System Specification
SecurityofEnOceanNetworksv2.51
Page1/63
SecurityofEnOceanRadioNetworks
V2.51
SanRamon,CA,USA,2019
ExecutiveSummary
Ver. Editor Change Date
1.0 MF Creation 05.03.2012
1.1 MF InclusionofAESCBC.
Securetelegramswith/withoutnon-secureRORG.
03.07.2012
1.2 MF Pagenumbering 31.07.2012
1.3 AP RemovingARC4andeditorialchanges 31.10.2012
1.4 MH EditorialonCMACcomputing 22.11.2012
1.5 MH AddedPSKTeachInandVAESextensionsabove16bytes. 17.06.2013
1.6 MF Abstractionfromtelegramtomessage 03.07.2013
1.7 MF Teach-inunidirectional/bidirectionalproceduredescribed 10.07.2013
1.8 MF RLCsynchronization.Message-to-ERP1andERP2conversion 11.07.2013
1.9 MF PSKCRCexplained.Descriptionofteach-inprocedureimproved 26.07.2013
2.0 MH AddedHighSecuritydefinition
-renamedpublickeytoVAESINITVector
-CMACinteach-intelegrameliminated
11.08.2014
2.1 FG AddedTestvectors 09.11.2016
2.2 MF TestvectorsencryptionandCMACcalculationsdescribedindetail 12.07.2017
2.3 MH Bestpracticeexamples,Securechaining,32bitRLC.RemovedMutualauthenticationwithRLCasNONCEfromhighsecurity..ChangedRLCdescription.
09.05.2018
2.4 TM Addsecurechainingexample,updatedthesec_cdmmechanism 27.11.2018
2.5 TM&MH BasedonAllianceTTGFedback:RecommendationsChapterchangedtoimplementationaspects.Formatting,andwording.RemovedAESCBC.
15.01.2019
2.51 MH&FS Re-enablingtheSLFRLCoption0b011(3)16bitRLCexplicitwithwindowalgorithmandrollover-PRELIMINARY
17.04.2019
Copyright©EnOceanAllianceInc.2012-2019.AllrightsReserved.
System Specification
SecurityofEnOceanNetworksv2.51
Page2/63
DISCLAIMER
This information within this document is the property of the EnOcean Alliance and its use anddisclosure are restricted. Elements of the EnOcean Alliance specifications may also be subject tothirdparty intellectualpropertyrights, includingwithout limitation,patent,copyrightortrademarkrights (such a third party may or may not be a member of the EnOcean Alliance.) The EnOceanAllianceisnotresponsibleandshallnotbeheldresponsibleinanymannerforidentifyingorfailingtoidentifyanyorallsuchthirdpartyintellectualpropertyrights.Thisdocumentandtheinformationcontainedhereinareprovidedonan“asis”basisandtheEnOceanAlliancedisclaimsallwarrantiesexpress or implied, including but not limited to (1) anywarranty that the use of the informationhereinwillnotinfringeanyrightsofthirdparties(includinganyintellectualpropertyrights,patent,copyright or trademark rights, or (2) any implied warranties of merchantability, fitness for aparticularpurpose,titleornon-infringement.
InnoeventwilltheEnOceanAlliancebeliableforanylossofprofits,lossofbusiness,lossofuseofdata, interruption of business, or for any other direct, indirect, special or exemplary, incidental,punitive or consequential damages of any kind, in contract or in tort, in connection with thisdocument or the information contained herein, even if advised of the possibility of such loss ordamage.AllCompany,brandandproductnamesmaybetrademarks thatare thesolepropertyoftheirrespectiveowners.
Theabovenoticeandthisparagraphmustbeincludedonallcopiesofthisdocumentthataremade.
The EnOcean Alliance Security of EnOcean networks Specification is available free of charge tocompanies, individuals and institutions for all non-commercial purposes (including educationalresearch,technicalevaluationanddevelopmentofnon-commercialtoolsordocumentation.)
Thisspecificationincludesintellectualproperty(„IPR“)oftheEnOceanAllianceandjointintellectualproperties(„jointIPR“)withcontributingmembercompanies.Nopartofthisspecificationmaybeused in development of a product or service for sale without being a participant or promotermemberoftheEnOceanAllianceand/orjointowneroftheappropriatejointIPR.EnOceanAlliancegrantsnorightstoanythirdpartyIP,patentsortrademarks.
These errata may not have been subjected to an Intellectual Property review, and as such, maycontainundeclaredNecessaryClaims.
EnOceanAllianceInc.5000ExecutiveParkway,Suite302SanRamon,CA94583GrahamMartinChairman&CEOEnOceanAlliance
System Specification
SecurityofEnOceanNetworksv2.51
Page3/63
TABLEOFCONTENTS
1 Introduction.....................................................................................................................................61.1 Terms&Abbreviations..................................................................................................................61.2 Definitionofrequirementslevels...................................................................................................6
2 Scenarios.........................................................................................................................................82.1 Attackerscenarios.........................................................................................................................82.2 SystemArchitecture.....................................................................................................................11
3 Securityforoperationmode.............................................................................................................123.1 Messagestructure........................................................................................................................13
3.1.1 R-ORG.........................................................................................................................133.1.2 DATA..........................................................................................................................133.1.3 RLC(ROLLINGCODE)...................................................................................................14
3.1.3.1SynchronizingRLCwhensynchronizationwindowislost.......................................143.1.4 CMAC.........................................................................................................................14
3.2 Transformingsecureandunsecuremessages................................................................................143.2.1 TransforminganunsecuremessageintoasecuremessagewithR-ORG
encapsulation.............................................................................................................153.2.2 TransformingasecuremessagewithR-ORGencapsulationintoanon-secure
message......................................................................................................................153.2.3 TransforminganunsecuremessagewithoutR-ORGencapsulationintoasecure
message......................................................................................................................163.2.4 TransformingasecuremessagewithoutR-ORGencapsulation......................................16
4 Securityforteach-inmode...............................................................................................................174.1 Messagestructure........................................................................................................................18
4.1.1 R-ORGTS....................................................................................................................184.1.2 TEACH-ININFO............................................................................................................19
4.1.2.1FieldIDX..............................................................................................................194.1.2.2FieldCNT.............................................................................................................194.1.2.3FieldPSK..............................................................................................................194.1.2.4FieldTYPE............................................................................................................194.1.2.5FieldINFO............................................................................................................20
4.1.3 SLF(Securitylevelformat)...........................................................................................204.1.3.1FieldRLC_ALGO...................................................................................................214.1.3.2FieldMAC_ALGO..................................................................................................214.1.3.3FieldDATA_ENC...................................................................................................21
4.1.4 RLC214.1.5 KEY21
4.2 Teach-inwithpre-sharedkey........................................................................................................214.2.1 PSKchecksum.............................................................................................................22
5 Securityalgorithms..........................................................................................................................235.1 VAES(variableAES)encryption.....................................................................................................235.2 VAES(variableAES)decryption.....................................................................................................255.3 VAESINITVector..........................................................................................................................265.4 PrivateKey..................................................................................................................................26
System Specification
SecurityofEnOceanNetworksv2.51
Page4/63
5.5 RollingCode.................................................................................................................................265.6 CMACalgorithm...........................................................................................................................28
5.6.1 CMACcalculationforoperationmodetelegrams..........................................................285.6.2 Calculationofthesubkey(AES-CMAC,RFC4493)..........................................................30
6 EnOceanHighSecurity.....................................................................................................................326.1 UseCasedefinition......................................................................................................................326.2 ProtectionagainstRelayAttacks...................................................................................................32
6.2.1 AuthenticationbasedonCMAC...................................................................................336.2.2 Communicationscenarios............................................................................................33
6.2.2.1MutualauthenticationwithRNDasNONCE..........................................................346.2.2.2UnilateralauthenticationwithRNDasNONCE......................................................366.2.2.3Errorscenarios....................................................................................................38
6.3 HighSecurityinclusionintoexistingconcept.................................................................................396.3.1 SecurityLevelFormatextension..................................................................................396.3.2 MetaSecurityTelegram...............................................................................................396.3.3 Algorithmextension....................................................................................................40
6.3.3.1CMAC..................................................................................................................406.3.3.2VAES....................................................................................................................40
7 SEC_CDM–0x33chainedsecuremessages.........................................................................................428 ImplementationsAspects.................................................................................................................45
8.1 Rollingcode.................................................................................................................................458.2 Standardsecuritylevelformat......................................................................................................45
8.2.1 Forlinepowered,-anddeviceswithsufficientenergybudget.......................................458.2.2 ReducedSLF-exceptionsforenergylimitedapplications.............................................468.2.3 PushButtonTransmitterSLF-Exceptionsforkineticdeviceswithnoenergy
storage.......................................................................................................................468.3 SecureTeach-in...........................................................................................................................47
8.3.1 SecureTeach-inusingQRLabels(orNFC).....................................................................478.3.2 SecureTeach-inovertheAIRwithPSK.........................................................................47
8.4 AESKeySelectionandupdatemechanism.....................................................................................488.4.1 KeySelection..............................................................................................................48
8.5 Bidirectionalcommunication........................................................................................................489 Referenceddocuments.....................................................................................................................49AnnexAAppendix...................................................................................................................................50
A.1 ERP1securetelegrams.................................................................................................................51A.1.1 OperationmodewithEPR1..........................................................................................51A.1.2 Secureteach-inchainingwithERP1.............................................................................51
A.2 ERP2securetelegrams.................................................................................................................53A.2.1 OperationmodewithEPR2..........................................................................................53A.2.2 Secureteach-inwithERP2...........................................................................................53
A.2.2.1 Secureteach-inchainingwithERP2................................................................53A.3 PSKCRC8checksumalgorithm......................................................................................................55A.4 SecurityTestvectors....................................................................................................................57
A.4.1 SecureSTMwithID(019EB63B)................................................................................57
System Specification
SecurityofEnOceanNetworksv2.51
Page5/63
A.4.2 SecurePTM(withID0185E177)................................................................................60A.4.3 SecureChainedData...................................................................................................62
System Specification
SecurityofEnOceanNetworksv2.51
Page6/63
1 Introduction
ThisdocumentspecifiesthesecurityconceptforERP(1/2).ThisconceptwasspeciallydesignedfordevicespoweredbyenergyharvestersandisbasedontheERP.Theobjectiveofthedesignwastokeep the energy requirements andµC resources for the implementationof the security as lowaspossible.
Theimplementationaspects,whichdescribewhichsecurityshallbeused,arelistenedinthechapter8. Chapter 2 – 5 goes into technical details describing the scenario against which the EnOceansecurity protocol protects, technical background and possible security formats. Most of thepossibilities are not recommended and new design shall follow the SLF described in chapter 8.Chapter6describesEnOceanHighSecuritywhichuseschallengeandresponse.Chapter7explainstheusageofSecureChainedmessages,whichshallbeusedtosenddatalongerthanonetelegram.
1.1 Terms&Abbreviations
Term/Abbr. Description
µC Microcontroller(external)
API ApplicationProgrammingInterface
APP Application
Data PayloadofERPtelegram
EEP EnOceanEquipmentProfile
ERP1/2 EnOceanRadioProtocol1or2.Ifnonumberisused,theargumentisvalidforbothversions.
EO EnOcean
ESP3 EnOceanSerialProtocolV3
RLC RollingCode
CMAC CipherBasedMessageAuthenticationCode
Gateway ModulewithabidirectionalserialcommunicationconnectedtoaHOST
Device Customerend-devicewithanintegratedEnOceanradiomodule
Nonce Numberwhichisusedonce
SLF SecurityLevelFormat,describestheusedsecurityparameters
Table1.Abbreviationsusedinthisdocument.
