KNX Secure #418
Comments
|
The specification is publicly available. I might be working on this for my Master's thesis, this will be decided in the next couple of weeks. |
|
That would be awesome. If you do this, please consider replacing the current knxd-specific client protocol with something sensible, e.g. based on protobuf or msgpack. |
|
I'll see what I can do. Please be aware that this is still in very early stages of planning and requires the approval of a proposal by my professor and advisor. Therefore I can't promise that this will actually be the topic of my thesis. |
|
Of course. But you might tell them that you'll have my support. I don't know whether appealing to their better nature (i.e. it's an upgrade to some semi-critical infrastructure code, thus a public service and not just an academic exercise) would help. ;-) |
|
@smurfix I've got the OK for the project and if it goes well this will be continued in my thesis. Since this will be an academic project the main focus isn't on the implementation though, therefore I can't promise that this will result in a pull request with fully polished code. I will verify this anyway, but do you know if knxd is conforming to the entire KNXnet/IP Standard 01.04.02? |
|
Nice. Remote logging is not implemented, neither is remote diagnosis/config, and there's no such thing as an "object server". Also there's no TP bus enumeration. knxd also doesn't handle ROUTING_BUSY or ROUTING_LOST_MESSAGE indications which presumably should be used to slow down transmission. |
|
knxd also does not handle KNX RF USB sticks due to missing proper support of open media. |
|
The publicly available version of the specification from 2013 has an early draft of KNXnet/IP Secure, which has several security flaws. In the meantime there have been updates to the protocol's design, currently not released to the public, that are incompatible with the published version. Implementing the published draft likely doesn't allow communication with any certified KNX Secure devices. I just noticed that the title of this ticket and my replies have been a bit ambiguous and may have caused some confusion. I'm currently working on KNXnet/IP Security (AN 159/13), not KNX Data Security (AN 158/13). Due to the aforementioned changes in the protocol design, which I have been informed of today, it's currently unclear whether I will be able to implement a version in knxd that is compatible with the official implementation in certified devices during my Master's. |
|
I won't continue to work on this, but for reference KNXnet/IP Security is specified in ISO 22510:2019 since November 2019. |
|
While searching a bit on this topic I found this issue ... looking further it seems that calimero (which openHAB uses to access the knx bus) has support for both IP and Data secure. Just FYI in case that could be useful as inspiration: |
|
Fun part, the ISO wants €180 (CHF 198) for the standard paper. Even more fun part, the Serbian standards org wants €56 for the exact same privilege. I just bought a copy. :-/ |
|
@smurfix Able/willing to share the references to those documents/paper? Also interested in this, and find it interesting how those standards are priced differently in different regions :-). |
|
Just search for "ISO 22510:2019 download". |
|
On 8 January 2021 18:44:21 CET, "Robert Gützkow" <notifications@github.com> wrote:
but it is not a state of the art cryptographic protocol.
Sorry to drop a sarcastic comment, but unfortunately this is exactly what I told them some years ago (!) during a VDE Congress in public while they presented it the first time 😜
And weak crypto "by design" didn't get better since then..
Kind regards
Michael Markstaller
|
|
Even better: Estonia has it for 52€ and Latvia for 38€. |
|
While it isn't the complete specification, you can see a majority of the interesting parts in my thesis as well without paying anything. |
|
Thanks. I guess that reading the last line of your abstract is quite sufficient for deciding that implementing this Secure Protocol probably is not what I'll be doing with my limited time, I'm afraid. That said, patches will gladly be accepted if somebody else does the work … |
|
That is completely understandable. |
Hi. Did anyone get the specs for the KNX-Secure protocol? I think it's recommended in future to support it.