Security and data encryption

IEEE 802.15.4 security and data encryption overview

The encryption algorithm used in 802.15.4 is AES (Advanced Encryption Standard) with a 128b key length (16 Bytes). The AES algorithm is not only used to encrypt the information but to validate the data which is sent. This concept is called Data Integrity and it is achieved using a Message Integrity Code (MIC) also named as Message Authentication Code (MAC) which is appended to the message. This code ensures integrity of the MAC header and payload data attached.

It is created encrypting parts of the IEEE MAC frame using the Key of the network, so if we receive a message from a non trusted node we will see that the MAC generated for the sent message does not correspond to the one what would be generated using the message with the current secret Key, so we can discard this message. The MAC can have different sizes: 32, 64, 128 bits, however it is always created using the 128b AES algorithm. Its size is just the bits length which is attached to each frame. The more large the more secure (although less payload the message can take). Data Security is performed encrypting the data payload field with the 128b Key.

Security in API libraries

As explained previously, IEEE 802.15.4 provides secure communications inside a network using 128-bit AES encryption. The API functions enable using security and data encryption.

Encryption enable

Enables the 128-bit AES encryption in the modules.

When encryption is enabled, the module will always use its 64-bit address as the source address for RF packets. With encryption enabled and a 16-bit address set, receiving modules will only be able to issue receive 64-bit indicators.

Example of use:

{
xbee802.setEncryptionMode(0); // Disable encryption mode
xbee802.setEncryptionMode(1); // Enable encryption mode
xbee802.getEncryptionMode(); // Get encryption mode
}

Related variables:

xbee802.encryptMode // stores if security is enabled or not

XBee configuration example: https://development.libelium.com/802-01-configure-xbee-parameters/

The mode used to encrypt the information is AES-CTR. In this mode all the data is encrypted using the defined 128b key and the AES algorithm. The Frame Counter sets the unique message ID and the Key Counter (Key Control subfield) is used by the application layer if the Frame Counter max value is reached.

Encryption key

128-bit AES encryption key used to encrypt/decrypt data.

The entire payload of the packet is encrypted using the key and the CRC is computed across the ciphertext. When encryption is enabled, each packet carries an additional 16 Bytes to convey the random CBC Initialization Vector (IV) to the receivers.

A module with the wrong key (or no key) will receive encrypted data, but the data driven out the serial port will be meaningless. A module with a key and encryption enabled will receive data sent from a module without a key and the correct unencrypted data output will be sent out the serial port.

Example of use:

{
char KEY[]= "WaspmoteLinkKey!"
xbee802.setLinkKey(KEY);
}

Related variables:

xbee802.linkKey // stores the key that has been set in the network

XBee configuration example: https://development.libelium.com/802-01-configure-xbee-parameters/

Security in a network

When creating or joining a network, using security is highly recommended to prevent the network from attacks or intruder nodes.

It is necessary to enable security and set the same encryption key in all nodes in order to set security in a network. If not, it won't be possible to communicate between different XBee modules.