1.2 Definitionofrequirementslevels
The usage of the keywords “must”,“shall”,”should” and so on follow the ones of the RFC2119.
System Specification
SecurityofEnOceanNetworksv2.51
Page7/63
1. MUSTThisword,ortheterms"REQUIRED"or"SHALL",meanthatthedefinitionisan
absoluterequirementofthespecification.
2. MUSTNOTThisphrase,orthephrase"SHALLNOT",meanthatthedefinitionisanabsoluteprohibitionofthespecification.
3. SHOULDThisword,ortheadjective"RECOMMENDED",meanthattheremayexistvalid
reasonsinparticularcircumstancestoignoreaparticularitem,butthefullimplicationsmustbeunderstoodandcarefullyweighedbeforechoosingadifferentcourse.
4. SHOULDNOTThisphrase,orthephrase"NOTRECOMMENDED"meanthattheremayexist
validreasonsinparticularcircumstanceswhentheparticularbehaviorisacceptableorevenuseful,butthefullimplicationsshouldbeunderstoodandthecasecarefullyweighedbeforeimplementinganybehaviordescribedwiththislabel.
5. MAYThisword,ortheadjective"OPTIONAL",meanthatanitemistrulyoptional.One
vendormaychoosetoincludetheitembecauseaparticularmarketplacerequiresitorbecausethevendorfeelsthatitenhancestheproductwhileanothervendormayomitthesameitem.AnimplementationwhichdoesnotincludeaparticularoptionMUSTbepreparedtointeroperatewithanotherimplementationwhichdoesincludetheoption,thoughperhapswithreducedfunctionality.InthesameveinanimplementationwhichdoesincludeaparticularoptionMUSTbepreparedtointeroperatewithanotherimplementationwhichdoesnotincludetheoption(except,ofcourse,forthefeaturetheoptionprovides.)
System Specification
SecurityofEnOceanNetworksv2.51
Page8/63
2 Scenarios
TheERPisusedinavarietyofapplications.However,themajorusageisinproductswithinbuildingautomation.Sometypicalsituationswhereasecureprotocolcanberequiredare:
n Thermostat vacation mode - A family leaves their home for several weeks. They set theirthermostat in vacationmode. Obscuring data from the thermostatwill prevent an intruder toknowtheoccupancystateofthehouse.
n Windowcontrol–AbuildinghasawindowinstalledwhoseopeningiscontrolledbytemperatureandCO2sensors.Applyingasecureradioprotocolthewindowreceivershouldignoremessagesthat have been already used. Thiswill prevent an intruder to gain unauthorized access to thebuildingbyrecordingpacketsandreplayingthem.
Automated meter reading – Polling a thermostat per radio enables the collection of meterinformationwithout the necessity of a person entering the house. By obscuring data from thethermostatitwillbepreventedthatanintruderobtainsprivateinformationfromthetransmitteddata. To prevent an intruder forging the heating consumption the system must resist reply-attacks.
2.1 AttackerscenariosInsuchfashionscouldbecompromisedthenormaloperationofanEOradiosystem:
Figure 1. The picture shows the possible interferences and attacks in the actual EO radiocommunication. Attacks other than the ones shown in this figure will not be considered in this
System Specification
SecurityofEnOceanNetworksv2.51
Page9/63
documentation and in the implementation of a secure radio protocol. Attacks not consideredinclude,for instance,thephysicalmanipulationofasenderorareceivermodule;continuouswavesending;power-supplysabotage.Fromthefourscenariosdepicted,thefirst(CollisionwiththesameIDbase) corresponds to anunintentional control of a receiver by another EOuser. The last threescenarios represent, however, an intentional attack. Unauthorized listening of information that isbeingtransmittediscalledeavesdropping.
Figure2.This scenario isnotaproperattack. It’s simplyan IDduplicationwithin the rangeof thebase ID (see what is EnOcean Base ID). The duplication happens because two different usersprogrammedtheirsendermoduleswithidenticalIDwithinthebaseIDrange.Whentheuserinroom1 sends a signal with Sender 1 he controls unluckily also Receiver 2, in room 2. A symmetricalsituationhappenswhentheSender2inroom2isoperated.
System Specification
SecurityofEnOceanNetworksv2.51
Page10/63
Figure3. InthisscenarioanattackerprogramstheIDbasetakingintentionalcontrolofthesystemreceiver.Todothis,theintrudersimplylistenstothesenderID.ItprogramsthenthissameBaseIDinhis sendermodule, and controls the system receiver.All this is possibleusing EO toolswithoutperformingreverseengineering.
Figure4.WiththeonlyhelpofanEOreceiveritispossibletohearthecommunicationbetweenanEOsenderandareceiver.Thisisundesirediftheinformationbeingtransmittedisprivate.Thisisthecaseofmeteringreadingsystems.
System Specification
SecurityofEnOceanNetworksv2.51
Page11/63
Figure5. Inamoresophisticatedattackversiontheattackerlistenstothetelegramsintheair.TheattackersendsatelegramwiththesamechipID(replay)astheoneinthesystemsender.
2.2 SystemArchitecture
AtypicalsystemarchitectureusingERPisshownonthefigurebelow:
Figure6ERPsystemarchitecture
In an ERP system most common communication pattern is unidirectional. However there areinstallationswherebi-directionalcommunicationisrequiredforinstancebetweentwoGateways,inSmartACKorinRemoteManagementconcept.ThusthesecurityconcepthastobedesignedinawaythatitcanbeappliedtoN:Mcommunicationpatterns.
Telegram
EnOceanRFmodule
Gateway
EnOceanRFmodule
Sensor
EnOceanRFmodule
Sensor
EnOceanRFmodule
Sensor
EnOceanRFmodule
Gateway
System Specification
SecurityofEnOceanNetworksv2.51
Page12/63
3 Securityforoperationmode
RORG Description
0x30SEC
Secure telegram. This message was not created from a non-secure counterpart. Amessage with this RORG was created by the secure application and the data mayinterpretedbyaTeach-In-Processoutsideofthisspecification(i.e.EEPorGP).
0x31SEC_ENCAPS
SecuremessagethattransporttheoriginalR-ORGnonsecurecode.
0x32SECD
Non-securemessagetypethatresultsfromthedecryptionofasecuremessagewithR-ORG0x30.
0x33
SEC_CDM
SecurechainedMessages
0x35SEC_TI
Secure Teach-In telegrams transmit private key and rolling to the communicationpartner
Table2.SecureRORGs
TheERPsecurityisimplementedontheOSIpresentationlayeroftheERPprotocolstack.
The security strategiesdiscussed in thenext chaptersareapplied tomessages.Messagesabstracttheconceptoftelegrams.Messagesdonotspecifyacertainbyteorder.TheyaretobeimaginedasCstructureswithallnecessarymemberstocontaintheinformationstoredinatelegram.Amessageisageneralisationofserialandradiotelegrams.
Amessage contains all fields that a telegrammayhave: theR-ORG,DATA, Sender ID, receiver ID,repeatercounteraswellasthesecurityspecificmemberslikeRLC,CMAC,SLFthatwillbeexplainedinthenextchapters.
EO secure messages follow a flexible schema made up of different freely combinable securitymechanisms.TheSecurity level formatsdescribed in chapter8 shouldbeused.Thedescriptionofothercombinationstillexistsforlegacyproductsandmaybestillused1.
The security mechanism may transform the DATA and R-ORG fields of the non-secure message.Other fields like themessage sender ID, receiver ID, repeater counter arenot affectedor altered.The RLC and CMAC should be added. Notmodified fields like sender ID, received ID or repeatercounterarenotdepictedthroughthechapterwhenamessageisrepresented.
The following figure depicts the relevant secure radiomessage structuremembers, togetherwithexamplesofapplicationscenarios,attacksthatcanbeblocked.
—————————
1 As the different SLF allow significant freedom, and not all combinations can be seen as optimal secure solutions, and
somesolutionscouldcausedifferentproblemstheSLFshouldbeselectedaccordinglytochapter8.
System Specification
SecurityofEnOceanNetworksv2.51
Page13/63
Table3.ThetableshowsthedifferentsecuremessagesstructuresfortypicalEnOceanapplications..A securemessage is identifiedby specificR-ORGcodes representedasR-ORGS.Obscuredwill beonly the DATA of the message and optionally the original R-ORG. Any combination of DATAencrypted/not encrypted, RLC present/not present, and CMAC present/not present is technicalpossible.Butonlytheonementionedinchapter8shouldbeused.
The structure of the secure telegram is negotiated between the devices within the teach-inprocedure.See4.
3.1 Messagestructure
Figure 7. Relevantmessagemembers In the following chapters,wheneverDATA iswritten, DATAincludesOPTIONALDATA.
3.1.1 R-ORG
ThemessageR-ORG identifies the typeofmessage that isbeing sentor received.ThemessageR-ORGis1-bytelong.Securemessagesareidentifiedbythecodes0x30,0x31,0x33or0x35,denotedgenerallyR-ORGSintheTable3.
Acodedifferentfromthoseidentifiesanon-securemessage.
3.1.2 DATA
UnderDATAwillalwaysbeunderstoodthetelegramDATAfieldandtheOPTIONALDATA,ifitexists.TheDATAisabyteconcatenationofbothDATA+OPTIONALDATA.
Thedataisencryptedusinganyoftheencryptionalgorithmsdescribedinsection5.
TheDATAencryptionalgorithmisindicatedtothereceiverduringtheteach-inprocedure.
ThelengthoftheDATAandtheinterpretationisdefinedbytheapplication.
System Specification
SecurityofEnOceanNetworksv2.51
Page14/63
3.1.3 RLC(ROLLINGCODE)
Thisfieldcontainsacodethatchangesaccordingtoapredefinedalgorithm(see5.5).IftheRLCisnottransmitted,senderandreceivermustkeepthiscodesynchronize.Thecodeincreaseseverytimeamessageissentbytheradiotransmitter.IfamessageRLCdoesnotcoincidewiththeexpectedRLCvaluethereceiverrejectsthemessage.
• IftheRLCistransmittedviaamessage,itmustbehigherthanthepreviousreceivedRLC.• IftheRLCisnottransmitted,theRLCshallbeinRLCwindowrange.
RLCisMSBfirst.
Theteach-inproceduremaysynchronizetheRLCinthereceiverwiththeoneinthereceiver.
TheRLCfieldshouldbetransmittedbutcanbeomitted.AlthoughtheRLCmaynotbesentbythetransmitteritisusedinternallyinthetransmitterandreceivermodulestoperformthecalculationoftheCMACcodeandDATAfieldencryption(see5.6).ByreceptionoftheCMACthereceiverindirectlytestthecorrectnessoftheRLC.
RLC field format: RLC byte length, RLC algorithm and RLC presence in the telegram- arecommunicatedtothereceiverduringtheteach-inprocedureusingtheSLF.
DetailsoftheRLCalgorithmareexplainedinsection5.5
3.1.3.1 SynchronizingRLCwhensynchronizationwindowislost
IfthereceivermissesmoremessagesthenthedefinedRLCwindow,noadditionalmessageswillbedecrypted by the receiver. In this case the receiver needs to resynchronize the RLC. Differentapproaches can be used for this, one is that the sender retransmits a Teach-IN telegrams whichincludesthecurrentRLC.ThereceiverwillresynchronizeitselfafterreceivingthisTeach-IN.Anotherpossibilityise.g.ifthereceiverisalinepowereddeviceanddidsufferapowerlosstoincreasetheRLC window to a very large number one time – for one incoming telegram. In this case it isrecommendedtoensurethatnotaduplicatedRLChasbeenreceived.
3.1.4 CMAC
TheCMAC is thecipher-basedmessageauthenticationcode field–withMSB first. Itsmission is toguaranteethatthemessagehasnotbeentamperedwith.Thisconfirmsthatthesenderisthestatedone.
