System Specification · 2020-04-30 · System Specification Security of EnOcean Networks v2.51 Page...

System Specification

SecurityofEnOceanNetworksv2.51

Page1/63

SecurityofEnOceanRadioNetworks

V2.51

SanRamon,CA,USA,2019

ExecutiveSummary

Ver. Editor Change Date

1.0 MF Creation 05.03.2012

1.1 MF InclusionofAESCBC.

Securetelegramswith/withoutnon-secureRORG.

03.07.2012

1.2 MF Pagenumbering 31.07.2012

1.3 AP RemovingARC4andeditorialchanges 31.10.2012

1.4 MH EditorialonCMACcomputing 22.11.2012

1.5 MH AddedPSKTeachInandVAESextensionsabove16bytes. 17.06.2013

1.6 MF Abstractionfromtelegramtomessage 03.07.2013

1.7 MF Teach-inunidirectional/bidirectionalproceduredescribed 10.07.2013

1.8 MF RLCsynchronization.Message-to-ERP1andERP2conversion 11.07.2013

1.9 MF PSKCRCexplained.Descriptionofteach-inprocedureimproved 26.07.2013

2.0 MH AddedHighSecuritydefinition

-renamedpublickeytoVAESINITVector

-CMACinteach-intelegrameliminated

11.08.2014

2.1 FG AddedTestvectors 09.11.2016

2.2 MF TestvectorsencryptionandCMACcalculationsdescribedindetail 12.07.2017

2.3 MH Bestpracticeexamples,Securechaining,32bitRLC.RemovedMutualauthenticationwithRLCasNONCEfromhighsecurity..ChangedRLCdescription.

09.05.2018

2.4 TM Addsecurechainingexample,updatedthesec_cdmmechanism 27.11.2018

2.5 TM&MH BasedonAllianceTTGFedback:RecommendationsChapterchangedtoimplementationaspects.Formatting,andwording.RemovedAESCBC.

15.01.2019

2.51 MH&FS Re-enablingtheSLFRLCoption0b011(3)16bitRLCexplicitwithwindowalgorithmandrollover-PRELIMINARY

17.04.2019

Copyright©EnOceanAllianceInc.2012-2019.AllrightsReserved.



Page2/63

DISCLAIMER

This information within this document is the property of the EnOcean Alliance and its use anddisclosure are restricted. Elements of the EnOcean Alliance specifications may also be subject tothirdparty intellectualpropertyrights, includingwithout limitation,patent,copyrightortrademarkrights (such a third party may or may not be a member of the EnOcean Alliance.) The EnOceanAllianceisnotresponsibleandshallnotbeheldresponsibleinanymannerforidentifyingorfailingtoidentifyanyorallsuchthirdpartyintellectualpropertyrights.Thisdocumentandtheinformationcontainedhereinareprovidedonan“asis”basisandtheEnOceanAlliancedisclaimsallwarrantiesexpress or implied, including but not limited to (1) anywarranty that the use of the informationhereinwillnotinfringeanyrightsofthirdparties(includinganyintellectualpropertyrights,patent,copyright or trademark rights, or (2) any implied warranties of merchantability, fitness for aparticularpurpose,titleornon-infringement.

InnoeventwilltheEnOceanAlliancebeliableforanylossofprofits,lossofbusiness,lossofuseofdata, interruption of business, or for any other direct, indirect, special or exemplary, incidental,punitive or consequential damages of any kind, in contract or in tort, in connection with thisdocument or the information contained herein, even if advised of the possibility of such loss ordamage.AllCompany,brandandproductnamesmaybetrademarks thatare thesolepropertyoftheirrespectiveowners.

Theabovenoticeandthisparagraphmustbeincludedonallcopiesofthisdocumentthataremade.

The EnOcean Alliance Security of EnOcean networks Specification is available free of charge tocompanies, individuals and institutions for all non-commercial purposes (including educationalresearch,technicalevaluationanddevelopmentofnon-commercialtoolsordocumentation.)

Thisspecificationincludesintellectualproperty(„IPR“)oftheEnOceanAllianceandjointintellectualproperties(„jointIPR“)withcontributingmembercompanies.Nopartofthisspecificationmaybeused in development of a product or service for sale without being a participant or promotermemberoftheEnOceanAllianceand/orjointowneroftheappropriatejointIPR.EnOceanAlliancegrantsnorightstoanythirdpartyIP,patentsortrademarks.

These errata may not have been subjected to an Intellectual Property review, and as such, maycontainundeclaredNecessaryClaims.

EnOceanAllianceInc.5000ExecutiveParkway,Suite302SanRamon,CA94583GrahamMartinChairman&CEOEnOceanAlliance



Page3/63

TABLEOFCONTENTS

1 Introduction.....................................................................................................................................61.1 Terms&Abbreviations..................................................................................................................61.2 Definitionofrequirementslevels...................................................................................................6

2 Scenarios.........................................................................................................................................82.1 Attackerscenarios.........................................................................................................................82.2 SystemArchitecture.....................................................................................................................11

3 Securityforoperationmode.............................................................................................................123.1 Messagestructure........................................................................................................................13

3.1.1 R-ORG.........................................................................................................................133.1.2 DATA..........................................................................................................................133.1.3 RLC(ROLLINGCODE)...................................................................................................14

3.1.3.1SynchronizingRLCwhensynchronizationwindowislost.......................................143.1.4 CMAC.........................................................................................................................14

