Payload Encryption¶
Obsolete: this encryption was proprietary design and is no longer supported in Homebase firmware.
Because of hardware limitations there is no standard asymmetric encryption used, thus MQTT packets are send in plaintext. Encryption is used only for MQTT payload, in this case JSON dictionary with measured data and configuration. AES128 (in CBC mode) is used for encryption and HMAC-SHA256 for message authentication. AES and HMAC keys are stored in device’s memory during manufacturing (this memory section is called secret).
Principles¶
Topic name is not encrypted.
Payload is encrypted and signed with:
Cipher: AES-128 (16B key), CBC
Align: with space (
0x20)Signature: HMAC-SHA-256
Part of the payload is the time of the transmittion and this time is validated upon receiving message.
All encrypted topics starts with
s/.
Structure of encrypted payload is:
Time (4B): transmission time, unix timestamp in seconds.
Content: message with measured data (in this case JSON string).
Alignment: AES128 is block cipher, thus all data has to be multiple of 128b. Content is aligned with spaces (
0x20) to cipher block size.Encrypted: time and content are encrypted with AES-128 in CBC mode (key and IV are part of device’s secret)
Signature (32B): encrypted data are signed with HMAC-SHA-256 (key is part of secret)
MQTT clock¶
Because Homebases does not contain realtime clock, there is specific way to sync time from server using clock application. This application has to have some special features for entryption to work. Firstly without time there is no other communication possible. Time inside homebase and cluster has to be synced. So time application works with encryption like this:
Time of the transmission to
s/sn/+/clock/initis ignored by cluster.Payload of
s/sn/+/clock/initcontains randomly generated token:{"token": "aabb1122"}.This token is used as time of the transmition of s/sn/+/clock/conf but only once. Than it is discarded by both sides.
Now time is synced and other messages can be produced.