ZigBee Security

Robert Cragie Chair, ZigBee Alliance ZARC Securit y Task Group Principal Engineer, Jennic Ltd.

2009 ZigBee Alliance. All right s reserved.

Security in the ZigBee stack

2009 ZigBee Alliance. All right s reserved.

Specification constraints
The specificat ion assumes an 'open t rust ' model where t he prot ocol st ack layers t rust each ot her This is not unreasonable for t he t ype of devices ZigBee is aimed at , e.g. single-chip wireless microcont rollers ex ecut ing t he whole st ack on a single CPU This implies t hat crypt ographic prot ect ion only occurs bet ween devices The same securit y suit e level is used for all services
2009 ZigBee Alliance. All right s reserved.

Security services provided

The ZigBee Securit y Services provided in t he specificat ion are: Key est ablishment Key t ransport Frame prot ect ion Device aut horizat ion

2009 ZigBee Alliance. All right s reserved.

The Trust Center

To function securely in a network, a device must have a counterpart device which it can trust to obtain keys and which controls access ZigBee therefore introduces the concept of the Trust Center, which Stores the keys for the network Uses the security services to configure a device with its key(s) Uses the security services to authorize a device onto the network The ZigBee Coordinator is usually designated the Trust Center
2009 ZigBee Alliance. All right s reserved.

Sym metric key dist ribution

ZigBee securit y is based on symmet ric keys Bot h originat or and recipient of a prot ect ed t ransact ion need t o share t he same key That key is used direct ly in t he securit y t ransformat ion How does t his key get t o bot h ends? Three basic met hods Pre-inst allat ion Transport Est ablishment
2009 ZigBee Alliance. All right s reserved.

Distribution m ethods
Pre-inst allat ion is where keys are placed int o device using out -of-band met hod, e.g. commissioning t ool Transport is where t he Trust Cent er sends t he key (securely wherever possible) t o t he device Est ablishment is where t he device negot iat es wit h t he Trust Cent er and keys are est ablished at eit her end wit hout being t ransport ed SKKE (Symmet ric Key Key Est ablishment ) CBKE (Cert ificat e-based Key Est ablishment ) ASKE (Alpha-secure Key Est ablishment )
2009 ZigBee Alliance. All right s reserved.

Key types
There are t hree key t ypes: Mast er key Shared key for SKKE only Link key Net work key

2009 ZigBee Alliance. All right s reserved.

Link key
Key which is uniquely shared bet ween t wo and only t wo devices for prot ect ing frames at t he APS layer One of t hose devices is normally t he Trust Cent er Usually dynamically est ablished using key est ablishment service Can also be pre-inst alled or t ransport ed from t he Trust Cent er

2009 ZigBee Alliance. All right s reserved.

Network key
Global key which is used by all devices in t he net work A set of net work keys is held by t he Trust Cent er and current net work key is ident ified by a key sequence number Usually t ransport ed from t he Trust Cent er Can also be pre-inst alled Two st age updat e mechanism Updat e new key and associat ed key sequence number Swit ch t o new key sequence number
2009 ZigBee Alliance. All right s reserved.

10

Com m on Security Model

Some confusion due t o flex ibilit y in specificat ion A com m on secur it y m odel was developed Use of net work key wit h pre-configured Trust Cent er link keys Pre-configured TC link key prot ect s t he t ransport of t he net work key Addit ional link keys can be t ransport ed or est ablished using higher-layer mechanism Secure communicat ion clust er in SE/ HC profile
2009 ZigBee Alliance. All right s reserved.

11

Fram e protection
The securit y suit e used is AES-CCM* The securit y level used in ZigBee (level 5) means AES_CCM* is t he same as AES-CCM AES-CCM is NIST special publicat ion 800-38C Low-cost implement at ion in t erms of resources Some wireless microcont rollers have hardware support for AES-CCM or AES-CCM* Two part s t o prot ect ion Encrypt ion Int egrit y prot ect ion ZigBee securit y uses level 5 in t he AES-CCM* suit e Encrypt ed MIC lengt h 4 oct et s
2009 ZigBee Alliance. All right s reserved.

