• State Resolved
  • Locked Locked
  • Replies 7 replies
  • Subscribers 57 subscribers
  • Views 1045 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

About security behavior in Zstack

Joe Chen3
Intellectual 480 points

Other Parts Discussed in Thread: Z-STACK, CC2530, CC2530EM

Dears,

I has some questions about security behavior in Zstack after studying the Z-Stack Developer's Guide.pdf
Please provide the comment, thanks.

Q1: About zgPreConfigKeys
Coordinator setting:
SECURE=1;zgPreConfigKeys=TRUE;
DEFAULT_KEY="{0x01, 0x03, 0x05, 0x07, 0x09, 0x0B, 0x0D, 0x0F, 0x00, 0x02, 0x04, 0x06, 0x08, 0x0A, 0x0C, 0x0D}"

End-Device setting:
SECURE=1;zgPreConfigKeys=TRUE;
DEFAULT_KEY change to "{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02}"

Expect:
The End-Device shouldn't join the Coordinator, due to DEFAULT_KEY didn't match, right?
If result is right, the mechanism couldn't implement in authenticating of product, right?

Q2: About Trust Center Link Key and zgApsLinkKeyType=ZG_GLOBAL_LINK_KEY
Coordinator setting:
SECURE=1;Enable TC_LINKKEY_JOIN;zgApsLinkKeyType=ZG_GLOBAL_LINK_KEY
// ZigBee Alliance Pre-configured TC Link Key - 'ZigBeeAlliance09'
#define DEFAULT_TC_LINK_KEY             { 0x5a, 0x69, 0x67, 0x42, 0x65, 0x65, 0x41, 0x6c,\
                                          0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x30, 0x39 }
End-Device setting:
SECURE=1;Enable TC_LINKKEY_JOIN;

Expect:
The End-Device could join the Coordinator success, then Coordinator send network key(encrypted of DEFAULT_TC_LINK_KEY)to End-Device.
If Coordinator send the command to End-Device, that command need to be encrypted by DEFAULT_TC_LINK_KEY,
when End-Device receive the command to use network key to decode, right?

Q3: About Trust Center Link Key and zgApsLinkKeyType=ZG_UNIQUE_LINK_KEY
Coordinator setting:
SECURE=1;Enable TC_LINKKEY_JOIN;zgApsLinkKeyType=ZG_UNIQUE_LINK_KEY
// ZigBee Alliance Pre-configured TC Link Key - 'ZigBeeAlliance09'
#define DEFAULT_TC_LINK_KEY             { 0x5a, 0x69, 0x67, 0x42, 0x65, 0x65, 0x41, 0x6c,\
                                          0x6c, 0x69, 0x61, 0x6e, 0x63, 0x65, 0x30, 0x39 }
End-Device setting:
SECURE=1;Enable TC_LINKKEY_JOIN;
Expect:
The End-Device could join the Coordinator success, then Coordinator and End-Device to exchange the network key(encrypted of DEFAULT_TC_LINK_KEY).
If Coordinator send the command to End-Device, that command need to be encrypted by DEFAULT_TC_LINK_KEY of End-Device,
and End-Device send the command to Coordinator, that command need to be encrypted by DEFAULT_TC_LINK_KEY of Coordinator
when End-Device receive the command to use DEFAULT_TC_LINK_KEY of Coordinator to decode, right?
when Coordinator receive the command to use DEFAULT_TC_LINK_KEY of End-Device to decode, right?

B.R.
Joe

  • 0
    TI__Mastermind 35795 points

    Joe,

    1) In this case zgPreConfigKeys is set to true and there is a mismatch between the coordinator and end device network keys.  MAC association will pass but coordinator and end device will not be able to communicate since they won't be able to decrypt network payload.

    2) In this case coordinator will send network key (encrypted with default TCLK) to the end device and all subsequent packet network payload will be encrypted with that key.

    3) As mentioned in developer guide, in case zgApsLinkKeyType=ZG_UNIQUE_LINK_KEY, you will need to configure the keys in NV using SYS_OSAL_NV_WRITE

    Saurabh

  • 0 in reply to S
    Intellectual 480 points

    Dears,

    Thanks Saurabh help.

    1) In this case zgPreConfigKeys is set to true and there is a mismatch between the coordinator and end device network keys. MAC association will pass but coordinator and end device will not be able to communicate since they won't be able to decrypt network payload.

    [Joe] If the mechanism implement in authenticating of product that couldn't communicate with certificated zigbee product and has IOT problem, right?

    And, if my product want to pass the zigbee certification that I couldn’t implement the mechanism, right?

    2) In this case coordinator will send network key (encrypted with default TCLK) to the end device and all subsequent packet network payload will be encrypted with that key.

    [Joe] I got it, thanks Saurabh.

     

    3) As mentioned in developer guide, in case zgApsLinkKeyType=ZG_UNIQUE_LINK_KEY, you will need to configure the keys in NV using SYS_OSAL_NV_WRITE

    [Joe] The Coordinator need to enable NV setting to storage network key of the others node, right?

    And, if Coordinator send the command to End-Device, that command need to be encrypted by DEFAULT_TC_LINK_KEY of End-Device, and End-Device send the command to Coordinator, that command need to be encrypted by DEFAULT_TC_LINK_KEY of Coordinator.

    when End-Device receive the command to use DEFAULT_TC_LINK_KEY of Coordinator to decode, right?
    when Coordinator receive the command to use DEFAULT_TC_LINK_KEY of End-Device to decode, right?

     

    B.R.

    Joe

  • 0 in reply to Joe Chen3
    Intellectual 480 points

    Hi Saurabh&YiKai,

    I feel you are familiar with Zigbee, could you provide your comment for my question, thanks.

    B.R.

    Joe

  • 0 in reply to Joe Chen3
    Intellectual 480 points

    Dears,

    Our product use the CC2530 which need to pass the zigbee certification,

    And I need to make sure the Zstack behavior and understand the Zigbee knowledge,

    If you know the answer, please give me some comments, thanks.


    B.R.

    Joe

  • 0 in reply to Joe Chen3
    TI__Mastermind 35795 points

    Hi Joe,

    There are lots of products with TI CC2530 that are zigbee certified . You should not be concerned about the certification :). To answer you questions:

    A1) Yes, you are correct. Trust center link key is defined by zigbee alliance to make sure their is inter-operability  b/w zigbee products and even profiles. You should use TC Link key and not pre-configured network key.

    A3) This is used when coordinator doesn't use one common TC Link key for all connected devices - remember TC link key is used initially  to encrypt network key (sent by trust center/coordinator to connected device) , and for all subsequent transaction network key is used. In this scenario, for End device to be able to de-crypt the network key sent by coordinator , it's default TC Link key should match the TC Link key used by coordinator for that device 

    Thanks,

    Saurabh

  • 0 in reply to S
    Intellectual 480 points

    Hi Saurabh,

    Thanks your response :).

    B.R.

    Joe

  • 0 in reply to S
    Genius 3220 points
    Hi Saurabh,
    I am new to develop project using CC2530DK. I have two SMARTRF05EB with CC2530EM . One i made as ZED and other as ZC. Then i don't know how to proceed. ie. i nedd the values to be printed in my PC? how to do that?