TheCMACisdependentontheprivatekey(see4.1.5),apublicvector,themessagebytesand,if itexists,therollingcode(see3.1.3).
TheMACfieldcodechangesforeverysentmessage.TheCMACchangesunpredictable,unlessthekeyandtheRLCstateareknown.
ThealgorithmtocalculateCMACisexplainedinthechapter5.6
3.2 Transformingsecureandunsecuremessages
Thischapterexplainshowtocreatesecuremessagestakingasbasisanunsecuremessageandviceversa.
System Specification
SecurityofEnOceanNetworksv2.51
Page15/63
In the explanation message fields such as sender ID, receiver ID and other message fields, notmodifiedbythesecuritytransformations,willbenotindicated.Thereadermustsupposethatthesefieldsarepartofthemessage.
3.2.1 TransforminganunsecuremessageintoasecuremessagewithR-ORGencapsulation
Figure8.Anunsecuremessage is transformed intoa securemessage that includes theoriginalR-ORGby1-transformingthemessageR-ORGcodeto0x31.2-TheunsecureR-ORGfieldcodeandtheunsecureDATAfieldsareconcatenatedandthenencrypted.3-Theresultoftheencryptionisstoredin themost significant bytes of the securemessage DATA field. 4- A rolling code, RLC, might becalculated (section5.5).5-Finally, it ispossible toaddaCMACcode (chapter5.6).OthermessagefieldslikesenderID,receiverIDorrepeatercounterarenotmodified.
3.2.2 TransformingasecuremessagewithR-ORGencapsulationintoanon-securemessage
In this case, a secure message with R-ORG 0x31 is transformed into a non-secure message. ThetransformationimpliesdecryptingtheencryptedR-ORGandDatainformationwhichistobefoundconcatenatedintheDATAfieldofthemessage.
Figure9.AsecuremessagewithR-ORG0x31containstheunsecuredR-ORGencryptedintheDATAfield.TheDATAfieldofthemessagemustbedecrypted,maybewiththehelpoftheRLC.ThefirstdecryptedbyterepresentsthemessageR-ORGoftheunsecuremessage.TherestofthedecryptedDATA field bytes represent the unsecuremessage DATA bytes. CMAC does not play a role in thedecryption.Thisfieldwillbecheckedforauthenticationofthetelegram.
System Specification
SecurityofEnOceanNetworksv2.51
Page16/63
3.2.3 TransforminganunsecuremessagewithoutR-ORGencapsulationintoasecuremessage
Figure 10. An unsecuremessage is transformed into a securemessage that does not include theoriginal R-ORG by 1- rewriting the message R-ORG code to 0x30. 2- The unsecure DATA field isencrypted.3-The resultof theencryption is stored in the securemessageDATA field.4-A rollingcodemightbecalculated.5-Finally,itispossibletoaddaCMACcode.Thepurposeofnotincludingtheoriginalunsecuremessage in the securemessageDATA field is to saveenergyat transmissiontime.
3.2.4 TransformingasecuremessagewithoutR-ORGencapsulation
In this case, a secure message with R-ORG 0x30 is transformed into a non-secure message. ThetransformationimpliesdecryptingtheDATAfieldinformation.
Figure 11. The secure message with R-ORG 0x30 does not include the non-secure R-ORGinformation inanyform. Intheconversionfromsecuretonon-securemessagethe latterbecomestheR-ORG=0x32.TheDATAfieldisdecrypted,maybeusingtheRLCfield.TheCMACdoesnotplayaroleinthedecryption.Itisonlyusedforauthenticationpurposes.
System Specification
SecurityofEnOceanNetworksv2.51
Page17/63
4 Securityforteach-inmode
Thischapterexplainstheexchangeofthesecurityinformationviatheradiointerface,whichmaybeomitted.EspeciallysendingtheAES-KeyincleartextshouldbeomittedandatleastaPSKshouldbeused.Theexchangeofthesecurityinformationmaybedonebyusingotherinterfaces,andthenbeadded into the device. This is not explained in details here. (E.g. ReCom, Serial interface or IPGateway)
Toconfigurethedetailsofthesecurecommunicationinoperationmodeateach-inproceduremodemustbeexecuted.Withintheteach-inprocedurethepartsinvolvedinthecommunicationtransmittoeachothertheencryptionmethod,key,rollingcode,rollingcodesizeandCMACsizethatwillbeusedduringtheoperationmode.
The teach-in procedure can be set up to be a unidirectional or bidirectional process. See 4.1.2 tolearnhowtoconfigurethisoption.
Figure12.Schematicrepresentationofthemostgeneralbidirectionalteach-inprocedure.Inthecaseofunidirectionalsecurityteach-inDeviceBdoesnotsendateach-inmessage.
Firstly, theDeviceBmustbeset in learningmodetoaccepttheteach-inmessages fromDeviceA.TheDeviceAsendsthesecurityteach-inmessage(aredescribedinchapter4.1)wheneveritsspecifictrigger is activated. After reception of the teach-in message the Device B stores the securityparametersofDeviceA:theseparametersincludetheDevice'sAprivatekey,KEY,currentRLC,RLC,RLCsizeandCMACsizeandwayofencryptinginformation.TheKEYandRLCcanbesentencryptedbythesenderusingthesocalledpre-sharedkey,PSK.Moredetailsunderchapters4.1.2.3and4.2.
If the process is bidirectional theDevice B, a gateway, for instance, answers backwith a securityteach-inmessage.Thisteach-inmessagecontainsasreceiver-IDtheIDoftheDeviceA.IftheDeviceBencryptsitsteach-inmessageitwillmakeuseofthesamePSKkeyoftheDeviceA.Inthesecondsecurityteach-indepictedinthepicturetheDeviceB informstheDeviceAof itsownKEYandRLC
andCMAC.Theformatoftheteach-inmessagessentbyDeviceAandDeviceBarethesame.
Theteach-indeliveredbyDeviceBmustoccurinworstcase500msafterthereceptionoftheteach-insentbyDeviceA.TheDevice'sAtime-outforthereceptionofateach-inis750ms.
Device A e.g. Sensor
Teach-in
Device B e.g. Gateway
Teach-in
Learn mode ON
Learn mode OFF
Teach-in trigger
System Specification
SecurityofEnOceanNetworksv2.51
Page18/63
BeforeDeviceAsendsthesecurityteach-inmessage,thereceiverisputintoteach-inmode–activelistening for teach-inmessages. The teach-inmethod is limited typically to 30 seconds. After thistime-outthemoduleleavesitsteach-inmode,andreturnstypicallytoitsoperationmode.Teach-inmessagesarenotaccepteduntilthenextactivationoftheteach-inmode.
Thepossiblemethodsfortheteach-inexecutionare:
• Viawirelessfromthetransmittertothereceiver• Viaserialinterfacetothereceiverthroughathirdparty• ViaReCom• Others
Execution via serial interface or other methods are not part of this specification and are ratherapplication/usecasespecific.
Theexecutionoftheteach-inprocessviawirelessleadstotwopossibilities:
o Teach-inmessageissentinplaintext(noencryptionintheinformationisperformed)..Thisshould not be used, as a third party could sniff the key and listens to all latercommunication.
o Partsof the teach-inmessageareencrypted.For theencryptionapre-sharedkey isused.Encrypted are the RLC and KEY. Message structure is listed below. Details about thisexecutioncanbefoundinchapter4.2
4.1 Messagestructure
Theteach-inmessagehasthefollowingsecure-specificfields:
Figure13.Secureteach-inmessage.Teach-inInfofieldcontainsinformationrelativetotheteach-inmessageitself.TheSLFfieldindicatestheformatofthesecurityparametersinoperationmode.TheRLCisthecurrentRLCinthetransmitter.TheKEYcontainstheprivatekeyusedforencryptioninoperationmode.RLCandKEYmaybeencryptedwithapre-sharedkey
Thissecureteach-inmessageonlytransfersthesecurityspecificdata.Thismessagedoesnotcontainthe informationabouthowthedatahastobe interpreted(exceptforfieldtypePTM)inoperationmode.
Toenableprofile interpretationaprofile-teach-inmessage(EEPorGP)hastobetransmittedafterthe secure teach-in. This profile teach-in is conducted already secured (encrypted) using thedecryptedkeythatthesecureteach-intransmitted.
4.1.1 R-ORGTS
Theonebytesecureteach-inR-ORGis0x35.
System Specification
SecurityofEnOceanNetworksv2.51
Page19/63
4.1.2 TEACH-ININFO
7 6 5 4 3 2 1 0
IDX CNT PSK TYPE INFO
0-NoPSK
1–PSK
0–NoPTM
1–PTM
InterpretationdependsonType.
See4.1.2.5
Table4.Teach-ininfobytefields
4.1.2.1 FieldIDX
A tech-in message can be divided in several telegrams. This field indicates the order of thosetelegrams. The first telegram receives the IDX = 0. In the case that the teach-in message is notdividedtheIDXshallbesetto0andthismessageistheonlyone..ChainingisexplainedinchapterA.1.2
4.1.2.2 FieldCNT
IfIDX=0
CNTindicatesthenumberoftelegramsthatthemessageisdividedinto
IfIDXnot0
Thisfieldisreserved
4.1.2.3 FieldPSK
IfIDX=0
0 TheRLCandtheKEYarenotencrypted
1 TheRLCandtheKEYareencryptedwiththepre-sharedkey.See4.2
IfIDXnot0
Thisfieldisreserved
4.1.2.4 FieldTYPE
IfIDX=0
IndicatesiftheapplicationisaPTMornot
1) Non-specifictype
2) PTM
IfIDXnot0
Thisfieldisreserved
System Specification
SecurityofEnOceanNetworksv2.51
Page20/63
4.1.2.5 FieldINFO
TheinterpretationofthisfielddependsonthecodeinField(4.1.2.1)
IfIDX=0andTYPE=0
0 Unidirectionalsecurityteach-inprocedure
1 Bidirectionalteach-inprocedure
IfIDX=0andTYPE=1
0 ROCKERAnormalTeachIn
1 ROCKERBnormalTeachIn
Inothercasesthisfieldisreserved
4.1.3 SLF(Securitylevelformat)
Withtheinformationcontainedintheteach-inSLFbytethereceiverisinformedaboutthedetailsofthesecuremessages inoperationmode:what fields,how longtheyare,andwhataretheappliedsecurityalgorithms.2
7 6 5 4 3 2 1 0
RLC_ALGO3 MAC_ALGO DATA_ENC
0:NoRLC1:Reservedforfutureuse2:16BitimplicitRLCRollOver/WindowAlgorithm
3:16BitexplicitRLCRollOver/WindowAlgorithm
4:24BitimplicitRollOver/WindowAlgorithm
5:24BitexplicitRLC[24Bittransmitted]NoRollOver/NoWindowAlgorithm
6:32BitexplicitRLC[24Bittransmitted]NoRollOver/NoWindowAlgorithm
7:32BitexplicitRLC[32Bittransmitted]NoRollOver/NoWindowAlgorithm
0–NoMAC
1–AES1283byte
2–AES1284byte
3–N/A
0–Nodataencryption
1–Seechapter6
2–N/A
3–VAES–AES128
4–N/A
Table 5. Security Level Format fields and its interpretation.When RLC_ALGO is 1 or 2 the secure teach-inmessagecontainstherollingcodewhosesizecorrespondstotheonedescribedbythatbitfield.—————————
2Thecodes6&7shouldbeusedinnewdesigns.3 In older specification the RLC_ALGO field was split into RLC_ALGO + RLC_TX. The same functionality of the old
specificationisstillpossible,case0,2,3,4,5.Onlycase6,7areactuallynewanddefinedanewbehaviour
System Specification
SecurityofEnOceanNetworksv2.51
Page21/63
4.1.3.1 FieldRLC_ALGO
Defines the type of the rolling code algorithm used during secure communication. More detailsunderRollingCode.
