Zigbee security Device registration
Digi XBee® 3 Zigbee® RF Module
130
proper management of the key table is required if more than 10 devices will be joining using
registration.
To deregister a device, issue a 0x24 registration frame on the trust center with the serial number of
the registered device and a null (blank) key.
Deregistration example
A device with the serial number 0013A200 12345678 that was previously registered has successfully
joined the network, and needs to be deregistered to make room for subsequently joining devices.
The following 0x24 frame is generated and passed into the UART of the trust center. Note, that there
is no key field, indicating that the key entry should be removed:
7E 00 0D 24 C4 00 13 A2 00 12 34 56 78 FF FE 00 51
The trust center will respond with the following 0xA4 registration response frame:
7E 00 03 A4 C4 00 86
Note The Frame ID (0xC4) in the response corresponds with the Frame ID of the registration attempt.
A 00 result indicates that the key was successfully removed from the table.
Registration scenario
It is possible to combine some of the previously mentioned security features to maintain a high level
of security with simplified deployment, while also providing a means for authorized devices to securely
join via registration.
For example, an established Zigbee network with a centralized trust center is exhibiting some issues
that require analysis by a network engineer. Due to the nature of the deployment, the end user does
not want to disclose any of the security credentials to the contracted network engineer.
To allow the network engineer onto the network, the end user must be authorized to join via
registration. The network administrator sets the KT parameter on the centralized trust center to
0x7080, which sets the registration timeout to 8 hours. Because the network engineer is not yet on-
site, the NJ parameter is set to 0xFF to allow open joining.
A 0x24 frame is issued to the trust center that contains the serial number of the network engineer's
device and a one-time-use link key. The network engineer can then use this link key to join the
network and perform whatever work is necessary.
After the analysis has been performed and the network engineer has left the site, the network
administrator closes the join window by setting NJ to 0. Additionally, the network key (NK) on the
trust center is updated, which then propagates to the rest of the network, further securing the
network. Deregistration is not needed, because this is a centralized trust center. The temporary link
key expires after KT seconds, or when the device joins the network through the centralized trust
center, the temporary link key will be removed from the table. Again, if the node is then removed from
the network, it will need to be registered again with the trust center.
To Next Page
Loading...
Need help?
General
