|
35 | 35 | * Alice sends a message to Bob. This message can be heard by anyone who wants to listen (and also by anyone that is within “hearing” |
36 | 36 | * distance). Normally, this is perhaps not a big issue. Nothing Alice says to Bob may be secret or sensitive in any way. |
37 | 37 | * However, sometimes (or perhaps always) Bob want to be sure that the message Bob receives actually came from Alice. In cryptography, |
38 | | - * this is known as <i>authenticity</i>. Bob need some way of determining that the message is authentic from Alice, when Bob receives it. |
39 | | - * This prevent an eavesdropper, Eve, to trick Bob into thinking it was Alice that sent a message Eve in fact transmitted. Bob also need |
| 38 | + * this is known as <i>authenticity</i>. Bob needs some way of determining that the message is authentic from Alice, when Bob receives it. |
| 39 | + * This prevents an eavesdropper, Eve, to trick Bob into thinking it was Alice that sent a message Eve in fact transmitted. Bob also needs |
40 | 40 | * to know how to determine if the message has been repeated. Eve could record a message sent by Alice that Bob accepted and then send |
41 | 41 | * the same message again. Eve could also in some way prevent Bob from receiving the message and delay it in order to permit the message |
42 | 42 | * to arrive to Bob at a time Eve chooses, instead of Alice. Such an attack is known as a <b>replay attack</b>.<br> |
|
156 | 156 | * This has to be set by at least one of the node in a "pair" or nobody will actually start calculating a signature for a message. |
157 | 157 | * Just set the flag @ref MY_SIGNING_REQUEST_SIGNATURES and the node will inform the gateway that it expects the gateway to sign all |
158 | 158 | * messages sent to the node. If this is set in a gateway, it will @b NOT force all nodes to sign messages to it. It will only require |
159 | | - * signatures from nodes that in turn require signatures. |
| 159 | + * signatures from nodes that in turn require signatures.<br> |
| 160 | + * A node can have three "states" with respect to signing: |
| 161 | + * 1. Node does not support signing in any way (neither @ref MY_SIGNING_ATSHA204 nor @ref MY_SIGNING_SOFT is set) |
| 162 | + * 2. Node does support signing but don't require messages sent to it to be signed (@ref MY_SIGNING_REQUEST_SIGNATURES is not set) |
| 163 | + * 3. Node does support signing and require messages sent to it to be signed (@ref MY_SIGNING_REQUEST_SIGNATURES is set) |
160 | 164 | * |
161 | 165 | * <b>Secondly</b>, you need to verify the configuration for the backend.<br> |
162 | 166 | * For hardware backed signing it is the pin the device is connected to. In MyConfig.h there are defaults which you might need to adjust to |
|
180 | 184 | * @code{.cpp} |
181 | 185 | * #define MY_SIGNING_SOFT |
182 | 186 | * #define MY_SIGNING_SOFT_SERIAL 0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78 |
183 | | - * #defune MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
| 187 | + * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
184 | 188 | * #define MY_SIGNING_SOFT_HMAC_KEY 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0xa0,0xb0,0xc0,0xd0,0xe0,0xf0,0x11,0x22 |
185 | 189 | * #define MY_SIGNING_REQUEST_SIGNATURES |
186 | 190 | * #include <MySensor.h> |
|
267 | 271 | * |
268 | 272 | * Consider the situation when you have set up your secure topology. We use the remotely operated garage door as an example: |
269 | 273 | * - You have a node inside your garage (therefore secure and out of reach from prying eyes) that controls your garage door motor.\n |
270 | | - * This node require signing since you do not want an unauthorized person sending it orders to open the door. |
| 274 | + * This node requires signing since you do not want an unauthorized person sending it orders to open the door. |
271 | 275 | * - You have a keyfob node with a signing backend that uses the same PSK as your door opener node. |
272 | 276 | * |
273 | 277 | * In this setup, your keyfob can securely transmit messages to your door node since the keyfob will sign the messages it sends and the door node |
|
276 | 280 | * |
277 | 281 | * One day your keyfob gets stolen or you lost it or it simply broke down. |
278 | 282 | * |
279 | | - * You know end up with a problem; you need some way of telling your door node that the keyfob in question cannot be trusted any more. Furthermore, |
| 283 | + * You now end up with a problem; you need some way of telling your door node that the keyfob in question cannot be trusted any more. Furthermore, |
280 | 284 | * you maybe locked the data region in your door nodes ATSHA device and is not able to revoke/change your PSK, or you have some other reason for |