3.2 Transformingsecureandunsecuremessages................................................................................143.2.1 TransforminganunsecuremessageintoasecuremessagewithR-ORG

encapsulation.............................................................................................................153.2.2 TransformingasecuremessagewithR-ORGencapsulationintoanon-secure

message......................................................................................................................153.2.3 TransforminganunsecuremessagewithoutR-ORGencapsulationintoasecure

message......................................................................................................................163.2.4 TransformingasecuremessagewithoutR-ORGencapsulation......................................16

4 Securityforteach-inmode...............................................................................................................174.1 Messagestructure........................................................................................................................18

4.1.1 R-ORGTS....................................................................................................................184.1.2 TEACH-ININFO............................................................................................................19

4.1.2.1FieldIDX..............................................................................................................194.1.2.2FieldCNT.............................................................................................................194.1.2.3FieldPSK..............................................................................................................194.1.2.4FieldTYPE............................................................................................................194.1.2.5FieldINFO............................................................................................................20

4.1.3 SLF(Securitylevelformat)...........................................................................................204.1.3.1FieldRLC_ALGO...................................................................................................214.1.3.2FieldMAC_ALGO..................................................................................................214.1.3.3FieldDATA_ENC...................................................................................................21

4.1.4 RLC214.1.5 KEY21

4.2 Teach-inwithpre-sharedkey........................................................................................................214.2.1 PSKchecksum.............................................................................................................22

5 Securityalgorithms..........................................................................................................................235.1 VAES(variableAES)encryption.....................................................................................................235.2 VAES(variableAES)decryption.....................................................................................................255.3 VAESINITVector..........................................................................................................................265.4 PrivateKey..................................................................................................................................26



Page4/63

5.5 RollingCode.................................................................................................................................265.6 CMACalgorithm...........................................................................................................................28

5.6.1 CMACcalculationforoperationmodetelegrams..........................................................285.6.2 Calculationofthesubkey(AES-CMAC,RFC4493)..........................................................30

6 EnOceanHighSecurity.....................................................................................................................326.1 UseCasedefinition......................................................................................................................326.2 ProtectionagainstRelayAttacks...................................................................................................32

6.2.1 AuthenticationbasedonCMAC...................................................................................336.2.2 Communicationscenarios............................................................................................33

6.2.2.1MutualauthenticationwithRNDasNONCE..........................................................346.2.2.2UnilateralauthenticationwithRNDasNONCE......................................................366.2.2.3Errorscenarios....................................................................................................38

6.3 HighSecurityinclusionintoexistingconcept.................................................................................396.3.1 SecurityLevelFormatextension..................................................................................396.3.2 MetaSecurityTelegram...............................................................................................396.3.3 Algorithmextension....................................................................................................40

6.3.3.1CMAC..................................................................................................................406.3.3.2VAES....................................................................................................................40

7 SEC_CDM–0x33chainedsecuremessages.........................................................................................428 ImplementationsAspects.................................................................................................................45

8.1 Rollingcode.................................................................................................................................458.2 Standardsecuritylevelformat......................................................................................................45

8.2.1 Forlinepowered,-anddeviceswithsufficientenergybudget.......................................458.2.2 ReducedSLF-exceptionsforenergylimitedapplications.............................................468.2.3 PushButtonTransmitterSLF-Exceptionsforkineticdeviceswithnoenergy

storage.......................................................................................................................468.3 SecureTeach-in...........................................................................................................................47

8.3.1 SecureTeach-inusingQRLabels(orNFC).....................................................................478.3.2 SecureTeach-inovertheAIRwithPSK.........................................................................47

8.4 AESKeySelectionandupdatemechanism.....................................................................................488.4.1 KeySelection..............................................................................................................48

8.5 Bidirectionalcommunication........................................................................................................489 Referenceddocuments.....................................................................................................................49AnnexAAppendix...................................................................................................................................50

A.1 ERP1securetelegrams.................................................................................................................51A.1.1 OperationmodewithEPR1..........................................................................................51A.1.2 Secureteach-inchainingwithERP1.............................................................................51

A.2 ERP2securetelegrams.................................................................................................................53A.2.1 OperationmodewithEPR2..........................................................................................53A.2.2 Secureteach-inwithERP2...........................................................................................53

A.2.2.1 Secureteach-inchainingwithERP2................................................................53A.3 PSKCRC8checksumalgorithm......................................................................................................55A.4 SecurityTestvectors....................................................................................................................57

A.4.1 SecureSTMwithID(019EB63B)................................................................................57



Page5/63

A.4.2 SecurePTM(withID0185E177)................................................................................60A.4.3 SecureChainedData...................................................................................................62



Page6/63

1 Introduction

ThisdocumentspecifiesthesecurityconceptforERP(1/2).ThisconceptwasspeciallydesignedfordevicespoweredbyenergyharvestersandisbasedontheERP.Theobjectiveofthedesignwastokeep the energy requirements andµC resources for the implementationof the security as lowaspossible.

Theimplementationaspects,whichdescribewhichsecurityshallbeused,arelistenedinthechapter8. Chapter 2 – 5 goes into technical details describing the scenario against which the EnOceansecurity protocol protects, technical background and possible security formats. Most of thepossibilities are not recommended and new design shall follow the SLF described in chapter 8.Chapter6describesEnOceanHighSecuritywhichuseschallengeandresponse.Chapter7explainstheusageofSecureChainedmessages,whichshallbeusedtosenddatalongerthanonetelegram.

1.1 Terms&Abbreviations

Term/Abbr. Description

µC Microcontroller(external)

API ApplicationProgrammingInterface

APP Application

Data PayloadofERPtelegram

EEP EnOceanEquipmentProfile

ERP1/2 EnOceanRadioProtocol1or2.Ifnonumberisused,theargumentisvalidforbothversions.

