Re: 802.15.4 security

[Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>]

On Thu, 18 Jun 2015 12:42:16 +0100
Simon Vincent <simon.vincent@xsilon.com> wrote:

> Hi Phoebe,
> 
> I have added the key to wireshark so it should be able to do
> decryption and MIC checks.
> Edit -> Preferences -> Protocols -> IEEE 802.15.4 -> Decryption key.
> I assume this works...
> 
> What devices were you running on? Just wondering if it is an endian
> issue.

Only our own Contiki devices, with a crypto layer that predates crypto
as it is implemented in Contiki right now and grew out of horrible code
and a lot of misunderstandings. May well be that the code is still
wrong, even though I tried to fix it, and the kernel code is now broken
to match.

> I will have a dig into the kernel and see if I can work out what is 
> going wrong, I think a lot has changed since 3.15.
> 
> Simon
> 
> On 18/06/15 12:13, Phoebe Buckheister wrote:
> > Hi Simon,
> >
> > the last kernel I used this with was 3.15-rc8, so actually quite a
> > while ago. Unfortunately, I don't have the means to test things
> > with a current kernel right now, because I don't remember things
> > failing that hard when I last worked on that code. I usually used
> > seclevel 5, which worked fine with our devices.
> >
> > @wireshark: by default, without further configuration, wireshark
> > can't check the MIC, because it doesn't have the necessary keys.
> > There was a way to give wireshark those keys, but I don't remember
> > off hand how that worked.
> >
> > On Thu, 18 Jun 2015 11:12:19 +0100
> > Simon Vincent <simon.vincent@xsilon.com> wrote:
> >
> >> Hi Phoebe,
> >>
> >> I am having some problems with the 802.15.4 security.
> >>
> >> What kernel version/gitref did you last test the 802.15.4 security
> >> on? What level of security are you using? (1-7)
> >>
> >> I can then have a look what has changed since and try and debug the
> >> problems I am seeing.
> >>
> >> I find if I set the security level to 1,2,3 I get a kernel panic
> >> whenever a packet is sent.
> >> If I set the security level to 4 the packets sent are corrupt.
> >> If I set the security level to 5-7 wireshark decodes the packets as
> >> MIC check failed.
> >>
> >> Regards
> >>
> >> Simon
> >>
> >> On 28/05/15 10:00, Phoebe Buckheister wrote:
> >>> Hi Simon,
> >>>
> >>> sorry for taking so long to reply. Unfortunately, there's
> >>> currently no actual documentation for the crypto layer (and I
> >>> probably won't come around to write any sometime soon), but I
> >>> have built an application that works with llsec [1].
> >>>
> >>> The process to set up a crypto config for a network is rougly
> >>> outlined in [2] and [3]. There are more options to the crypto
> >>> layer than are used there, but the process is pretty much the
> >>> same: you add a number of devices you want to securely
> >>> communicate with, add the keys those devices will use to
> >>> communicate, and then set the general parameters for llsec (like
> >>> default llsec, enabling the crypto layer and such).
> >>>
> >>> Hope that helps a little,
> >>> Phoebe
> >>>
> >>>
> >>> [1]
> >>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm
> >>> [2]
> >>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L160
> >>> [3]
> >>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L90
> >>>
> >>> On Thu, 21 May 2015 14:23:10 +0100
> >>> Simon Vincent <simon.vincent@xsilon.com> wrote:
> >>>
> >>>> What is the status of the crypto-layer? I can see a lot of crypto
> >>>> functionality in the mac layer but I can't work out how to setup
> >>>> the keys and enable encryption/authentication. Will this be part
> >>>> of the wpan-tools?
> >>>>
> >>>> - Simon
> >>>> --
> >>>> To unsubscribe from this list: send the line "unsubscribe
> >>>> linux-wpan" in the body of a message to majordomo@vger.kernel.org
> >>>> More majordomo info at
> >>>> http://vger.kernel.org/majordomo-info.html
> >>> --
> >>> To unsubscribe from this list: send the line "unsubscribe
> >>> linux-wpan" in the body of a message to majordomo@vger.kernel.org
> >>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wpan"
> in the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html