How to acquire Mesh keys API

RE: How to acquire Mesh keys API

leonwj — Thu, 22 Feb 2018 20:37:55 GMT

Thanks Dash... It would be interesting to get your initial take on the product if you ever get the time. We attended a webinar on its features a few months ago when it was a work-in-progress just so we could gauge how it went about decoding mesh messages etc.

RE: How to acquire Mesh keys API

tesc — Thu, 22 Feb 2018 12:19:32 GMT

There is no API for the root key, so if you need that one you will have to add that functionality yourself.

Yes, derivation of the keys is deterministic. All encryption functions are described in chapter 3.8.2 Security toolbox of the Bluetooth Mesh specification, and the keys are described in details in chapter 3.8.6 Keys.

The encryption functions are part of internal mesh APIs which are not documented on Infocenter, but the source is part of the mesh SDK. (You find them in mesh/core/include/enc.h and mesh/core/src/enc.c.)

RE: How to acquire Mesh keys API

Dash — Wed, 21 Feb 2018 18:16:16 GMT

The call dsm_net_secmat_from_keyindex_get() returns a structure that has two keys in it (encryption and privacy). According to bluetooth.com

"All nodes in a Bluetooth mesh network possess one or more Network Keys (NetKey), each corresponding to a subnet which may be the primary subnet. It’s possession of a network key which makes a node a member of the network. Network Encryption Keys and Privacy Keys are derived directly from the NetKey."

We are using the Sodera Frontline which looks like it wants the root netkey in its INI file. Is there a way to get the root net key that the Network Encryption Keys and Privacy Keys are derived from?

Is the derivation of the Network Encryption Keys and Privacy Keys standardized where anyone with the root netkey will always be able to derive the same Network Encryption Keys and Privacy Keys?

RE: How to acquire Mesh keys API

Dash — Wed, 21 Feb 2018 17:43:42 GMT

We are using the Sodera/Frontline

RE: How to acquire Mesh keys API

leonwj — Wed, 21 Feb 2018 15:41:21 GMT

Thanks tesc,

I somehow completely missed the dsm_devkey_handle_get() API function call.

RE: How to acquire Mesh keys API

tesc — Wed, 21 Feb 2018 11:40:43 GMT

Yes. The DevKey is stored with the AppKeys.

You can use dsm_devkey_handle_get() for getting the handle, then fetch the DevKey using dsm_tx_secmat_get(). No need to traverse on your own.

RE: How to acquire Mesh keys API

leonwj — Tue, 20 Feb 2018 18:09:50 GMT

Hello,

My understanding is that the devkey (device key) is simply a special form of appkey (application key) known only between each specific node and the provisioner.

I believe that the nrf_mesh_application_secmat_t struct has a boolean indicating whether the stored key in that index is an appkey or devkey. So traversing through should yield the correct devkey (either on the node and/or provisioner)

/**
 * Application security material structure.
 *
 * This structure is required for the encryption of the application data.
 *
 * @note This is intended to be managed by the device_state_manager.c, and the setters and getters
 * in that module should be used and no direct accesses should be made to this structure.
 */
typedef struct
{
    /** Indicates whether the device key or the application is used. */
    bool is_device_key;
    /** Application ID. Calculated and used internally. */
    uint8_t aid;
    /** Application or device key storage. */
    uint8_t key[NRF_MESH_KEY_SIZE];
} nrf_mesh_application_secmat_t;

Notwithstanding the above, it would be good for confirmation of this from Nordic to ascertain whether there is/they plan a direct API to obtain the devkey.

(Also, as a matter of interest, do you mind mentioning which Bluetooth protocol analyzer you are using, we're looking at one from Sodera/Frontline but haven't decided as yet, Thanks in advance)

Regards,

RE: How to acquire Mesh keys API

Dash — Tue, 20 Feb 2018 16:51:54 GMT

The calls provided above get the netkey and appkey. The protocol analyzer also needs the devkey. I have found calls to get the devkey handle but nothing for the actual devkey. Please let me know how I can obtain the devkey.

RE: How to acquire Mesh keys API

tesc — Mon, 19 Feb 2018 11:11:27 GMT

Hi,

Keys are stored by the Device State Manager, and can be read using the dsm_tx_secmat_get() and dsm_net_secmat_from_keyindex_get() API calls.

Regards,
Terje