Re: 802.15.4 security - Simon Vincent

All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Vincent <simon.vincent@xsilon.com>
To: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Cc: "linux-wpan@vger.kernel.org" <linux-wpan@vger.kernel.org>
Subject: Re: 802.15.4 security
Date: Thu, 18 Jun 2015 16:02:19 +0100	[thread overview]
Message-ID: <5582DD7B.6090907@xsilon.com> (raw)
In-Reply-To: <20150618134013.2a035f46@zoidberg>

I have managed to get security working now in all modes.

I will submit a patch to fix the scatterlist bug.

The other problem I had was the IV was being generated incorrectly. This 
was because I had used the iwpan tools to set the mac address. This does 
not set the ieee802154_llsec_params.hwaddr[1] which is used for creating 
the IV.[2]

I am not sure the best way to fix this issue. Do we need to keep to keep 
a copy of the pan_id, hwaddr, coord_hwaddr, coord_shortaddr in the 
llsec_params? It seems like it could easily get missed and not updated 
if one of these parameters change.

Simon

[1] - 
http://lxr.free-electrons.com/source/include/net/ieee802154_netdev.h#L308
[2] - http://lxr.free-electrons.com/source/net/mac802154/llsec.c#L627 
and http://lxr.free-electrons.com/source/net/mac802154/llsec.c#L656

On 18/06/15 12:40, Phoebe Buckheister wrote:
> Found the bug for levels 1,2,3:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/mac802154/llsec.c#n680
>
> Scatterlist length 0 is invalid. If I had properly built the
> scatterlists properly instead of setting single element lengths to 0
> (because I thought that was allowed), things wouldn't die in a BUG().
> Can't patch that now, though, I'm sorry :(
>
> On Thu, 18 Jun 2015 13:13:30 +0200
> Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> wrote:
>
>> Hi Simon,
>>
>> the last kernel I used this with was 3.15-rc8, so actually quite a
>> while ago. Unfortunately, I don't have the means to test things with a
>> current kernel right now, because I don't remember things failing that
>> hard when I last worked on that code. I usually used seclevel 5, which
>> worked fine with our devices.
>>
>> @wireshark: by default, without further configuration, wireshark can't
>> check the MIC, because it doesn't have the necessary keys. There was a
>> way to give wireshark those keys, but I don't remember off hand how
>> that worked.
>>
>> On Thu, 18 Jun 2015 11:12:19 +0100
>> Simon Vincent <simon.vincent@xsilon.com> wrote:
>>
>>> Hi Phoebe,
>>>
>>> I am having some problems with the 802.15.4 security.
>>>
>>> What kernel version/gitref did you last test the 802.15.4 security
>>> on? What level of security are you using? (1-7)
>>>
>>> I can then have a look what has changed since and try and debug the
>>> problems I am seeing.
>>>
>>> I find if I set the security level to 1,2,3 I get a kernel panic
>>> whenever a packet is sent.
>>> If I set the security level to 4 the packets sent are corrupt.
>>> If I set the security level to 5-7 wireshark decodes the packets as
>>> MIC check failed.
>>>
>>> Regards
>>>
>>> Simon
>>>
>>> On 28/05/15 10:00, Phoebe Buckheister wrote:
>>>> Hi Simon,
>>>>
>>>> sorry for taking so long to reply. Unfortunately, there's
>>>> currently no actual documentation for the crypto layer (and I
>>>> probably won't come around to write any sometime soon), but I
>>>> have built an application that works with llsec [1].
>>>>
>>>> The process to set up a crypto config for a network is rougly
>>>> outlined in [2] and [3]. There are more options to the crypto
>>>> layer than are used there, but the process is pretty much the
>>>> same: you add a number of devices you want to securely
>>>> communicate with, add the keys those devices will use to
>>>> communicate, and then set the general parameters for llsec (like
>>>> default llsec, enabling the crypto layer and such).
>>>>
>>>> Hope that helps a little,
>>>> Phoebe
>>>>
>>>>
>>>> [1]
>>>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm
>>>> [2]
>>>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L160
>>>> [3]
>>>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L90
>>>>
>>>> On Thu, 21 May 2015 14:23:10 +0100
>>>> Simon Vincent <simon.vincent@xsilon.com> wrote:
>>>>
>>>>> What is the status of the crypto-layer? I can see a lot of crypto
>>>>> functionality in the mac layer but I can't work out how to setup
>>>>> the keys and enable encryption/authentication. Will this be part
>>>>> of the wpan-tools?
>>>>>
>>>>> - Simon
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe
>>>>> linux-wpan" in the body of a message to majordomo@vger.kernel.org
>>>>> More majordomo info at
>>>>> http://vger.kernel.org/majordomo-info.html
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe
>>>> linux-wpan" in the body of a message to majordomo@vger.kernel.org
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-wpan"
>> in the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2015-06-18 15:02 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-21 13:23 802.15.4 security Simon Vincent
2015-05-28  9:00 ` Phoebe Buckheister
2015-06-18 10:12   ` Simon Vincent
2015-06-18 11:13     ` Phoebe Buckheister
2015-06-18 11:40       ` Phoebe Buckheister
2015-06-18 11:43         ` Simon Vincent
2015-06-18 15:02         ` Simon Vincent [this message]
2015-06-18 15:32           ` Alexander Aring
2015-06-18 11:42       ` Simon Vincent
2015-06-18 11:44         ` Phoebe Buckheister

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5582DD7B.6090907@xsilon.com \
    --to=simon.vincent@xsilon.com \
    --cc=linux-wpan@vger.kernel.org \
    --cc=phoebe.buckheister@itwm.fraunhofer.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.