0 NoRLC1 Reservedforfutureuse2 16BitimplicitRLCwhichallowsarolloverandusesawindowalgorithmatthereceiverside
toensurethatbothdevicesareinsync.3 16BitexplicitRLCwhichallowsarolloverandusesawindow.4 24BitimplicitRLCwhichallowsarolloverandusesawindowalgorithmatthereceiverside
toensurethatbothdevicesareinsync.SeeRollingCode.5 24bitexplicitRLC,theRLCwillbetransmitted.Rolloverisnotallowedandnowindow
algorithmisused6 32bitexplicitRLConly24bitofitwillbetransmitted.Rolloverisnotallowedandno
windowalgorithmisused7 32bitexplicitRLC,thefullRLCwillbetransmitted.Rolloverisnotallowedandnowindow
algorithmisused
4.1.3.2 FieldMAC_ALGO
DefinesthetypeofalgorithmfortheCMACcalculation
0 NoMACincludedinthesecuretelegram1 CMACisa3-byte-longcode.MACiscalculatedusingAES128asdescribedinthe5.6chapter2 MACisa4-byte-longcode.MACiscalculatedusingAES128asdescribedinthe5.6chapter3 N/A
4.1.3.3 FieldDATA_ENC
DefinesthetypeofalgorithmforDATAencryptionduringsecurecommunicationinoperationmode.
0 DATAnotencrypted1 Challenge-Response2 Reserved.Notdefined3 DATAwillbeencrypted/decryptedXORingwithastringobtainedfromanAES128.See5.14 Reserved.Notdefined
4.1.4 RLC
Contains the rolling code needed for the transmitter-receiver RLC synchronization.). See chapter4.1.3.
4.1.5 KEY
ContainstheprivatekeyusedfortheencryptionofDATAandCMACgenerationinoperationmode.
4.2 Teach-inwithpre-sharedkeyIncasea teach-in isexecutedwithapre-sharedkeythe fieldsRLCandKEYareencrypted.For themessagestructureofateach-inpleaserefertotheFigure13.
System Specification
SecurityofEnOceanNetworksv2.51
Page22/63
Thepre-sharedkeyofthesendermodulemusthavebeencommunicatedtothereceiver(agateway)via serial interface in advance. The pre-shared key is typically written on a sticker on the sendermodule.Thepre-sharedkeyisnottransmittedthroughtheEnOceanairinterface.
WhenTEACH_IN_INFO.PSK=1thefieldsRLCandKEYwillbeencryptedusingtheVAESencryption.Seechapter5.1fordetails.ThefollowingparametersareusedintheVAESalgorithm:
• VAESDATA = concatenationofRLC+KEYbytes• VAESRLC = 0x0000(Rollingcodeisnotexchangedatthismoment,
thereforeitmustbeinitializedtoadefaultvalue)• VAESPRIVATEKEY = PRE-SHAREDKEY
4.2.1 PSKchecksum
ThePSKcode(16bytes)comestogetherwithanextrabyte,CRCchecksum,whichisusedtoverifythatthe installer/userwritescorrectlythe16-bytePSKcode intotheDeviceB(seeFigure12).ThechecksumusesaCRC8algorithmthatisexplainedinchapterA.3.
System Specification
SecurityofEnOceanNetworksv2.51
Page23/63
5 Securityalgorithms
This section describes the security algorithms for the ERP that are used to secure the telegramcontent.
5.1 VAES(variableAES)encryptionAmore secureway to encrypt data is using the 128-bit AES algorithm(1) in combinationwith therolling code. Themechanismdescribed here allowsDATA lengths from1 toN,whereN does nothave to benecessarily amultiple of 16. Thanks to the rolling code the generated encrypted codevaries, although the DATA input is constant. This feature improves the obscurity of the originalinformationandavoidsreplayattacks.Encryptionisdonein16byteschunks,similartothepreviousalgorithm.But the lengthof the resultingcipher text is the sameas the lengthofplain text.AftertransmittingeachmessagetheRLCisincreased.
Figure14.EncryptionoftelegramDATAusingvariableXORAES128forDATAequalor lessthan16bytes.TheAES128 isusedtoperformapseudorandomgenerator.TheplussymbolwithinacirclerepresentsabitwiseXORoperation.OneDATAchunkcanhaveamaximumof16bytes.ThelengthofDATA_ENC is equal to the lengthofDATA.VAES INITVector is a constant16-bytehexadecimalstringarray.TheRLCisXORedwiththeVAESINITVectorbeforeenteringtheAES128algorithm.TheVAES INIT VECTOR byte array first element, VEAS_INIT_VECTOR [0], is XORed with the RLCmostsignificantbyte.VEAS_INIT_VECTOR[1]isXORedwiththeRLC2ndmostsignificantbyteandsoon.
VAES INIT Vector
++
RLC
AES128 ENC
ENC
DATA +
DATA_ENC
PRIVATE KEY
System Specification
SecurityofEnOceanNetworksv2.51
Page24/63
TheRLCispaddedwith0untilafull16byteblockisreached.InthesamewayDATAandENCarraysareXORedtoproducetheoutputcode.
Figure15.EncryptionoftelegramDATAusingvariableXORAES128forDATAlongerthan16bytes.EncryptionisrepeatedbutinallfollowingcyclestheENCfieldfrompreviouscycleisXORedwiththeencryption input for theactualcycle.TheRollingCode is thesameforall cycles.Byusing theENCfieldinallfollowingcyclestheencryptioninputwillchangeandsotheENCfieldforDATA.Otherwisesamerulesapplyasinencryptionwithlessthan16bytes.
System Specification
SecurityofEnOceanNetworksv2.51
Page25/63
5.2 VAES(variableAES)decryption
Figure 16. Decryption algorithm of the received telegram. DATA_ENC is the received encryptedDATA.DATAislessthan16bytes.Note:TheAESalgorithmrequiredisthesameasintheencryptionalgorithm.TheRLCvalueinthereceivermustbethesameasinthetransmittermodule.Otherwisethe decryptedDATAwill not correspond to theDATA in the transmitter. TheDATA has the samelengthastheDATA_ENC.TheXORbitalignmentfollowstheideasdescribedin
Figure14.
VAES INIT Vector
+ RLC
AES128 ENC
ENC
DATA_ENC +
DATA
PRIVATE KEY
System Specification
SecurityofEnOceanNetworksv2.51
Page26/63
Figure17.Decryptionalgorithmofthereceivedtelegram.DATA_ENCisthereceivedencryptedDATAfromthetransmitter.DATAismorethan16bytes.
ForthisalgorithmtoworkcorrectlythereceivermustcheckfirstthatitsinternalRLCiscorrect.Thiscanbedonebycomparing the internalRLCagainst the telegramRLCor, if there isnotransmittedRLC,bycomparingtheMAC(see5.6).
5.3 VAESINITVectorTheVAESINITVectorisaknownconstantvalueusedasinputtotheAESalgorithm.
Itsvalueisthehex3410de8f1aba3eff9f5a117172eacabd.
Seenasa16-bytearray,theVEAS_INIT_VECTORfirstelement,VEAS_INIT_VECTOR[0]=0x34.
ThearraylastelementisVEAS_INIT_VECTOR[15]=0xbd.
5.4 PrivateKeyTheprivatekeyisasecretconstantvalueusedasinputtotheAESalgorithm.Itslengthis128bits(16bytes).
5.5 RollingCodeThe rolling code is a value stored in the sender and transmittermodule independently. The codechanges for every sent/received telegramaccording to apredefinedalgorithm. The rolling code isusedas toobtaindifferentCMACcodes (5.6) andVAESencryption values (5.1) although telegramDATAremainsconstant.
System Specification
SecurityofEnOceanNetworksv2.51
Page27/63
ExplicitRLCstrategy-TheRLCshallbetransmittedaspartofthetelegraminformation.
ImplicitRLCstrategy-ItispossibleforthetransmittermodulenottosendRLCinthetelegram(See5.6)todecreasetheneededenergy.
IftheRLCistransmittedornotisindicatedbytheSLF(Securitylevelformat)
Therollingcodealgorithmisthesimplestpossible:itisacounterthatisincrementedby1whenthetransmitter/receiversends/receivesatelegram.ARLCvalueshallnotbeduplicated.Toensurethisthefollowingstrategiesshallbeused.
• If theRLC is send, rolloverof theRLC isnotallowedandwindowalgorithm isnotused.AreceivershallblockmessageswithalowerRLC.TheRLCshallonlyberesetwhenanewkeyisused.
• IftheRLCisnotsend,theRLCwindowshallbeused.AreceivermaystorethefirstreceivedRLCandinformtheuserifsamevaluesareusedagain.
IftheimplicitRLCstrategyisused,awindowisusedtoensuresynchronizationbetweenreceiverandtransmitter.
Figure 18. Rolling Window of Acceptance for Counter Values (AVR411: Secure Rolling CodeAlgorithm).
The RLCwindow is amechanism that ensures that even if the transmitter and receiver lost theirsynchronization(transmitterwasoperatedoutsidetherangeofthereceiverortelegramswerelost),telegramswillbestillaccepted.Thedifferencebetweentherollingcodecountersinthesenderandreceivermustnotbebiggerthantherollingcodewindowsize.WhenthereceivermodulereceivesawrongRLC it tests thenextrollingcode. If this test failsagain, it tests thenextrollingcode.Thesetestscontinueuntil theRLCmatch,oranumberofRLCwindowsize testswereperformed. In thislastcasethereceiverreturnstoitsoriginalRLCandrejectsthetelegram.
OncethereceivercannotmatchthetransmitterrollingcodeintherangeofthewindowsizeitmayblocktheTXIDofthetransmitter.
IfsenderandreceiverRLCweredesynchronizedwithaRLCdifferencebiggerthantheRLCwindowsize,theycanbesynchronizedagainbymeansoftheteach-inprocedure(section4)orwritingtheRLCdirectlyintothereceiver.
System Specification
SecurityofEnOceanNetworksv2.51
Page28/63
ThewindowsizeforincorrectRLCshouldbe128.Othervaluesmaybeused.
5.6 CMACalgorithm
Thegeneralalgorithm(see[3])tocalculatetheCMACofamessagetosendisthefollowing.
Ifmessagespayloadisalignedby16bytes,thecase(a) isused.SubkeyK1isusedinthiscase.See5.6.2 for details about the subkey generation. The case (b) applies for messages that are notmultipleof16bytes.SubkeyK2isusedthen.
M_iare16-bytelongarrayofthemessagebyteswhoseCMACistobecalculated.M_1..M_n-1are16-byte long arrays. In case of (b) the last byte of the message is concatenated with the bitsequence10…0,toobtaina16byte-longarray.
TheAES_Kusesasinputthe16-byteM_iarrayandtheKkey.
Thelast16-byteM_iarrayrequiresthesubkeyK1–case(a)-orthesubkeyK2-case(b).
Themessage is composedof theRORG-S field, theDATA fieldandoptionally theRLC (in case it isbeingusedexplicitlyinthetelegramorimplicitly).
