Meshtastic security concerns, constant key mismatch, unknown key, etc

[adrianTNT]

Hello.
Can someone help me clarify this please?
First of all, I am grateful for everyone working on this project and I realise it is not a commercial solution with any guarantees, but I do have some serious security concerns...

I have around 15-20 nodes and in the android app I constantly see key mismatch between nodes, I need to delete the node and then wait for it to "know" each other again.

• Why do these key mismatch errors appear?
• Considering this can be result of corrupted communication, does Meshtastic not have some checksum when sending data or node info?
• If 2 nodes are already properly communicating with valid key, why would it replace that with some corrupted one?
• If it replaced the working valid keys with bad ones by itself, why doesn't it update back later to the right keys by itself?
• If there is a "key mismatch" why does the Android app show red key icon but I cannot click it to see current "bad" key? (like I can click when key is green). Why is that a secret?

Today I tried generating keys outside of meshtastic and hand-pick the keys with easy to remember public key, e.g "mesh/abcd345435234efgh/etc". From my server, I get back this public key and private key, I paste the private key in meshtastic under security page. If I do this from Android over bluetooth, it shows my private key but the public string is not the one expect (mesh/abcd345435234efgh/etc). But ... if I do the same over USB serial, again under security page, as soon as I type my private key, the public one updates with my correct public one (e.g mesh/abcd345435234efgh/etc)

• So why does Android app use it's own public key when I am trying hard to use my own private key and public key?

Honestly it looks to me like Android just pretends to use the privcate keys I give it, but instead it uses other keys, that is why public key is not the one I expect (e.g mesh/abcd345435234efgh/etc).

In case the keys I generated are wrong format, below is the PHP code I used.

Thank you.

<?php 

$keypair = sodium_crypto_kx_keypair();              // X25519

$sk = sodium_crypto_kx_secretkey($keypair);         // 32 bytes
$pk = sodium_crypto_kx_publickey($keypair);         // 32 bytes

$public_key = base64_encode($pk);
$private_key = base64_encode($sk);


// Export as hex/base64 for storage or transfer
echo "\n";
echo "\nPublic (base64): ".$public_key;
echo "\nSecret (base64): ".$private_key;

// If a 32-byte raw key is needed, use $pk / $sk directly.

?>

[adrianTNT]

Looks like this below is the code I needed to generate the right kind of private/public keys.
My other questions remain if someone can advise.

	// Generate Ed25519 keypair (device identity)
	$sign_kp = sodium_crypto_sign_keypair();
	$ed_sk = sodium_crypto_sign_secretkey($sign_kp);  // 64 bytes
	$ed_pk = sodium_crypto_sign_publickey($sign_kp);  // 32 bytes
	
	// Convert to X25519 for DH (what Meshtastic uses internally)
	$x25519_secret_key = sodium_crypto_sign_ed25519_sk_to_curve25519($ed_sk);
	$x25519_public_key = sodium_crypto_sign_ed25519_pk_to_curve25519($ed_pk);
	
	$x25519_secret_key = base64_encode($x25519_secret_key);
	$x25519_public_key = base64_encode($x25519_public_key);

[WarHawk8080]

Does the webflasher randomly generate the public key at install time...
I use a program called meshmonitor...it is reporting over 190 individual users have Known low-entropy key detected - this key is compromised and should be regenerated
The security tab on the app only regenerates the private key...