Sonde Security Overhaul: Gateway Asymmetric Keys Replaced with AES-256-GCM for Pairing
A foundational security model for Sonde device pairing is being replaced. The proposal calls for the complete removal of the gateway's long-term asymmetric key pair, which has been the cornerstone for securing pairing requests. In its place, a new, simplified model will rely solely on AES-256-GCM encryption, authenticated directly by a pre-shared key (PSK) from the pairing tool. This shift makes the pairing tool's PSK the single, definitive trust anchor for the entire pairing process, fundamentally altering the security architecture.
The current, more complex system uses a layered approach where the gateway generates and stores its own identity key pair. The pairing tool must first enroll with this gateway, registering its PSK and obtaining credentials. The new model strips away this asymmetric cryptography layer entirely. Pairing requests will now be protected end-to-end by AES-256-GCM, where successful decryption with the correct PSK simultaneously verifies the request's authenticity and integrity. This design intentionally avoids additional key derivation steps like HKDF, aiming to reduce overall cryptographic complexity.
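The PSK-only protection described above, as an added example in Go that is not code from the proposal or from any Sonde component; the function names, the nonce-first message layout and the sample PSK are assumptions, and the AEAD tag check is what takes over the role the gateway key pair used to play.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical helper: the pairing tool's 32-byte PSK is the AES-256-GCM key
// directly, with no HKDF step, matching the proposed model.
func newGCM(psk []byte) (cipher.AEAD, error) {
	if len(psk) != 32 {
		return nil, errors.New("PSK must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(psk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPairingRequest returns nonce || ciphertext || 16-byte tag. The nonce is
// random per message; a repeated nonce under one PSK breaks GCM's guarantees.
func SealPairingRequest(psk, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(psk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenPairingRequest verifies the tag, then decrypts. Wrong PSK, altered
// ciphertext or altered aad all fail here; the gateway must reject on any error.
func OpenPairingRequest(psk, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(psk)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to hold nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}
```

The aad parameter lets unencrypted context such as a gateway identifier be bound into the tag without being encrypted, so a request captured for one gateway fails verification at another.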
The implications are significant for system security and future-proofing. By eliminating the gateway's private key, the proposal removes a potential long-term attack vector and a point of key management overhead. The move to a symmetric cipher like AES-256-GCM, authenticated by a single PSK, is framed as a step toward improved post-quantum robustness, though it centralizes critical trust in the secrecy of that pre-shared key. This represents a deliberate trade-off, prioritizing operational simplicity and a streamlined trust model over the previous multi-key architecture.