5.6.1 CMACcalculationforoperationmodetelegrams
ToillustratetheCMACcalculationamessage<=16byteswillbeused:
System Specification
SecurityofEnOceanNetworksv2.51
Page29/63
Figure19.CMACgenerationalgorithmforamessage<=16bytes.TheR-ORG-S isthesecureradiomessageR-ORGcode.DATAisthesecuremessageDATAfield.WhenR-ORGS=0x31,DATAincludesthe encrypted non-secure R-ORG asmost significant byte.When R-ORG S= 0x30, DATA does notincludetheencryptednon-secureR-ORG.IfnoRLCisused(eitherinthemessageorinternally)thefield RLC is not included for the CMAC calculation. IMPORTANT: if the RLC is used but nottransmitted with the telegram then the RLC is included in the CMAC calculation. In this way theCMACchangesforeachtransmittedmessage.FromtheAES-generatedarraythebyteswithindex0,1,...,(CMAC_size-1)aretakenasCMAC.Thepaddingbytesareonlynecessaryforthecasethattheinputinformationis<16bytes.
Whenthemessagefields(R-ORGS,DATA-andoptionallyRLC-)doesnotadd16bytesforapplyingtheAES128algorithm,abitsequence100…0(paddingbits)isconcatenatedtoformatotalbitstringof16bytes.
TheR-ORGS,DATA–optionallyRLCandPADDINGBITS-areXORedwiththe16-byteSubkeyderivedfromtheprivatekey.R-ORGSXORsSubkey_Kn[0]andsoon.
IftheR-ORGS+DATA+RLCfieldsadd16bytesthenthesubkeyK1willbeused.
OtherwisethesubkeyK2isused.
WhenperformingAES,thebyteR-ORGScorrespondstothestringarraybytewithindex0.
A four byte CMAC corresponds to the string array bytes 0 (MSB), 1, 2, 3 (LSB) generated by theAES128 algorithm. A three byte CMAC corresponds to the string array bytes 0(MSB), 1, 2 (LSB)generatedbytheAES128algorithm.
System Specification
SecurityofEnOceanNetworksv2.51
Page30/63
Note:WhentheR-ORGS+DATA+RLC>16bytethemessagehastobespittedlikeindicatedin5.1.TheR-ORGwillonlybepresentasfirstbyteintheM_1whiletheRLCwillonlybepresentonlywithinM_n.
5.6.2 Calculationofthesubkey(AES-CMAC,RFC4493)
AlgorithmGenerate_Subkey
n Instep1,AES-128withkeyKisappliedtoanall-zeroinputblock
n Instep2,K1isderivedthroughthefollowingoperation:
o IfthemostsignificantbitofLisequalto0,K1istheleft-shiftofLby1bit
o Otherwise,K1istheexclusive-ORofconst_Rbandtheleft-shiftofLby1bit
n Instep3,K2isderivedthroughthefollowingoperation:
o IfthemostsignificantbitofK1isequalto0,K2istheleft-shiftofK1by1bit
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Algorithm Generate_Subkey +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ +
+ Input : K (128-bit key) +
+ Output : K1 (128-bit first subkey) +
+ K2 (128-bit second subkey) +
+-------------------------------------------------------------------+
+ +
+ Constants: const_Zero is 0x00000000000000000000000000000000 +
+ const_Rb is 0x00000000000000000000000000000087 +
+ Variables: L for output of AES-128 applied to 0^128 +
+ +
+ Step 1. L := AES-128(K, const_Zero); +
+ Step 2. if MSB(L) is equal to 0 +
+ then K1 := L << 1; +
+ else K1 := (L << 1) XOR const_Rb; +
+ Step 3. if MSB(K1) is equal to 0 +
+ then K2 := K1 << 1; +
+ else K2 := (K1 << 1) XOR const_Rb; +
+ Step 4. return K2; +
+ +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
System Specification
SecurityofEnOceanNetworksv2.51
Page31/63
o Otherwise,K2istheexclusive-ORofconst_Rbandtheleft-shiftofK1by1bit.
n InthecasethatpaddingbitswherenecessaryusetheK2assubkey.OtherwiseK1
System Specification
SecurityofEnOceanNetworksv2.51
Page32/63
6 EnOceanHighSecurity
EnOceanHighsecurityisanextensionoftheexistingsecurityconcept.Itsmainaimisto:
n Enableprotectionagainstspecialman-in-middleattack(relayattack)
n Enablemoreflexiblehandlingfordevicescommunicatingbidirectionalwithencryption
Tohandlefirstrequirementisitsuitabletoapplythechallenge&responseprocesswithtimelimitedauthentication. This implies that both communication devices are bidirectional. All the followingdefinitionsarebasedonthatconstrain.
6.1 UseCasedefinitionHighsecurityspecificationisdevelopedforspecificdesignedapplicationswherethiskindofsecurityis required (e.g. doorlock, access control, safety applications). It is not the baseline for securityapplicationbutthehighestgradeandshouldbeappliedonly inapplicationswhere it isavalidusecase.
ForhighSecuritytheseusecasesaredefined:
1. Bidirectionaldataflow–bothdevicesareline-powered
Bothdeviceshaveenoughcomputingcapabilitiesandenergytoperformsecurityrelevanttasks.Data telegrams are exchanged in both ways e.g. communication between smart plug andgateway.
2. Bidirectionaldataflow–onedeviceisenergyautarkicandoneisline-powered
Onedevice isdoingenergyharvestingandthesecond is line-powered.Dataflowisexecuted inbothdirections.Theautarkicdevice initializes the communicationand thenexpectsa responsefromtheline-powereddevicei.e.SmartAcknowledgeprocess.
3. Unidirectionaldataflow(bothdeviceshavebidirectionalcapabilities)–onedeviceisenergyautarkicandoneisline-powered
One device is energy harvesting and the second is line-powered. Data flow is executed in onedirection – from the autarkic device to the line-powered. Bidirectionality is only required toexecutehighsecurityfeaturesnotforactualapplicationusecase.InthiscaseSmartAcknowledgewillbeusedtoo.
6.2 ProtectionagainstRelayAttacksRelay attacks are special man-in-the-middle attack scenarios. The intruder intercepts thecommunicationandblocksthetargetedreceiver.Thenhecanreplaythecommunicationtoa latermoment.WiththisscenariohewillevenbypasstheRLCCounterchecking,becausethereceiverhasnotupdatedhiscounterandsoacceptsthereplayedmessage.
Topreventthisattackscenariothemessagevaliditymustbetimelimitedand/orthereceivermustbe aware of transmission process ongoing. Time limitations are ensured by performing anauthenticationbychallengeandresponsewhichvalidonly limitedtime(500ms).DuringchallengeandresponseaNonceisusedaschallenge.
System Specification
SecurityofEnOceanNetworksv2.51
Page33/63
6.2.1 AuthenticationbasedonCMAC
Authenticationcanbe:
n Unilateral – only one of the communication partners is authenticated and his outgoingcommunicationisprotectedagainstreplayattacks–oneNonceisexchanged
n Mutual – both communication partners are authenticated and both communication ways areprotectedagainstreplayattacks–twoNonceareexchanged
For CMAC computing the EnOcean security concept uses the Payload of telegrams. The Nonce isusedduringCMACcomputingtooandsoensuresthattheNonceisconnectedwiththeexchangedmessageanditsdatacontent.Sobecomesthedatacontentalsovalidforlimitedtime.
EnOceanSecurity conceptuses theVAES fordataencryption.TheNoncecanbealsoused for theinitializationvectorfortheVAESprocess.ThiswayarandomelementisaddedtotheVAESprocess.ThisisrequiredifNonceisarandomnumberandnoRLCisused.
TheNoncecanbe:
n UsedduringCMACcounting
n UsedasinitializationvectorforVAEScounting
Nonce represents the challenge and has to be therefore exchanged between the communicationpartners via air interface. The Challenge and Response does not have to encrypt and can betransferredplaintext.TheCMACalgorithmrepresentsthesecuringelement.
Duringdatacommunicationfollowingconstrainsareapplied:
n Bidirectionalcommunicationcanbeonlyexecutedaftermutualauthentication.Bothpartiescantriggertheauthentication
n Unidirectional communication is unilateral authenticated. The emitter of the data flow isauthenticatedandonlytheemittercantriggerthecommunication.Thechallengeisprovidedbytheconsumerofthedata
ForNoncewecanuse:
n Randomnumber32bit–here iscritical thatthegeneratorprocess isnotpredictable,doesnotrepeatsamesequencesandisequallyspreadonthedefinedrange
n Simpleincrementing,non-repeatingsequence32-bitnumber
6.2.2 Communicationscenarios
To protect against relay attacks we define three new security communication approaches. TheydifferinaspectoftheUseCasedefinitionmadeinchapter6.1:
1. MutualauthenticationwithRNDasNONCE2. UnilateralauthenticationwithRNDasNONCE
In following definitions the DEVICE A is the sensor / autarkic device which initialize thecommunication. DEVICE B is the line-powered device which is receiving the communication. ThedefinitionsalsoapplyforUseCase1,thenDEVICEAisalsoanlinepowereddevice.
System Specification
SecurityofEnOceanNetworksv2.51
Page34/63
ThelinkbetweenAtoBisunique,becauseofusedkeys.Nootherdevicecanlistenanddecryptthecommunication.Thecommunicationisunicast–andhastobeeventuallyaddressedinoneorbothdirections,dependingifdeviceAordeviceBhasothercommunicationpartners.
DeviceA
KEYA–keyusedbydeviceAtoencryptcommunication,usedforcommunicationfromAtoB
RNDA–randomnumbergeneratedbydeviceA-32bits
TIMEOUTA–timeoutondeviceAtillnextmessagefromdeviceBshouldbereceived
DeviceB
KEYB–keyusedbydeviceBtoencryptcommunication,usedinforcommunicationfromBtoA
RNDB–randomnumbergeneratedbydeviceB-32bits
TIMEOUTB–timeoutondeviceBtillnextmessagefromdeviceAshouldbereceived
Fields
Inthefollowingdescriptionweusethesefields:
ENC: Encryptionmethod-NA/VAES
VAESIntV: ContentoftheInitializationVectorofVAES,forDetailssee5.1.
PAYLOAD: Contentofthedatafieldusedinthetelegram
CMAC: ContentwhichistheCMACcalculatedon–completeexpiationsee6.3.3.1
RORG-MSTelegrampayloadlength–incaseofMSTelegramisused,wespecifythelength.
6.2.2.1 MutualauthenticationwithRNDasNONCE
InthisscenariotheNONCEisrepresentedbyrandomsequences.NoRLCisused.Thissolutionmightbeuseableforautarkicdevices.
Failuresliketimeoutsarenotconsidered.Onlytheidealcaseisdescribed.Onanyfailuree.g.CMACnotvalidatedortimeoutsthewholeprocessisdiscardedandneedstostartfrombeginningorothermeasurese.g.resynchronizemustbetaken.Thecommunicationwillbeexecutedinthesesteps.
1. AsendsChallengetoB.andstartstimeoutA.
Messageparameters:
o ENC: NAo RORG: RORG-MSo DATA: RORG-MSHeader(RND),RNDAo RORG-MStelegrampayloadlength=5bytes
System Specification
SecurityofEnOceanNetworksv2.51
Page35/63
2. B receives Challenge. Sends Response with next Challenge to A. B starts communicationtimeoutB.
Messageparameters:
o ENC: NAo RORG: RORG-MSo DATA: RORG-MSHeader(DATA/RND/CMAC),RNDBo CMAC: DATA,RNDAo RORG-MStelegrampayloadlength=9bytes
3. A receives Challenge and successfully authenticates it with help of both RNDs. A sendsResponsewithpayloaddatatoB.Optionally-StartstimeoutA.
Messageparameters:
o ENC: VAESo VAESINT: VAESINITVector+RNDBo RORG: RORG-SECo DATA: applicationpayloado CMAC: DATA,RNDB,RNDA
4. B receives Response with payload within timeout B. Validates it with help of both RNDs.Optionally–continueswithcommunicationandsendanotherpayloadmessage.
