Meshtastic Capabilities

You can add another layer of encryption by using any app that encrypts and decrypts text. You can then share this key with other users of your network.

1 Like

Do you know of an open souce app based on GNUpg that can run on andoid, or something similar?

@AndreK @garth @kokroo Thinking out loud, this is an interesting use case.

If Meshtastic were used for just the physical layer of which clients (like phones) use to transfer data, it would be possible for the clients to manage encryption outside of encryption provided by the transport.

It may end up being double encryption, but that’s not bad.

This would also mean that the devices can’t decode the payload and that’s ok.

This would need a dedicated port so the messages port isn’t cluttered, but that would be the only change required on the device.

If something like this, may be better using public/private key cryptography instead of pre shared key cryptography.

Now that I think of it, this is exactly like how our IP transport layer works.

MMMmmm…

This is what ATAK does without us doing anything right?

I view many of these security suggestions as theater, this thread and others like it are full of false security assumptions (encryption means end to end encryption, dev boards can be secured once someone has physical access)

This is the security that is actually in place now

There is a whole section that is several years old on possible future areas of work (if there is enough interest). There have been some additional suggestions / issues created in what I consider the theater category but nobody has ever dug in and done any of the actual work. I would suggest this is a pretty strong indication that there is not a lot of real interest in this, especially with ATAK being available.

What does a relay node need to change from a message payload before repeating it, beside the hop count ?

From what I understand so far, a relay needs to listen to a LoRa channel for incoming packets, then filter Meshtastic messages, and repeat them decreasing the hop count. In this case, it should be possible repeat messages whose payload can not be decoded, isn’t it ?

BTW, for those interested, here are some thoughts about more clear separation between LoRa channels and Meshtastic channels : Encryption / Secondary Channels - #9 by Eagle

Cheers

How is asking about keeping about keeping physical access to a node encrypted, theatre? Seems like a legit concern.

1 Like

Lol, yes. You are essentially talking about off grid decentralized internet.

Encrypting a string of text with a pre shared key is probably the fastest work around, assuming I can find a good open source app. Just copy and paste between encryption app and Meshtastic app.

I guess I could get a terminal shell and run gpg command line on the phone for encrypting and decrypting strings, but that would definitely hurt ease of use.

1 Like

@Edward you might find Reticulum Network Stack | unsigned.io interesting.

I’m hopeful Meshtastic might one day use it, but the C port needs to be completed first

1 Like

Okay found a great app for this.
Open key chain. It is open source and uses gpg encryption standards.

For predetermined passwords

1 Install and open app

2 Go to side menu. Hit encrypt/decrypt

3 Hit encrypt text

4 Change settings to “use password”

5 Enter password and the string of text to encrypt, and hit button to copy encrypted text to clipboard

To decrypt

1 copy encrypted text and open openkeychain

2 go to side menu, hit encrypt/decrypt

3 select read from clipboard. Enter in password

The app also supports signing with public and private keys etc. Their is also an app called pgp clipper that should integrate this more seamlessly with the clipboard, but I haven’t figured out how to use it yet.

It seems that running this setup on a secure hardened, degoogled, android, like GrapheneOS, should makes this Meshtastic use case pretty freaking end to end secure, without any “theatre”.

If I get physical access to your android phone or windows laptop with boot loader security, I still have a decent chance of being able to compromise your device. Pretending that a captured dev board with zero boot protections can be secured once somebody has physical access is theater.

The Android phone won’t be the device on a solar panel hidden in the woods. And hardened android with a secure boot loader, and enhanced verified boot is pretty good anyway. GrapheneOS uses an enhanced version of the modern filesystem-based disk encryption implementation in the Android Open Source Project. The officially supported devices have substantial hardware-based support for enhancing the security of the encryption implementation. GrapheneOS has full support for the hardware-based encryption features just as it does with other hardware-based security features.

The data partition stores all of the persistent state for the operating system. Full disk encryption is implemented via filesystem-based encryption with metadata encryption. All data, file names and other metadata is always stored encrypted. This is often referred to as file-based encryption but it makes more sense to call it filesystem-based encryption. It’s implemented by the Linux kernel as part of the ext4 / f2fs implementation rather than running a block-based encryption layer. The advantage of filesystem-based encryption is the ability to use fine-grained keys rather than a single global key that’s always in memory once the device is booted.

Disk encryption keys are randomly generated with a high quality CSPRNG and stored encrypted with a key encryption key. Key encryption keys are derived at runtime and are never stored anywhere.

File data is encrypted with AES-256-XTS and file names with AES-256-CTS. A unique key is derived using HKDF-SHA512 for each regular file, directory and symbolic link from the per-profile encryption keys, or the global encryption key for non-sensitive data stored outside of profiles. The directory key is used to encrypt the file names. GrapheneOS increases the file name padding from 16 bytes to 32 bytes. AES-256-XTS with the global encryption key is also used to encrypt filesystem metadata as a whole beyond the finer-grained file name encryption.

