CC2538: Encryption using TIMAC (FEATURE_MAC_SECURITY) for beacon enabled network

Part Number: CC2538
Other Parts Discussed in Thread: TIMAC

Hi,

I would like to use the encryption feature () in the TIMAC for my application, but I have encountered some issues.

Using the MSA example, I managed to encrypt the output data, and this encrypted data can be exchanged with other devices that have FEATURE_MAC_SECURITY enabled.

So I proceeded to implement encryption for the command frame type (Association Request & Association Response).

However, when these frames are encrypted, the other device seems unable to receive them.

When I run in debug mode and put a breakpoint in MAC_MLME_ASSOCIATE_IND, it doesn't get there, although from the sniffer I saw that the other device had sent an encrypted CMD type frame.

Can anyone guide me on how to implement encryption on the Association Request and Association Response frames so that only devices with the encryption key are able to join the network?

What I have done so far is add new entries for the CMD frame type to keyUsageDescriptor_t and securityLevelDescriptor_t as follows:

const keyUsageDescriptor_t app_keyUsageList[] = {
{MAC_FRAME_TYPE_COMMAND, MAC_ASSOC_REQ_FRAME},
{MAC_FRAME_TYPE_COMMAND, MAC_ASSOC_RSP_FRAME},
{MAC_FRAME_TYPE_DATA, MAC_DATA_REQ_FRAME}
};

const securityLevelDescriptor_t app_securityLevelTable[] = {
{MAC_FRAME_TYPE_COMMAND, MAC_ASSOC_REQ_FRAME, MAC_SEC_LEVEL_NONE, FALSE},
{MAC_FRAME_TYPE_COMMAND, MAC_ASSOC_RSP_FRAME, MAC_SEC_LEVEL_NONE, FALSE},
{MAC_FRAME_TYPE_DATA, MAC_DATA_REQ_FRAME, MAC_SEC_LEVEL_NONE, FALSE}
};

changed the values of KEY_USAGE_TABLE_ENTRIES and SECURITY_LEVEL_ENTRIES to 3;

and added the security parameters to the Association Request Package and Association Response Package:

osal_memcpy(AssociateRspPkg.sec.keySource, keySource, MAC_KEY_SOURCE_MAX_LEN);
AssociateRspPkg.sec.securityLevel = securityLevel;
AssociateRspPkg.sec.keyIdMode = keyIdMode;
AssociateRspPkg.sec.keyIndex = keyIndex;

osal_memcpy(AssociateReqPkg.sec.keySource, keySource, MAC_KEY_SOURCE_MAX_LEN);
AssociateReqPkg.sec.securityLevel = securityLevel;
AssociateReqPkg.sec.keyIdMode = keyIdMode;
AssociateReqPkg.sec.keyIndex = keyIndex;

Any help/guidance would be much appreciated.

Thank you.

regards,

Jackson

 

  • Hi Jackson, This question has been assigned internally; we will provide a response early next week.
  • Noted. Looking forward to your reply.

  • Hi Suyash,

    Any update on the CMD frame encryption? 

    I even tried encryption on the Associate Response command only (so that I could update the device table with the coordinator details before sending the Associate Request), but to no avail.

    Can you please let me know what I can do to have encryption on the CMD frame type?

    Thank you. 

    Regards,

    Jackson

  • Hi Jackson,

    The reason the Association req and rsp are not getting decrypted is that the device table gets updated after the association process is over, and neither of the devices can decrypt the data if the other device is not in its device table.

    I suggest you authenticate the devices in your application once they have finished the association process. You can do something like a challenge-response authentication by sending the devices an encrypted challenge, and if you don't receive the correct response then remove the device from your device list.

    Another thing to note here is that when you add more elements to the "keyUsageList" and "securityLevelTable", make sure you increase the maximum capacity of these tables in the PIB by modifying "MAX_SECURITY_LEVEL_TABLE_ENTRIES" and "MAX_KEY_USAGE_TABLE_ENTRIES" in the file mac_security_pib.h.

    Regards,
    Hector
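
The post-association challenge-response check suggested in the reply above, sketched as coordinator-side bookkeeping in C. This is an added example, not part of the thread and not TIMAC code; all names and constants are hypothetical. It assumes the challenge is fresh random bytes carried in a secured (encrypted) data frame, that the correct response is the decrypted challenge returned in another secured frame, and that the caller removes the device on any result other than AUTH_OK.

```c
#include <stdint.h>
#include <string.h>

#define CHAL_LEN 8            /* challenge size in bytes (assumed) */
#define MAX_PENDING 4         /* devices awaiting authentication (assumed) */
#define AUTH_TIMEOUT_MS 2000u /* time allowed for the response (assumed) */

typedef enum { AUTH_OK, AUTH_BAD_RESPONSE, AUTH_EXPIRED, AUTH_UNKNOWN } auth_result_t;
typedef struct {
    uint8_t in_use; uint16_t short_addr; uint32_t deadline_ms;
    uint8_t challenge[CHAL_LEN];
} pending_t;
static pending_t pending[MAX_PENDING];

/* Record a fresh random challenge once association completes. The caller then
 * sends it in a secured data frame. Returns -1 if the table is full. */
int auth_begin(uint16_t addr, const uint8_t *challenge, uint32_t now_ms) {
    pending_t *slot = NULL;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (pending[i].in_use && pending[i].short_addr == addr) { slot = &pending[i]; break; }
        if (!pending[i].in_use && !slot) slot = &pending[i];
    }
    if (!slot) return -1;
    slot->in_use = 1; slot->short_addr = addr;
    slot->deadline_ms = now_ms + AUTH_TIMEOUT_MS;
    memcpy(slot->challenge, challenge, CHAL_LEN);
    return 0;
}

/* Check a response taken from a frame the MAC accepted as secured. The entry is
 * consumed on every outcome, so each challenge allows exactly one attempt. */
auth_result_t auth_check(uint16_t addr, const uint8_t *resp, size_t len, uint32_t now_ms) {
    for (int i = 0; i < MAX_PENDING; i++) {
        pending_t *p = &pending[i];
        if (!p->in_use || p->short_addr != addr) continue;
        p->in_use = 0;
        if ((int32_t)(now_ms - p->deadline_ms) > 0) return AUTH_EXPIRED;
        if (len != CHAL_LEN) return AUTH_BAD_RESPONSE;
        uint8_t diff = 0; /* accumulate differences: constant-time compare */
        for (size_t j = 0; j < CHAL_LEN; j++) diff |= (uint8_t)(resp[j] ^ p->challenge[j]);
        return diff ? AUTH_BAD_RESPONSE : AUTH_OK;
    }
    return AUTH_UNKNOWN; /* no challenge outstanding for this address */
}

int main(void) {
    const uint8_t chal[CHAL_LEN] = {0x3c,0x91,0x07,0xe2,0x55,0xa8,0x1f,0x64}; /* constructed */
    auth_begin(0x1234, chal, 1000);
    return auth_check(0x1234, chal, CHAL_LEN, 1500) == AUTH_OK ? 0 : 1;
}
```

Only pass `auth_check` payloads from frames that were received with security applied; an unsecured frame carrying the right bytes proves nothing about key possession.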