EO EnOcean

ESP3 EnOceanSerialProtocolV3

RLC RollingCode

CMAC CipherBasedMessageAuthenticationCode

Gateway ModulewithabidirectionalserialcommunicationconnectedtoaHOST

Device Customerend-devicewithanintegratedEnOceanradiomodule

Nonce Numberwhichisusedonce

SLF SecurityLevelFormat,describestheusedsecurityparameters

Table1.Abbreviationsusedinthisdocument.

1.2 Definitionofrequirementslevels

The usage of the keywords “must”,“shall”,”should” and so on follow the ones of the RFC2119.



Page7/63

1. MUSTThisword,ortheterms"REQUIRED"or"SHALL",meanthatthedefinitionisan

absoluterequirementofthespecification.

2. MUSTNOTThisphrase,orthephrase"SHALLNOT",meanthatthedefinitionisanabsoluteprohibitionofthespecification.

3. SHOULDThisword,ortheadjective"RECOMMENDED",meanthattheremayexistvalid

reasonsinparticularcircumstancestoignoreaparticularitem,butthefullimplicationsmustbeunderstoodandcarefullyweighedbeforechoosingadifferentcourse.

4. SHOULDNOTThisphrase,orthephrase"NOTRECOMMENDED"meanthattheremayexist

validreasonsinparticularcircumstanceswhentheparticularbehaviorisacceptableorevenuseful,butthefullimplicationsshouldbeunderstoodandthecasecarefullyweighedbeforeimplementinganybehaviordescribedwiththislabel.

5. MAYThisword,ortheadjective"OPTIONAL",meanthatanitemistrulyoptional.One

vendormaychoosetoincludetheitembecauseaparticularmarketplacerequiresitorbecausethevendorfeelsthatitenhancestheproductwhileanothervendormayomitthesameitem.AnimplementationwhichdoesnotincludeaparticularoptionMUSTbepreparedtointeroperatewithanotherimplementationwhichdoesincludetheoption,thoughperhapswithreducedfunctionality.InthesameveinanimplementationwhichdoesincludeaparticularoptionMUSTbepreparedtointeroperatewithanotherimplementationwhichdoesnotincludetheoption(except,ofcourse,forthefeaturetheoptionprovides.)



Page8/63

2 Scenarios

TheERPisusedinavarietyofapplications.However,themajorusageisinproductswithinbuildingautomation.Sometypicalsituationswhereasecureprotocolcanberequiredare:

n Thermostat vacation mode - A family leaves their home for several weeks. They set theirthermostat in vacationmode. Obscuring data from the thermostatwill prevent an intruder toknowtheoccupancystateofthehouse.

n Windowcontrol–AbuildinghasawindowinstalledwhoseopeningiscontrolledbytemperatureandCO2sensors.Applyingasecureradioprotocolthewindowreceivershouldignoremessagesthat have been already used. Thiswill prevent an intruder to gain unauthorized access to thebuildingbyrecordingpacketsandreplayingthem.

Automated meter reading – Polling a thermostat per radio enables the collection of meterinformationwithout the necessity of a person entering the house. By obscuring data from thethermostatitwillbepreventedthatanintruderobtainsprivateinformationfromthetransmitteddata. To prevent an intruder forging the heating consumption the system must resist reply-attacks.

2.1 AttackerscenariosInsuchfashionscouldbecompromisedthenormaloperationofanEOradiosystem:

Figure 1. The picture shows the possible interferences and attacks in the actual EO radiocommunication. Attacks other than the ones shown in this figure will not be considered in this



Page9/63

documentation and in the implementation of a secure radio protocol. Attacks not consideredinclude,for instance,thephysicalmanipulationofasenderorareceivermodule;continuouswavesending;power-supplysabotage.Fromthefourscenariosdepicted,thefirst(CollisionwiththesameIDbase) corresponds to anunintentional control of a receiver by another EOuser. The last threescenarios represent, however, an intentional attack. Unauthorized listening of information that isbeingtransmittediscalledeavesdropping.

Figure2.This scenario isnotaproperattack. It’s simplyan IDduplicationwithin the rangeof thebase ID (see what is EnOcean Base ID). The duplication happens because two different usersprogrammedtheirsendermoduleswithidenticalIDwithinthebaseIDrange.Whentheuserinroom1 sends a signal with Sender 1 he controls unluckily also Receiver 2, in room 2. A symmetricalsituationhappenswhentheSender2inroom2isoperated.



Page10/63

Figure3. InthisscenarioanattackerprogramstheIDbasetakingintentionalcontrolofthesystemreceiver.Todothis,theintrudersimplylistenstothesenderID.ItprogramsthenthissameBaseIDinhis sendermodule, and controls the system receiver.All this is possibleusing EO toolswithoutperformingreverseengineering.

Figure4.WiththeonlyhelpofanEOreceiveritispossibletohearthecommunicationbetweenanEOsenderandareceiver.Thisisundesirediftheinformationbeingtransmittedisprivate.Thisisthecaseofmeteringreadingsystems.



Page11/63

Figure5. Inamoresophisticatedattackversiontheattackerlistenstothetelegramsintheair.TheattackersendsatelegramwiththesamechipID(replay)astheoneinthesystemsender.

2.2 SystemArchitecture

AtypicalsystemarchitectureusingERPisshownonthefigurebelow:

Figure6ERPsystemarchitecture

In an ERP system most common communication pattern is unidirectional. However there areinstallationswherebi-directionalcommunicationisrequiredforinstancebetweentwoGateways,inSmartACKorinRemoteManagementconcept.ThusthesecurityconcepthastobedesignedinawaythatitcanbeappliedtoN:Mcommunicationpatterns.

