesting for Bob to know that the message Alice sent has not been tampered with * in any way. This is the integrity of the message. We now introduce Mallory, who could be * intercepting the communication between Alice and Bob and replace some parts of the message but * keeping the parts that authenticate the message. That way, Bob still trusts Alice to be the * source, but the contents of the message was not the content Alice sent. Bob needs to be able to * determine that the contents of the message was not altered after Alice sent it.
* Mallory would in this case be a man-in-the-middle attacker.
* Integrity permits Bob to verify that the messages received from Alice has not been * tampered with.
* This is achieved by adding a signature to the message, which Bob can inspect to validate * that Alice is the author. * @image html MySigning/alicenfriends2.png * * The signing scheme used, needs to address both these attack scenarios. Neither Eve nor Mallory * must be permitted to interfere with the message exchange between Alice and Bob. * * The key challenge to implementing a secure signing scheme is to ensure that every signature is * different, even if the message is not. If not, replay attacks would be very hard to * prevent.
* One way of doing this is to increment some counter on the sender side and include it in the * signature. This is however predictable.
* A better option would be to introduce a random number to the signature. That way, it is * impossible to predict what the signature will be. The problem is, that also makes it impossible * for the receiver (Bob) to verify that the signature is valid.
* A solution to this is to let Bob generate the random number, keep it in memory and send it to * Alice. Alice can then use the random number in the signature calculation and send the signed * message back to Bob who can validate the signature with the random number used. * This random number is in cryptography known as a * nonce or * salt. * * However, Mallory might be eavesdropping on the communication and snoop up the nonce in order to * generate a new valid signature for a different message. To counter this, both Alice and Bob keep * a secret that only they know. This secret is never transmitted over the air, * nor is it revealed to anybody. This secret is known as a * pre-shared key (PSK). * * If Eve or Mallory are really sophisticated, he/she might use a delayed replay attack. * This can be done by allowing Bob to transmit a nonce to Alice. But when Alice transmits the * uniquely signed message, Mallory prevents Bob from receiving it, to a point when Mallory * decides Bob should receive it. An example of such an attack is described * * here.
* This needs to be addressed as well, and one way of doing this is to have Bob keep track of time * between a transmitted nonce and a signed message to verify. If Bob is asked for a nonce, Bob * knows that a signed message is going to arrive “soon”. Bob can then decide that if the signed * message does not arrive within a predefined timeframe, Bob throws away the generated nonce and * thus makes it impossible to verify the message if it arrives late. * * The flow can be described like this: * @image html MySigning/alicenbob.png * The benefits for MySensors to support this are obvious. Nobody wants others to be able to control * or manipulate any actuators in their home. * * @section MySigninggrphow How this is done * * There exist many forms of message signature solutions to combat Eve and Mallory.
* Most of these solutions are quite complex in term of computations, so I elected to use an * algorithm that an external circuit is able to process. This has the added benefit of protecting * any keys and intermediate data used for calculating the signature so that even if someone were to * actually steal a sensor and disassembled it, they would not be able to extract the keys and other * information from the device.
* A common scheme for message signing (authenticity and integrity) is implemented using * HMAC which in * combination with a strong hash function * provides a very strong level of protection.
* The Atmel ATSHA204A is a low-cost, * low-voltage/current circuit that provides HMAC calculation capabilities with SHA256 hashing which * is a (currently) virtually unbreakable combination. If SHA256 were to be hacked, a certain * cryptocurrency would immediately be rendered * worthless.
* The ATSHA device also contain a random number generator (RNG) which enables the generation of a * good nonce, as in, non-predictable.
* As I acknowledge that some might not want to use an additional external circuit, I have also * implemented a software version of the ATSHA device, capable of generating the same signatures as * the ATSHA device does. Because it is pure-software however, it does not provide as good nonces * (it uses the Arduino pseudo-random generator) * and the HMAC key is stored in SW and is therefore readable if the memory is dumped. It also * naturally claims more flash space due to the more complex software. But for indoor * sensors/actuators this might be good enough for most people. * * @section MySigninggrpencryption Why encryption is not part of this * * Well, some could be uncomfortable with somebody being able to snoop temperatures, motion or the * state changes of locks in the environment. * Signing does not address these issues. Encryption is needed to prevent this.