Messageparameters:
o ENC: VAESo VAESINT: VAESINITVector+RNDAo RORG: RORG-SECo DATA: applicationpayloado CMAC: DATA,RNDA,RNDB
5. OptionallyAreceivesmessagefromBwithintimeoutA.
No further communicationwith same RND A and RND B can be executed, because no Sequencenumberispresentandreplayattackscouldbeexecuted.Totransmitbiggerdataquantitiesatonceusemessagechaining.
Pleaseseetheprocessdescriptioninthesequencediagrambelow.
System Specification
SecurityofEnOceanNetworksv2.51
Page36/63
Figure20MutualauthenticationwithRNDasNONCE.
SLF:
DATAENC–VAES+RND
6.2.2.2 UnilateralauthenticationwithRNDasNONCE
In this scenario the HASH is represented by one random sequence. No RLC is used. This is thesolutionwhichrequirestheleastamountofresourcesandensuresrelayattackprotection.
Failuresliketimeoutsarenotconsidered.Onlytheidealcaseisdescribed.OnanyfailureCMACnotvalidated or timeouts thewhole process is discarded and needs to start from beginning or othermeasurese.g.resynchronizemustbetaken.Thecommunicationwillbeexecutedinthesesteps.
1. AsendsRequestforCommunicationMessagetoBandstarttimeoutA.
System Specification
SecurityofEnOceanNetworksv2.51
Page37/63
Messageparameters:
o ENC: NAo RORG: RORG-MSo DATA: RORG-MSHeader0x00o Payloadlength=1byte
2. B receives Request for Communication. Sends Challenge to A. B starts communicationtimeoutB.
Messageparameters:
o ENC: NONEo RORG: RORG-MSo DATA: RORG-MSHeader(RND)+RNDBo Payloadlength=5bytes
3. AreceivesChallengeandsuccessfullydecodesit.AsendsresponsewithpayloaddatatoB.StartstimeoutA.
Messageparameters:
o ENC: VAESo VAESINT: VAESINITVector+RNDBo RORG: RORG-SECo DATA: applicationpayloado CMAC: DATA+RNDB
4. BreceivesmessagewithintimeoutB.DecodesthemessageandauthenticateswithhelpofRNDB.
NofurthercommunicationwithsameRNDBcanbeexecuted,becauseRLCisnotpresentandreplayattackscouldbeexecuted.Totransmitbiggerdataquantitiesatonceusemessagechaining.
Pleaseseeprocessdescriptioninthesequencediagrambelow.
System Specification
SecurityofEnOceanNetworksv2.51
Page38/63
FigureUnilateralauthenticationwithRNDasNONCE.
6.2.2.3 Errorscenarios
Ifthemessagegetslosttheprocessisconsideredasfailed.
Repeated transmissions of request for challenge or challenge messages between identicalcommunication partners shall restart the authentication process and cancel any previous ongoingvalidation.
sd Unilateral authentication with RND as NONCE
Device A Device B
{A is authenticated}
{max 500 ms}
Send Request for ChallangeRORG-MS DATA()
Generate RND B()
{max 500 ms}
Send Challange to ARORG-MS DATA(RND)
Calculate Response CMAC(PAYLOAD, RND B)
Send Response to Bwith Payload
RORG-SEC(PAYLOAD, CMAC)
Authenticate CMAC(PAYLOAD, RND B)
Process Payload from A()
System Specification
SecurityofEnOceanNetworksv2.51
Page39/63
6.3 HighSecurityinclusionintoexistingconcept
6.3.1 SecurityLevelFormatextension
Which High Security communication concept is used during data communications needs to becommunicatedat teach in time.For thispurposethedefinedSLF isextended.Followingextensionhasbeenmade:
7 6 5 4 3 2 1 0
RLC_ALGO RLC_TX MAC_ALGO DATA_ENC
1–VEAS–AES128-RND
Table6.SecurityLevelFormatextensionfieldsanditsinterpretation.
DATA_ENC–Value: 0x1
VAES–AES128–RNDisusedas initializationvector insteadofRLCi.e.MutualauthenticationwithRNDasNONCE,UnilateralauthenticationwithRNDasNONCE.
IfsecureteachinisbidirectionalornotisalreadydefinedinINFOfield–seechapter4.1.2.
6.3.2 MetaSecurityTelegram
The Meta Security Telegram is required to support additional task required in high security.Followingmessagestructureisdefined.
Figure21MetasecurityTelegramstructure
RORG-MS
MetaSecuritytelegramsareidentifiedbythecode0x36.
Header
The RORG-MS telegram has a header which expresses what content of the meta-securityinformationiscarried.Thisheaderisalwayspresentatthefirstplace.
7 6 5 4 3 2 1 0
NA NA NA NA NA NA RNDIncluded CMACIncluded
0:RNDnotincluded
1:RNDisincluded
0:CMACnotincluded
1:CMACisincluded
Table6MetaSecurityTelegramheaderfieldsanditsinterpretation.
RND- Randomnumberusedaschallenge–ifincluded.
CMAC- CMACisincluded,usedasresponseforauthentication–ifincluded.
System Specification
SecurityofEnOceanNetworksv2.51
Page40/63
6.3.3 Algorithmextension
6.3.3.1 CMAC
TheCMACisalteredfordatacommunicationandformetasecuritytelegram.
Followingfieldsareadded:
n SOURCEID-AlsotheLSB32-bitofthecommunicationIDoftheoriginatingdevice
n RND1–32bit,firstincludedrandomnumber
n RND2–32bit,secondincludedrandomnumber(optional,dependingonscenarioi.e.Mutualorunilateral)
RND1,RND2–canberepresentedbyRNDA,orRNDB.Theorderisspecifiedandisimportanttoconsider.Pleaseseecommunicationscenarioschapter6.2.2fordetailsonorderandcontent.
Allfieldsareincludedonlyifrequired.Pleasefindmetasecurityheaderdefinitionchapter6.3.2andcommunicationscenarioschapter6.2.2fordetailsandcontendofthetelegrams.
Figure22GraphicalrepresentationofalteredCMACforMetaSecurityTelegram
6.3.3.2 VAES
The VAES process has to be extended to use RND during processing of VEAS INIT Vector. Thecommunicationscenariosinchapter6.2.2aredefinedtoRNDasinitialisationvector.
TheRNDis32bitlongsotheXORoperationneedstobeextendedtousesall32bits.
TheVAESINITVECTORbytearrayfirstelement,VEAS_INIT_VECTOR[0],isXORedwiththeRNDmostsignificantbyte.VEAS_INIT_VECTOR[1]isXORedwiththeRND2ndmostsignificantbyteandsoon.
System Specification
SecurityofEnOceanNetworksv2.51
Page41/63
Pleaseseegraphicalrepresentationbellow.
Figure23GraphicalrepresentationofVAESextendedprocess.
System Specification
SecurityofEnOceanNetworksv2.51
Page42/63
7 SEC_CDM–0x33chainedsecuremessages
Securechainingisanadd-onfortheERPchainingmechanism.ThecorefunctionalityisthesameasforChainedmessagesandtheoperationkeyandSLFwillbeusedfortransmittingsecurechainedmessages.ThemessagewillbefirstencryptedlikeanormaltelegramwithencapsulatedR-ORGandtheSLFofthedevice.Theencryptionfunctionusesthe0x31R-ORGinternallyfortheCMACcalculation.Aftertheencryptionusingthe0x31R-RORGwassuccessfulandthedatalengthislongerthanthemaximumtransmittablelength.ThemessagewillbechainedusingtheSEC_CDM.ThishastheadvancedthatonlyoncetheoverheadoftransmittingtheCMACandRLCisaddedtothetransmissionofthesplittelegramsandonlyoneRORGencapsulationishappening.
Asmostdevicesareembeddeddeviceswithlimitedmemorycapacity,itishighlyrecommendedthatonlyonechainedmessageissendatatime.(Toorfromadevice).
SEC_CDM
SEQ IDX datafield EURID status checksum
1byte2bit 6bit Nbytes.Dependifaddressedornot
Andprotocol 4bytes 1byte 1byte1byte
Table8:RadiotelegramstructureofSECUREchainedtelegram–NOTADDRESSED.
ReminderfromCDM:
Amessage consists of a number of chained telegrams. Each telegram in a chain has a sequencenumberandan index.Thesequencenumber is thesameforeachmessage in thesamechainandindicates that the messages belong to the same chain. It is increased with every new CDM andcannotbeequalto0.
Theindexstartsfrom0andisincrementedwitheachmessageinachain.Thepurposeoftheindexistoindicatethecorrectorderofthemessages.Thefirstmessageofachaincontainsthetotallengthofthepayloadofthemessage.
System Specification
SecurityofEnOceanNetworksv2.51
Page43/63
AfullworkingexamplecanbefoundintheappendixAnnexA.
Example for the IDX 0 and ERP1: the following data is in the data field:
SEC_CDM
SEQ IDX datalength RORG_EN Payload EURID status checksum
1byte2bit 6bit
2Bytes1byte 10bytes
4bytes 1byte 1byte1byte
0x33 IDX=0
Unencrypted,cleartext.
Datalength=RORG+Payload+RLC+CMAC
length
Encapsulated RORG
Payload
Forthefollowingindexwhicharenotthelasttelegram
SEC_CDM
SEQ IDX Payload EURID status checksum
1byte2bit 6bit
<=13bytes4bytes 1byte 1byte
1byte
0x33 IDX=x
For the last telegram:
SEC_CDM
SEQ IDX datafield RLC CMAC EURID status checksum
1byte
2bit 6bit Last part of thepayloaddata
0,2or3bytes
0,3,4bytes4bytes 1byte 1byte
1byte
0x33 IDX=last Depend on SLF
Depend on SLF
Figure24Remindingof“TransforminganunsecuremessageintoasecuremessagewithR-ORGencapsulation”Section3.2.1.Thesecuredmessage“0x31”isthantransformedwhilesendingintothe0x33message
System Specification
SecurityofEnOceanNetworksv2.51
Page44/63
System Specification
SecurityofEnOceanNetworksv2.51
Page45/63
8 ImplementationsAspects
This chapter explainswhich device should usewhich sort of SLF explained 4.1.3. All these pointsshould be used when starting new devices. Only devices using these SLF shall get a “securedcertification” 01.03.2020. These devices can still be certified using lower levels, but a secureinteroperable communication cannot be guaranteed. Other possible combinations of the SLF aredeprecatedandshouldnolongerbeused,exceptthechallengeresponse(Highsecurity).
8.1 RollingcodeRollingcodeisthekeyelementindataprotectionandvalidation.Thefollowingdefinitionsshallbeadopted:
The RLC as plain information (not encrypted) should be transmitted explicitly inside the telegramwithoutcorruptingthedataencryption/authenticationor increasingtheriskofpotential intruderattacks.Ifthedevicedoesnothaveanyenergystorageandisextremelylimited(See8.2.3)thismaybeomitted.
TheRLCshallbea32-bitsequencenumberwherepossible.The24-bitlengthshouldbeusedonlyinapplicationswithlimitedenergy.(See8.2.2andbelow)
TheinitialvalueoftheRLCineveryproduceddeviceshouldbe0.
Whentherollingcodeisexplicitlyincludedinsidethetelegram,theRLCwindowlimitconceptshallnotbeapplied.ThisresultsintheacceptanceofanyincomingRLCfromthecommunicationpartner,as longas ithasahighervalueas thepreviously storedRLC.Rollover shallnotbeallowed in thiscase.
TheRLCshallonlybeincreased.AnexceptiontothisiswhenanewAESKEYisused;theRLCcountershallbesetto0again.
This removes the need of RLC resynchronization, and simplifies the use case scenario by notcompromisinganysecurityprotection.