Telegram

EnOceanRFmodule

Gateway

EnOceanRFmodule

Sensor

EnOceanRFmodule

Sensor

EnOceanRFmodule

Sensor

EnOceanRFmodule

Gateway



Page12/63

3 Securityforoperationmode

RORG Description

0x30SEC

Secure telegram. This message was not created from a non-secure counterpart. Amessage with this RORG was created by the secure application and the data mayinterpretedbyaTeach-In-Processoutsideofthisspecification(i.e.EEPorGP).

0x31SEC_ENCAPS

SecuremessagethattransporttheoriginalR-ORGnonsecurecode.

0x32SECD

Non-securemessagetypethatresultsfromthedecryptionofasecuremessagewithR-ORG0x30.

0x33

SEC_CDM

SecurechainedMessages

0x35SEC_TI

Secure Teach-In telegrams transmit private key and rolling to the communicationpartner

Table2.SecureRORGs

TheERPsecurityisimplementedontheOSIpresentationlayeroftheERPprotocolstack.

The security strategiesdiscussed in thenext chaptersareapplied tomessages.Messagesabstracttheconceptoftelegrams.Messagesdonotspecifyacertainbyteorder.TheyaretobeimaginedasCstructureswithallnecessarymemberstocontaintheinformationstoredinatelegram.Amessageisageneralisationofserialandradiotelegrams.

Amessage contains all fields that a telegrammayhave: theR-ORG,DATA, Sender ID, receiver ID,repeatercounteraswellasthesecurityspecificmemberslikeRLC,CMAC,SLFthatwillbeexplainedinthenextchapters.

EO secure messages follow a flexible schema made up of different freely combinable securitymechanisms.TheSecurity level formatsdescribed in chapter8 shouldbeused.Thedescriptionofothercombinationstillexistsforlegacyproductsandmaybestillused1.

The security mechanism may transform the DATA and R-ORG fields of the non-secure message.Other fields like themessage sender ID, receiver ID, repeater counter arenot affectedor altered.The RLC and CMAC should be added. Notmodified fields like sender ID, received ID or repeatercounterarenotdepictedthroughthechapterwhenamessageisrepresented.

The following figure depicts the relevant secure radiomessage structuremembers, togetherwithexamplesofapplicationscenarios,attacksthatcanbeblocked.

—————————

1 As the different SLF allow significant freedom, and not all combinations can be seen as optimal secure solutions, and

somesolutionscouldcausedifferentproblemstheSLFshouldbeselectedaccordinglytochapter8.



Page13/63

Table3.ThetableshowsthedifferentsecuremessagesstructuresfortypicalEnOceanapplications..A securemessage is identifiedby specificR-ORGcodes representedasR-ORGS.Obscuredwill beonly the DATA of the message and optionally the original R-ORG. Any combination of DATAencrypted/not encrypted, RLC present/not present, and CMAC present/not present is technicalpossible.Butonlytheonementionedinchapter8shouldbeused.

The structure of the secure telegram is negotiated between the devices within the teach-inprocedure.See4.

3.1 Messagestructure

Figure 7. Relevantmessagemembers In the following chapters,wheneverDATA iswritten, DATAincludesOPTIONALDATA.

3.1.1 R-ORG

ThemessageR-ORG identifies the typeofmessage that isbeing sentor received.ThemessageR-ORGis1-bytelong.Securemessagesareidentifiedbythecodes0x30,0x31,0x33or0x35,denotedgenerallyR-ORGSintheTable3.

Acodedifferentfromthoseidentifiesanon-securemessage.

3.1.2 DATA

UnderDATAwillalwaysbeunderstoodthetelegramDATAfieldandtheOPTIONALDATA,ifitexists.TheDATAisabyteconcatenationofbothDATA+OPTIONALDATA.

Thedataisencryptedusinganyoftheencryptionalgorithmsdescribedinsection5.

TheDATAencryptionalgorithmisindicatedtothereceiverduringtheteach-inprocedure.

ThelengthoftheDATAandtheinterpretationisdefinedbytheapplication.



Page14/63

3.1.3 RLC(ROLLINGCODE)

Thisfieldcontainsacodethatchangesaccordingtoapredefinedalgorithm(see5.5).IftheRLCisnottransmitted,senderandreceivermustkeepthiscodesynchronize.Thecodeincreaseseverytimeamessageissentbytheradiotransmitter.IfamessageRLCdoesnotcoincidewiththeexpectedRLCvaluethereceiverrejectsthemessage.

• IftheRLCistransmittedviaamessage,itmustbehigherthanthepreviousreceivedRLC.• IftheRLCisnottransmitted,theRLCshallbeinRLCwindowrange.

RLCisMSBfirst.

Theteach-inproceduremaysynchronizetheRLCinthereceiverwiththeoneinthereceiver.

TheRLCfieldshouldbetransmittedbutcanbeomitted.AlthoughtheRLCmaynotbesentbythetransmitteritisusedinternallyinthetransmitterandreceivermodulestoperformthecalculationoftheCMACcodeandDATAfieldencryption(see5.6).ByreceptionoftheCMACthereceiverindirectlytestthecorrectnessoftheRLC.

RLC field format: RLC byte length, RLC algorithm and RLC presence in the telegram- arecommunicatedtothereceiverduringtheteach-inprocedureusingtheSLF.