* It is my personal standpoint that encryption should not be part of the MySensors “protocol”. The * reason is that a gateway and a node does not really care about messages being readable or not by * “others”. It makes more sense that such guarantees are provided by the underlying transmission * layer (RF solution in this case). It is the information transmitted over the air that needs to be * secret (if user so desires). The “trust” level on the other hand needs to go all the way into the * sketches (who might have different requirements of trust depending on the message participant), * and for this reason, it is more important (and less complicated) to ensure authenticity and * integrity at protocol-level as message contents is still readable throughout the protocol * stack. But as soon as the message leaves the “stack” it can be scramble into “garbage” when * transmitted over the air and then reassembled by a receiving node before being fed in “the clear” * up the stack at the receiving end. * * There are methods and possibilities to provide encryption also in software, but if this is done, * it is my recommendation that this is done after integrity- and authentication information has * been provided to the message (if this is desired). Integrity and authentication is of course not * mandatory and some might be happy with only having encryption to cover their need for security. * I, however, have only focused on integrity and authenticity while at the same time * keeping the current message routing mechanisms intact and therefore leave the matter of * secrecy to be implemented in the “physical” transport layer. With the integrity and * authenticity handled in the protocol it ought to be enough for a simple encryption * (nonce-less %AES with a PSK for instance) on the message as it is sent to the RF backend. Atmel * does provide such circuits as well but I have not investigated the matter further as it given the * current size of the ethernet gateway sketch is close to the size limit on an Arduino Nano, so it * will be difficult to fit this into some existing gateway designs.
* Also it is worth to consider that the state of a lock can just as readily be determined by simply * looking at the door in question or attempting to open it, so obfuscating this information will * not necessarily deter an attacker in any way.
* Nevertheless, I do acknowledge that people find the fact that all information is sent “in the * clear” even if it require some technical effort for an intruder to obtain and inspect this * information. So I do encourage the use of encrypting transport layers.
* This is however not covered by this implementation.
* This might change in the future as more powerful platforms emerge which permit more complex * security schemes and better hardware acceleration. */ /** @}*/ /** * @defgroup MySigninggrp MySigning * @ingroup internals * @{ * * @brief API declaration for MySigning signing backend * * @see MySigninggrpPub */ /** * @file MySigning.h * * @brief API declaration for MySigning signing backend */ #ifndef MySigning_h #define MySigning_h #include "MySensorsCore.h" #include "drivers/ATSHA204/ATSHA204.h" #ifdef MY_SIGNING_NODE_WHITELISTING typedef struct { uint8_t nodeId; /**< @brief The ID of the node */ uint8_t serial[SHA204_SERIAL_SZ]; /**< @brief Node specific serial number */ } whitelist_entry_t; #endif /** @brief Helper macro to determine the number of elements in a array */ #define NUM_OF(x) (sizeof(x)/sizeof(x[0])) /** * @brief Initializes signing infrastructure and associated backend. * * This function makes sure that the internal states of the signing infrastructure * is set to a known initial state. * \n@b Usage: This function should be called before any signing related operations take place. */ void signerInit(void); /** * @brief Does signing specific presentation for a node. * * This function makes sure any signing related presentation info is shared with the other part. * The presentation of the gateways signing preferences is done in @ref signerProcessInternal(). * \n@b Usage: This function should be called by the presentation routine of the MySensors library. * You only need to call this directly from a sketch to set up a node to node signed message exchange. * If you do call this directly from a sketch, and you at some point change your sketch to go from * requiring signing to not requiring signatures, you need to present this change to the node at least * once, so it can update its requirements tables accordingly. Or it will keep believing that this node * require signatures and attempt to send signed messages to it. * * @param msg Message buffer to use. * @param destination Node ID of the destination. */ void signerPresentation(MyMessage &msg, uint8_t destination); /** * @brief Manages internal signing message handshaking. * * This function takes care of signing related message handshaking such as nonce exchange. * \n@b Usage: This function should be called by the incoming message handler before any further message * processing is performed on internal messages. This function should only be called for @ref C_INTERNAL class * messages. * * @param msg Message buffer to process. * @returns @c true if caller should stop further message processing. */ bool signerProcessInternal(MyMessage &msg); /** * @brief Check timeout of verification session. * * Nonce will be purged if it takes too long for a signed message to be sent to the receiver. * \n@b Usage: This function should be called on regular intervals, typically within some process loop. * * @returns @c true if session is still valid. */ bool signerCheckTimer(void); /** * @brief Get nonce from provided message and store for signing operations. * * Returns @c false if subsystem is busy processing an ongoing signing operation.