281 | 285 | * not wanting to replace the PSK. How do you make sure that the "rogue" keyfob can be removed from the "trusted chain"? |
282 | 286 | * |
|
290 | 294 | * The whitelist is stored on the node that require signatures. When a received message is verified, the serial of the sender is looked up in a |
291 | 295 | * list stored on the receiving node, and the corresponding serial stored in the list for that sender is then included in the signature verification |
292 | 296 | * process. The list is stored as the value of the flag that enables whitelisting, @ref MY_SIGNING_NODE_WHITELISTING.<br> |
293 | | - * For whitelisting to work, the sending node also need to have whitelisting enabled.<br> |
| 297 | + * For whitelisting to work, the sending node also needs to have whitelisting enabled.<br> |
294 | 298 | * |
295 | 299 | * Whitelisting is achieved by 'salting' the signature with some node-unique information known to the receiver. In the case of ATSHA204A this is the |
296 | 300 | * unique serial number programmed into the circuit. This unique number is never transmitted over the air in clear text, so Eve will not be able to |
|
317 | 321 | * @code{.cpp} |
318 | 322 | * #define MY_SIGNING_SOFT |
319 | 323 | * #define MY_SIGNING_SOFT_SERIAL 0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78 |
320 | | - * #defune MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
| 324 | + * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
321 | 325 | * #define MY_SIGNING_SOFT_HMAC_KEY 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0xa0,0xb0,0xc0,0xd0,0xe0,0xf0,0x11,0x22 |
322 | 326 | * #define MY_SIGNING_REQUEST_SIGNATURES |
323 | 327 | * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0x09,0x08,0x07,0x06,0x05,0x04,0x03,0x02,0x01}},{.nodeId = 2,.serial = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09}}} |
|
369 | 373 | * |
370 | 374 | * Due to the limiting factor of our cheapest Arduino nodes, the use of diversified keys is not implemented. That mean that all nodes in your |
371 | 375 | * network share the same PSK (at least the ones that are supposed to exchange signed data). It is important to understand the implications of |
372 | | - * this, and that is covered in the "Typical usecases" chapter below.<br> |
| 376 | + * this, and that is covered in the "Typical use cases" chapter below.<br> |
373 | 377 | * Also be reminded that the strength of the signature is inversely proportional to the size of the message. The larger the message, the weaker |
374 | 378 | * the signature. |
375 | 379 | * |
376 | | - * @section MySigningusecases Typical usecases |
| 380 | + * @section MySigningusecases Typical use cases |
377 | 381 | * |
378 | 382 | * "Securely located" in this context mean a node which is not physically publicly accessible. Typically at least your gateway.<br> |
379 | 383 | * "Public" in this context mean a node that is located outside your "trusted environment". This includes sensors located outdoors, keyfobs etc. |
|
383 | 387 | * You have a securely located gateway and a lock somewhere inside your "trusted environment" (e.g. inside your house door, the door to your |
384 | 388 | * dungeon or similar).<br> |
385 | 389 | * You should then keep the data section of your gateway and your lock node unlocked. Locking the data (and therefore the PSK) will require you |
386 | | - * to replace at least the signing circuit in case you need to revoke the PSK because some other node in your network gets compromised. |
| 390 | + * to replace at least the signing circuit in case you need to revoke the PSK because some other node in your network gets compromised.<br> |
| 391 | + * You need to make your node require signed messages but you do not necessarily need to make your gateway require signed messsages (unless you |
| 392 | + * are concerned that someone might spoof the lock status of your lock).<br> |
| 393 | + * Configuration example for the secure lock node:<br> |
| 394 | + * @code{.cpp} |
| 395 | + * #define MY_SIGNING_ATSHA204 |
| 396 | + * #define MY_SIGNING_REQUEST_SIGNATURES |
| 397 | + * #include <MySensor.h> |
| 398 | + * ... |
| 399 | + * @endcode |
| 400 | + * If you do also want your gateway to require signatures from your lock you just enable the same (or similar if using software signing) settings |
| 401 | + * in the gateway. |
387 | 402 | * |
388 | 403 | * @subsection MySigningpatio Patio motion sensor |
389 | 404 | * |
390 | 405 | * Your gateway is securely located inside your house, but your motion sensor is located outside your house. You have for some reason elected |