Fordevicesusing8.2.3itcouldbethatRLCsynchronizationisneededaftere.g.apowerdownreset.TherecommendationforthisistoonetimeincreasetheRLCwindowafterapowerdown,toallowaguaranteedresync.AlternativelytheRLCcouldbesetdirectlyinthereceiverafterreadingitout.
8.2 Standardsecuritylevelformat
8.2.1 Forlinepowered,-anddeviceswithsufficientenergybudget
Thestandardsecuritylevelformatshallbeusedforall
- LinepoweredDevices.
Itshouldbeusedfor
- Batterypowered- EnergyHarvestingdevices
System Specification
SecurityofEnOceanNetworksv2.51
Page46/63
7 6 5 4 3 2 1 0
RLC_ALGO MAC_ALGO DATA_ENC
7–32bitRLC/32bittransmitted
2–AES1284byte
3–VAES–AES128-RLC
8.2.2 ReducedSLF-exceptionsforenergylimitedapplications
Ifadevicedoesnothaveenoughenergytotransmittheadditional2bytesitcanusethe“ReducedSLF”
ThisreducedSLFcanonlybeusedwith
- Batterypowered- EnergyHarvesting
Andshouldonlybeusedif8.2.1StandardSLFusestoomuchenergy.
7 6 5 4 3 2 1 0
RLC_ALGO MAC_ALGO DATA_ENC
5-24bitRLC–24bitTransmitted
6–32bitRLC/24bittransmitted
1-AES1283byte
3–VAES–AES128-RLC
8.2.3 PushButtonTransmitterSLF-Exceptionsforkineticdeviceswithnoenergystorage
This SLF shall only be used if a device does not contain any sort of energy storage and has anextremely tight energy budget. Therefore, it has to use the generated energy directly afterharvesting it. For example, a kinetic transmitter which immediately sends after activation securedata(Pushbuttontransmitter)
7 6 5 4 3 2 1 0
RLC_ALGO MAC_ALGO DATA_ENC
4–24bitRLC–nottransmitted
5-24bitRLC–24bitTransmitted
1-AES1283byte
3–VAES–AES128-RLC
System Specification
SecurityofEnOceanNetworksv2.51
Page47/63
8.3 SecureTeach-inPlain text AES transmission over the AIR is deprecated and shall not be used for newimplementations. The security teach-in shallbehandledby,entering the security container(SLF + Key (+optional RLC)) using a second pathway (e.g. Security Link tables with SecureReMan,SerialCommunicationorviaIPbackbone).
Alternatively,theSecuritycontainercanbetransmittedusingaPSK.
8.3.1 SecureTeach-inusingQRLabels(orNFC)
The security container (SLF+key)ofadevicecanbeentered intoanotherdeviceusinga “scan©”method.
1. Scanthe128bitAESkey+SLFfrom
a. Thelabelofthecommunicatingdevice.
b. OrusinganNFCtag
2. Enterthe128bitAEScodeintothereceivingdevice.
a. ViaReCom
b. UserInputmethod
c. IPBackbone
d. SerialCommunication
3. ThereceivingdevicewillusetheRLCfromthefirstdatatelegramforinitialization.
NOTE: Since the RLC is part of the CMAC computing, the RLC in every data telegram is signed.Therefore there is no additional risk in taking the RLC from the first radio telegram. It isrecommended that the first data telegrammust be triggered by the user at a defined moment,similartoteach-intelegrams.
8.3.2 SecureTeach-inovertheAIRwithPSK
ThePSKscenarioincludesscanningthedevicePSKandenteringitintothereceiver.Bykeepingthesesteps,thefollowingscenarioispossible:
1. Scanthe128bitAESPSKcodefromthelabelofthecommunicatingdevice.
2. Enterthe128bitAEScodeintothereceivingdevice.
3. Afterwards,thereceiverwillusethePSKtodecryptincomingteachintelegrams.
System Specification
SecurityofEnOceanNetworksv2.51
Page48/63
8.4 AESKeySelectionandupdatemechanism
8.4.1 KeySelection
FortheAESkey,thefollowingimplementationaspectsshallbeused:
1. Eachdeviceshallhaveaunique,randomlygeneratedAESkeywhenit’sdelivered2. ThiskeyshallbetheoneprintedontheQR–Label3. EachdeviceshallhaveapossibilitytochangetheAESkey:
a. Viaexternalinterfacetoacertainvalueb. Randomlyviauserinteraction
AfterchangingtheAESkey,theRLCcodeshallbesetto0.
Ifkeyscanbechanged,eachkeyshallbeselecteduniquelyandnotduplicated.
8.5 Bidirectionalcommunication
Forbidirectionalcommunicationandchangeablekeysthefollowingrulesapply.
1. EachdirectionshalluseauniquekeywithitsownRLC.
2. Foreachcommunicationpartner,anotheruniquekeyshallbeused.
a. Broadcastshallbeseenforthisusecaseas“onecommunication”partner
Figure25Exampleformultipledevicesandusedkeys
System Specification
SecurityofEnOceanNetworksv2.51
Page49/63
9 Referenceddocuments
(1)NIST,FIPS197,Advancedencryptionstandard(AES),2001
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
(2)-Zabala,RijndaelCipher,128-bitversion(datablockandkey)
http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf
(3)-JH.Song,R.Poovendran,J.Lee,T.Iwata,2006,TheAES-CMACAlgorithm
http://www.rfc-editor.org/rfc/rfc4493.txt
(4)-AVR411:SecureRollingCodeAlgorithm.
http://www.atmel.com/Images/doc2600.pdf
(5)–Wikipedia,Blockciphermodesofoperation.
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
System Specification
SecurityofEnOceanNetworksv2.51
Page50/63
AnnexA Appendix
System Specification
SecurityofEnOceanNetworksv2.51
Page51/63
A.1 ERP1securetelegrams
ThefollowingfigureindicatestheconcretizationofthesecuremessageintoERP1protocol.
A.1.1 OperationmodewithEPR1
Figure26.InthemostgeneralversionofthesecuremessagetheRLCandCMACfieldsarepresent.DATA can be encrypted. The fields R-ORG S, DATA, RLC and CMAC are integrated withoutmodification in theERP1 telegram. IfDATA isencrypted in themessage it isalsoencrypted in theERP1telegram.TheIDandSTATUSarespecifictothetelegram.
A.1.2 Secureteach-inchainingwithERP1
TheERP1limitstheamountofbytestransmittedto21pertelegram.Therefore,thesecureteach-inmessagemustbepartitionedinatleasttwotelegrams(chaining).
Figure27Thegeneralteach-inmessagesecuritymembers
Dividingthemessageintotwotelegramsresultsinthefollowing:
Teach-in message information divided in two ERP1 telegrams. The telegram withTEACH_IN_INFO_0 byte is sent first. This telegram contains the teach-in RLC, SLC and thefirstpartoftheKEYoftheteach-inmessage.ThesecondtelegramtransportsthesecondpartoftheKEY.
TEACH_IN_INFO_0
SLF RLC KEY RORG-TS ID STAT
KEY RORG-TS ID STAT TEACH_IN_INFO_1
System Specification
SecurityofEnOceanNetworksv2.51
Page52/63
The IDX bit field of TEACH_IN_INFO_0 = 0 indicates that this is the first telegram. The CNT=2indicatesthatthemessage isdivided in2telegrams.TEACH_IN_INFO_1 IDXfield=1saysthatthistelegramisthesecondone.Seechapter4.1.2tolearnmoreabouttheTEACH-ININFObitfields.
It is specified, that there is no direct timeout between the chained telegrams of the teach-in-message.Eachnewerreceivedtelegramoverwritesolderreceivedtelegrams.Attheendofthelearnmode,allpartlyreceivedmessageswillbedeleted.
TEACH_IN_INFO_0
IDX = 0 TYPE INFO CNT = 2
IDX = 1
RESERVED
TEACH_IN_INFO_1
System Specification
SecurityofEnOceanNetworksv2.51
Page53/63
A.2 ERP2securetelegrams
ThefollowingfigureindicatestheconcretizationofthesecuremessageintoERP2protocol.
A.2.1 OperationmodewithEPR2
ThesecuremessageDATAfieldusedthroughoutthisdocumentationcontainstheinformationoftheconcatenatedERP2telegramDataandOptionalDatafields.IfthemessageDATAfieldisencryptedisalsoencryptedinthetelegram.TheRLCandCMACareplacedaftertheOptionalData.TheinformationoftheR-ORGSiscontainedwithintheHEADERfield.TheEXTENDEDHEADERdependsonthetelegram.SeeERP2Specification
A.2.2 Secureteach-inwithERP2
Figure28.ThemessagefieldsTEACH_IN_INFO,SLF,RLCandKEYareconcatenatedintheorderindicatedandplacedintheDATAfieldoftheERP2telegram.TheinformationofR-ORGTSiscontainedwithintheHEADER.TheEXTENDEDHEADERdependsonthetelegram.
A.2.2.1 Secureteach-inchainingwithERP2
Many EnOcean applications have a very limited amount of energy available. For this reason, ifneeded,ispossibletofragmenttheteach-inmessage(describedin4)inseveraltelegrams.
DATA RLC CMAC
Data RLC HEADER
CMAC
Secure message:
ERP2 telegram:
ORIG. ID
LENGTH
EXT. HEADER
DEST. ID
OPT. Data
R_S
System Specification
SecurityofEnOceanNetworksv2.51
Page54/63
Figure29.Thesecureteach-inmessageistransmittedherebytwoERP2telegrams.TheinformationwithinthefieldDATA,betweenthetelegram'sDestinationIDandOptionalData,isshown.SLF,RLCandthefirstpartoftheKEYaretransmittedinthefirsttelegram.ThesecondtelegramcontainsthesecondpartoftheKEY.TheTEACH_IN_INFO_XbytesareinterpretedlikeintheChapter4.
Itisspecified,thatthereisnodirecttimeoutbetweenthechainedtelegramsoftheteach-in-message.Eachnewerreceivedtelegramoverwritesolderreceivedtelegrams.Attheendofthelearnmode,allpartlyreceivedmessageswillbedeleted.