* Returns @c false if signing identifier found in message is not supported by the used backend.
* If successful, this marks the start of a signing operation at the sending side so * implementation is expected to do any necessary initializations within this call. * \n@b Usage: This function is typically called as action when receiving a @ref I_NONCE_RESPONSE * message. * * @param msg The message to get the nonce from. * @returns @c true if successful, else @c false. */ bool signerPutNonce(MyMessage &msg); /** * @brief Signs provided message. All remaining space in message payload buffer is used for * signing identifier and signature. * * Nonce used for signature calculation is the one generated previously within @ref signerProcessInternal().
* Nonce will be cleared when this function is called to prevent re-use of nonce.
* Returns @c false if subsystem is busy processing an ongoing signing operation.
* Returns @c false if not two bytes or more of free payload space is left in provided message.
* This ends a signing operation at the sending side so implementation is expected to do any * deinitializations and enter a power saving state within this call. * \n@b Usage: This function is typically called as action when receiving a @ref I_NONCE_RESPONSE * message and after @ref signerPutNonce() has successfully been executed. * * @param msg The message to sign. * @returns @c true if successful, else @c false. */ bool signerSignMsg(MyMessage &msg); /** * @brief Verifies signature in provided message. * * Nonce used for verification is the one previously set using @ref signerPutNonce().
* Nonce will be cleared when this function is called to prevent re-use of nonce.
* Returns @c false if subsystem is busy processing an ongoing signing operation.
* Returns @c false if signing identifier found in message is not supported by the used backend.
* This ends a signing operation at the receiving side so implementation is expected to do any * deinitializations and enter a power saving state within this call. * \n@b Usage: This function is typically called when receiving a message that is flagged as signed * and @ref MY_SIGNING_REQUEST_SIGNATURES is activated. * * @param msg The message to verify. * @returns @c true if successful, else @c false. */ bool signerVerifyMsg(MyMessage &msg); /** * @brief Do a timing neutral memory comparison. * * The function behaves similar to memcmp with the difference that it will * always use the same number of instructions for a given number of bytes, * no matter how the two buffers differ and the response is either 0 or -1. * * @param a First buffer for comparison. * @param b Second buffer for comparison. * @param sz The number of bytes to compare. * @returns 0 if buffers match, -1 if they do not. */ int signerMemcmp(const void* a, const void* b, size_t sz); #endif /** @}*/ /** * @defgroup MySigningDebugMessages Signing related debug messages * @ingroup MySigninggrpPub * @{ * * @brief Explanation of the abstract signing related debug messages * * MySigning-related log messages, format: [!]SYSTEM:SUB SYSTEM:MESSAGE * - [!] Exclamation mark is prepended in case of error or warning * - SYSTEM: * - SGN messages emitted by MySigning * - SUB SYSTEMS: * - SGN:INI from @ref signerInit * - SGN:PER from @ref signerInit * - SGN:PRE from @ref signerPresentation * - SGN:SGN from @ref signerSignMsg * - SGN:VER from @ref signerVerifyMsg * - SGN:SKP from @ref signerSignMsg or @ref signerVerifyMsg (skipSign) * - SGN:NCE from @ref signerProcessInternal (signerInternalProcessNonceRequest) * - SGN:BND from the signing backends * * MySigning debug log messages: * * |E| SYS | SUB | Message | Comment * |-|-----|-----|--------------------------|---------------------------------------------------------------------------- * | | SGN | INI | BND OK | Backend has initialized ok * |!| SGN | INI | BND FAIL | Backend has not initialized ok * | | SGN | PER | OK | Personalization data is ok * |!| SGN | PER | TAMPERED | Personalization data has been tampered * | | SGN | PRE | SGN REQ | Signing required * | | SGN | PRE | SGN REQ,TO='node' | Tell 'node' that we require signing * | | SGN | PRE | SGN REQ,FROM='node' | Node 'node' require signing * | | SGN | PRE | SGN NREQ | Signing not required * | | SGN | PRE | SGN REQ,TO='node' | Tell 'node' that we do not require signing * | | SGN | PRE | SGN NREQ,FROM='node' | Node 'node' does not require signing * |!