Zigbee security Device registration
Digi XBee® 3 Zigbee® RF Module
126
You can send the network key in the clear, but in most situations it will be encrypted with a link key. If
the link key is not preconfigured on both devices, the trust center must be told the link key the joining
device will use to join. We call this process "registration"; it is the method by which the link key and
serial number of the joining device are securely given to the trust center through the physical serial
interface. Because the registration information is not provided over-the-air, this is considered
out-of-band registration and provides the highest level of security, since the credentials cannot be
extracted through RF channels.
Registration is performed by issuing a Register Joining Device (0x24) frame to the trust center (either
centralized or distributed). The registration frame is used to register a link key, register an
install-code-derived link key, or remove a previously registered device.
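As an added example (not Digi's code) of the serial-side step described above, the Python below builds a Register Joining Device (0x24) API frame for each of its three uses (link key, install code, removal) and validates a frame's envelope before it is trusted. The 0x24 field layout (frame ID, 64-bit address, 0xFFFE reserved, key-options byte, key bytes) and the 18-byte install-code length are assumptions taken from the XBee API frame reference; the 64-bit address and key bytes are constructed sample values.

```python
import struct

FRAME_TYPE_REGISTER_JOINING_DEVICE = 0x24
KEY_OPT_LINK_KEY = 0x00      # key field carries a link key (1..16 bytes), assumed
KEY_OPT_INSTALL_CODE = 0x01  # key field carries a 16-byte install code + 2-byte CRC, assumed
RESERVED_16BIT = 0xFFFE      # 16-bit address field is unused in this frame


def api_checksum(payload: bytes) -> int:
    """XBee API checksum: 0xFF minus the low byte of the payload sum."""
    return 0xFF - (sum(payload) & 0xFF)


def api_frame(payload: bytes) -> bytes:
    """Wrap a payload in the API envelope: 0x7E, big-endian length, payload, checksum."""
    return b"\x7e" + struct.pack(">H", len(payload)) + payload + bytes([api_checksum(payload)])


def register_joining_device(ieee_addr: int, key: bytes,
                            key_option: int = KEY_OPT_LINK_KEY, frame_id: int = 1) -> bytes:
    """Build a 0x24 frame that registers (or, with an empty key, removes) a joining device.
    Layout assumed from the API frame reference: type, frame ID, 64-bit address, 0xFFFE,
    key-options byte, key bytes."""
    if key_option == KEY_OPT_LINK_KEY and len(key) > 16:
        raise ValueError("a link key is at most 16 bytes")
    if key_option == KEY_OPT_INSTALL_CODE and key and len(key) != 18:
        raise ValueError("an install code is 16 bytes followed by its 2-byte CRC")
    header = struct.pack(">BBQHB", FRAME_TYPE_REGISTER_JOINING_DEVICE, frame_id,
                         ieee_addr, RESERVED_16BIT, key_option)
    return api_frame(header + key)


def deregister_joining_device(ieee_addr: int, frame_id: int = 1) -> bytes:
    """Remove a previously registered device: the same frame with an empty key field."""
    return register_joining_device(ieee_addr, b"", KEY_OPT_LINK_KEY, frame_id)


def parse_api_frame(frame: bytes) -> bytes:
    """Check delimiter, length and checksum of an API frame and return its payload."""
    if len(frame) < 5 or frame[0] != 0x7E:
        raise ValueError("bad start delimiter")
    (length,) = struct.unpack(">H", frame[1:3])
    if len(frame) != length + 4:
        raise ValueError("length field does not match frame size")
    payload = frame[3:-1]
    if (sum(payload) + frame[-1]) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    return payload


# Constructed sample values: a made-up 64-bit address and an 8-byte link key.
SAMPLE_ADDR = 0x0013A20012345678
SAMPLE_FRAME = register_joining_device(SAMPLE_ADDR, b"LINKKEY1")
```

On a centralized trust center the registration this frame creates expires after KT; on a distributed one the entry stays until an empty-key frame removes it.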
Centralized trust center
On a centralized trust center (EO = 2), registration is transient, meaning that the registered device
will only be authorized to join for a fixed period of time. This period is separate from the network join
window and is defined by the KT parameter on the centralized trust center. By default, a registered
device is authorized to join for a period of five minutes. If the device fails to join within this period, it
must be re-registered. After joining, it securely rejoins and does not need to be registered again
unless the device is explicitly removed from the network using an NR command or leave request. The
0x24 registration frame must be issued to the centralized trust center in this scenario, and routers
that are adjacent to the joining device route the join request to the trust center. The key table entries
on a centralized trust center are stored in RAM and are not preserved across a power cycle.
Distributed trust center
On a distributed trust center (EO = 0), registration is persistent, meaning that the registered device
will always be authorized to join as long as the join window is open. Registration information is not
shared with the rest of the network, so the 0x24 registration frame must be issued to a router that is
adjacent to the joining device. Because the link key table has a limited number of entries, you must
explicitly remove key table entries by deregistering devices using a 0x24 frame after they successfully
join, in order to add subsequent devices. The key table on a distributed trust center is stored in flash
and persists across a power cycle.
Once a device joins the network and obtains a copy of the network key, it retains information about
the network and performs a secure rejoin if power cycled. If you change a network parameter on the
device, if it receives a leave request, or if a secure rejoin fails after three tries, the device must join
the network via association, which requires registration.
Example: Form a secure network
The following example shows how to form a secure Zigbee 3.0 network. This is the recommended
configuration for most networks, because it allows for ease of deployment while also maintaining a
moderate level of security.
Configure an XBee 3 device with the following parameters:
• CE = 1
  This indicates that the device attempts to form a network rather than join an existing one.
• EE = 1
  This enables encryption for the network.