
MySensors 2.2.0 Security and signing

sineverba edited this page Jul 6, 2018 · 3 revisions


TL;DR Steps to follow

  1. Set up your gateway with AES Key + HMAC Key + get a unique serial
  2. Clean your Arduino (see clear_eeprom.ino in https://github.com/sineverba/domoraspi/tree/master/utils/sketches)
  3. Set your keys in secure_node.ino in https://github.com/sineverba/domoraspi/tree/master/utils/sketches
  4. In the sketches to protect, add at the top:
#define MY_SIGNING_SOFT
#define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
#define MY_SIGNING_REQUEST_SIGNATURES
#define MY_SIGNING_NODE_WHITELISTING {{.nodeId = GATEWAY_ADDRESS,.serial = {0Xaa,0Xbb,0Xcc,0XF9,0X82,0XB2,0X50,0XF2,0XAB}}} // got from gateway setup

End!

Long explanation

At first glance, enabling security seems difficult. In reality it is not. I want to protect my heater, so that only my gateway can power it on or off. So we will use:

  1. Whitelisting
  2. AES Key

Other nodes (mainly temperature sensors) don't need security at all; for this reason we have the flag --my-signing-weak_security

So, we need to get:

  1. Unique serial for our gateway
  2. HMAC Key
  3. AES Key

Get unique serial

sudo mysgw --gen-soft-serial-key

We will get:

SOFT_SERIAL   | 7850987FA6601F6538

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_SERIAL 0X78,0X50,0X98,0X7F,0XA6,0X60,0X1F,0X65,0X38

To use this key, run mysgw with:
 --set-soft-serial-key=7850987FA6601F6538
  1. Save this in a text file, because we will also use it to personalize the nodes
  2. Follow the on-screen instructions, i.e. set it with sudo mysgw --set-soft-serial-key=7850987FA6601F6538

Get HMAC Key

sudo mysgw --gen-soft-hmac-key

We will get:

SOFT_HMAC_KEY | 0298FF121DD3194BCC33DC8185055B9D981EBE0A90D847A4777A9E65CCE4F524

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_SOFT_HMAC_KEY 0X2,0X98,0XFF,0X12,0X1D,0XD3,0X19,0X4B,0XCC,0X33,0XDC,0X81,0X85,0X5,0X5B,0X9D,0X98,0X1E,0XBE,0XA,0X90,0XD8,0X47,0XA4,0X77,0X7A,0X9E,0X65,0XCC,0XE4,0XF5,0X24

To use this key, run mysgw with:
 --set-soft-hmac-key=0298FF121DD3194BCC33DC8185055B9D981EBE0A90D847A4777A9E65CCE4F524

Warning!

At the moment, there is a "bug" in this text. SecurityPersonalizer.ino does not have a MY_SOFT_HMAC_KEY definition but a MY_HMAC_KEY one, so the right usage (copy and paste) is:

#define MY_HMAC_KEY 0X2,0X98,0XFF,0X12,0X1D,0XD3,0X19,0X4B,0XCC,0X33,0XDC,0X81,0X85,0X5,0X5B,0X9D,0X98,0X1E,0XBE,0XA,0X90,0XD8,0X47,0XA4,0X77,0X7A,0X9E,0X65,0XCC,0XE4,0XF5,0X24

  1. Save this in a text file, because we will also use it to personalize the nodes
  2. Follow the on-screen instructions, i.e. set it with sudo mysgw --set-soft-hmac-key=0298FF121DD3194BCC33DC8185055B9D981EBE0A90D847A4777A9E65CCE4F524

Get AES Key

sudo mysgw --gen-aes-key

We will get:

AES_KEY       | 768859210B4A75FACC78B757ADAFE75B

The next line is intended to be used in SecurityPersonalizer.ino:
#define MY_AES_KEY 0X76,0X88,0X59,0X21,0XB,0X4A,0X75,0XFA,0XCC,0X78,0XB7,0X57,0XAD,0XAF,0XE7,0X5B

To use this key, run mysgw with:
 --set-aes-key=768859210B4A75FACC78B757ADAFE75B
  1. Save this in a text file, because we will also use it to personalize the nodes
  2. Follow the on-screen instructions, i.e. set it with sudo mysgw --set-aes-key=768859210B4A75FACC78B757ADAFE75B

Bonus

You can save the values and re-use them on another installation (e.g. if you update MySensors). Save the chain of set commands:

sudo mysgw --set-soft-serial-key=7850987FA6601F6538 && sudo mysgw --set-aes-key=768859210B4A75FACC78B757ADAFE75B && sudo mysgw --set-soft-hmac-key=0298FF121DD3194BCC33DC8185055B9D981EBE0A90D847A4777A9E65CCE4F524
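
To go from the hex strings saved in the steps above to the node-side lines, the following helper is an added example (not part of the original page or of MySensors). It checks each saved value for length and hex characters, then prints the #define lines for SecurityPersonalizer.ino and the whitelist line for a protected sketch. The function names are hypothetical, and the byte lengths are assumed from the sample mysgw output on this page.

```python
import re

# Define names as used on this page; byte lengths are assumed from the sample
# mysgw output above (18, 64 and 32 hex characters respectively).
KEY_BYTES = {"MY_SOFT_SERIAL": 9, "MY_HMAC_KEY": 32, "MY_AES_KEY": 16}

# Sample values shown on this page (replace with your own saved values).
PAGE_SAMPLE = {
    "MY_SOFT_SERIAL": "7850987FA6601F6538",
    "MY_HMAC_KEY": "0298FF121DD3194BCC33DC8185055B9D"
                   "981EBE0A90D847A4777A9E65CCE4F524",
    "MY_AES_KEY": "768859210B4A75FACC78B757ADAFE75B",
}


def hex_to_c_bytes(hex_str, expected_len):
    """Validate a saved hex string and return it as a C byte list."""
    cleaned = hex_str.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]*", cleaned):
        raise ValueError("value contains non-hex characters")
    if len(cleaned) != expected_len * 2:
        raise ValueError(
            f"expected {expected_len * 2} hex characters, got {len(cleaned)}")
    # Two-digit form (0x02) is the same value as mysgw's short form (0X2).
    return ",".join(f"0x{b:02X}" for b in bytes.fromhex(cleaned))


def personalizer_defines(saved):
    """Build the three #define lines for SecurityPersonalizer.ino."""
    missing = KEY_BYTES.keys() - saved.keys()
    if missing:
        raise ValueError(f"missing values: {sorted(missing)}")
    return [f"#define {name} {hex_to_c_bytes(saved[name], size)}"
            for name, size in KEY_BYTES.items()]


def whitelist_define(gateway_serial_hex, node_id="GATEWAY_ADDRESS"):
    """Build the whitelist line that goes at the top of a protected sketch."""
    serial = hex_to_c_bytes(gateway_serial_hex, KEY_BYTES["MY_SOFT_SERIAL"])
    return ("#define MY_SIGNING_NODE_WHITELISTING "
            "{{.nodeId = %s,.serial = {%s}}}" % (node_id, serial))


if __name__ == "__main__":
    for line in personalizer_defines(PAGE_SAMPLE):
        print(line)
    print(whitelist_define(PAGE_SAMPLE["MY_SOFT_SERIAL"]))
```

A truncated or mistyped paste raises ValueError before anything is flashed to a node.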