2.0.6 Encryption

Just updated three T-Beam v1.1s and a G1 Nano from 1.2.65 to 2.0.6, using Edge, as the Flasher GUI on Windows/Python was detecting a RAK for some reason. I actually like the Browser based method - very polished.

I found the Channel Encryption Tab (Stacked Papers Icon) and was happy to see AES256 with a long key. My question is: Are these keys randomly generated upon channel creation, or are there a bunch of canned keys embedded in the firmware, kind of like the old versions? ‘Refresh’ generates a new key. Where is the entropy grabbed from?

On the old versions, in order to get a 256 bit random key, you had to specify ‘Random’ in the GUI Flasher or CLI - if not, it would use a weak key baked into the firmware - obviously not secure against a sophisticated attacker.

I also experimented with Manual Key entry, and that seems to work, as long as you stick to some limits on characters, length, and special symbols.

Great work Team, thank you.

There are no changes to the encryption, the only “canned” key is the default

Thanks for the reply.

So if I’m a new user, and just go through the normal steps, create the first Channel 0 with the name and range/speed options, and then scan the QR Code from a second device - is that key randomly generated, or baked in?

When clicking Refresh in the appropriate tab using the Browser @client.meshtastic.org, is each successively generated key random?

When I changed the existing key to a manual entry, my network name changed from ‘Test-L’ to ‘Test-Y’. How is that appended letter related to the encryption key / what’s it for?

Thanks, I know most probably don’t care about the encryption, but certain groups (think Ukraine) absolutely need it to be as robust as it can be. If you ensure physical security of each device, Over The Air interception is the only attack surface.

When you scan the QR code it applies the settings from the device that you got the QR code from, not sure why android changes the channel name.

A huge number of users just use the default settings.

Even just for me as a prepper using Meshtastic for off grid comms, knowing how robust the encryption system is is essential. These are good questions.

Yes, I wonder if the #security section on Discord would be a better place to ask? It’s in the Dev section, and I’m not one - but I do know an intermediate level about securing communications on, and between, devices.

Out of the box setup would be fine, if someone could say “the encryption key you see, is randomly generated”. My worry, is that those character strings (even after clicking refresh to populate a new key) pre-exist somewhere in the code. That would be real bad, as all an attacker would need to do, is get the code, and build a Rainbow Table.

The best advice I can give you ATM, is take your ‘Master Device’ that you used to create the QR Code for your network, connect to a computer via USB, open Edge or Chrome (I use Windows), and go to client.meshtastic.org. Once in there, click the ‘Stacked Papers’ icon and you will see ‘AES 256’ and a key listed. Create your own key, the exact same length, using the same character set (it is real picky as to this - it seems to truncate if too long, or if using certain special characters) using A-Z, a-z, 0-9, and +, =, and/or /. Then click save, make it visible, and make sure it’s what you want.

Your Network name will change from ‘Whatever-Some Letter’ to ‘Whatever-Another Letter’ - so rescan the new QR Code on all your other devices. That’s what worked for me, and that is a unique key. Good luck!

Edit: As a refresher, on 1.2.x, from what I can gather/is in the Docs - the OOB setup was 100% a weak encryption key. In order to change that, you had to go into either the GUI Flasher or CLI, and either click the ‘Random’ button, or type the Random command.
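An added example (not code from this thread or from the Meshtastic project) of the two things discussed above: drawing a fresh 256-bit key from the operating system's CSPRNG rather than from anything baked into the code, and checking that a manually entered key is well-formed before trusting it. It assumes the key field holds the raw 32-byte AES-256 key encoded as standard base64, which matches the A-Z, a-z, 0-9, +, /, = character set and fixed length described above; the `known_public_keys` parameter is a hypothetical hook for any key you know to be a shipped default.

```python
import base64
import binascii
import re
import secrets

AES256_KEY_BYTES = 32  # 256-bit key
# Standard base64 of exactly 32 bytes is always 44 characters: 43 from the
# alphabet plus a single trailing '=' pad. Anything else is the wrong length.
BASE64_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def generate_channel_key() -> str:
    """Return a fresh 256-bit key as base64, drawn from the OS CSPRNG.

    secrets.token_bytes() uses the platform's cryptographic RNG, so no key
    material is present in the source code or repeatable across runs.
    """
    return base64.b64encode(secrets.token_bytes(AES256_KEY_BYTES)).decode("ascii")


def validate_channel_key(key: str, known_public_keys: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Check a manually entered key: alphabet, length, decoded size, and obvious weakness.

    known_public_keys is a hypothetical allow-list-in-reverse: any base64 key
    you know to be a published default goes in here and is rejected outright.
    """
    if not BASE64_KEY_RE.fullmatch(key):
        return False, "key must be 44 chars of A-Z a-z 0-9 + / ending in a single ="
    try:
        raw = base64.b64decode(key, validate=True)
    except binascii.Error as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != AES256_KEY_BYTES:
        return False, f"decodes to {len(raw)} bytes, expected {AES256_KEY_BYTES}"
    if len(set(raw)) == 1:
        # e.g. 'AAAA...=' decodes to 32 zero bytes: a valid format, worthless key
        return False, "degenerate key (every byte identical)"
    if key in known_public_keys:
        return False, "key is a known published/default key"
    return True, "ok"


if __name__ == "__main__":
    fresh = generate_channel_key()
    print(fresh, validate_channel_key(fresh))
    # Constructed example of a hand-typed key that is one character too long:
    print(validate_channel_key(fresh + "x"))
```

Two keys generated this way never match, so a refreshed key that ever repeats would itself be evidence of a broken RNG.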

The long keys are random and not in the code; you can search the code. The code related to the encryption keys is unchanged in 2.0.

That is good news, thank you Sir.