Secure access Secure Sessions
Digi XBee® 3 Zigbee® RF Module
42
Secure Sessions
Secure Sessions provide a way to password-protect communication between two nodes on a network
above and beyond the security of the network itself. With secure sessions, a device can 'log in', or
create a session with another device that is encrypted and only readable by the two nodes involved.
By restricting certain actions—such as remote AT commands or FOTA updates—to only be allowed
over one of these secure sessions, you can make it so access to the network does not allow network
configuration. A password must be set and the proper bits of SA (Secure Access) must be set to enable
this feature.
The following definitions relate to secure Sessions:
Term Definition
Client The device that is attempting to log in and send secured data or commands is
called the client.
Server The device that is being logged into and will receive secured data or commands
is called the server.
Secure Session A secure connection between a server and a client where the pair can send and
receive encrypted data that only they can decrypt.
Secure Remote
Password (SRP)
Name of the authentication protocol used to create the secure connection
between the nodes.
Salt A random value generated as part of the authentication process.
Verifier A value derived from a given salt and password.
Configure the secure session password for a device
For a device to act as a secure session server it needs to have a password configured. The password is
configured on the server in the form of a salt and verifier used for the SRP authentication process. The
salt and verifier can be configured in XCTU by selecting the Secure Session Authentication option.
We recommend using XCTU to set a password which will then generate the salt and verifier
parameters, although the salt and verifier values can also be set manually. See *S (Secure Session
Salt) and *V, *W, *X, *Y (Secure Session Verifier) for more information.
Note There is not an enforced password length. We recommend a minimum length of at least eight
characters. The password should not exceed 64 characters, as it will exceed the maximum length of
an API frame.
Start a secure session
A secure session can only be started in API mode. Once you have been authenticated you may send
data in API mode or Transparent mode, but API mode is the recommended way to communicate.
To start a secure session:
1. Send a type Secure Session Control frame - 0x2E to your local client device with the address of
the server device (not a broadcast address), the options bit field set to 0x00, the timeout for
the session, and the password that was previously set on the server.
2. The client and server devices will send/exchange several packets to authenticate the session.
To Next Page
Loading...
Need help?
General