391 | | - * that this node should sign the messages it send to your gateway.You should lock the data (PSK) in this node then, because if someone were |
| 406 | + * that this node should sign the messages it send to your gateway. You should lock the data (PSK) in this node then, because if someone were |
392 | 407 | * to steal your patio motion sensor, they could rewrite the firmware and spoof your gateway to use it to transmit a correctly signed message |
393 | 408 | * to your secure lock inside your house. But if you revoke your gateway (and lock) PSK the outside sensor cannot be used for this anymore. |
394 | 409 | * Nor can it be changed in order to do it in the future. You can also use whitelisting to revoke your lost node.<br> |
395 | | - * This is an unlikely usecase because it is really no reason to sign sensor values. If you for some reason want to obfuscate sensor data, |
396 | | - * encryption is a better alternative. |
| 410 | + * This is an unlikely use case because there really is no reason to sign sensor values. If you for some reason want to obfuscate sensor data, |
| 411 | + * encryption is a better alternative.<br> |
| 412 | + * Configuration example for a motion sensor with whitelisting (it has to have the gateway whitelisted since the gateway will send signed messages to the node):<br> |
| 413 | + * @code{.cpp} |
| 414 | + * #define MY_SIGNING_SOFT |
| 415 | + * #define MY_SIGNING_SOFT_SERIAL 0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78 |
| 416 | + * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
| 417 | + * #define MY_SIGNING_SOFT_HMAC_KEY 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0xa0,0xb0,0xc0,0xd0,0xe0,0xf0,0x11,0x22 |
| 418 | + * #define MY_SIGNING_REQUEST_SIGNATURES |
| 419 | + * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88}}} |
| 420 | + * #include <MySensor.h> |
| 421 | + * ... |
| 422 | + * @endcode |
397 | 423 | * |
| 424 | + * The gateway needs to configured with a whitelist (and it have to have an entry for all nodes that send and/or require signed messages):<br> |
| 425 | + * @code{.cpp} |
| 426 | + * #define MY_SIGNING_SOFT |
| 427 | + * #define MY_SIGNING_SOFT_SERIAL 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88 |
| 428 | + * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
| 429 | + * #define MY_SIGNING_SOFT_HMAC_KEY 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0xa0,0xb0,0xc0,0xd0,0xe0,0xf0,0x11,0x22 |
| 430 | + * #define MY_SIGNING_REQUEST_SIGNATURES |
| 431 | + * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = MOTION_SENSOR_ID,.serial = {0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78}}} |
| 432 | + * #include <MySensor.h> |
| 433 | + * ... |
| 434 | + * @endcode |
| 435 | +
|
398 | 436 | * @subsection MySigningkeyfob Keyfob for garage door opener |
399 | 437 | * |
400 | 438 | * Perhaps the most typical usecase for signed messages. Your keyfob should be totally locked down. If the garage door opener is secured |
401 | 439 | * (and it should be) it can be unlocked. That way, if you loose your keyfob, you can revoke the PSK in both the opener and your gateway, |
402 | | - * thus rendering the keyfob useless without having to replace your nodes. You can also use whitelisting to revoke your lost keyfob. |
| 440 | + * thus rendering the keyfob useless without having to replace your nodes. You can also use whitelisting to revoke your lost keyfob.<br> |
| 441 | + * Configuration example for the keyfob (keyfob will only transmit to another node and not receive anything):<br> |
| 442 | + * @code{.cpp} |
| 443 | + * #define MY_SIGNING_ATSHA204 |
| 444 | + * #define MY_SIGNING_NODE_WHITELISTING {} |
| 445 | + * #include <MySensor.h> |
| 446 | + * ... |
| 447 | + * @endcode |
| 448 | + * Configuration example for the door controller node (should require signing from anyone who wants to control it):<br> |
| 449 | + * @code{.cpp} |
| 450 | + * #define MY_SIGNING_SOFT |
| 451 | + * #define MY_SIGNING_SOFT_SERIAL 0x12,0x34,0x56,0x78,0x90,0x12,0x34,0x56,0x78 |
| 452 | + * #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7 |
| 453 | + * #define MY_SIGNING_SOFT_HMAC_KEY 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x10,0x20,0x30,0x40,0x50,0x60,0x70,0x80,0x90,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0xa0,0xb0,0xc0,0xd0,0xe0,0xf0,0x11,0x22 |
| 454 | + * #define MY_SIGNING_REQUEST_SIGNATURES |
| 455 | + * #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88}},{.nodeId = KEYFOB_ID,.serial = {<FROM ATSHA ON KEYFOB>}}} |
| 456 | + * #include <MySensor.h> |
| 457 | + * ... |
| 458 | + * @endcode |
403 | 459 | * |
404 | 460 | * @subsection MySigningsketches Relevant sketches |
405 | 461 | * |
|
0 commit comments