| SGN | PRE | SGN NREQ,FROM='node' REJ | Node 'node' does not require signing but used to (requirement remain unchanged) * | | SGN | PRE | WHI REQ | Whitelisting required * | | SGN | PRE | WHI REQ;TO='node' | Tell 'node' that we require whitelisting * | | SGN | PRE | WHI REQ,FROM='node' | Node 'node' require whitelisting * | | SGN | PRE | WHI NREQ | Whitelisting not required * | | SGN | PRE | WHI NREQ,TO='node' | Tell 'node' that we do not require whitelisting * | | SGN | PRE | WHI NREQ,FROM='node' | Node 'node' does not require whitelisting * |!| SGN | PRE | WHI NREQ,FROM='node' REJ | Node 'node' does not require whitelisting but used to (requirement remain unchanged) * | | SGN | PRE | XMT,TO='node' | Presentation data transmitted to 'node' * |!| SGN | PRE | XMT,TO='node' FAIL | Presentation data not properly transmitted to 'node' * | | SGN | PRE | WAIT GW | Waiting for gateway presentation data * |!| SGN | PRE | VER='version' | Presentation version 'version' is not supported * | | SGN | PRE | NSUP | Received signing presentation but signing is not supported * | | SGN | PRE | NSUP,TO='node' | Informing 'node' that we do not support signing * | | SGN | SGN | NCE REQ,TO='node' | Nonce request transmitted to 'node' * |!| SGN | SGN | NCE REQ,TO='node' FAIL | Nonce request not properly transmitted to 'node' * |!| SGN | SGN | NCE TMO | Timeout waiting for nonce * | | SGN | SGN | SGN | Message signed * |!| SGN | SGN | SGN FAIL | Message failed to be signed * | | SGN | SGN | NREQ='node' | 'node' does not require signed messages * | | SGN | SGN | 'sender'!='us' NUS | Will not sign because 'sender' is not 'us' (repeater) * |!| SGN | SGN | STATE | Security system in a invalid state (personalization data tampered) * |!| SGN | VER | NSG | Message was not signed, but it should have been * |!| SGN | VER | FAIL | Verification failed * | | SGN | VER | OK | Verification succeeded * | | SGN | VER | LEFT='number' | 'number' of failed verifications left in a row before node is locked * |!| SGN | VER | STATE | Security system in a invalid state (personalization data tampered) * | | SGN | SKP | MSG CMD='cmd',TYPE='type'| Message with command 'cmd' and type 'type' does not need to be signed * | | SGN | SKP | ACK CMD='cmd',TYPE='type'| ACK messages does not need to be signed * | | SGN | NCE | LEFT='number' | 'number' of nonce requests between successful verifications left before node is locked * | | SGN | NCE | XMT,TO='node' | Nonce data transmitted to 'node' * |!| SGN | NCE | XMT,TO='node' FAIL | Nonce data not properly transmitted to 'node' * |!| SGN | NCE | GEN | Failed to generate nonce * | | SGN | NCE | NSUP (DROPPED) | Ignored nonce/request for nonce (signing not supported) * | | SGN | NCE | FROM='node' | Received nonce from 'node' * | | SGN | NCE | 'sender'!='dst' (DROPPED)| Ignoring nonce as it did not come from the designation of the message to sign * |!| SGN | BND | INIT FAIL | Failed to initialize signing backend * |!| SGN | BND | PWD<8 | Signing password too short * |!| SGN | BND | PER | Backend not personalized * |!| SGN | BND | SER | Could not get device unique serial from backend * |!| SGN | BND | TMR | Backend timed out * |!| SGN | BND | SIG,SIZE,'message'>'max' | Refusing to sign 'message' because it is bigger than 'max' allowed size * | | SGN | BND | SIG WHI,ID='id' | Salting message with our 'id' * | | SGN | BND | SIG WHI,SERIAL='serial' | Salting message with our 'serial' * |!| SGN | BND | VER ONGOING | Verification failed, no ongoing session * |!| SGN | BND | VER,IDENT='identifier' | Verification failed, 'identifier' is unknown * | | SGN | BND | VER WHI,ID='sender' | 'sender' found in whitelist * | | SGN | BND | VER WHI,SERIAL='serial' | Expecting 'serial' for this sender * |!| SGN | BND | VER WHI,ID='id' MISSING | 'id' not found in whitelist * | | SGN | BND | NONCE='nonce' | Calculating signature using 'nonce' * | | SGN | BND | HMAC='hmac' | Calculated signature is 'hmac' */ /** @}*/ /** * @defgroup MySigningTroubleshootinggrp Signing troubleshooting * @ingroup MySigninggrpPub * @{ * * @brief Typical signing related failure cases and how to solve them * * @section MySigningTroubleshootingSymptoms Symptoms and solutions * * The first thing to do if you suspect signing is causing problems, is to enable the verbose debug * flag for the signing backend. @see MY_DEBUG_VERBOSE_SIGNING * * If you are having trouble getting signing to work, please see the following troubleshooting tips. * * @subsection MySigningTroubleshootingSymptomStFail Signing fails and logs show st=fail on transmissions * * This is actually not a signing problem, although often st=fail becomes st=ok when signing is disabled. * This is by far the most commonly reported problem with signing, but the problems is not with signing, * it is with radio performance.
