
6. Network and Data Security

6.1 Security Modes

To enable the ZigBee security mechanisms, three distinct Atmel BitCloud libraries are supplied in the SDKs, one for each of the supported security modes, which are shown in Table 6-1.

Table 6-1. Security Modes for ZigBee Networks

  Security mode                      Description
  No security                        No authentication is required for network join. Frames are not encrypted.
  Standard security                  A common network key is used to encrypt the NWK payload of a frame.
  Standard security with link keys   In addition to the network key, each communicating pair of nodes
  (Stdlink security)                 may use a link key specific to the link to encrypt the application
                                     payload of a frame destined to the peer device.

Security modes that provide a greater security level include all features of the less secure modes and add their own. Stdlink security offers two levels of encryption of a data frame: on the network level and on the APS level, although the application is able to send an unencrypted frame as well.

6.1.1 Selecting Security Mode

To enable the required security mode, the application must be compiled with the correct BitCloud library. The library is chosen either by selecting the corresponding configuration in the IDE (Atmel Studio or IAR Embedded Workbench®) or, for command-line compilation, by specifying the CONFIG_NAME parameter in the application makefile used by the GCC or IAR™ compiler. For example, having

CONFIG_NAME = Makefile_All_StdlinkSec_Atmega256rfr2_Atmega256rfr2_8Mhz_Gcc

selected in the makefile means that the library with standard link security support will be used when compiling the application for the specified platform. If, instead, _Sec_ is present in the selected CONFIG_NAME, then the library with standard security will be used.

After the appropriate library is chosen, the BitCloud stack should be configured properly to fit the application requirements for security.

For ZCL frames, the encryption level is configurable per cluster side and is set in the corresponding cluster header file. Consider the following example, which sets the security level for the On/Off client cluster in the zclOnOffCluster.h file to network layer encryption only (Section 6.2.2):

#define ONOFF_CLUSTER_ZCL_CLIENT_CLUSTER_TYPE(clattributes, clcommands) \
{ \
  .id = ONOFF_CLUSTER_ID, \
  .options = { \
    .type = ZCL_CLIENT_CLUSTER_TYPE, \
    /* network key only; no APS link key encryption for this cluster side */ \
    .security = ZCL_NETWORK_KEY_CLUSTER_SECURITY, \
  }, \
  .attributesAmount = ZCL_ONOFF_CLUSTER_CLIENT_ATTRIBUTES_AMOUNT, \
  .attributes = (uint8_t *)clattributes, \
  .commandsAmount = ZCL_ONOFF_CLUSTER_COMMANDS_AMOUNT, \
  .commands = (uint8_t *)clcommands \
}

If encryption on the APS layer (see Section 6.3.3) is required as well, then the .options.security field shall be set to ZCL_APPLICATION_LINK_KEY_CLUSTER_SECURITY.

6.1.1.1 Switching Security Off

On a node with security support, the application can switch off the security (encryption/decryption and authentication procedures) at runtime by setting the CS_SECURITY_ON parameter to false. This should only be done before the device enters the network. After the device joins the network, CS_SECURITY_ON should not be changed. The parameter is applicable to both standard security and standard security with link keys.

6.1.2 Trust Center

Enabling security introduces an additional network role called the trust center. The trust center is responsible for device authentication, the distribution and management of encryption keys, and other security parameters.

A ZigBee network can be operated in either centralized or distributed trust center mode. A centralized trust center network has a single device functioning as the network trust center, whereas in a network operating in distributed trust center mode all router devices play the trust center role for authenticating joining devices.

In BitCloud, the CS_APS_TRUST_CENTER_ADDRESS parameter is used to set the extended address of the trust center. In centralized trust center operation, the actual trust center device shall set this parameter to the same value as its own CS_UID. When a joining device has to be bound to join a particular trust center device, it shall set CS_APS_TRUST_CENTER_ADDRESS to the extended address of the target trust center. When the target trust center is unknown, CS_APS_TRUST_CENTER_ADDRESS shall be assigned the special universal extended address, APS_SM_UNIVERSAL_TRUST_CENTER_EXT_ADDRESS. Upon join and authentication to a network with a centralized trust center, the stack automatically overwrites CS_APS_TRUST_CENTER_ADDRESS with the actual extended address of the network trust center.

To operate in a distributed trust center mode all nodes in a network shall set CS_APS_TRUST_CENTER_ADDRESS to APS_SM_UNIVERSAL_TRUST_CENTER_EXT_ADDRESS.

6.1.3 Security Status

Another parameter to be taken into consideration for security configuration is CS_ZDO_SECURITY_STATUS. As shown in Table 6-2, it can take values 0 and 3 for standard security, and determines whether the network key is predefined on a device or not. Other values are not supported. The security status must be the same for all nodes in the network: a device is not able to join a network that employs a security status different from the one specified on the device.

Table 6-2. CS_ZDO_SECURITY_STATUS Parameter Values

  CS_ZDO_SECURITY_STATUS   Security mode                      Description
  0                        Standard security                  The network key is predefined.
  1                        Standard security with link keys   Authentication is performed with a predefined trust center
                                                              link key. The network key is not predefined on joining
                                                              devices and is delivered during the authentication process.
                                                              Encryption on the APS layer is performed with the link key
                                                              set for a particular pair of devices.
  3                        Standard security                  The network key is not predefined, but rather transported
                                                              from the trust center.

The CS_ZDO_SECURITY_STATUS value 2 is reserved for high security mode (which is not supported in public BitCloud packages).

Once the parameters are configured, the application can operate in the chosen security mode. When the device joins the network, it has to authenticate itself. If authentication fails, the device is not allowed to enter the network; otherwise, after successful authentication, it can start communicating with other nodes in the network.
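The following C program is an added example and is not part of the BitCloud SDK or of this document. It models the consistency rules that Sections 6.1.1.1 to 6.1.3 place on CS_SECURITY_ON, CS_ZDO_SECURITY_STATUS and CS_APS_TRUST_CENTER_ADDRESS as a pre-join configuration check. It works on a plain struct that mirrors those Configuration Server parameters instead of calling the stack; the SecurityLib_t enum, the struct fields and the function names are this example's own, the sample configurations are constructed, and the value used for APS_SM_UNIVERSAL_TRUST_CENTER_EXT_ADDRESS (the all-ones extended address) is an assumption to confirm against the SDK headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three library variants of Section 6.1 (enum values are this example's own). */
typedef enum { LIB_NO_SECURITY, LIB_STANDARD_SECURITY, LIB_STDLINK_SECURITY } SecurityLib_t;

/* Assumed value of APS_SM_UNIVERSAL_TRUST_CENTER_EXT_ADDRESS (all-ones address). */
#define UNIVERSAL_TC_EXT_ADDRESS 0xFFFFFFFFFFFFFFFFULL

/* Snapshot of the ConfigServer parameters discussed in this section. A real
 * application would fill it with CS_ReadParameter(); here it is a plain struct. */
typedef struct {
  SecurityLib_t lib;            /* library the image was built with */
  bool securityOn;              /* CS_SECURITY_ON */
  uint8_t securityStatus;       /* CS_ZDO_SECURITY_STATUS */
  uint64_t uid;                 /* CS_UID */
  uint64_t trustCenterAddress;  /* CS_APS_TRUST_CENTER_ADDRESS */
  bool isTrustCenter;           /* this node is the centralized trust center */
  bool distributedTrustCenter;  /* network runs in distributed trust center mode */
  bool networkKeyPredefined;    /* a network key is provisioned */
  bool tcLinkKeyPredefined;     /* a trust center link key is provisioned */
  bool joined;                  /* device has already joined a network */
} SecurityConfig_t;

/* Counts a violation; only the first one is copied into `reason` (may be NULL). */
static void report(int *count, char *reason, size_t len, const char *msg) {
  if (*count == 0 && reason != NULL && len > 0) {
    strncpy(reason, msg, len - 1);
    reason[len - 1] = '\0';
  }
  (*count)++;
}

/* Returns the number of rule violations found (0 means the configuration is consistent). */
int checkSecurityConfig(const SecurityConfig_t *cfg, char *reason, size_t len) {
  int count = 0;
  if (cfg->lib == LIB_NO_SECURITY)
    return 0;  /* security is not compiled in, nothing to validate */

  /* Table 6-2: only 0, 1 and 3 are supported; 2 is reserved for high security. */
  if (cfg->securityStatus != 0 && cfg->securityStatus != 1 && cfg->securityStatus != 3)
    report(&count, reason, len, "unsupported CS_ZDO_SECURITY_STATUS value");

  /* The status value has to match the library variant (Table 6-2, Section 6.1.3). */
  if (cfg->lib == LIB_STANDARD_SECURITY && cfg->securityStatus == 1)
    report(&count, reason, len, "status 1 needs the stdlink security library");
  if (cfg->lib == LIB_STDLINK_SECURITY && cfg->securityStatus != 1)
    report(&count, reason, len, "stdlink security library expects status 1");

  /* Key material implied by the status value. */
  if (cfg->securityStatus == 0 && !cfg->networkKeyPredefined)
    report(&count, reason, len, "status 0 requires a predefined network key");
  if (cfg->securityStatus == 1 && !cfg->tcLinkKeyPredefined)
    report(&count, reason, len, "status 1 requires a predefined trust center link key");

  /* Trust center addressing rules of Section 6.1.2. */
  if (cfg->distributedTrustCenter) {
    if (cfg->trustCenterAddress != UNIVERSAL_TC_EXT_ADDRESS)
      report(&count, reason, len, "distributed mode needs the universal trust center address");
  } else if (cfg->isTrustCenter && cfg->trustCenterAddress != cfg->uid) {
    report(&count, reason, len, "centralized trust center must use its own CS_UID as trust center address");
  }

  /* CS_SECURITY_ON may only be switched off before joining (Section 6.1.1.1). */
  if (!cfg->securityOn && cfg->joined)
    report(&count, reason, len, "security switched off on a device that has already joined");

  return count;
}

/* Constructed sample: a stdlink device about to join an unknown trust center. */
SecurityConfig_t sampleJoiningDevice(void) {
  SecurityConfig_t c = {0};
  c.lib = LIB_STDLINK_SECURITY;
  c.securityOn = true;
  c.securityStatus = 1;
  c.uid = 0x0001020304050607ULL;
  c.trustCenterAddress = UNIVERSAL_TC_EXT_ADDRESS;
  c.tcLinkKeyPredefined = true;
  return c;
}

/* Constructed sample: a standard-security trust center with two mistakes. */
SecurityConfig_t sampleMisconfiguredTrustCenter(void) {
  SecurityConfig_t c = {0};
  c.lib = LIB_STANDARD_SECURITY;
  c.securityOn = true;
  c.securityStatus = 0;
  c.uid = 0x00AA00BB00CC00DDULL;
  c.trustCenterAddress = UNIVERSAL_TC_EXT_ADDRESS;  /* should equal c.uid */
  c.isTrustCenter = true;
  c.networkKeyPredefined = false;                   /* status 0 needs a key */
  return c;
}

int main(void) {
  char reason[96];
  SecurityConfig_t ok = sampleJoiningDevice();
  SecurityConfig_t bad = sampleMisconfiguredTrustCenter();
  printf("joining device: %d problem(s)\n", checkSecurityConfig(&ok, reason, sizeof reason));
  int n = checkSecurityConfig(&bad, reason, sizeof reason);
  printf("trust center: %d problem(s), first: %s\n", n, reason);
  return 0;
}
```

Running a check of this kind in the application's start-up path, before the join request is issued, surfaces the mismatches the text warns about (a status value the network will reject, a trust center that does not use its own CS_UID, security switched off after joining) while they can still be corrected.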