
3.5 APS Layer Security


3.5.2.6.4 On receipt of the SKKE-3 frame

If the responder address field of the SKKE-3 frame does not equal the local device address, the APSME shall perform the following steps:

1. If the device given by the responder address field is not a child of the local device, the SKKE-3 frame shall be discarded.

2. Otherwise, the device shall send the SKKE-3 to the responder device using the NLDE-DATA.request primitive with NWK layer security disabled.

Otherwise, the device shall process the SKKE-3 data field and if the protocol was not a success it shall issue an APSME-ESTABLISH-KEY.confirm primitive with the Address parameter set to the initiator’s address and the Status parameter set appropriately.

If, from the device’s perspective, the protocol was a success, the device shall construct an SKKE-4 frame as specified in sub-clause 3.5.9.1. If the source of the SKKE-3 frame is the same as the initiator address field of the SKKE-3 frame, the device shall send this SKKE-4 frame directly to the initiator device using the NLDE-DATA.request primitive with NWK layer security set to the default level. Otherwise, the device shall send the SKKE-4 frame to its parent using the NLDE-DATA.request primitive with NWK layer security disabled. Finally, the device shall issue an APSME-ESTABLISH-KEY.confirm primitive with the Address parameter set to the initiator’s address and the Status parameter set to success.

3.5.2.6.5 On receipt of the SKKE-4 frame

If the initiator address field of the SKKE-4 frame does not equal the local device address, the APSME shall perform the following steps:

1. If the device given by the responder address field is not a child of the local device, the SKKE-4 frame shall be discarded.

2. Otherwise, the APSME of the local device shall send the SKKE-4 to the initiator device using the NLDE-DATA.request primitive with NWK layer set to the default level.

Otherwise, the APSME shall process the SKKE-4 frame and issue an APSME-ESTABLISH-KEY.confirm primitive with the Address parameter set to the responder’s address and the Status parameter set appropriately.

3.5.3 Transport-Key Services

The APSME provides services that allow an initiator to transport keying material to a responder. The different types of keying material that can be transported are shown in Table 151.

3.5.3.1 APSME-TRANSPORT-KEY.request

The APSME-TRANSPORT-KEY.request primitive is used for transporting a key to another device.

3.5.3.1.1 Semantics of the service primitive

This primitive shall provide the following interface:

APSME-TRANSPORT-KEY.request {
    DestAddress,
    KeyType,
    TransportKeyData
}

Table 150 specifies the parameters for the APSME-TRANSPORT-KEY.request primitive.

Table 150 APSME-TRANSPORT-KEY.request parameters

| Parameter Name | Type | Valid Range | Description |
|---|---|---|---|
| DestAddress | Device address | Any valid 64-bit address | The extended 64-bit address of the destination device. |
| KeyType | Integer | 0x00 – 0x03 | Identifies the type of key material that should be transported. See Table 151. |
| TransportKeyData | Variable | Variable | The key being transported along with identification and usage parameters. The type of this parameter depends on the KeyType parameter as follows: KeyType = 0x00, see Table 152; KeyType = 0x01, see Table 153; KeyType = 0x02, see Table 154; KeyType = 0x03, see Table 154. |

Table 151 KeyType parameter of the transport-key primitive

| Enumeration | Value | Description |
|---|---|---|
| Trust-center master key | 0x00 | Indicates the key is a master key which is used to set up link keys between the trust center and another device. |
| Network key | 0x01 | Indicates the key is a Network key. |
| Application master key | 0x02 | Indicates the key is a master key which is used to set up link keys between two devices. |
| Application link key | 0x03 | Indicates the key is a link key which is used as a basis of security between two devices. |

Table 152 TransportKeyData parameter for a trust-center master key

| Parameter Name | Type | Valid Range | Description |
|---|---|---|---|
| ParentAddress | Device address | Any valid 64-bit address | The extended 64-bit address of the parent of the destination device given by the DestAddress parameter. |
| TrustCenterMasterKey | Set of 16 octets | Variable | The trust center master key. |

Table 153 TransportKeyData parameter for a Network key

| Parameter Name | Type | Valid Range | Description |
|---|---|---|---|
| KeySeqNumber | Octet | 0x00-0xFF | A sequence number assigned to a Network key by the trust center and used to distinguish Network keys for purposes of key updates, and incoming frame security operations. |
| NetworkKey | Set of 16 octets | Variable | The Network key. |
| UseParent | Boolean | TRUE \| FALSE | This parameter indicates if the destination device’s parent shall be used to forward the key to the destination device: TRUE: Use parent. FALSE: Do not use parent. |
| ParentAddress | Device address | Any valid 64-bit address | If the UseParent is TRUE, then ParentAddress parameter shall contain the extended 64-bit address of the destination device’s parent device. Otherwise, this parameter is not used and need not be set. |

Table 154 TransportKeyData parameter for an application master or link key

| Parameter Name | Type | Valid Range | Description |
|---|---|---|---|
| PartnerAddress | Device address | Any valid 64-bit address | The extended 64-bit address of the device that was also sent this master key. |
| Initiator | Boolean | TRUE \| FALSE | This parameter indicates if the destination device of this master key requested it: TRUE: If the destination requested the key. FALSE: otherwise. |
| Key | Set of 16 octets | Variable | The master or link key (as indicated by the KeyType parameter). |

3.5.3.1.2 When generated

The ZDO on an initiator device shall generate this primitive when it requires a key to be transported to a responder device.

3.5.3.1.3 Effect on receipt

The receipt of an APSME-TRANSPORT-KEY.request primitive shall cause the APSME to create a transport-key command packet (see sub-clause 3.5.9.2).

If the KeyType parameter is 0x00 (i.e., trust center master key), the key descriptor field of the transport-key command shall be set as follows. The key sub-field shall be set to the Key sub-parameter of the TransportKeyData parameter, the destination address sub-field shall be set to the DestinationAddress parameter, and the source address sub-field shall be set to the local device address. This command frame shall be security protected as specified in sub-clause 3.5.1.1 and then, if security processing succeeds, sent to the device specified by the ParentAddress sub-parameter of the TransportKeyData parameter by issuing a NLDE-DATA.request primitive.

If the KeyType parameter is 0x01 (i.e., Network key), the key descriptor field of the transport-key command shall be set as follows. The key sub-field shall be set to the Key sub-parameter of the TransportKeyData parameter, the sequence number sub-field shall be set to the KeySeqNumber sub-parameter of the TransportKeyData parameter, the destination address sub-field shall be set to the DestinationAddress parameter, and the source address sub-field shall be set to the local device address. This command frame shall be security protected as specified in sub-clause 3.5.1.1 and then, if security processing succeeds, sent to the device specified by the ParentAddress sub-parameter of the TransportKeyData parameter (if the UseParent sub-parameter of the TransportKeyData parameter is TRUE[183]) or the DestinationAddress parameter (if the UseParent sub-parameter of the TransportKeyData parameter is FALSE[184]) by issuing a NLDE-DATA.request primitive.

If the KeyType parameter is 0x02 or 0x03 (i.e., an application master or link key), the key descriptor field of the transport-key command shall be set as follows. The key sub-field shall be set to the Key sub-parameter of the TransportKeyData parameter, the partner address field shall be set to the PartnerAddress sub-parameter of the TransportKeyData parameter, and the initiator field shall be set to 1 (if the Initiator sub-parameter of the TransportKeyData parameter is TRUE) or 0 (if the Initiator sub-parameter of the TransportKeyData parameter is FALSE). This command frame shall be security protected as specified in sub-clause 3.5.1.1 and then, if security processing succeeds, sent to the device specified by the DestinationAddress parameter by issuing a NLDE-DATA.request primitive.
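As an added example (not part of the specification text), the following C function applies the three KeyType cases of 3.5.3.1.3 to fill the key descriptor and to choose the device that is handed to NLDE-DATA.request. The struct and function names are hypothetical, the text's DestinationAddress is taken to be the DestAddress parameter of Table 150, and security processing (3.5.1.1) and frame encoding (3.5.9.2) are outside its scope.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types modelling Tables 150-154; not a real stack's API. */
struct tk_request {
    uint64_t dest_address;
    uint8_t  key_type;         /* 0x00-0x03, see Table 151 */
    uint8_t  key[16];
    uint8_t  key_seq_number;   /* Network key only */
    bool     use_parent;       /* Network key only */
    uint64_t parent_address;   /* 0x00 always; 0x01 when use_parent */
    uint64_t partner_address;  /* application keys only */
    bool     initiator;        /* application keys only */
};

struct tk_descriptor {         /* key descriptor field of the command */
    uint8_t  key[16];
    uint8_t  seq_number;
    uint64_t dest_address, src_address, partner_address;
    uint8_t  initiator;
};

/* Fill *d and *next_hop as 3.5.3.1.3 directs; -1 on an invalid KeyType. */
int tk_build(const struct tk_request *r, uint64_t local,
             struct tk_descriptor *d, uint64_t *next_hop)
{
    memset(d, 0, sizeof *d);
    if (r->key_type > 0x03)
        return -1;             /* outside Table 151: copy no key material */
    memcpy(d->key, r->key, sizeof d->key);
    if (r->key_type >= 0x02) { /* application master or link key */
        d->partner_address = r->partner_address;
        d->initiator = r->initiator ? 1 : 0;
        *next_hop = r->dest_address;
        return 0;
    }
    d->dest_address = r->dest_address;   /* 0x00 and 0x01 carry both addresses */
    d->src_address = local;
    if (r->key_type == 0x01) {
        d->seq_number = r->key_seq_number;
        *next_hop = r->use_parent ? r->parent_address : r->dest_address;
    } else {
        *next_hop = r->parent_address;   /* TC master key goes via the parent */
    }
    return 0;
}
```

The next-hop value is the point to audit in an implementation: a trust-center master key is always handed to the parent, while a Network key reaches the parent only when UseParent is TRUE.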

3.5.3.2 APSME-TRANSPORT-KEY.indication

The APSME-TRANSPORT-KEY.indication primitive is used to inform the ZDO of the receipt of keying material.

3.5.3.2.1 Semantics of the service primitive

This primitive shall provide the following interface:

APSME-TRANSPORT-KEY.indication {
    SrcAddress,
    KeyType,
    TransportKeyData
}

Table 155 specifies the parameters of the APSME-TRANSPORT-KEY.indication primitive.

Table 155 APSME-TRANSPORT-KEY.indication parameters

| Name | Type | Valid Range | Description |
|---|---|---|---|
| SrcAddress | Device Address | Any valid 64-bit address | The extended 64-bit address of the device that is the original source of the transported key. |
| KeyType | Octet | 0x00 – 0x03 | Identifies the type of key material that was transported. See Table 151. |
| TransportKeyData | Variable | Variable | The key that was transported along with identification and usage parameters. The type of this parameter depends on the KeyType parameter as follows: KeyType = 0x00, see Table 156; KeyType = 0x01, see Table 157; KeyType = 0x02, see Table 154; KeyType = 0x03, see Table 154. |

Table 156 TransportKeyData parameter for a trust-center master key

| Parameter Name | Type | Valid Range | Description |
|---|---|---|---|
| TrustCenterMasterKey | Set of 16 octets | Variable | The trust center master key. |

Table 157 TransportKeyData parameter for a Network key

| Parameter Name | Type | Valid Range | Description |
|---|---|---|---|
| KeySeqNumber | Octet | 0x00-0xFF | A sequence number assigned to a Network key by the trust center and used to distinguish Network keys for purposes of key updates, and incoming frame security operations. |
| NetworkKey | Set of 16 octets | Variable | The Network key. |

3.5.3.2.2 When generated

The APSME shall generate this primitive when it receives a transport-key command that is successfully decrypted and authenticated, as specified in sub-clause 3.5.1.2, that has the key type field set to 2 or 3 (i.e., application link or master key).

Alternatively, the APSME shall generate this primitive when it receives a transport-key command that is successfully decrypted and authenticated, as specified in sub-clause 3.5.1.2, that has the key type field set to 0 or 1 (i.e., a trust center master key or Network key) and the destination address sub-field of the key descriptor field is equal to the local address.

3.5.3.2.3 Effect on receipt

Upon receipt of this primitive, the ZDO is informed of the receipt of the keying material.

[183] CCB Comment #141
[184] Ibid.