DetailsoftheRLCalgorithmareexplainedinsection5.5

3.1.3.1 SynchronizingRLCwhensynchronizationwindowislost

IfthereceivermissesmoremessagesthenthedefinedRLCwindow,noadditionalmessageswillbedecrypted by the receiver. In this case the receiver needs to resynchronize the RLC. Differentapproaches can be used for this, one is that the sender retransmits a Teach-IN telegrams whichincludesthecurrentRLC.ThereceiverwillresynchronizeitselfafterreceivingthisTeach-IN.Anotherpossibilityise.g.ifthereceiverisalinepowereddeviceanddidsufferapowerlosstoincreasetheRLC window to a very large number one time – for one incoming telegram. In this case it isrecommendedtoensurethatnotaduplicatedRLChasbeenreceived.

3.1.4 CMAC

TheCMAC is thecipher-basedmessageauthenticationcode field–withMSB first. Itsmission is toguaranteethatthemessagehasnotbeentamperedwith.Thisconfirmsthatthesenderisthestatedone.

TheCMACisdependentontheprivatekey(see4.1.5),apublicvector,themessagebytesand,if itexists,therollingcode(see3.1.3).

TheMACfieldcodechangesforeverysentmessage.TheCMACchangesunpredictable,unlessthekeyandtheRLCstateareknown.

ThealgorithmtocalculateCMACisexplainedinthechapter5.6

3.2 Transformingsecureandunsecuremessages

Thischapterexplainshowtocreatesecuremessagestakingasbasisanunsecuremessageandviceversa.



Page15/63

In the explanation message fields such as sender ID, receiver ID and other message fields, notmodifiedbythesecuritytransformations,willbenotindicated.Thereadermustsupposethatthesefieldsarepartofthemessage.

3.2.1 TransforminganunsecuremessageintoasecuremessagewithR-ORGencapsulation

Figure8.Anunsecuremessage is transformed intoa securemessage that includes theoriginalR-ORGby1-transformingthemessageR-ORGcodeto0x31.2-TheunsecureR-ORGfieldcodeandtheunsecureDATAfieldsareconcatenatedandthenencrypted.3-Theresultoftheencryptionisstoredin themost significant bytes of the securemessage DATA field. 4- A rolling code, RLC, might becalculated (section5.5).5-Finally, it ispossible toaddaCMACcode (chapter5.6).OthermessagefieldslikesenderID,receiverIDorrepeatercounterarenotmodified.

3.2.2 TransformingasecuremessagewithR-ORGencapsulationintoanon-securemessage

In this case, a secure message with R-ORG 0x31 is transformed into a non-secure message. ThetransformationimpliesdecryptingtheencryptedR-ORGandDatainformationwhichistobefoundconcatenatedintheDATAfieldofthemessage.

Figure9.AsecuremessagewithR-ORG0x31containstheunsecuredR-ORGencryptedintheDATAfield.TheDATAfieldofthemessagemustbedecrypted,maybewiththehelpoftheRLC.ThefirstdecryptedbyterepresentsthemessageR-ORGoftheunsecuremessage.TherestofthedecryptedDATA field bytes represent the unsecuremessage DATA bytes. CMAC does not play a role in thedecryption.Thisfieldwillbecheckedforauthenticationofthetelegram.



Page16/63

3.2.3 TransforminganunsecuremessagewithoutR-ORGencapsulationintoasecuremessage

Figure 10. An unsecuremessage is transformed into a securemessage that does not include theoriginal R-ORG by 1- rewriting the message R-ORG code to 0x30. 2- The unsecure DATA field isencrypted.3-The resultof theencryption is stored in the securemessageDATA field.4-A rollingcodemightbecalculated.5-Finally,itispossibletoaddaCMACcode.Thepurposeofnotincludingtheoriginalunsecuremessage in the securemessageDATA field is to saveenergyat transmissiontime.

3.2.4 TransformingasecuremessagewithoutR-ORGencapsulation

In this case, a secure message with R-ORG 0x30 is transformed into a non-secure message. ThetransformationimpliesdecryptingtheDATAfieldinformation.

Figure 11. The secure message with R-ORG 0x30 does not include the non-secure R-ORGinformation inanyform. Intheconversionfromsecuretonon-securemessagethe latterbecomestheR-ORG=0x32.TheDATAfieldisdecrypted,maybeusingtheRLCfield.TheCMACdoesnotplayaroleinthedecryption.Itisonlyusedforauthenticationpurposes.



Page17/63

4 Securityforteach-inmode

Thischapterexplainstheexchangeofthesecurityinformationviatheradiointerface,whichmaybeomitted.EspeciallysendingtheAES-KeyincleartextshouldbeomittedandatleastaPSKshouldbeused.Theexchangeofthesecurityinformationmaybedonebyusingotherinterfaces,andthenbeadded into the device. This is not explained in details here. (E.g. ReCom, Serial interface or IPGateway)

Toconfigurethedetailsofthesecurecommunicationinoperationmodeateach-inproceduremodemustbeexecuted.Withintheteach-inprocedurethepartsinvolvedinthecommunicationtransmittoeachothertheencryptionmethod,key,rollingcode,rollingcodesizeandCMACsizethatwillbeusedduringtheoperationmode.

The teach-in procedure can be set up to be a unidirectional or bidirectional process. See 4.1.2 tolearnhowtoconfigurethisoption.

Figure12.Schematicrepresentationofthemostgeneralbidirectionalteach-inprocedure.Inthecaseofunidirectionalsecurityteach-inDeviceBdoesnotsendateach-inmessage.

Firstly, theDeviceBmustbeset in learningmodetoaccepttheteach-inmessages fromDeviceA.TheDeviceAsendsthesecurityteach-inmessage(aredescribedinchapter4.1)wheneveritsspecifictrigger is activated. After reception of the teach-in message the Device B stores the securityparametersofDeviceA:theseparametersincludetheDevice'sAprivatekey,KEY,currentRLC,RLC,RLCsizeandCMACsizeandwayofencryptinginformation.TheKEYandRLCcanbesentencryptedbythesenderusingthesocalledpre-sharedkey,PSK.Moredetailsunderchapters4.1.2.3and4.2.