System Specification
SecurityofEnOceanNetworksv2.51
Page55/63
A.3 PSKCRC8checksumalgorithm
ThepolynomialisP(x)=x8+x2+x1+x0
codeuint8u8CRC8Table[256]={
0x00,0x07,0x0e,0x09,0x1c,0x1b,0x12,0x15,
0x38,0x3f,0x36,0x31,0x24,0x23,0x2a,0x2d,
0x70,0x77,0x7e,0x79,0x6c,0x6b,0x62,0x65,
0x48,0x4f,0x46,0x41,0x54,0x53,0x5a,0x5d,
0xe0,0xe7,0xee,0xe9,0xfc,0xfb,0xf2,0xf5,
0xd8,0xdf,0xd6,0xd1,0xc4,0xc3,0xca,0xcd,
0x90,0x97,0x9e,0x99,0x8c,0x8b,0x82,0x85,
0xa8,0xaf,0xa6,0xa1,0xb4,0xb3,0xba,0xbd,
0xc7,0xc0,0xc9,0xce,0xdb,0xdc,0xd5,0xd2,
0xff,0xf8,0xf1,0xf6,0xe3,0xe4,0xed,0xea,
0xb7,0xb0,0xb9,0xbe,0xab,0xac,0xa5,0xa2,
0x8f,0x88,0x81,0x86,0x93,0x94,0x9d,0x9a,
0x27,0x20,0x29,0x2e,0x3b,0x3c,0x35,0x32,
0x1f,0x18,0x11,0x16,0x03,0x04,0x0d,0x0a,
0x57,0x50,0x59,0x5e,0x4b,0x4c,0x45,0x42,
0x6f,0x68,0x61,0x66,0x73,0x74,0x7d,0x7a,
0x89,0x8e,0x87,0x80,0x95,0x92,0x9b,0x9c,
0xb1,0xb6,0xbf,0xb8,0xad,0xaa,0xa3,0xa4,
0xf9,0xfe,0xf7,0xf0,0xe5,0xe2,0xeb,0xec,
0xc1,0xc6,0xcf,0xc8,0xdd,0xda,0xd3,0xd4,
0x69,0x6e,0x67,0x60,0x75,0x72,0x7b,0x7c,
0x51,0x56,0x5f,0x58,0x4d,0x4a,0x43,0x44,
0x19,0x1e,0x17,0x10,0x05,0x02,0x0b,0x0c,
0x21,0x26,0x2f,0x28,0x3d,0x3a,0x33,0x34,
0x4e,0x49,0x40,0x47,0x52,0x55,0x5c,0x5b,
0x76,0x71,0x78,0x7f,0x6A,0x6d,0x64,0x63,
0x3e,0x39,0x30,0x37,0x22,0x25,0x2c,0x2b,
0x06,0x01,0x08,0x0f,0x1a,0x1d,0x14,0x13,
0xae,0xa9,0xa0,0xa7,0xb2,0xb5,0xbc,0xbb,
System Specification
SecurityofEnOceanNetworksv2.51
Page56/63
0x96,0x91,0x98,0x9f,0x8a,0x8D,0x84,0x83,
0xde,0xd9,0xd0,0xd7,0xc2,0xc5,0xcc,0xcb,
0xe6,0xe1,0xe8,0xef,0xfa,0xfd,0xf4,0xf3
crc=0;
for (i=0; i<sizeof(key); i++)
{
crc = u8CRC8Table[crc ^ key[i]];
}
Example
key=0x3410de8f1aba3eff9f5a117172eacabd
crc8=0x07
System Specification
SecurityofEnOceanNetworksv2.51
Page57/63
A.4 SecurityTestvectors
Thefollowingtestvectorsareusefultochecktheuserimplementationforsecureapplications.
A.4.1 SecureSTMwithID(019EB63B)
ThefirstexampleusesvariableAES128asencryptionalgorithm,4byteCMACand3byterollingcodeassecurityparameters.
• Teach-InMessages:Transmittedpacketsovertheair:1. 352093C0FFEE456E4F6365616E019EB63B002. 354020476D62482E313300019EB63B00
• Teach-Info:0x00• SecurityLayerformat:0x93• “SLF_DATA_ENC_VAES128|SLF_MAC_4BYTE|SLF_RLC_ALGO_24BIT”• SecurityKey:0x45,0x6E,0x4F,0x63,0x65,0x61,0x6E,0x20,0x47,0x6D,0x62,0x48,0x2E,
0x31,0x33,0x00
• Rollingcode:0xC0FFEE
UnsecureDatamessage:
• TransmittedPacketovertheAir:A50827FF80019EB63B00• RORG:0xA5• DATA:0x08,0x27,0xFF,0x80
SecureDataMessage:
Dataencryption:
VAES init vector 0x3410de8f1aba3eff9f5a117172eacabd
XOR
RLC padded 0xc0ffee00000000000000000000000000
---------------------------------------------------
Input 0xf4ef308f1aba3eff9f5a117172eacabd
AES
Key 0x456E4F6365616E20476D62482E313300
---------------------------------------------------
0x9be2e35d5fe7858645200587dd3b515c
XOR
Data padded 0xa50827ff800000000000000000000000
---------------------------------------------------
System Specification
SecurityofEnOceanNetworksv2.51
Page58/63
Data encrypted 0x3eeac4a2dfe7858645200587dd3b515c
SubkeygenerationforCMACcalculation
Key 0x456E4F6365616E20476D62482E313300
AES128
Input 0x00000000000000000000000000000000
------------------------------------------------
0xdd21aa892ddf3cb967c314369a272338
<<
------------------------------------------------
0xba4355125bbe7972cf86286d344e4670
XOR
0x00000000000000000000000000000087
------------------------------------------------
K1= 0xba4355125bbe7972cf86286d344e46f7
<<
------------------------------------------------
0x7486aa24b77cf2e59f0c50da689c8dee
XOR
0x00000000000000000000000000000087
------------------------------------------------
K2= 0x7486aa24b77cf2e59f0c50da689c8d69
Message padded 0x313eeac4a2dfc0ffee80000000000000
XOR
K2 0x7486aa24b77cf2e59f0c50da689c8d69
----------------------------------------------------
Input 0x45b840e015a3321a718c50da689c8d69
AES128
Key 0x456E4F6365616E20476D62482E313300
System Specification
SecurityofEnOceanNetworksv2.51
Page59/63
---------------------------------------------------
CMAC(128bits) 0xeaf20eed28679f641c15b10b9308d0d4
• TransmittedPacketovertheAir:313EEAC4A2DFEAF20EED019EB63B00
• RORG:0x31(secureROGwithencryptedoriginalROG)• DATA:0x3E,0xEA,0xC4,0xA2,0xDF
• CMAC:0xEA,0xF2,0x0E,0xED• RLC(nottransmitted):0xC0FFEE
The secondexampleuses variableAES128asencryptionalgorithm,3byteRolling codeandnoCMACassecurityparameters.
Teach-InMessage
• Transmittedpacketsovertheair
1. 352083C0FFEE456E4F6365616E019EB63B00
2. 354020476D62482E313300019EB63B00
• Teach-Info:0x00
• SecurityLayerformat:0x83
“SLF_DATA_ENC_VAES128|SLF_MAC_NO|SLF_RLC_ALGO_24BIT”
• SecurityKey:
o 0x45,0x6E,0x4F,0x63,0x65,0x61,0x6E,0x20,0x47,0x6D,0x62,0x48,o 0x2E,0x31,0x33,0x00
• Rollingcode:0xC0FFEE
UnsecureDataMessage:
• TransmittedPacketovertheAir:A50827FF80019EB63B00• RORG:0xA5• DATA:0x080x270xFF0x80
SecureDataMessage:
• Transmittedpacketovertheair:313EEAC4A2DF019EB63B00
System Specification
SecurityofEnOceanNetworksv2.51
Page60/63
• RORG:0x31• DATA:0x3E0xEA0xC40xA20xDFSamebytesequenceasinexample1..• RLC:0xC0FFEE
A.4.2 SecurePTM(withID0185E177)
ThisexampleusesvariableAES128encryptionalgorithm,3byteCMACand2byterollingcode.
Teach-InMessage:
• Transmittedpacketsovertheair:1. 35244B3E2D456E4F6365616E0185E177002. 354020476D62482E3133000185E17700
• Teach-Ininfo:0x04//TEACH_INFO_PTM|TEACH_INFO_PTM_ROCKERA• SecurityLayerformat=0x4B
SLF_DATA_ENC_VAES128|SLF_MAC_3BYTE|SLF_RLC_ALGO_16BIT• SecurityKey:
0x45,0x6E,0x4F,0x63,0x65,0x61,0x6E,0x20,0x47,0x6D,0x62,0x48,0x2E,0x31,0x33,0x00
• Rollingcode:0x3E2D
UnsecureDatamessage:
• TransmittedDataovertheair:D2090185E17700
• RORG:0xD2
• DATA:0x09
SecureDatamessage:
Dataencryption:
VAES init vector 0x3410de8f1aba3eff9f5a117172eacabd
XOR
RLC padded 0x3E2D0000000000000000000000000000
---------------------------------------------------
System Specification
SecurityofEnOceanNetworksv2.51
Page61/63
Input 0x0a3dde8f1aba3eff9f5a117172eacabd
AES
Key 0x456E4F6365616E20476D62482E313300
---------------------------------------------------
0xc77f3257ca9f626ad8f6ed44db04d26c
XOR
Data padded 0x09
---------------------------------------------------
0xce
AND
Mask(*) 0x0f
----------------------------------------------------
Data encrypted 0x0e
(*)ForPTMsecuretelegramsthesecureddatamostsignificantbyteischopped.
CMAC generation (like in example 1)
Key 0x456E4F6365616E20476D62482E313300
Subkey K2 0x7486aa24b77cf2e59f0c50da689c8d69
Message padded 0x300E3E2D800000000000000000000000
XOR
K2 0x7486aa24b77cf2e59f0c50da689c8d69
----------------------------------------------------
Input 0x44889409377cf2e59f0c50da689c8d69
AES128
Key 0x456E4F6365616E20476D62482E313300
---------------------------------------------------
CMAC(128bits) 0xebdcc47285ab750a21c06a4ed2627ad0
System Specification
SecurityofEnOceanNetworksv2.51
Page62/63
• TransmittedDataovertheair:300EEBDCC40185E17700
• RORG:0x30• DATA:0x0E• CMAC:0xEB,0xDC,0xC4
DecryptedDataMessagebythereceiver:
• TransmittedDataovertheair:
32090185E17700
• RORG:0x32• DATA:0x09
A.4.3 SecureChainedData
Expecteddecrypteddata:
RORG:0xD10x54 0x68 0x69 0x73 0x20 0x61 0x20 0x76 0x65 0x72 0x79 0x20 0x6C 0x6F 0x6E 0x67 0x20 0x73 0x74 0x72 0x69 0x6E 0x67 0x20 0x74 0x6F 0x20 0x67 0x65 0x6E 0x65 0x72 0x61 0x74 0x65 0x20 0x6E 0x6F 0x69 0x73 0x65 0x21 0x00
UsedencryptionKEY:0x45 0x4f 0x54 0x45 0x53 0x54 0x4b 0x45 0x59 0x59 0x45 0x41 0x48 0x21 0x5c 0x30
Used SLF:
SLF_RLC_TX_ON | SLF_RLC_32_BIT | SLF_MAC_3_AES128 | SLF_DATA_ENC_VAES128
RLC:
0x01 0x02 0x03 0x04
GeneratedEncryptedMessage:
RORG:0x31PayloadwithencryptedRORG+Payload+RLC+CMAC:
0x1D 0x70 0xD9 0x54 0x01 0x0F 0x84 0x78 0x2B 0x24 0xF6 0x32 0xE6 0x65 0xAD 0x7D 0x65 0x21 0xAE 0x4F 0x34 0x84 0xB6 0x39 0x08 0xF7 0x12 0xFC 0x0A 0xAC 0x56 0x76 0x49 0xC4 0xC9 0xF2 0xA8 0x29 0x7D 0xF3 0x61 0x99 0x51 0x0D 0x01 0x02 0x03 0x04 0x2F 0x71 0x9F TransmittedTelegramsoverair:
RORG SEQ IDX Datelength Payload
System Specification
SecurityofEnOceanNetworksv2.51
Page63/63
SEC_CDM 2bit 6bit 2byte 11byte
33 2 0 00 33 1D 70 D9 54 01 0F 84 78 2B 24 F6 TableChainedSecuretelegramIDX=0
RORG SEQ IDX PayloadSEC_CDM 2bit 6bit 12byte
33 2 1 32 E6 65 AD 7D 65 21 AE 4F 34 84 B6 39
TableChainedSecuretelegramIDX=1
RORG SEQ IDX Payload
SEC_CDM 2bit 6bit 12byte
33 2 2 08 F7 12 FC 0A AC 56 76 49 C4 C9 F2 A8
TableChainedSecuretelegramIDX=2
RORG SEQ IDX Payload
SEC_CDM 2bit 6bit 12byte
33 2 3 29 7D F3 61 99 51 0D 01 02 03 04 2F 71
TableChainedSecuretelegramIDX=3
RORG SEQ IDX Payload
SEC_CDM 2bit 6bit 1byte
33 3 4 9F
Table7ChainedSecuretelegramIDX=4