* 802.15.4 security
@ 2015-05-21 13:23 Simon Vincent
  2015-05-28  9:00 ` Phoebe Buckheister
  0 siblings, 1 reply; 10+ messages in thread
From: Simon Vincent @ 2015-05-21 13:23 UTC (permalink / raw)
  To: linux-wpan@vger.kernel.org

What is the status of the crypto-layer? I can see a lot of crypto
functionality in the mac layer but I can't work out how to set up the
keys and enable encryption/authentication. Will this be part of the
wpan-tools?

- Simon


* Re: 802.15.4 security
  2015-05-21 13:23 802.15.4 security Simon Vincent
@ 2015-05-28  9:00 ` Phoebe Buckheister
  2015-06-18 10:12   ` Simon Vincent
  0 siblings, 1 reply; 10+ messages in thread
From: Phoebe Buckheister @ 2015-05-28  9:00 UTC (permalink / raw)
  To: Simon Vincent; +Cc: linux-wpan@vger.kernel.org

Hi Simon,

sorry for taking so long to reply. Unfortunately, there's currently no
actual documentation for the crypto layer (and I probably won't come
around to write any sometime soon), but I have built an application
that works with llsec [1].

The process to set up a crypto config for a network is roughly outlined
in [2] and [3]. There are more options to the crypto layer than are used
there, but the process is pretty much the same: you add a number of
devices you want to securely communicate with, add the keys those
devices will use to communicate, and then set the general parameters
for llsec (like default llsec, enabling the crypto layer and such).

Hope that helps a little,
Phoebe


[1]
https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm
[2]
https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L160
[3]
https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L90


* Re: 802.15.4 security
  2015-05-28  9:00 ` Phoebe Buckheister
@ 2015-06-18 10:12   ` Simon Vincent
  2015-06-18 11:13     ` Phoebe Buckheister
  0 siblings, 1 reply; 10+ messages in thread
From: Simon Vincent @ 2015-06-18 10:12 UTC (permalink / raw)
  To: Phoebe Buckheister; +Cc: linux-wpan@vger.kernel.org

Hi Phoebe,

I am having some problems with the 802.15.4 security.

What kernel version/gitref did you last test the 802.15.4 security on?
What level of security are you using? (1-7)

I can then have a look what has changed since and try and debug the 
problems I am seeing.

I find if I set the security level to 1,2,3 I get a kernel panic 
whenever a packet is sent.
If I set the security level to 4 the packets sent are corrupt.
If I set the security level to 5-7 wireshark decodes the packets as MIC 
check failed.

Regards

Simon


* Re: 802.15.4 security
  2015-06-18 10:12   ` Simon Vincent
@ 2015-06-18 11:13     ` Phoebe Buckheister
  2015-06-18 11:40       ` Phoebe Buckheister
  2015-06-18 11:42       ` Simon Vincent
  0 siblings, 2 replies; 10+ messages in thread
From: Phoebe Buckheister @ 2015-06-18 11:13 UTC (permalink / raw)
  To: Simon Vincent; +Cc: linux-wpan@vger.kernel.org

Hi Simon,

the last kernel I used this with was 3.15-rc8, so actually quite a while
ago. Unfortunately, I don't have the means to test things with a
current kernel right now, because I don't remember things failing that
hard when I last worked on that code. I usually used seclevel 5, which
worked fine with our devices.

@wireshark: by default, without further configuration, wireshark can't
check the MIC, because it doesn't have the necessary keys. There was a
way to give wireshark those keys, but I don't remember off hand how that
worked.


* Re: 802.15.4 security
  2015-06-18 11:13     ` Phoebe Buckheister
@ 2015-06-18 11:40       ` Phoebe Buckheister
  2015-06-18 11:43         ` Simon Vincent
  2015-06-18 15:02         ` Simon Vincent
  2015-06-18 11:42       ` Simon Vincent
  1 sibling, 2 replies; 10+ messages in thread
From: Phoebe Buckheister @ 2015-06-18 11:40 UTC (permalink / raw)
  To: Phoebe Buckheister; +Cc: Simon Vincent, linux-wpan@vger.kernel.org

Found the bug for levels 1,2,3:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/mac802154/llsec.c#n680

Scatterlist length 0 is invalid. If I had built the scatterlists
properly instead of setting single element lengths to 0
(because I thought that was allowed), things wouldn't die in a BUG().
Can't patch that now, though, I'm sorry :(


* Re: 802.15.4 security
  2015-06-18 11:13     ` Phoebe Buckheister
  2015-06-18 11:40       ` Phoebe Buckheister
@ 2015-06-18 11:42       ` Simon Vincent
  2015-06-18 11:44         ` Phoebe Buckheister
  1 sibling, 1 reply; 10+ messages in thread
From: Simon Vincent @ 2015-06-18 11:42 UTC (permalink / raw)
  To: Phoebe Buckheister; +Cc: linux-wpan@vger.kernel.org

Hi Phoebe,

I have added the key to wireshark so it should be able to do decryption 
and MIC checks.
Edit -> Preferences -> Protocols -> IEEE 802.15.4 -> Decryption key.
I assume this works...

What devices were you running on? Just wondering if it is an endian issue.

I will have a dig into the kernel and see if I can work out what is 
going wrong, I think a lot has changed since 3.15.

Simon


* Re: 802.15.4 security
  2015-06-18 11:40       ` Phoebe Buckheister
@ 2015-06-18 11:43         ` Simon Vincent
  2015-06-18 15:02         ` Simon Vincent
  1 sibling, 0 replies; 10+ messages in thread
From: Simon Vincent @ 2015-06-18 11:43 UTC (permalink / raw)
  To: Phoebe Buckheister; +Cc: linux-wpan@vger.kernel.org

No worries I will fix it.

Simon


* Re: 802.15.4 security
  2015-06-18 11:42       ` Simon Vincent
@ 2015-06-18 11:44         ` Phoebe Buckheister
  0 siblings, 0 replies; 10+ messages in thread
From: Phoebe Buckheister @ 2015-06-18 11:44 UTC (permalink / raw)
  To: Simon Vincent; +Cc: linux-wpan@vger.kernel.org

On Thu, 18 Jun 2015 12:42:16 +0100
Simon Vincent <simon.vincent@xsilon.com> wrote:

> Hi Phoebe,
> 
> I have added the key to wireshark so it should be able to do
> decryption and MIC checks.
> Edit -> Preferences -> Protocols -> IEEE 802.15.4 -> Decryption key.
> I assume this works...
> 
> What devices were you running on? Just wondering if it is an endian
> issue.

Only our own Contiki devices, with a crypto layer that predates crypto
as it is implemented in Contiki right now and grew out of horrible code
and a lot of misunderstandings. May well be that the code is still
wrong, even though I tried to fix it, and the kernel code is now broken
to match.

> I will have a dig into the kernel and see if I can work out what is 
> going wrong, I think a lot has changed since 3.15.
> 
> Simon
> 

* Re: 802.15.4 security
  2015-06-18 11:40       ` Phoebe Buckheister
  2015-06-18 11:43         ` Simon Vincent
@ 2015-06-18 15:02         ` Simon Vincent
  2015-06-18 15:32           ` Alexander Aring
  1 sibling, 1 reply; 10+ messages in thread
From: Simon Vincent @ 2015-06-18 15:02 UTC (permalink / raw)
  To: Phoebe Buckheister; +Cc: linux-wpan@vger.kernel.org

I have managed to get security working now in all modes.

I will submit a patch to fix the scatterlist bug.

The other problem I had was the IV was being generated incorrectly. This 
was because I had used the iwpan tools to set the mac address. This does 
not set the ieee802154_llsec_params.hwaddr[1] which is used for creating 
the IV.[2]

I am not sure the best way to fix this issue. Do we need to keep
a copy of the pan_id, hwaddr, coord_hwaddr, coord_shortaddr in the
llsec_params? It seems like it could easily get missed and not updated
if one of these parameters change.

Simon

[1] - 
http://lxr.free-electrons.com/source/include/net/ieee802154_netdev.h#L308
[2] - http://lxr.free-electrons.com/source/net/mac802154/llsec.c#L627 
and http://lxr.free-electrons.com/source/net/mac802154/llsec.c#L656


* Re: 802.15.4 security
  2015-06-18 15:02         ` Simon Vincent
@ 2015-06-18 15:32           ` Alexander Aring
  0 siblings, 0 replies; 10+ messages in thread
From: Alexander Aring @ 2015-06-18 15:32 UTC (permalink / raw)
  To: Simon Vincent; +Cc: Phoebe Buckheister, linux-wpan@vger.kernel.org

On Thu, Jun 18, 2015 at 04:02:19PM +0100, Simon Vincent wrote:
> I have managed to get security working now in all modes.
> 
> I will submit a patch to fix the scatterlist bug.
> 
> The other problem I had was the IV was being generated incorrectly. This was
> because I had used the iwpan tools to set the mac address. This does not set
> the ieee802154_llsec_params.hwaddr[1] which is used for creating the IV.[2]
> 

Yea, I actually also know that using both netlink interfaces and only
the old one for security is broken, see [0]:

---

... I know currently there is some function
"mac802154_wpan_update_llsec" which makes the security layer to work,
because it's not called when setting short/panid anywhere else.

---

What I meant there was that if using nl802154 and updating address it
will not call mac802154_wpan_update_llsec. If you like you can set
patches for that.

> I am not sure the best way to fix this issue. Do we need to keep a
> copy of the pan_id, hwaddr, coord_hwaddr, coord_shortaddr in the
> llsec_params? It seems like it could easily get missed and not updated if
> one of these parameters change.
> 

Well, I think there exists now better ways of course. But I would not
trust the implementation and we _maybe_ overlooked more than just the
missing calling of "mac802154_wpan_update_llsec".

We should go the way to support the crypto layer inside nl802154 and
then removing the old interface stuff.

- Alex

[0] http://www.spinics.net/lists/linux-wpan/msg02098.html
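
Added example, not part of the thread and not kernel code: a userspace C model of the IEEE 802.15.4 CCM* inputs that the last two messages turn on. It builds the 13-byte nonce from the sender's extended address, frame counter and security level, shows that a security-layer copy of the address that was not updated produces a nonce the receiver cannot reproduce (so the MIC check fails), and shows that at levels 1-3 the part to be encrypted is empty. struct model_dev, the set_addr_* helpers and the sample addresses are hypothetical and constructed for illustration.

```c
/* Added example: model of IEEE 802.15.4 CCM* inputs (not kernel code).
 * struct model_dev and set_addr_*() are hypothetical names. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 13

/* Security level: low two bits select the MIC size, bit 2 enables encryption. */
static int seclevel_mic_len(unsigned level)
{
    static const int mic[4] = { 0, 4, 8, 16 };
    return mic[level & 3];
}

static int seclevel_encrypts(unsigned level)
{
    return (level & 4) != 0;
}

struct ccm_input {
    size_t a_len;   /* bytes that are authenticated only */
    size_t m_len;   /* bytes that are encrypted */
};

/* Split a frame into CCM* "a" and "m" data for a given security level. */
static struct ccm_input ccm_split(unsigned level, size_t hdr_len, size_t payload_len)
{
    struct ccm_input in = { 0, 0 };

    if (seclevel_encrypts(level)) {
        in.m_len = payload_len;
        if (seclevel_mic_len(level))
            in.a_len = hdr_len;             /* levels 5-7 */
    } else if (seclevel_mic_len(level)) {
        in.a_len = hdr_len + payload_len;   /* levels 1-3: nothing to encrypt */
    }
    return in;
}

/* Nonce = extended address (8) || frame counter (4) || level (1),
 * each field most significant byte first, independent of host endianness. */
static void ccm_nonce(uint8_t out[NONCE_LEN], uint64_t ext_addr,
                      uint32_t frame_counter, uint8_t level)
{
    int i;

    for (i = 0; i < 8; i++)
        out[i] = (uint8_t)(ext_addr >> (56 - 8 * i));
    for (i = 0; i < 4; i++)
        out[8 + i] = (uint8_t)(frame_counter >> (24 - 8 * i));
    out[12] = level;
}

struct model_dev {
    uint64_t extended_addr;  /* address placed in outgoing frames */
    uint64_t llsec_hwaddr;   /* security layer's own copy, used for the nonce */
};

/* Address change that skips the security layer's copy (the failure mode). */
static void set_addr_unsynced(struct model_dev *d, uint64_t addr)
{
    d->extended_addr = addr;
}

/* Address change that updates both copies. */
static void set_addr_synced(struct model_dev *d, uint64_t addr)
{
    d->extended_addr = addr;
    d->llsec_hwaddr = addr;
}

/* Consistency check: non-zero when the security layer's copy is out of date. */
static int llsec_params_stale(const struct model_dev *d)
{
    return d->extended_addr != d->llsec_hwaddr;
}

/* 1 if the sender's nonce equals the one a receiver derives from the
 * source address it sees in the frame, 0 otherwise. */
static int nonces_match(const struct model_dev *d, uint32_t fc, uint8_t level)
{
    uint8_t tx[NONCE_LEN], rx[NONCE_LEN];

    ccm_nonce(tx, d->llsec_hwaddr, fc, level);
    ccm_nonce(rx, d->extended_addr, fc, level);
    return memcmp(tx, rx, NONCE_LEN) == 0;
}

int main(void)
{
    /* Constructed sample addresses. */
    struct model_dev d = { 0x0011223344556677ULL, 0x0011223344556677ULL };
    unsigned level;

    for (level = 1; level <= 7; level++) {
        struct ccm_input in = ccm_split(level, 21, 40);
        printf("level %u: MIC %2d bytes, a=%zu m=%zu\n", level,
               seclevel_mic_len(level), in.a_len, in.m_len);
    }
    printf("in sync:  nonces match = %d\n", nonces_match(&d, 5, 5));
    set_addr_unsynced(&d, 0x02aabbccddeeff01ULL);
    printf("stale:    nonces match = %d\n", nonces_match(&d, 5, 5));
    set_addr_synced(&d, 0x02aabbccddeeff01ULL);
    printf("resynced: nonces match = %d\n", nonces_match(&d, 5, 5));
    return 0;
}
```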
