LoRaWAN Security Model:

LoRa specifies two types of symmetric session keys that are unique to each LoRa device. The NwkSKey is used for network-layer message integrity from the LoRa device to the LoRa network server. The AppSKey is used for application-layer end-to-end AES-128 encryption from the LoRa device to the application server. See the diagrams below.

There are two ways for LoRa devices to join the network. The first is Over-the-Air Activation (OTAA). The LoRa device and network server are first provisioned with a 128-bit AppKey. When the LoRa device is first powered on, a join-request is sent to the LoRa network server. The AppKey is used to create a message integrity code (MIC) over a number of parameters, including the device ID and a device nonce. The server checks the MIC with the AppKey. If it is valid, the LoRa network server generates two new 128-bit device keys: the app session key (AppSKey) and the network session key (NwkSKey). The keys are sent back to the LoRa device using the AppKey as an encryption key. The LoRa device decrypts and installs the session keys.

The second method is Activation by Personalization (ABP). In this case the LoRa device is provisioned with the session keys NwkSKey and AppSKey. This could be done in a manufacturing environment, for example. These LoRa devices can begin communicating with the LoRa network server.

LoRa Network Threats & Mitigation

Once LoRa devices are provisioned with unique session keys, a man-in-the-middle attack should not be able to affect data integrity or confidentiality. There are other system-level threats that should still be considered.

ABP Key Provisioning: Activation by Personalization (ABP) calls for creating session keys for the LoRa device, possibly at manufacturing. In that case, session keys have to be injected into the device and securely transported to the LoRa network server. A Hardware Security Module (HSM) at the manufacturing site would be the best way to do this, so that keys are not exposed during LoRa device programming.

OTAA Key Provisioning: Over-the-Air Activation (OTAA) uses a secure process for generating session keys; however, the AppKey must be provisioned in a secure manner and securely transported to the LoRa network server. This could be done over HTTPS in a secure web client/server model.

2017/8/8