Key Management on Meshlium
Meshlium is a gateway that can contain four different radio interfaces: WiFi AP, 4G/3G/GPRS, Bluetooth and RF communications. RF communications may be implemented by several RF modules. Meshlium can also integrate a GPS module for mobile and vehicular applications. These features, along with an aluminium IP65 enclosure, allow Meshlium to be placed anywhere outdoors.
Encryption at the link layer is provided by the 128-bit AES algorithm, specifically in AES-CTR mode. Only XBee modules support link-layer encryption. The encryption is done inside the XBee modules, transparently to the user: the sending XBee receives the plaintext, encrypts it and transmits the ciphertext; the receiving XBee decrypts the message and delivers the plaintext to its host. To enable link-layer encryption and set the appropriate AES key, the Waspmote API provides the following functions, to be used in Waspmote code (e.g. for XBee-802.15.4):
In Meshlium's Manager System, inside the Sensor Network section, users can configure the link-layer encryption mode of the XBee module that Meshlium uses as receiver.
Depending on the XBee model, the parameters to be configured may vary:
- PAN ID: Personal Area Network ID
- Channel: frequency channel used
- Network Address (4 hex digits): 16-bit address (only for 802.15.4)
- Node ID: maximum 20 characters
- Power level: [0..4] (by default 4)
- Encrypted mode: true/false (by default false)
- Encryption Key: 16 characters (128 bits)
- MAC: 64-bit hardware address. It is a read-only value shown in two parts:
  - MAC high: upper 32 bits (hex field)
  - MAC low: lower 32 bits (hex field)
The two parameters that enable AES-128 at the link layer are "Encrypted mode" and "Encryption Key"; the same key must be configured on every Waspmote XBee that communicates with this Meshlium:
Figure: XBee Plugin
At the application layer, Meshlium can also receive encrypted data from Waspmote. Here the encryption is performed by the Waspmote and Meshlium processors, not by the XBee module, so it does not depend on the link-layer encryption of the radio.
The user has to set the same key on the Waspmote and on Meshlium.
In the Manager System, inside the Tools section, go to the Encryption section:
Figure: Key Management
A specific AES key must be registered for each Waspmote; these keys are stored in the encryption key file on Meshlium. In this interface, the user enters the node ID and the Waspmote's AES secret key (128, 192 or 256 bits) for each Waspmote. On the Waspmote side, the node ID is the one set by calling the frame.setID() function, so the two must match exactly.
After filling in the above fields, press the "Save Waspmote" button; a new entry is added to the list.
To delete a Waspmote from the list, select it and press "Delete Waspmote". From that point on, encrypted frames received from that Waspmote can no longer be decrypted.
The AES secret key registered for a node ID is what allows Meshlium to decrypt the frames sent by that Waspmote; a frame from a node whose ID has no registered key, or whose key differs from the one loaded on the Waspmote, cannot be recovered.
Figure: Waspmote to Meshlium with AES-128, AES-192 or AES-256
When an encrypted frame arrives at Meshlium, the sensorParser looks up the sender's AES secret key in the encryptionKey file and uses the AES algorithm to decrypt the message. Since this file holds the secret key of every Waspmote in the deployment, access to the Manager System and to the Meshlium filesystem should be restricted to trusted administrators.
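The following Go program is added here as an illustration; it is not Libelium's Meshlium or Waspmote code. It models the procedure above end to end: a per-node key file, the Waspmote side encrypting a payload with its own key, and the Meshlium side (the role the text gives to sensorParser) looking the key up by node ID and decrypting, including what happens after "Delete Waspmote" and when the two ends hold different keys. The key file layout (a map), the block mode (ECB) and the padding (PKCS#7) are assumptions made so the example is self-contained; the page states only that AES with a 128-, 192- or 256-bit key is applied in the application layer, so check the Waspmote encryption library for the exact mode and padding before using this against real frames. Keys and payload are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// keyFile stands in for the Meshlium encryptionKey file described in the text:
// one AES secret key per Waspmote node ID. Modelling it as a map is an
// assumption of this example; the page does not describe the file layout.
type keyFile map[string][]byte

// lookupKey returns the key registered for nodeID. Only the three key sizes the
// Manager System accepts (128, 192, 256 bits) are allowed through.
func (kf keyFile) lookupKey(nodeID string) ([]byte, error) {
	key, ok := kf[nodeID]
	if !ok {
		// State after "Delete Waspmote": frames from that node cannot be decrypted.
		return nil, fmt.Errorf("no AES key registered for node %q", nodeID)
	}
	switch len(key) {
	case 16, 24, 32:
		return key, nil
	}
	return nil, fmt.Errorf("node %q: key is %d bytes, want 16, 24 or 32", nodeID, len(key))
}

// pkcs7Pad appends n bytes of value n so the payload fills whole AES blocks.
// PKCS#7 padding and ECB mode (below) are assumptions for this example.
func pkcs7Pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad reverses pkcs7Pad and rejects malformed padding.
func pkcs7Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return p[:len(p)-n], nil
}

// ecb applies the raw AES block cipher to each block independently. ECB gives no
// integrity: AES itself cannot tell a wrong key from the right one, so a frame
// decrypted with the wrong key comes out as garbage or fails only the padding check.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// encryptFrame is the Waspmote side: the node encrypts its payload with its own key.
func encryptFrame(key, payload []byte) ([]byte, error) {
	return ecb(key, pkcs7Pad(payload), false)
}

// decryptFrame is the Meshlium side (sensorParser in the text): select the key
// registered for the sending node ID, decrypt, and strip the padding.
func decryptFrame(kf keyFile, nodeID string, ciphertext []byte) ([]byte, error) {
	key, err := kf.lookupKey(nodeID)
	if err != nil {
		return nil, err
	}
	padded, err := ecb(key, ciphertext, true)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(padded)
}

func main() {
	// Constructed sample keys (not deployment keys): 128-bit for node_A, 256-bit for node_B.
	kf := keyFile{
		"node_A": []byte("0123456789abcdef"),
		"node_B": []byte("0123456789abcdef0123456789abcdef"),
	}
	payload := []byte("TCA:23.50#HUM:61#") // constructed payload, as built on Waspmote after frame.setID("node_A")

	ct, _ := encryptFrame(kf["node_A"], payload)
	pt, err := decryptFrame(kf, "node_A", ct)
	fmt.Printf("node_A decrypted: %q (err=%v)\n", pt, err)

	delete(kf, "node_A") // "Delete Waspmote": the same frame is now undecryptable
	_, err = decryptFrame(kf, "node_A", ct)
	fmt.Println("node_A after deletion:", err)

	kf["node_A"] = []byte("fedcba9876543210") // key mismatch between the two ends
	pt, err = decryptFrame(kf, "node_A", ct)
	fmt.Printf("node_A with wrong key: %q (err=%v)\n", pt, err)
}
```

The last step of main is the point a practitioner should take from this: with a bare block cipher there is no authenticity check, so a mismatched key is not reported as such by the cipher itself. Meshlium will only deliver sensible sensor data when the key registered for a node ID is byte-for-byte the one loaded on that Waspmote.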