135u5 / tinyos-main

Automatically exported from code.google.com/p/tinyos-main

CC2420 in-line security features are comprehensively broken #34

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Install tinyos-main/apps/tests/cc2420/TestSecurity/RadioCountToLeds1 on an 
appropriate mote (I've tested with telosbs and various shimmer revs).
2. Using a sniffer, look at the transmitted data. Do not use a receiver mote, as 
the receive side is equally broken and hides the problem.

What is the expected output? What do you see instead?
As CCM mode is selected, the data should be encrypted and authenticated with a 
16-byte MIC. Instead the data, i.e. the count, is transmitted in plain text, and 
only 4 bytes of the MIC are set. I haven't tested whether these 4 bytes are set 
correctly or not. I've checked this with each mode and there are serious 
problems with all of them. 

Specifically, in CTR mode the data is sent in plain text instead of encrypted. 
Additionally, the last 4 bytes of the data are truncated (related to the MIC 
issues in the other modes???). 
In CBC_MAC mode only the last 4 bytes of the MIC are overwritten by the CC2420 
driver (again, I've not checked if this MIC is in any way correct) even if the 
MIC size is set to 8 or 16. 
And when no security is set, only the very first packet seems to be sent after 
the mote boots up; I don't see any sign of any subsequent packet.

What version of the product are you using? On what operating system?
This is an issue with the current SVN head (rev 5538). I've tested as far back 
as SVN rev 5173, and while the problem is different, it is still very much 
broken. When I test with the final version of tinyos-2.x in sourceforge it 
works as expected.

Please provide any additional information below.
As an example here are 3 (full) subsequent packets from the RadioCountToLeds1 
application, using tinyos-main SVN rev 5538:
69 88 e3 22 00 ff ff 01 00 3f 00 00 0a e4 01 00 06 0a e4 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 0e 1c 60 18 ca ff

69 88 e4 22 00 ff ff 01 00 3f 00 00 0a e5 01 00 06 0a e5 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 0e 1c 60 11 4f ff

69 88 e5 22 00 ff ff 01 00 3f 00 00 0a e6 01 00 06 0a e6 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 0e 1c 60 d8 d8 ff

and here are 3 packets from the exact same applications using the last 
tinyos-2.x rev from sourceforge:
69 88 4d 22 00 ff ff 01 00 e8 00 00 00 4e 01 3f 06 23 0d 15 6c ca cd 0c d4 ba 
7e 17 a0 72 b6 ca 38 99 fa 1b 73 13 41 4e 92 6c 96 54 48 6e 20 c6 b4 09 f6 5c 
98 ef a1 58 6d 61 fb e2 70 b1 5b 6b dc 85 1e f3 d3 eb 7c 8d 5d 2c d5 80 2f ff

69 88 4e 22 00 ff ff 01 00 e8 00 00 00 4f 01 3f 06 63 1a 3f d0 65 6d 0d 84 df 
68 0f 07 bf 23 9d 88 4f cf 14 ef d0 c4 e8 c8 26 99 65 b9 57 31 d9 26 78 2b 1e 
a0 0b a2 45 d9 af e7 48 e4 8a 9d f4 56 eb df 53 35 36 43 0d d5 c7 b9 a7 36 ff

69 88 4f 22 00 ff ff 01 00 e8 00 00 00 50 01 3f 06 87 19 06 58 60 01 41 f7 76 
e1 69 77 ce b3 ed 65 aa 83 2a 27 1b 67 ea 06 0f dd 89 34 44 4b ae 11 ec cf 79 
ad bc cf 6f ce 5a a3 a9 d8 b1 98 6c d9 90 5b bb b1 60 d0 03 a3 cd 3a 51 47 ff

The count is obvious in the SVN rev 5538 version, i.e. 0xe4, 0xe5, 0xe6.

The count is impossible to determine from the data section of the tinyos-2.x 
sourceforge rev (even though from the sequence number it is obvious that it is 
0x4e, 0x4f, 0x50).

Original issue reported on code.google.com by mikeghe...@gmail.com on 18 Apr 2011 at 8:05
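
Added example (not part of the original report or of TinyOS): a Python check over the first frame of each capture above that flags a frame whose 802.15.4 security-enabled bit is set while its body still looks like plaintext. Assumptions: the 9-byte MAC header implied by frame control field 0x8869, everything after that header (including any sniffer trailer bytes) treated as body, and the 4.0-bit entropy threshold; the function names are hypothetical.

```python
import math
from collections import Counter

# First frame of each capture in the report above (zero run written as a repeat).
BROKEN = ("69 88 e3 22 00 ff ff 01 00 3f 00 00 0a e4 01 00 06 0a e4"
          + " 00" * 52 + " b9 0e 1c 60 18 ca ff")
WORKING = ("69 88 4d 22 00 ff ff 01 00 e8 00 00 00 4e 01 3f 06 23 0d 15 6c ca cd 0c d4 ba "
           "7e 17 a0 72 b6 ca 38 99 fa 1b 73 13 41 4e 92 6c 96 54 48 6e 20 c6 b4 09 f6 5c "
           "98 ef a1 58 6d 61 fb e2 70 b1 5b 6b dc 85 1e f3 d3 eb 7c 8d 5d 2c d5 80 2f ff")

SECURITY_ENABLED = 0x0008   # IEEE 802.15.4 frame control, bit 3
PAN_COMPRESSION = 0x0040    # IEEE 802.15.4 frame control, bit 6
SHORT_ADDR = 2              # addressing mode value for 16-bit addresses
MAC_HDR_LEN = 9             # FCF(2) + seq(1) + dest PAN(2) + dest(2) + src(2)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        best, prev = max(best, run), b
    return best


def audit(frame_hex: str, min_entropy: float = 4.0) -> dict:
    """Flag frames that claim security but whose body is not ciphertext-like."""
    frame = bytes.fromhex(frame_hex)
    fcf = int.from_bytes(frame[:2], "little")
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if not (dst_mode == src_mode == SHORT_ADDR and fcf & PAN_COMPRESSION):
        raise ValueError("header layout differs from the one assumed here")
    body = frame[MAC_HDR_LEN:]   # assumption: includes any sniffer trailer bytes
    h = entropy(body)
    sec = bool(fcf & SECURITY_ENABLED)
    return {"security_bit": sec, "entropy": round(h, 2),
            "longest_run": longest_run(body),
            "suspect_plaintext": sec and h < min_entropy}


if __name__ == "__main__":
    for name, frame in (("rev 5538", BROKEN), ("sourceforge", WORKING)):
        print(name, audit(frame))
```

Both frames set the security-enabled bit; only the rev 5538 frame is flagged, because its body is dominated by a 52-byte run of zeros.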

GoogleCodeExporter commented 8 years ago

Original comment by philip.l...@gmail.com on 20 Apr 2011 at 4:43

GoogleCodeExporter commented 8 years ago
The change for this is done now.

Original comment by jeonggil...@gmail.com on 27 Jul 2011 at 4:48

GoogleCodeExporter commented 8 years ago
Hello,
I'm having the same issue as in rev 5538 with the code that is now (1-August-2013) 
on https://github.com/tinyos/tinyos-main, and the mote I'm using is Z1.

Original comment by esterart...@gmail.com on 1 Aug 2013 at 12:56