ZB security Implementing security on the XBee
XBee/XBee-PRO ZigBee RF Modules User Guide 79
Enabling security
To enable security on a device, the EE command must be set to 1. If the EE command value is changed and
changes are applied (for example AC command), the XBee module will leave the network (PAN ID and channel) it
was operating on, and attempt to form or join a new network.
If EE is set to 1, all data transmissions will be encrypted with the network key. When security is enabled, the
maximum number of bytes in a single RF transmission will be reduced. See the NP command for details.
Note The EE command must be set the same on all devices in a network. Changes to the EE command should
be written to non-volatile memory (to be preserved through power cycle or reset events) using the WR
command.
Setting the network security key
The coordinator must select the network security key for the network. The NK command (write-only) is used to
set the network key. If NK=0 (default), a random network key will be selected. (This should suffice for most
applications.) Otherwise, if NK is set to a non-zero value, the network security key will use the value specified by
NK. NK is only supported on the coordinator.
Routers and end devices with security enabled (ATEE=1) acquire the network key when they join a network. They
will receive the network key encrypted with the link key if they share a pre-configured link key with the
coordinator. See the following section for details.
Setting the APS trust center link key
The coordinator must also select the trust center link key, using the KY command. If KY=0 (default), the
coordinator will select a random trust center link key (not recommended). Otherwise, if KY is set greater than 0,
this value will be used as the pre-configured trust center link key. KY is write-only and cannot be read.
Note Application link keys (sent between two devices where neither device is the coordinator) are not
supported in ZB firmware at this time.
Random trust center link keys
If the coordinator selects a random trust center link key (KY=0, default), then it will allow devices to join the
network without having a pre-configured link key. However, this will cause the network key to be sent
unencrypted over-the-air to joining devices and is not recommended.
Pre-configured trust center link keys
If the coordinator uses a pre-configured link key (KY > 0), then the coordinator will not send the network key
unencrypted to joining devices. Only devices with the correct pre-configured link key will be able to join and
communicate on the network.
Enabling APS encryption
APS encryption is an optional layer of security that uses the link key to encrypt the data payload. Unlike network
encryption that is decrypted and encrypted on a hop-by-hop basis, APS encryption is only decrypted by the
destination device. The XBee must be configured with security enabled (EE set to 1) to use APS encryption.
To Next Page
Loading...
Need help?
General
