Zigbee security Security overview
Digi XBee® 3 Zigbee® RF Module
123
Security overview
Zigbee security protects network traffic using 128-bit AES cryptography techniques. A standard
security model is defined for supporting authentication and key management. Security is a very
important factor in designing a mesh network. Digi makes it easy to find the right level of security for
your specific application, ranging from a completely open and unencrypted network to a high security
model with out-of-band device registration.
WARNING! The out-of-the-box default configuration is an unencrypted network with a
generous join window. These defaults are meant for ease of development and should not
be used on the finished product. Enabling security is highly recommended.
Enabling encryption also enables source routing with the coordinator acting as a high RAM
concentrator by default. For smaller networks (less than 40 nodes) and low-throughput applications,
this will not have a significant impact to the network, as source routing will automatically be handled
by the XBee application. If you are deploying a larger network, you will likely require a full source
routing implementation with the coordinator configured as a low RAM concentrator. For more
information, see Source routing.
Network key
The network key encrypts and decrypts over the air messages at the network layer. When you enable
encryption, each node on the network is required to have the network key to communicate with other
nodes. The network key is shared by every device on the network and only needs to be set on the
network coordinator. Use the NK parameter to set a user-defined network key; this parameter is only
applicable to a coordinator (CE = 1). In most situations, the network key should be randomly
generated (NK = 0) and managed by the network.
If you are running a centralized trust center, you can change the NK parameter on the trust center
which propagates to the rest of the network a few seconds later. This is useful for high-security
applications where regular network key rotation may be desired. In a distributed trust center, the key
is defined when the network is formed and cannot be changed without reforming the network.
Optionally, network keys can be sent and received in-the-clear by setting the EO bit 0 (EO = 1) on the
forming and joining nodes. Digi strongly discourages this setting, because it could allow unauthorized
devices to obtain a copy of the network key.
Link key
Link keys are used at the APS layer to provide an extra level of encryption for end-to-end security. The
XBee 3 Zigbee application uses global link keys for both joining and APS-encrypted transmissions.
When joining a network with encryption enabled, the network key is securely exchanged by encrypting
it with the link key.
When using a centralized trust center, the link key that is used to join is exchanged with a more
secure key that is randomly generated by the trust center.
This section provides information about the types of link keys.
Preconfigured link key - moderate security
Using a preconfigured global link key provides a very simple way to secure a network, which is
accomplished by configuring the same write-only KY value on every node on the network. Defining a
To Next Page
Loading...
Need help?
General
