There are various "security sensitive" pieces of data that need to be
exchanged between Applications and the Bluetooth Mesh daemon.

The following items will be encrypted before sending over D-Bus:

token -- This is used by all nodes.

net_keys, app_keys, dev_keys -- These will only typically be needed by
Provisioner/Config Client nodes to extract the keys for purposes of
Configuration Database transfer.

Methodology: ECC Public/Private pairs, and key exchanges which are set
up for each Attach() Session, and a counting diversifier to be used as a
Nonce.

The App and Daemon will each generate a single session ECC pair, and
will generate an ECDH Shared Secret, which will be used as the symmetric
encryption key, for AES-CCM.

For most nodes, these steps will be required only for Attaching, to
authenticate the application to the daemon while obscuring the token
from D-Bus sniffers.

ECC and AES-CCM are both already natively supported by Mesh.

Brian Gix (1):
  doc: Add Pub/Private ECC shared secret to obscure sensitive data

 doc/mesh-api.txt | 102 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 91 insertions(+), 11 deletions(-)

-- 
2.21.0
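
The session scheme described in the cover letter above, as an added Python example; it is not code from the patch or from BlueZ. Assumptions: the P-256 curve, the raw 32-byte shared secret used directly as the AES-CCM key, a 13-byte nonce built from a direction byte plus the counter, the counter travelling alongside the ciphertext, and the hypothetical Session helper and its names.

```python
# Added illustration, not BlueZ code; needs the "cryptography" package.
import struct
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

APP_TO_DAEMON, DAEMON_TO_APP = 0, 1  # assumed direction tags


class Session:
    """One end of an Attach() session (hypothetical helper)."""

    def __init__(self, send_dir):
        self._priv = ec.generate_private_key(ec.SECP256R1())
        self.public_key = self._priv.public_key()
        self._send_dir, self._recv_dir = send_dir, 1 - send_dir
        self._send_ctr = self._recv_ctr = 0
        self._ccm = None

    def complete(self, peer_public_key):
        # Assumption: the 32-byte ECDH secret is used directly as the key.
        secret = self._priv.exchange(ec.ECDH(), peer_public_key)
        self._ccm = AESCCM(secret)

    @staticmethod
    def _nonce(direction, counter):
        # Assumed 13-byte layout: direction, 4 zero bytes, 64-bit counter.
        return struct.pack(">B4xQ", direction, counter)

    def seal(self, plaintext):
        self._send_ctr += 1  # never reuse a counter under one session key
        nonce = self._nonce(self._send_dir, self._send_ctr)
        return self._send_ctr, self._ccm.encrypt(nonce, plaintext, None)

    def open(self, counter, blob):
        if counter <= self._recv_ctr:  # replayed or reordered message
            raise ValueError("stale counter")
        nonce = self._nonce(self._recv_dir, counter)
        plaintext = self._ccm.decrypt(nonce, blob, None)  # InvalidTag if forged
        self._recv_ctr = counter  # advance only after authentication
        return plaintext


if __name__ == "__main__":
    app, daemon = Session(APP_TO_DAEMON), Session(DAEMON_TO_APP)
    app.complete(daemon.public_key)
    daemon.complete(app.public_key)
    ctr, blob = app.seal(bytes.fromhex("0123456789abcdef"))  # constructed token
    print(ctr, blob.hex(), daemon.open(ctr, blob).hex())
```

The direction byte keeps the two sides from ever producing the same nonce under the shared key, and the receive counter only moves forward after the CCM tag verifies.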