
CC2652R: ZigBee network messages before sending the network key

Part Number: CC2652R

Hi,

I'm trying to add my own authentication process before sending the network key to validate if the device is authorized to my system and allowed into the network.

I'm trying to start this process in the ZStatus_t ZDSecMgrDeviceValidate( ) function in z_sec_mgr.c before validating and setting the ZStatus_t. I'm also trying to extend the events in the OsalPort_EventHdr to handle the authentication, a three-way handshake, and through these events do the procedure needed depending on the message.

The three-way handshake is based on the Challenge Handshake Authentication Protocol (CHAP) and consists of:

  1. A challenge which will be initiated from the ZStatus_t ZDSecMgrDeviceValidate( ) function and sent from the coordinator to the joining device.
  2. A response sent from the joining device to the coordinator based on the challenge.
  3. A Success or Failure indication sent to the joining device from the coordinator.

After this, a variable is set to "true" to indicate a successful authentication or "false" if it is unsuccessful. This variable will be checked in the if statement deciding if ZStatus for the validation will be ZSuccessful or not.

My question is how can I send these messages for the handshake between the joining device and the coordinator before the network key is sent to the joining device?
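The three-step exchange described above, as an added model in Python that is not code from the poster or from Z-Stack: the coordinator issues a fresh challenge, checks the joining device's keyed response, and the resulting flag chooses the status. The pre-shared secret, HMAC-SHA256 in place of CHAP's MD5, the sample IEEE address and the ZSuccess/ZFailure strings (which mirror Z-Stack's ZStatus_t names only) are assumptions.

```python
import hashlib
import hmac
import secrets


def compute_response(secret: bytes, ieee: bytes, nonce: bytes) -> bytes:
    # Step 2, joining-device side: prove knowledge of the pre-shared secret
    # without sending it. HMAC-SHA256 stands in for CHAP's MD5; binding the
    # IEEE address into the MAC stops a response being reused for another device.
    return hmac.new(secret, ieee + nonce, hashlib.sha256).digest()


class Coordinator:
    """Trust-center side of the handshake (hypothetical model, not Z-Stack code)."""

    def __init__(self, authorized: dict):
        self.authorized = authorized   # IEEE address -> pre-shared secret
        self.pending = {}              # IEEE address -> outstanding challenge

    def challenge(self, ieee: bytes) -> bytes:
        # Step 1: a fresh random nonce per attempt; a repeated nonce would let
        # a previously captured response be replayed.
        nonce = secrets.token_bytes(16)
        self.pending[ieee] = nonce
        return nonce

    def verify(self, ieee: bytes, response: bytes) -> bool:
        # Step 3: decide Success or Failure. The challenge is consumed on the
        # first verify call, so a replayed response to a stale challenge fails.
        nonce = self.pending.pop(ieee, None)
        secret = self.authorized.get(ieee)
        if nonce is None or secret is None:
            return False
        expected = compute_response(secret, ieee, nonce)
        return hmac.compare_digest(expected, response)


def device_validate(coord: Coordinator, ieee: bytes, device_secret: bytes) -> str:
    # Mirrors the gate the poster wants inside ZDSecMgrDeviceValidate: the
    # 'authenticated' flag chooses between ZSuccess and ZFailure. The three
    # messages are exchanged as direct calls here instead of over the air.
    nonce = coord.challenge(ieee)                             # coordinator -> device
    response = compute_response(device_secret, ieee, nonce)  # device -> coordinator
    authenticated = coord.verify(ieee, response)              # coordinator -> device
    return "ZSuccess" if authenticated else "ZFailure"


# Constructed sample data: one authorised device and its pre-shared secret.
SAMPLE_IEEE = bytes.fromhex("00124b0012345678")
SAMPLE_SECRET = b"example-pre-shared-secret"
```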

  • Hi,

    In general, Zigbee messages sent over the air will be encrypted with the NWK key, so a handshake protocol like the one you've mentioned would assume that both devices already have the NWK key.

    Perhaps you could consider use of Install Codes?
    At a high level, this process involves providing the Trust Center some information (install code and IEEE MAC address of joining device) which it will use to derive a link key that it encrypts the NWK key with, when the respective device attempts to join.
    If this is of interest, here is a relevant tutorial on how you could use this feature (see part 1): http://dev.ti.com/tirex/explore/node?node=AES5VdxyX-.OXxWoIFsyPg__pTTHBmu__LATEST
    Regards,
    Toby

  • Hi Toby,

    Thank you for your reply. I will look into Install Codes and see if it is of interest.

    The main idea with the authentication is that an unauthorized device should not be able to obtain any information such as keys before a successful authentication process has been performed. If there is no way to send messages to a device (using any layer), I thank you for your response and your suggestions.

    Best regards,

    Michael

  • As far as I know, there is no way to send messages to a device when that device is unauthorized under Zigbee security.