The OS derives a password token from the profile’s lock method credential using scrypt. This is used as the main input for key derivation.

The OS stores a high entropy random value as the Weaver token on the secure element (Titan M on Pixels) and uses it as another input for key derivation. The Weaver token is stored alongside a Weaver key derived by the OS from the password token. In order to retrieve the Weaver token, the secure element requires the correct Weaver key. A secure internal timer is used to implement hardware-based delays for each attempt at key derivation. It quickly ramps up to 1 day delays before the next attempt. Weaver also provides reliable wiping of data since the secure element can reliably wipe a Weaver slot. Deleting a profile will wipe the corresponding Weaver slot and a factory reset of the device wipes all of the Weaver slots. The secure element also provides insider attack resistance preventing firmware updates before authenticating with the owner profile.

Standard delays for encryption key derivation enforced by the secure element:

  • 0 to 4 failed attempts: no delay
  • 5 failed attempts: 30 second delay
  • 6 to 9 failed attempts: no delay
  • 10 to 29 failed attempts: 30 second delay
  • 30 to 139 failed attempts: 30 × 2⌊(n - 30) ÷ 10⌋ where n is the number of failed attempts. This means the delay doubles after every 10 attempts. There’s a 30 second delay after 30 failed attempts, 60s after 40, 120s after 50, 240s after 60, 480s after 70, 960s after 80, 1920s after 90, 3840s after 100, 7680s after 110, 15360s after 120 and 30720s after 130
  • 140 or more failed attempts: 86400 second delay (1 day)

Invalid input outside the minimum or maximum length limits of the UI won’t trigger an attempt at authentication or key derivation.

The password token, Weaver token and other values like the OS verified boot key are used by the TEE as inputs to a hardware-bound key derivation algorithm provided by the SoC. The general concept is having the SoC perform hardware accelerated key derivation using an algorithm like AES or HMAC keyed with a hard-wired hardware key inaccessible to software or firmware. This is meant to prevent offloading a brute force attack onto more powerful hardware without an expensive process of extracting the hardware key from the SoC.

But, the point is if someone captures the relay node when messages are encrypted with gpg the only thing they will see is:

-----BEGIN PGP MESSAGE-----

jA0ECQMCybZb1DYq079g0kMB/Brl/vkjVWQj84NhBkDHwrPT8jP7aryXS2Jn0oQk
K+u3L1OcC6lXcOMpAliW+bAQmq/gTKuwPt8zefzB9MEKiUHz
=vtLv
-----END PGP MESSAGE-----

The node will be the hardware hidden in the woods, not the android.

@Edward It’s not theater. I agree with you, this should work by default.

This app seems to be one that makes it easy to encrypt/decrypt: https://play.google.com/store/apps/details?id=com.deeppradhan.encrypt_decrypt&hl=en&gl=US

@garth A device physically captured may be breached with some effort, but I don’t think anyone reasonably expects safety at the time of physical capture of the phone.

@mc-hamster It needs to be implemented somewhat similarly to encryption. A layer of user-supplied encryption over the payload. The nodes themselves won’t be able to decode the message and display it.

That’s how proofs of concept and prototypes begin. Give it a shot. Use port “PRIVATE_APP” for the prototype (aka Port 256) and if this works out, we can allocate a more permanent port.

Roger that. I’ll have to l buy some hardware when I scrape together a few extra quid.

That app looks easy enough to use. It does however have some bad reviews on its encryption standard.

I have been playing around with open keychain all morning. I am starting to really like it because it is easy to use. It also has option between pass phase encryption and public/private key. Its is recommended by the guardian project, open source, and independently audited. It also integrates quite well with the clipboard.

Sorry to bring up my own message, but if someone knows the answer or can point me to the right documentation pages, I would be very thankful.

TLDR: Is there a technical reason why a repeater (relay node) needs to be able to decrypt the message payload ? If not, do we agree it would be a desirable feature to be able to configure a node as a relay-only, with parameters about what to repeat, but no key provided, so that hardware theft does NOT imply messages security break.

Cheers

@Eagle

Makes sense to me, but I am still trying to read up on all the specifics of Meshtastic.

Just thinking out loud, but it might require two sets of keys. One key for the relay node to authenticate that the the transmission is coming from an authorized user/transmitter on the network even though it can’t decrypt the payload, and then a separate key to finally decrypt message by the final recipient.

1 Like

This is interesting, however, I do feel like you’re kind of reinventing Nomad Network | unsigned.io but without the ~4yr development effort that’s gone into that project.

If the Meshtastic team are interested in exploring strong encryption, I wonder if working on the C port and then integrating Reticulum might be a good approach.

@Eagle It does not need to be able to decrypt the payload. As of now, each node has the key. In theory, the router can relay the payload without being able to decrypt it.

@Edward You are talking about an authorization key and a payload key. It can be done but someone will need to pick up this “feature”. The development targets for version 1.3 are locked if I am not wrong, so maybe this can be targeted for 1.4

Okay interesting. Thanks.