If the process is bidirectional theDevice B, a gateway, for instance, answers backwith a securityteach-inmessage.Thisteach-inmessagecontainsasreceiver-IDtheIDoftheDeviceA.IftheDeviceBencryptsitsteach-inmessageitwillmakeuseofthesamePSKkeyoftheDeviceA.Inthesecondsecurityteach-indepictedinthepicturetheDeviceB informstheDeviceAof itsownKEYandRLC

andCMAC.Theformatoftheteach-inmessagessentbyDeviceAandDeviceBarethesame.

Theteach-indeliveredbyDeviceBmustoccurinworstcase500msafterthereceptionoftheteach-insentbyDeviceA.TheDevice'sAtime-outforthereceptionofateach-inis750ms.

Device A e.g. Sensor

Teach-in

Device B e.g. Gateway

Teach-in

Learn mode ON

Learn mode OFF

Teach-in trigger



Page18/63

BeforeDeviceAsendsthesecurityteach-inmessage,thereceiverisputintoteach-inmode–activelistening for teach-inmessages. The teach-inmethod is limited typically to 30 seconds. After thistime-outthemoduleleavesitsteach-inmode,andreturnstypicallytoitsoperationmode.Teach-inmessagesarenotaccepteduntilthenextactivationoftheteach-inmode.

Thepossiblemethodsfortheteach-inexecutionare:

• Viawirelessfromthetransmittertothereceiver• Viaserialinterfacetothereceiverthroughathirdparty• ViaReCom• Others

Execution via serial interface or other methods are not part of this specification and are ratherapplication/usecasespecific.

Theexecutionoftheteach-inprocessviawirelessleadstotwopossibilities:

o Teach-inmessageissentinplaintext(noencryptionintheinformationisperformed)..Thisshould not be used, as a third party could sniff the key and listens to all latercommunication.

o Partsof the teach-inmessageareencrypted.For theencryptionapre-sharedkey isused.Encrypted are the RLC and KEY. Message structure is listed below. Details about thisexecutioncanbefoundinchapter4.2

4.1 Messagestructure

Theteach-inmessagehasthefollowingsecure-specificfields:

Figure13.Secureteach-inmessage.Teach-inInfofieldcontainsinformationrelativetotheteach-inmessageitself.TheSLFfieldindicatestheformatofthesecurityparametersinoperationmode.TheRLCisthecurrentRLCinthetransmitter.TheKEYcontainstheprivatekeyusedforencryptioninoperationmode.RLCandKEYmaybeencryptedwithapre-sharedkey

Thissecureteach-inmessageonlytransfersthesecurityspecificdata.Thismessagedoesnotcontainthe informationabouthowthedatahastobe interpreted(exceptforfieldtypePTM)inoperationmode.

Toenableprofile interpretationaprofile-teach-inmessage(EEPorGP)hastobetransmittedafterthe secure teach-in. This profile teach-in is conducted already secured (encrypted) using thedecryptedkeythatthesecureteach-intransmitted.

4.1.1 R-ORGTS

Theonebytesecureteach-inR-ORGis0x35.



Page19/63

4.1.2 TEACH-ININFO

7 6 5 4 3 2 1 0

IDX CNT PSK TYPE INFO

0-NoPSK

1–PSK

0–NoPTM

1–PTM

InterpretationdependsonType.

See4.1.2.5

Table4.Teach-ininfobytefields

4.1.2.1 FieldIDX

A tech-in message can be divided in several telegrams. This field indicates the order of thosetelegrams. The first telegram receives the IDX = 0. In the case that the teach-in message is notdividedtheIDXshallbesetto0andthismessageistheonlyone..ChainingisexplainedinchapterA.1.2

4.1.2.2 FieldCNT

IfIDX=0

CNTindicatesthenumberoftelegramsthatthemessageisdividedinto

IfIDXnot0

Thisfieldisreserved

4.1.2.3 FieldPSK

IfIDX=0

0 TheRLCandtheKEYarenotencrypted

1 TheRLCandtheKEYareencryptedwiththepre-sharedkey.See4.2

IfIDXnot0

Thisfieldisreserved

4.1.2.4 FieldTYPE

IfIDX=0

IndicatesiftheapplicationisaPTMornot

1) Non-specifictype

2) PTM

IfIDXnot0

Thisfieldisreserved



Page20/63

4.1.2.5 FieldINFO

TheinterpretationofthisfielddependsonthecodeinField(4.1.2.1)

IfIDX=0andTYPE=0

0 Unidirectionalsecurityteach-inprocedure

1 Bidirectionalteach-inprocedure

IfIDX=0andTYPE=1

0 ROCKERAnormalTeachIn

1 ROCKERBnormalTeachIn

Inothercasesthisfieldisreserved

4.1.3 SLF(Securitylevelformat)

Withtheinformationcontainedintheteach-inSLFbytethereceiverisinformedaboutthedetailsofthesecuremessages inoperationmode:what fields,how longtheyare,andwhataretheappliedsecurityalgorithms.2

7 6 5 4 3 2 1 0

RLC_ALGO3 MAC_ALGO DATA_ENC

0:NoRLC1:Reservedforfutureuse2:16BitimplicitRLCRollOver/WindowAlgorithm

3:16BitexplicitRLCRollOver/WindowAlgorithm

4:24BitimplicitRollOver/WindowAlgorithm

5:24BitexplicitRLC[24Bittransmitted]NoRollOver/NoWindowAlgorithm



0–NoMAC

1–AES1283byte

2–AES1284byte

3–N/A

0–Nodataencryption

1–Seechapter6

2–N/A

3–VAES–AES128

4–N/A

Table 5. Security Level Format fields and its interpretation.When RLC_ALGO is 1 or 2 the secure teach-inmessagecontainstherollingcodewhosesizecorrespondstotheonedescribedbythatbitfield.—————————

