In the world of the Internet and the Internet of Things, security is always one of the most pressing concerns. LoRaWAN, which is already mature in the LPWAN field, has specific security considerations and settings. Below are several security-related questions and answers.
1. How is the security mechanism of LoRaWAN described?
All security mechanisms are described in detail in the LoRaWAN specification. The current LoRaWAN standard versions 1.0 and 1.0.2 have been officially released and can be downloaded. Version 1.1 is still under revision.
2. How does the security mechanism of LoRa ensure the secure operation of the LoRaWAN network?
LoRaWAN provides origin authentication, integrity protection, and replay protection at the MAC layer. It also provides end-to-end encryption of application payloads between terminal devices and application servers, and it encrypts MAC command traffic. All of these mechanisms rely on the Advanced Encryption Standard (AES) with 128-bit keys.
3. What are the differences in security between the two network access methods: ABP (Activation-by-Personalization) and OTAA (Over-the-Air-Activation)?
LoRaWAN uses static root keys and dynamically generated session keys.
The root key exists only on OTAA terminal devices; when an OTAA device performs the join procedure, the root key is used to derive the session keys. Once provisioned, an OTAA terminal device can join any network that has an interface to the key server (called the Join Server in version 1.1 of the protocol) associated with that device. Terminal devices use the session keys to protect their over-the-air communication.
ABP terminal devices carry no root key. Instead, they are provisioned with a set of session keys for a pre-selected network, and those session keys remain unchanged for the device's entire lifetime.
Because the session keys of OTAA devices are renewed each time they join, OTAA is better suited to applications that require a higher level of security.
4. What type of identifier is used in LoRaWAN?
Each terminal device is identified by a 64-bit globally unique EUI identifier assigned by the device manufacturer. The assigner of the EUI identifier must obtain permission from the relevant IEEE registration authority.
The Join Server, which manages terminal authentication, is also identified by a globally unique 64-bit EUI, assigned by the owner of that server.
Private LoRaWAN networks that roam with public networks are identified by a 24-bit globally unique identifier assigned by the LoRa Alliance. When a terminal device successfully joins a network, the network server assigns it a 32-bit temporary device address.
5. Can I randomly assign identifiers to my devices or networks?
Identifiers must be assigned according to the rules described in question 4; arbitrary assignment causes unnecessary confusion.
6. Are all terminal devices assigned the same default key at the factory?
Of course not. LoRaWAN has no concept of a default key or default password. Every terminal device leaves the factory with its own unique identifier and keys, so extracting the key from one device does not affect any other device.
7. What type of keys are used?
An OTAA terminal device is provisioned with a root key called the AppKey. On the network side, the AppKey is held by the Join Server, which may be co-located with or separate from the network server. An ABP terminal device is provisioned with two session keys, the application session key (AppSKey) and the network session key (NwkSKey); the NwkSKey is provided by the network server and the AppSKey by the application server.
8. What encryption algorithm is used?
The AES-CMAC algorithm defined in RFC 4493 is used for origin authentication and integrity protection. AES-CCM* as defined in IEEE 802.15.4-2011 is used for encryption.
9. How does LoRaWAN prevent eavesdropping?
The MAC payload is encrypted in transit between the terminal device and the network, and the application payload is additionally encrypted between the terminal device and the application server. As a result, only authorized entities holding the relevant key can recover the plaintext.
10. How does LoRaWAN prevent spoofing?
Origin authentication and integrity protection of the MAC payload are provided by the Message Integrity Code (MIC) exchanged between the terminal device and the network. Only authorized entities (the terminal device and the network server) that hold the correct keys can generate a valid frame.
11. How does LoRaWAN prevent replay?
The integrity-protected MAC payload includes a frame counter, which lets the receiver reject any frame it has already received.
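How a network server applies the frame-counter rule from question 11, as an added example that is not from the specification or from any LoRaWAN stack: LoRaWAN 1.0.x frames carry only the low 16 bits of the 32-bit counter, so the receiver first reconstructs the full counter, then accepts a frame only if that counter is strictly newer than the last one accepted and not more than MAX_FCNT_GAP (16384 in the 1.0.x specification) ahead of it. The counter sequence in main is constructed to show the 16-bit field wrapping, followed by two replayed frames.

```go
package main

import "fmt"

// MaxFCntGap is MAX_FCNT_GAP from the LoRaWAN 1.0.x specification: the largest jump in the
// frame counter the network server tolerates before it stops trusting the device's counter.
const MaxFCntGap = 16384

// FCntTracker is the network server's record of one device's uplink counter. A LoRaWAN 1.0.x
// frame carries only the low 16 bits of the 32-bit FCnt, so the receiver has to reconstruct
// the full value before it can decide whether a frame is new.
type FCntTracker struct {
	last    uint32 // highest 32-bit FCnt accepted so far
	started bool   // false until the first frame after (re)activation
}

// Accept reconstructs the 32-bit counter from the 16 bits sent on the air and reports whether
// the frame is fresh: strictly greater than the last accepted counter and within MaxFCntGap of
// it. A repeated or older counter is a replay (or a stale retransmission) and is rejected.
func (t *FCntTracker) Accept(fcnt16 uint16) (fcnt uint32, ok bool) {
	if !t.started {
		t.last, t.started = uint32(fcnt16), true
		return t.last, true
	}
	// Keep the high 16 bits of the last counter; if the result is not newer, assume the
	// low half wrapped and carry into the high half.
	fcnt = t.last&0xFFFF0000 | uint32(fcnt16)
	if fcnt <= t.last {
		fcnt += 0x10000
	}
	if fcnt-t.last > MaxFCntGap {
		return fcnt, false
	}
	t.last = fcnt
	return fcnt, true
}

// Last returns the highest counter accepted so far.
func (t *FCntTracker) Last() uint32 { return t.last }

// runSequence feeds a series of on-air counters to a fresh tracker and returns the
// accept/reject decision for each one.
func runSequence(seq []uint16) []bool {
	var tr FCntTracker
	out := make([]bool, len(seq))
	for i, c := range seq {
		_, out[i] = tr.Accept(c)
	}
	return out
}

func main() {
	// Constructed counters: two fresh frames near the 16-bit boundary, a wrap to 2 (really 65538),
	// then a replay of the frame with low bits 65533 and a replay of the wrapped frame.
	seq := []uint16{65530, 65533, 2, 65533, 2}
	var tr FCntTracker
	for _, c := range seq {
		full, ok := tr.Accept(c)
		fmt.Printf("on-air FCnt %5d -> reconstructed %6d accepted=%v\n", c, full, ok)
	}
}
```

The gap limit matters for the defender as much as the strict ordering: without it, a frame replayed after the 16-bit field has wrapped would reconstruct to a larger counter and be accepted as new.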
12. How is the security of backend interfaces ensured?
Backend interfaces cover the control and data traffic between the network server, the Join Server, and the application server. HTTPS and VPN technologies are used to secure these links, just as in other communication systems. Backend interfaces are outside the scope of the LoRaWAN protocol.
13. Does LoRaWAN support hardware security?
The hardware security of terminal devices and server platforms is independent of the communication protocol, LoRaWAN included.
14. What should I do if I face a security threat?
In general, a security threat can stem from the protocol itself (e.g., a lack of replay protection), from the implementation (e.g., extraction of device keys), from the deployment (e.g., a lack of firewalls), or from a combination of the three. The first step when facing a threat is therefore to identify its source: implementation is the responsibility of manufacturers, deployment that of operators.
WeChat: LPWAN-NIOT