Starting a new discussion for this work. Been reading through the documentation to get familiar with the S2 spec and getting acclimated with the OH2 Zwave codebase.
@chris I see this note in the class javadoc of CommandClassSecurityV1:
Note that this code is autogenerated. Manual changes may be overwritten.
Do you have a tool that generates code/template from the C headers in the
Device and Command Class Types and Defines Specification ?
Or is that just wishful thinking? 
Update: my work on the S2 + Smart Start is going well, I almost to the point where I am ready to do some basic testing. But, I need to put this work on hold temporarily to give attention to the Lowes Iris shutdown work. Once I make some headway there I will resume this work.
Update and future plans for the S2 security work
Roadmap:
Help Wanted
Not ready for beta testing yet, but here is a list of areas that need attention
Is there any update on the progress of S2 or the status is the same as in April ?
Still in the āAlpha testing of S2 logic with ZLink ZL-PA-100 Plug Switchā stage.
One item that is slowing me down quite a bit is that the powers that be refuse to publish test vectors for the custom functions (CKDF-TempExpand and CKDF-TempExtract) of the ZWave S2 spec. This means Iām stuck testing everything at once without a way to narrow down problems. It would be great to have a second set of eyes to compare my code to whatās in the spec to look for problems.
Iām also working on rebasing my changes against Chrisā latest changes and migrating to the new OH build system. Last time I tried to move the new build system it didnāt go well, but itās probably time I try it again.
Hiā¦
Iām interested in giving you a hand.
I have OpenHAB 2.5.0M2 installed (Windows 10), with Zooz Z-Wave stick (Zooz Z-Wave Plus S2 USB Stick ZST10).
Also have 1 S2 enabled device (HomeSeer Z-Wave Plus Floodlight Sensor [HS-FLS199+])
Forgive me, but I havenāt sniffed any network traffic to see what (if anything) appears during pairing, but I was wondering if we could pair the device, but not āenableā it (without adding the DSK [Device Specific Key] via the Configuration of Things UI)?
That way, we would not have to intercept the pairing with a UI injection. Presumably (in my mind), if the DSK is needed to complete the pairing, a SUBSEQUENT pairing could look to see if we have that UID and thingTypeUID (for the device being paired), that already has the DSK key recorded (thereby allowing the pairing to complete).
Granted that would make pairing a multi-step process, but it would eliminate having to hack the pairing process and/or UI.
Can you point me to the S2 spec youāre basing your code on?
Great!
Looks good. My branch is still based on 2.4, but I should be able to rebase against 2.5 soon, now that I have a 2.5 eclipse dev environment working again
If I understand correctly, you are suggesting a way to avoid the user from having to enter a portion of the DSK. Couple of thoughts:
Itās here. IIRC, you just have to create a free account to download the docs
Hi,
Im new here and new to Zwave ā¦ Im already read a lot and try to use search function but didnāt find anything usefullā¦ I have Zwave Plus devices(Fibaro Walli series) and some of them are installed on places with hard/impossible access so pressing button to add them into network is not possibleā¦ They all have SmartStart function and I have DSK keys for them and I can also turn them off/on with fuse so this procedure is possible in case that something go wrong with zwave network or openhab settingsā¦
Does OpenHab already support S2 Security? As I know SmartStart is part of it. If not what is state of updated binding which will support S2 security?
If is supported where in openhab I can write that DSK key to add device?
I donāt know how exactly binding work on openhab but probably UI inserting DSK can be done by inserting DSK into database before we start initialization of device. So we write/scan DSK in Open hab and then restart zwave deviceā¦
Thanks for answers 
No - it supports S0 security.
ZWave have made things very problematic here now. It is no longer allowed to interface to the serial API, so certifying products in the way the binding currently works is not possible. This requires some significant rewrite of the binding.
Note that S0 should work with ALL devices - even those that state that they only support S2 since it is a requirement for S2 to be backward compatible with S0.
Hi @chris thanks for your answers and time for developing and improving this binding. How I can add some device to openhab if I donāt have physical access to it? SmartStart option solve that problemā¦ Can I add secondary controller into network which support SmarStart and then add device into network with SmartStart function? Will that option work? Something like connecting device to secondary controller(Windows PC) with S2 security using SmartStart and then when this new device is in network downgrade device S2 security to S0. Is this possible?
I can add device into network now and install it but later if something happen to network I canāt access to this device to press buton to re-add itā¦ It will be installed behind the closet in which will be installed refrigerator and taking everything apart will be time consuming taskā¦
Update on the S2 code Iāve been working on for a while now.