2Thecodes6&7shouldbeusedinnewdesigns.3 In older specification the RLC_ALGO field was split into RLC_ALGO + RLC_TX. The same functionality of the old

specificationisstillpossible,case0,2,3,4,5.Onlycase6,7areactuallynewanddefinedanewbehaviour



Page21/63

4.1.3.1 FieldRLC_ALGO

Defines the type of the rolling code algorithm used during secure communication. More detailsunderRollingCode.

0 NoRLC1 Reservedforfutureuse2 16BitimplicitRLCwhichallowsarolloverandusesawindowalgorithmatthereceiverside

toensurethatbothdevicesareinsync.3 16BitexplicitRLCwhichallowsarolloverandusesawindow.4 24BitimplicitRLCwhichallowsarolloverandusesawindowalgorithmatthereceiverside

toensurethatbothdevicesareinsync.SeeRollingCode.5 24bitexplicitRLC,theRLCwillbetransmitted.Rolloverisnotallowedandnowindow

algorithmisused6 32bitexplicitRLConly24bitofitwillbetransmitted.Rolloverisnotallowedandno

windowalgorithmisused7 32bitexplicitRLC,thefullRLCwillbetransmitted.Rolloverisnotallowedandnowindow

algorithmisused

4.1.3.2 FieldMAC_ALGO

DefinesthetypeofalgorithmfortheCMACcalculation

0 NoMACincludedinthesecuretelegram1 CMACisa3-byte-longcode.MACiscalculatedusingAES128asdescribedinthe5.6chapter2 MACisa4-byte-longcode.MACiscalculatedusingAES128asdescribedinthe5.6chapter3 N/A

4.1.3.3 FieldDATA_ENC

DefinesthetypeofalgorithmforDATAencryptionduringsecurecommunicationinoperationmode.

0 DATAnotencrypted1 Challenge-Response2 Reserved.Notdefined3 DATAwillbeencrypted/decryptedXORingwithastringobtainedfromanAES128.See5.14 Reserved.Notdefined

4.1.4 RLC

Contains the rolling code needed for the transmitter-receiver RLC synchronization.). See chapter4.1.3.

4.1.5 KEY

ContainstheprivatekeyusedfortheencryptionofDATAandCMACgenerationinoperationmode.

4.2 Teach-inwithpre-sharedkeyIncasea teach-in isexecutedwithapre-sharedkeythe fieldsRLCandKEYareencrypted.For themessagestructureofateach-inpleaserefertotheFigure13.



Page22/63

Thepre-sharedkeyofthesendermodulemusthavebeencommunicatedtothereceiver(agateway)via serial interface in advance. The pre-shared key is typically written on a sticker on the sendermodule.Thepre-sharedkeyisnottransmittedthroughtheEnOceanairinterface.

WhenTEACH_IN_INFO.PSK=1thefieldsRLCandKEYwillbeencryptedusingtheVAESencryption.Seechapter5.1fordetails.ThefollowingparametersareusedintheVAESalgorithm:

• VAESDATA = concatenationofRLC+KEYbytes• VAESRLC = 0x0000(Rollingcodeisnotexchangedatthismoment,

thereforeitmustbeinitializedtoadefaultvalue)• VAESPRIVATEKEY = PRE-SHAREDKEY

4.2.1 PSKchecksum

ThePSKcode(16bytes)comestogetherwithanextrabyte,CRCchecksum,whichisusedtoverifythatthe installer/userwritescorrectlythe16-bytePSKcode intotheDeviceB(seeFigure12).ThechecksumusesaCRC8algorithmthatisexplainedinchapterA.3.



Page23/63

5 Securityalgorithms

This section describes the security algorithms for the ERP that are used to secure the telegramcontent.

5.1 VAES(variableAES)encryptionAmore secureway to encrypt data is using the 128-bit AES algorithm(1) in combinationwith therolling code. Themechanismdescribed here allowsDATA lengths from1 toN,whereN does nothave to benecessarily amultiple of 16. Thanks to the rolling code the generated encrypted codevaries, although the DATA input is constant. This feature improves the obscurity of the originalinformationandavoidsreplayattacks.Encryptionisdonein16byteschunks,similartothepreviousalgorithm.But the lengthof the resultingcipher text is the sameas the lengthofplain text.AftertransmittingeachmessagetheRLCisincreased.

Figure14.EncryptionoftelegramDATAusingvariableXORAES128forDATAequalor lessthan16bytes.TheAES128 isusedtoperformapseudorandomgenerator.TheplussymbolwithinacirclerepresentsabitwiseXORoperation.OneDATAchunkcanhaveamaximumof16bytes.ThelengthofDATA_ENC is equal to the lengthofDATA.VAES INITVector is a constant16-bytehexadecimalstringarray.TheRLCisXORedwiththeVAESINITVectorbeforeenteringtheAES128algorithm.TheVAES INIT VECTOR byte array first element, VEAS_INIT_VECTOR [0], is XORed with the RLCmostsignificantbyte.VEAS_INIT_VECTOR[1]isXORedwiththeRLC2ndmostsignificantbyteandsoon.

VAES INIT Vector

++

RLC

AES128 ENC

ENC

DATA +

DATA_ENC

PRIVATE KEY



Page24/63

TheRLCispaddedwith0untilafull16byteblockisreached.InthesamewayDATAandENCarraysareXORedtoproducetheoutputcode.

