begin work on crypto

2020-05-09 16:15:01 -07:00 · 2020-05-09 16:15:01 -07:00 · 28d21ecdcc
commit 28d21ecdcc
--- a/docs/software/TODO.md
+++ b/docs/software/TODO.md
@ -29,7 +29,6 @@ fetches the fresh nodedb.
 - rx signal measurements -3 marginal, -9 bad, 10 great, -10 means almost unusable. So scale this into % signal strength. preferably as a graph, with an X indicating loss of comms.
 - assign every "channel" a random shared 8 bit sync word (per 4.2.13.6 of datasheet) - use that word to filter packets before even checking CRC. This will ensure our CPU will only wake for packets on our "channel"
 - Note: we do not do address filtering at the chip level, because we might need to route for the mesh
- add basic crypto - https://github.com/chegewara/esp32-mbedtls-aes-test/blob/master/main/main.c https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation - use ECB at first (though it is shit) because it doesn't require us to send 16 bytes of IV with each packet. Then OFB per example. Possibly do this crypto at the data payload level only, so that all of the packet routing metadata
  is in cleartext (so that nodes will route for other radios that are cryptoed with a key we don't know)
 - add frequency hopping, dependent on the gps time, make the switch moment far from the time anyone is going to be transmitting
 - share channel settings over Signal (or qr code) by embedding an an URL which is handled by the MeshUtil app.
--- a/docs/software/cypto.md
+++ b/docs/software/cypto.md
@ -0,0 +1,38 @@
+# Encryption in Meshtastic
+
+Cryptography is tricky, so we've tried to 'simply' apply standard crypto solutions to our implementation. However,
+the project developers are not cryptography experts. Therefore we ask two things:
+
+- If you are a cryptography expert, please review these notes and our questions below. Can you help us by reviewing our
+  notes below and offering advice? We will happily give as much or as little credit as you wish as our thanks ;-).
+- Consider our existing solution 'alpha' and probably fairly secure against an not very aggressive adversary. But until
+  it is reviewed by someone smarter than us, assume it might have flaws.
+
+## Notes on implementation
+
+- We do all crypto at the SubPacket (payload) level only, so that all meshtastic nodes will route for others - even those channels which are encrypted with a different key.
+- Mostly based on reading [Wikipedia](<https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)>) and using the modes the ESP32 provides support for in hardware.
+- We use AES256-CTR as a stream cypher (with zero padding on the last BLOCK) because it is well supported with hardware acceleration.
+
+Parameters for our CTR implementation:
+
+- Our AES key is 256 bits, shared as part of the 'Channel' specification.
+- Each SubPacket will be sent as a series of 16 byte BLOCKS.
+- The node number concatenated with the packet number is used as the NONCE. This counter will be stored in flash in the device and should essentially never repeat. If the user makes a new 'Channel' (i.e. picking a new random 256 bit key), the packet number will start at zero. The packet number is sent
+  in cleartext with each packet. The node number can be derived from the "from" field of each packet.
+- Each BLOCK for a packet has an incrementing COUNTER. COUNTER starts at zero for the first block of each packet.
+- The IV for each block is constructed by concatenating the NONCE as the upper 96 bits of the IV and the COUNTER as the bottom 32 bits. Note: since our packets are small counter will really never be higher than 32 (five bits).
+
+```
+You can encrypt separate messages by dividing the nonce_counter buffer in two areas: the first one used for a per-message nonce, handled by yourself, and the second one updated by this function internally.
+For example, you might reserve the first 12 bytes for the per-message nonce, and the last 4 bytes for internal use. In that case, before calling this function on a new message you need to set the first 12 bytes of nonce_counter to your chosen nonce value, the last 4 to 0, and nc_off to 0 (which will cause stream_block to be ignored). That way, you can encrypt at most 2**96 messages of up to 2**32 blocks each with the same key.
+
+The per-message nonce (or information sufficient to reconstruct it) needs to be communicated with the ciphertext and must be unique. The recommended way to ensure uniqueness is to use a message counter. An alternative is to generate random nonces, but this limits the number of messages that can be securely encrypted: for example, with 96-bit random nonces, you should not encrypt more than 2**32 messages with the same key.
+
+Note that for both stategies, sizes are measured in blocks and that an AES block is 16 bytes.
+```
+
+## Example code links
+
+- Example code for [NRF52](https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.sdk5.v15.0.0/lib_crypto_aes.html#sub_aes_ctr)
+- Example code for [ESP32](https://github.com/chegewara/esp32-mbedtls-aes-test/blob/master/main/main.c)
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit b35e7fb17e80a9761145d69a288a9e87af862cab
+Subproject commit 1a5afe8f567866981ac0cd0a75a95503064d33c2
--- a/src/mesh/CryptoEngine.cpp
+++ b/src/mesh/CryptoEngine.cpp
@ -0,0 +1,16 @@
+#include "CryptoEngine.h"
+#include "configuration.h"
+
+void CryptoEngine::setKey(size_t numBytes, const uint8_t *bytes)
+{
+    DEBUG_MSG("WARNING: Using stub crypto - all crypto is sent in plaintext!\n");
+}
+
+/**
+ * Encrypt a packet
+ *
+ * @param bytes is updated in place
+ */
+void CryptoEngine::encrypt(uint32_t fromNode, uint64_t packetNum, size_t numBytes, uint8_t *bytes) {}
+
+void CryptoEngine::decrypt(uint32_t fromNode, uint64_t packetNum, size_t numBytes, uint8_t *bytes) {}
--- a/src/mesh/CryptoEngine.h
+++ b/src/mesh/CryptoEngine.h
@ -0,0 +1,31 @@
+#pragma once
+
+#include <Arduino.h>
+
+/**
+ * see docs/software/crypto.md for details.
+ *
+ * The NONCE is constructed by concatenating:
+ * a 32 bit sending node number + a 64 bit packet number + a 32 bit block counter (starts at zero)
+ */
+
+class CryptoEngine
+{
+  public:
+    /**
+     * Set the key used for encrypt, decrypt.
+     *
+     * As a special case: If all bytes are zero, we assume _no encryption_ and send all data in cleartext.
+     *
+     * @param numBytes must be 32 for now (AES256)
+     */
+    void setKey(size_t numBytes, const uint8_t *bytes);
+
+    /**
+     * Encrypt a packet
+     *
+     * @param bytes is updated in place
+     */
+    void encrypt(uint32_t fromNode, uint64_t packetNum, size_t numBytes, uint8_t *bytes);
+    void decrypt(uint32_t fromNode, uint64_t packetNum, size_t numBytes, uint8_t *bytes);
+};