Zigbee Security
This page is intended to give the user a better understanding of the security mechanisms utilized in a Zigbee 3.0 network.
Overview
Zigbee supports and single defined security mode called Standard Security, with various policies existing within this mode to control how devices behave or interact on the network. Zigbee implements security at the network and security layers only.
Standard security, introduced in the Zigbee 2007 specification along with Zigbee PRO, is the security model being used in all Zigbee application profiles and in Zigbee 3.0. It is the only security model supported by the EmberZNet stack libraries.
Standard security uses network keys and link keys to encrypt data at the network and application layers, respectively. The application support (APS) layer security allows the trust centre to securely transport the network key to joining or rejoining nodes, and it optionally allows applications to add additional security to their messages.
Network (NWK) layer security is used to secure all traffic sent on a Zigbee network, with the exception of basic MAC layer communication such as association, data requests (polling), and MAC ACKs.
Network Layer Security
This section describes the standard security Network Layer portion. Network security provides security independent of the applications that may be running on a Zigbee node. All Zigbee-certified devices must use network layer security.
The Network Key (128-bit AES)
Network security uses a network wide key for encryption and decryption. All devices that are permitted to join a network encrypt and decrypt network messages using the key. The network key also has a sequence number associated with it to identify a particular instance of the key. When the network key is updated, the sequence number is incremented to allow devices to identify which instance of the network key has been used to secure the packet data. The sequence number ranges from 0 to 255. When the sequence number reaches 255, it wraps back to 0.
All Zigbee keys are 128-bits in length and all devices that are part of a secured Zigbee network have a copy of the network key.
The trust centre may periodically update and switch to a new network key. The trust centre may use either a broadcast update or a unicast update. In the broadcast case, the trust centre first broadcasts a new network key encrypted with the old network key. In the unicast case, the trust centre sends a new network key to each device encrypted with that device’s corresponding Trust Centre Link Key.
In both cases, the trust centre later tells all devices to switch to using the new network key. The new network key has a sequence number that is one higher than the last sequence number.
Hop-by-hop Security
Network security in Zigbee is done on a hop-by-hop basis. Each router that relays an encrypted packet first verifies that it is a valid encrypted packet before any more processing is done. A router authenticates the packet by executing the Zigbee decryption mechanism and verifying the packet integrity. It then re-encrypts the packet with its own network parameters (such as source address and frame counter) before sending the message to the next hop.
Headers are sent in the clear but authenticated, while the network payload is authenticated and encrypted. AES-128 is used to create a hash of the entire network portion of the message (header and payload), which is appended to the end of the message. This hash is known as the Message Integrity Code (MIC) and is used to authenticate the message by insuring it has not been modified. A receiving device hashes the message and verifies the calculated MIC against the value appended to the message. Alterations to the message invalidate the MIC and the receiving node will discard the message entirely.
Packet Security
A packet secured at the network layer is composed of the following elements:
|------------------------------------------------------- Authenticated -------------------------------------------|
MAC Header 25 bytes | NWK Header 25 bytes | AUX Header 25 bytes | NWK Payload Variable | MIC 4bytes |
|----------------- Encrypted -----------------|
Auxilliary Header
The auxiliary header contains data about the security of the packet that a receiving node uses to correctly authenticate and decrypt the packet. This data includes the following:
- The type of key used
- The sequence number (if it is the network key)
- The IEEE address of the device that secured the data
- The frame counter.
Authentication and Encryption
Zigbee uses a 128-bit symmetric key to encrypt all transmissions at the network layer using AES-128. The network and auxiliary headers are sent in the clear but authenticated, while the network payload is authenticated and encrypted.
AES-128 is used to create a hash of the entire network portion of the message (header and payload), which is appended to the end of the message. This hash is known as the Message Integrity Code (MIC)(4-bytes) and is used to authenticate the message by insuring it has not been modified. A receiving device hashes the message and verifies the calculated MIC against the value appended to the message.
Alterations to the message invalidate the MIC and the receiving node will discard the message entirely.
Table 1. MIC Generation
The Network Security Frame Counter
A frame counter is included in the auxiliary headers as a means of protecting against replay attacks. All devices have their own outgoing frame counter and they maintain a list of their neighbour's and children's frame counters. The frame count is 32 bits and may not wrap to 0. The network key must be updated before the Frame Counter reaches it's max value.
Unencrypted Network Data
All normal network packets are required to have network security and a valid frame counter. The only exception for this is during joining the join mechanism, when devices do not yet have the network key. In that case a joining device's messages are relayed through its parent until it is fully joined and authenticated. Any other messages that are received without network layer security are silently discarded.