* This is a typical log which might look like a signing related issue but isn't: * @code{.unparsed} * 0;255;3;0;9;Skipping security for command 3 type 16 * 0;255;3;0;9;read: 3-3-0 s=255,c=3,t=16,pt=0,l=0,sg=0: * 0;255;3;0;9;Signing backend: ATSHA204Soft * 0;255;3;0;9;SHA256: 86DEAE1DAF50D577A4E2262B33ABF9DEE05DD8FAF84F94F50900000000000000 * 0;255;3;0;9;Skipping security for command 3 type 17 * 0;255;3;0;9;send: 0-0-3-3 s=255,c=3,t=17,pt=6,l=25,sg=0,st=fail:86DEAE1DAF50D577A4E2262B33ABF9DEE05DD8FAF84F94F509 * 0;255;3;0;9;Failed to transmit nonce! * 0;255;3;0;9;Message is not signed, but it should have been! * 0;255;3;0;9;verify fail * @endcode * * The reason for this is that when signing is used, the messages transmitted become relatively large.
* Because of this, the message is more sensitive to noise, and the chance for a message to get scrambled * increase with the message size. Please refer to the troubleshooting section at the MySensors forum for * information on how to improve radio performance.
* This is a good place to start: https://forum.mysensors.org/topic/666/debug-faq-and-how-ask-for-help * * @subsection MySigningTroubleshootingSymptomNonce Failed to generate nonce * * The signing backend failed to generate the nonce needed to sign a message. This indicate a hardware * problem. Please post the debug info on the forum together with a description of your hardware setup. * * @subsection MySigningTroubleshootingSymptomSign Failed to sign message * * The signing backend failed to sign the message. Typically this happens if your message is so large, * that there is no room left in the buffer to store a signature. * * @subsection MySigningTroubleshootingSymptomWrongSource Nonce did not come from the destination (XX) of the message to be signed! It came from YY * * This should not really happen. The reason for this message is that the signing backend is only capable * of handling one signed message session at any time. If for some reason multiple nodes send a nonce message to * the same node, only the nonce from a node that is the destination of the current message signing session will be * accepted. Any other nonces will be dropped. This should not happen as no node should send a nonce unless asked to, * and a node will only ask for a nonce to one destination for every signing session.
* If you see this message, please post the debugging details on the MySensors forum so it can be investigated further * together with a description of your setup. * * @subsection MySigningTroubleshootingSymptomNotSigned Message is not signed, but it should have been * * A node has failed to comply with the signing preferences of this node. Check that the node has received a * signing presentation message from this node. This is automatically transmitted to gateways. For other nodes, * you need to transmit the presentation from the sketch. @see signerPresentation * * @subsection MySigningTroubleshootingSymptomNotSignedGeneral "Messages do not appear to be signed but I think they should be..." * * Make sure you have enabled the flag to require signatures to require signatures and have enabled one of the signing * backends. @see MY_SIGNING_REQUEST_SIGNATURES @see MY_SIGNING_ATSHA204 @see MY_SIGNING_SOFT * * @subsection MySigningTroubleshootingSymptomNotWorkingWhitelisting Signature verification failed! * * Make sure both source and destination of the signed message has undergone @ref personalization with the same HMAC key.
* Also, if whitelisting is used, make sure the proper serial is paired with the proper node ID at the destination. * Whitelisting preferences are communicated with the signing presentation (done automatically from nodes to gateway but * has to be explicitly done by sketch for node to node communication). @see signerPresentation */ /** @}*/