I wrote the majority of the code to handle the S2 negotiation in software in 2018/2019, but there are a few major barriers to moving forward with the software solution:
The powers that be technically open sourced the spec which theoretically include details of how to execute S2. BUT, they refuse to publish test vectors (you need an account to see the thread. Thereās not much to see other than them saying they wonāt do it). Which is clear signal that they donāt actually want anyone to implement it.
Parts of the spec are ambiguous when it comes to implementing the crypto, so itās a slow, trial and error process getting this to work without test vectors or a reference implementation.
The alternate is to find a stick that implements most of the S2 stuff in hardware (handshake requires user input, so there would still be some software to write). Aeotec to the rescue!! (or so I thought)
The new Aeotec Z-Stick Gen5+ claims ānative S2 supportā. I ordered a stick as soon as they announced it. First one got lost in the mail. They sent me another which arrived yesterday.
While I was waiting, I asked Aeotec for the actual commands to use to invoke the native S2 operations and how to pass the user input data.
The support guy reached out to engineering but never got a clear answer
Then told me it needs to be done in software. This seems quite contradictory, but I will say the support guy Iām working with seems to be doing his best given that he hasnāt gotten a clear answer from the engineering dept.
If anyone has some pull or clout with Aeotec, please help as this is our best bet. Iām not sure why it would be marketed as having native support if doesnāt. Iām convinced it does, although maybe thatās just wishful thinking.
Iām getting my OH3 development env setup and Iāll play around with the new stick a little this weekend to see if I can find anything that way
The S2 keys are in the controller firmware and most recent firmwares have the capability. A simple uzb3 does and you can set the key from the standard programmer app.
You can test using PC Controller.
your test devices will nee 6.71 or greater
Hey Dave,
Thanks for the update. Iām a bit surprised that Silabs wonāt publish test vectors. In theory this is meant to be opened up - although they also state that if a system implements its own S2 implementation then certification will be more difficult due to additional testing.
I assume this is your ticket, so only you can view this.
As far as I know (from my discussions with Silabs) S2 is not implemented in the stick. I made this recommendation about a year ago during some discussions with Silabs and one of my customers, but it was clear that they were on a certain path, and changing that would be difficult. This is fair enough, but unfortunate as it still requires ZIP for an easy route through certification.
I have contacts at Aeon, so Iāll ask, but I very much doubt that it will be implemented in their stick firmware. Iām pretty sure they are just using the standard firmware.
Just looked in the Z/IP source for S2 tests. This is latest distributed release.
S0 tests but canāt see any S2 tests.
S2 works from Z/IP but it is interesting that there are no tests in the source distribution.
Ah ok, so I guess the ticket is private. My first request was for test vectors.
They replied: " This is not something we have"
I pushed a little further and then got this response:
āSince we have already implemented S2 in our solution, we do not provide any kind of test vectors as our customers would not have to implement S2 themself.ā
Ah, nteresting. I download the source and found some S2 stuff under /usr/local/libs2/inclusion. I see what appears to be test cases (6000 lines long 
) and the implementation itself. That should give me what I need. Well, that and a lot of time, lol.
One thing thatās odd. I download zipgateway-2.81.03-Source.tar.bz2 from here which has files from April 2019. I see your screenshot had version 7.15.02. Did they really bump the versions that quickly in less than 2 years or are we looking at two completely different things?
Lots of small changes. The early version had distributed encryption even if you intended to run all locally. Each release makes small improvements and wraps all the complexity. I think a lot of the objections to it are because it has forced a vast change from the old direct to serial but that interface is not that easy and the way they have wrapped that and managed the queues is very effective. The latest release brought in 16 bit node id rather than 8 bit support of the past and as all is designed for backward compatibility must have the code to check what the z-wave firmware supports .
When I first installed I thought it was underwhelming but now I can see it has a lot of advantages and it performs very well. It also has taken away the need to write a lot of code like S2 handling and 6000 lines of test cases.
Hi. I am going to user roller shutter from Fibaro and hide in flush-mounted box so I will not have access to it. Seems like S2 and SmartStart is something that can save me in future.
I just wanted to ask how things are going on? I will scan and write down all codes from devices but so if you can confirm it will work in future for sure - I am fine with that!
Regards
You donāt need S2 just because youāre going to hide the device in a flush box. Presumably there will still be buttons available so you can control the device so normally these can be used.
I donāt think S2 or SmartStart really helps and in general I would advise not to bury any electronic device into a wall where it canāt be accessed - things can always fail 
To answer your question about S2 though - I donāt think there is any real progress on this.
So if the S2 handling logic went away, where did it go?
Probably a dumb questionā¦ I know a lot about java and a lot about cryptoā¦ but not much about the nuts and bolts of zwave 