Filter by label
There are no items with the selected labels at this time.
Trust Centre Networks
Authentication in a secure network may be controlled by means of a central authority known as a trust center. All devices entering the network are temporarily joined to the network until the trust center is contacted and decides whether or not to allow the new device into the network. The parent of the newly joined device acts as a relay between the trust center and the joining device. Only authentication messages can be sent to or from the device until it is fully joined and authenticated.
The trust center has the option of doing one of three things when a device joins:
- Send a copy of the current network key, which the parent relays to the joining device.
- Send the parent a command to remove the device from the network, thereby disallowing it from joining.
- Ignore the request. Parents will silently remove the device from the network if it does not receive a network key within 2 seconds.
Once the node has the network key, it is considered fully joined and authenticated, and may communicate with any device on the network.
A network operating with a trust center always needs a trust center to authenticate any new devices. Normal messages between two devices do not require the trust center to get involved.
Note: Normal messages between two devices do not require the trust centre to get involved.
APS Layer Security
This section describes how Zigbee implements security at the Application Support (APS) layer.
End-to-End Security
APS security is intended to provide a way to send messages securely within a Zigbee network such that no other devices on the network can decrypt the data except the source and destination. This is different than network security, which provides only hop-by-hop security. In hop-by-hop security, every device that is part of the network and hears the packet being relayed to its destination, decrypts it.
APS security uses a shared key that only the source and destination know about, thus providing end-to-end security.
Both APS layer and network layer encryption can be used simultaneously to encrypt the contents of a message. In that case APS layer security is applied first, and then network layer security.
A packet secured at the APS layer is composed of the following elements:
|------------------------------------------------------- Authenticated -----------------------------------------|
MAC Header 9 bytes | NWK Header 8 bytes | AUX Header 2-8 bytes | AUX Header 5 or 13 bytes | APS Payload Variable | APS MIC 4 bytes | MAC CRC 2 bytes |
|----------------- Encrypted -----------------|
Link Keys
APS security uses a peer-to-peer key known as the link key. Both devices must have already established this key with one another before sending APS-secured data.
There are two types of link keys:
- Trust Centre Link Keys
- Application Link Keys
Trust Centre Link Keys
Link key for when one of the devices is the Trust Centre. The stack uses this key to send and receive APS command messages to and from the trust centre. The application may also use this key to send APS-encrypted data messages. All devices in a Zigbee network must have link keys. The trust centre link key is used in these cases:
- Encrypting the initial transfer of the network key to a joining node.
- Encrypting an updated copy of the network key to a rejoining node that does not have the current network key.
- Routers sending or receiving APS security messages to or from the trust centre. These may be updates informing the trust centre of a joining or rejoining node, or a command sent by the trust centre to a router to perform some security function.
- Application unicast messages that enable APS encryption, where either the sending or receiving device is the trust centre.
The trust centre has the option of deciding how to manage the trust centre link keys. It may choose unique keys for each device in the network, keys derived from a common piece of shared data (the IEEE address of the device), or a global key that is the same for all devices in the network. Trust centre link keys may also be negotiated at the application layer using a key establishment protocol like Certificate-Based Key Establishment (CBKE).
Application Link Keys
Application link keys are shared keys that may be established between any two nodes in the network, where neither device is a trust centre. They may be used to add additional security to messages being sent to or from the application running on a node. Devices can have a different application link key for each device with which they communicate.
A device may preconfigure an application link key or request a link key between itself and another device. In the latter case it issues a request to the trust centre encrypted with its trust centre link key. The trust centre acts as a trusted third party to both devices, so they can securely establish communications with one another.
References
Zigbee: UG1035: Application Development Fundamentals - Security
Legal Notices
Copyright © 2020 MMB Networks, Inc. All rights reserved.
Confidential materials prepared and delivered by MMB Networks for receipt and review only by any partner subject to a valid and enforceable MMB Networks confidentiality agreement. Any receipt, review, or misuse of any of the content exchanged hereunder by any party not a party to this confidential exchange shall be subject to any and all rights available under the law. All rights, title and interest to the materials shall remain with MMB Networks.
Any suggestions provided to MMB Networks with respect to MMB Networks' products or services shall be collectively deemed “Feedback.” You, on behalf of yourself, or if you are providing Feedback on behalf of your employer or another entity, represent and warrant that you have full legal authority to bind such entity to these terms, agree to grant and hereby grant to MMB Networks a nonexclusive, perpetual, irrevocable, royalty free, worldwide license to use and otherwise exploit such Feedback within any MMB Networks products and services.