How to make secure communication with NRF24L01+ modules and RF24Mesh 2.4GHz

Hello,
I'm doing a project that needs sensors connected with NRF24L01+ 2.4GHz modules.
I'd like to know if it is possible, through the RF24Mesh library (RF24 and RF24Network), to have a secure connection like wifi (with a password or an authentication or encryption algorithm).
Thanks for the answer in advance

This is the RF24Mesh library on GitHub

Encryption would have to be done by software (in Arduino) prior to transmission by the NRF24L01. Not sure if enough processing power and RAM is available for real time encryption algorithms. The same issue came up regarding the need for secure web server pages (https) and the issue of limited resources also came up.
Maybe the latest Arduinos can handle this better...

Did you ever get anything working here? I also need something similar. My system will comprise a Raspberry Pi (Master) and several Arduinos (Slaves) and I'm more interested in Authentication than Encryption - I need to be sure that the Arduinos are only executing commands which have come from the Raspberry Pi and there is no way for anyone to record and playback commands.

Based very loosely on Satellite TC Authentication (c.f. http://public.ccsds.org/sites/cwe/rids/Lists/CCSDS%203550R3/Attachments/355x0r3.pdf), the idea would be that the Master and Slave would both store the same hard coded fixed key. The Master would create a Message Authentication Code (MAC) from the desired command and an Anti-Replay Counter (ARC). The MAC and ARC would be appended to the command. On the Receiving side, the Arduinos will check:

a) the MAC is consistent with the Command, ARC and Key combination
b) the ARC is 1 higher than the last successfully handled command

They then need to send the ARC back to the RPi and forward the command on to the function which will deal with it.

The Arduino will also need to accept a benign command that causes it to transmit its ARC in case of loss of synch.

From the description of AES, it's designed to work on 8-bit smart cards and it looks computationally light.

...I reckon I'll get this working, but I'm saving it for the long dark winter nights....
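The MAC-plus-ARC check described in the post above, modeled in Python for both ends, as an added example that is not part of the original thread or of the RF24 libraries. HMAC-SHA256 truncated to 8 bytes stands in for the unspecified MAC, and the key, the 4-byte counter, the frame layout and the names `make_frame` and `Slave` are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; both ends hold the same fixed key
TAG_LEN = 8                     # assumption: MAC truncated so the frame fits the
                                # 32-byte nRF24L01+ payload limit
TRAILER = 4 + TAG_LEN           # 4-byte ARC + tag appended to every command


def mac(key, arc_bytes, command):
    # Fixed-width ARC goes first so the MAC input cannot be parsed two ways.
    return hmac.new(key, arc_bytes + command, hashlib.sha256).digest()[:TAG_LEN]


def make_frame(key, arc, command):
    """Master side: command || ARC || MAC(key, ARC || command)."""
    arc_bytes = struct.pack(">I", arc)
    return command + arc_bytes + mac(key, arc_bytes, command)


class Slave:
    def __init__(self, key, last_arc=0):
        self.key = key
        self.last_arc = last_arc      # ARC of the last command actually executed
        self.executed = []

    def report_arc(self):
        """The benign resync query: changes no state, just returns the ARC."""
        return self.last_arc

    def receive(self, frame):
        """Return (status, ARC to send back to the master)."""
        if len(frame) <= TRAILER:
            return "malformed", self.last_arc
        command = frame[:-TRAILER]
        arc_bytes, tag = frame[-TRAILER:-TAG_LEN], frame[-TAG_LEN:]
        # Check a): constant-time MAC comparison, done before the ARC is trusted.
        if not hmac.compare_digest(tag, mac(self.key, arc_bytes, command)):
            return "bad_mac", self.last_arc
        # Check b): ARC must be exactly one above the last handled command.
        if struct.unpack(">I", arc_bytes)[0] != self.last_arc + 1:
            return "bad_arc", self.last_arc
        self.last_arc += 1
        self.executed.append(command)   # hand the command to its handler here
        return "ok", self.last_arc
```

On a real slave the last ARC has to survive a reset (for example in EEPROM); a counter that restarts at zero would accept previously recorded frames again.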

richdyer_2000:
My system will comprise a Raspberry Pi (Master) and several Arduinos (Slaves) and I'm more interested in Authentication than Encryption - I need to be sure that the Arduinos are only executing commands which have come from the Raspberry Pi and there is no way for anyone to record and playback commands.

The nRF24L01+ modules use a 5 byte (40 bit) address - that gives VERY LARGE number of options. Is it likely that someone will figure out the address and mimic it?

If you use the ackPayload feature an Arduino will only reply as a response to the master and there will be no opportunity for any Arduino to send data unless the RPi has first sent a message to the Arduino.

The pair of programs in this link demonstrate the use of ackPayload and the master program could easily be extended to communicate with several slaves. I presume you can implement an equivalent program on an RPi.

Note that the examples require the TMRh20 version of the RF24 library

...R

Hi Robin2,

I understand the address protects against accidentally addressing the Arduino, or blindly trying to command it. At 1TC a second it would take 34,000 years to go through all the addresses. On top of that you've then got to send a message which would cause the Arduino to do something. This is many orders of magnitude harder as you don't even know the length of the message.

However, my concern is replay attacks whereby someone listens in to the right frequency, records the communication and replays it. Thus opening my garage door, for example.

I think there's adequate security in obscurity, so it's more of an academic challenge

Cheers

Rich

Presumably if the master includes in its message to a slave a number (or string of characters) and the slave has a "secret" algorithm to modify that number and send it back it would be more difficult for someone who had the facility to receive the signals but did not know the algorithm.

If the master only listens and the slave only transmits a brief message when it wishes to gain access it will be more difficult to capture the signal.

I am no expert at this. I don't own anything that needs that level of protection. And a ram-raid with a stolen 4x4 will defeat most electronics.

...R

Robin2:
And a ram-raid with a stolen 4x4 will defeat most electronics.

Exactly! I still think it's worth getting something working even if it's more of an academic exercise, but as I said it'll have to wait until the long winter evenings. I'll do something loosely based on CCSDS so it will be robust. With symmetric fixed keys, it should be quite straightforward.

Will post back when it's done...

Cheers

Rich