12

Encryption and Integrity protection

Encrypt ion scrambles t he original dat a (called plaint ext in 'securit y speak') int o cipher t ext Encrypt ion prevent s an eavesdropper from being able t o int erpret frame payload Int egrit y protect ion adds a Message Int egrit y Code (MIC) t o be t ransport ed along wit h t he dat a t o be prot ect ed The MIC 'signs' t he dat a and allows t he recipient t o verify t hat t he dat a has not been t ampered wit h The MIC is also bound t o t he ident it y (IEEE address) of t he originat or and t hus provides origin aut hent icit y Without int egrit y prot ect ion, a rogue device could modify a t ransmit t ed frame and t he modificat ion may not be det ected by t he recipient
2009 ZigBee Alliance. All right s reserved.

13

Protecting at NWK layer

PHY PDU
SYNC PHY HDR MAC HDR

Plaintext MAC Payload

FCS

Unsecured NWK PDU

NWK HDR

Plaintext NWK Payload

PHY PDU

SYNC

PHY HDR

MAC HDR

Plaintext MAC Payload

FCS

Secured NWK PDU

NWK HDR

Auxiliary Header

Ciphertext NWK Payload

MIC

2009 ZigBee Alliance. All right s reserved.

14

Protecting at APS layer

PHY PDU
SYNC PHY HDR MAC HDR

Plaintext MAC Payload

FCS

Unsecured NWK PDU

NWK HDR

Plaintext NWK Payload

Unsecured APS PDU

APS HDR

Plaintext APS Payload

PHY PDU

SYNC

PHY HDR

MAC HDR

Plaintext MAC Payload

FCS

Unsecured NWK PDU

NWK HDR

Plaintext NWK Payload

Secured APS PDU

APS HDR

Auxiliary Header

Ciphertext APS Payload

MIC

2009 ZigBee Alliance. All right s reserved.

15

Protecting at NWK and APS layer

PHY PDU
SYNC PHY HDR MAC HDR

Plaintext MAC Payload

FCS

Unsecured NWK PDU

NWK HDR

Plaintext NWK Payload

Unsecured APS PDU

APS HDR

Plaintext APS Payload

PHY PDU

SYNC

PHY HDR

MAC HDR

Plaintext MAC Payload

FCS

Secured NWK PDU

NWK HDR

Auxiliary Header

Ciphertext NWK Payload

MIC

Secured APS PDU

APS HDR

Auxiliary Header

Ciphertext APS Payload

MIC

2009 ZigBee Alliance. All right s reserved.

16

Joining scenario
ZigBee Coordinat or normally act s as Trust Cent er Walk t hrough device wit hout net work key and wit h preconfigured TC link key Common securit y model
Coordinator Router End Device Mesh link End device star link

2009 ZigBee Alliance. All right s reserved.

17

Joining scenario walkthrough

1: Device does unsecured join 3
2

2: Router sends device update to TC for authorization 4 1 5 3: TC prepares network key transport for joining device secured with pre-configured TC link key shared between TC and joining device and tunnels it to router 4: Router unpacks tunneled network key transport and sends to device unsecured at network layer 5: Device retrieves network key from network key transport using pre-configured TC link key

Trust Center Router End Device Mesh link End device star link APSME commands
2009 ZigBee Alliance. All right s reserved.

18

ZigBee SE 2.0 security requirem ents

SE 2.0 requires a more flex ible securit y implementation Both federated and end-to-end models need to be considered Ex isting standards from IETF, IEEE, IEC etc. need to be used Multiple sources for implement ation and multiple CAs required

2009 ZigBee Alliance. All right s reserved.

19

ZigBee SE 2.0 security initial technical requirem ents

Link layer securit y provided by 802.15.4-2006 frame prot ection EAP (Ex t ensible Aut hent icat ion Prot ocol) used for net work admission Cert ificat es Passphrases PINs TLS (Transport Layer Securit y) used for secure associat ions at applicat ion level Locally wit hin HAN Across t he wider net work t o ut ilit y TRD available on ZigBee/ Homeplug document server
2009 ZigBee Alliance. All right s reserved.

20