Figure15.EncryptionoftelegramDATAusingvariableXORAES128forDATAlongerthan16bytes.EncryptionisrepeatedbutinallfollowingcyclestheENCfieldfrompreviouscycleisXORedwiththeencryption input for theactualcycle.TheRollingCode is thesameforall cycles.Byusing theENCfieldinallfollowingcyclestheencryptioninputwillchangeandsotheENCfieldforDATA.Otherwisesamerulesapplyasinencryptionwithlessthan16bytes.



Page25/63

5.2 VAES(variableAES)decryption

Figure 16. Decryption algorithm of the received telegram. DATA_ENC is the received encryptedDATA.DATAislessthan16bytes.Note:TheAESalgorithmrequiredisthesameasintheencryptionalgorithm.TheRLCvalueinthereceivermustbethesameasinthetransmittermodule.Otherwisethe decryptedDATAwill not correspond to theDATA in the transmitter. TheDATA has the samelengthastheDATA_ENC.TheXORbitalignmentfollowstheideasdescribedin

Figure14.

VAES INIT Vector

+ RLC

AES128 ENC

ENC

DATA_ENC +

DATA

PRIVATE KEY



Page26/63

Figure17.Decryptionalgorithmofthereceivedtelegram.DATA_ENCisthereceivedencryptedDATAfromthetransmitter.DATAismorethan16bytes.

ForthisalgorithmtoworkcorrectlythereceivermustcheckfirstthatitsinternalRLCiscorrect.Thiscanbedonebycomparing the internalRLCagainst the telegramRLCor, if there isnotransmittedRLC,bycomparingtheMAC(see5.6).

5.3 VAESINITVectorTheVAESINITVectorisaknownconstantvalueusedasinputtotheAESalgorithm.

Itsvalueisthehex3410de8f1aba3eff9f5a117172eacabd.

Seenasa16-bytearray,theVEAS_INIT_VECTORfirstelement,VEAS_INIT_VECTOR[0]=0x34.

ThearraylastelementisVEAS_INIT_VECTOR[15]=0xbd.

5.4 PrivateKeyTheprivatekeyisasecretconstantvalueusedasinputtotheAESalgorithm.Itslengthis128bits(16bytes).

5.5 RollingCodeThe rolling code is a value stored in the sender and transmittermodule independently. The codechanges for every sent/received telegramaccording to apredefinedalgorithm. The rolling code isusedas toobtaindifferentCMACcodes (5.6) andVAESencryption values (5.1) although telegramDATAremainsconstant.



Page27/63

ExplicitRLCstrategy-TheRLCshallbetransmittedaspartofthetelegraminformation.

ImplicitRLCstrategy-ItispossibleforthetransmittermodulenottosendRLCinthetelegram(See5.6)todecreasetheneededenergy.

IftheRLCistransmittedornotisindicatedbytheSLF(Securitylevelformat)

Therollingcodealgorithmisthesimplestpossible:itisacounterthatisincrementedby1whenthetransmitter/receiversends/receivesatelegram.ARLCvalueshallnotbeduplicated.Toensurethisthefollowingstrategiesshallbeused.

• If theRLC is send, rolloverof theRLC isnotallowedandwindowalgorithm isnotused.AreceivershallblockmessageswithalowerRLC.TheRLCshallonlyberesetwhenanewkeyisused.

• IftheRLCisnotsend,theRLCwindowshallbeused.AreceivermaystorethefirstreceivedRLCandinformtheuserifsamevaluesareusedagain.

IftheimplicitRLCstrategyisused,awindowisusedtoensuresynchronizationbetweenreceiverandtransmitter.

Figure 18. Rolling Window of Acceptance for Counter Values (AVR411: Secure Rolling CodeAlgorithm).

The RLCwindow is amechanism that ensures that even if the transmitter and receiver lost theirsynchronization(transmitterwasoperatedoutsidetherangeofthereceiverortelegramswerelost),telegramswillbestillaccepted.Thedifferencebetweentherollingcodecountersinthesenderandreceivermustnotbebiggerthantherollingcodewindowsize.WhenthereceivermodulereceivesawrongRLC it tests thenextrollingcode. If this test failsagain, it tests thenextrollingcode.Thesetestscontinueuntil theRLCmatch,oranumberofRLCwindowsize testswereperformed. In thislastcasethereceiverreturnstoitsoriginalRLCandrejectsthetelegram.

OncethereceivercannotmatchthetransmitterrollingcodeintherangeofthewindowsizeitmayblocktheTXIDofthetransmitter.

IfsenderandreceiverRLCweredesynchronizedwithaRLCdifferencebiggerthantheRLCwindowsize,theycanbesynchronizedagainbymeansoftheteach-inprocedure(section4)orwritingtheRLCdirectlyintothereceiver.



Page28/63

ThewindowsizeforincorrectRLCshouldbe128.Othervaluesmaybeused.

5.6 CMACalgorithm

Thegeneralalgorithm(see[3])tocalculatetheCMACofamessagetosendisthefollowing.

Ifmessagespayloadisalignedby16bytes,thecase(a) isused.SubkeyK1isusedinthiscase.See5.6.2 for details about the subkey generation. The case (b) applies for messages that are notmultipleof16bytes.SubkeyK2isusedthen.

M_iare16-bytelongarrayofthemessagebyteswhoseCMACistobecalculated.M_1..M_n-1are16-byte long arrays. In case of (b) the last byte of the message is concatenated with the bitsequence10…0,toobtaina16byte-longarray.

TheAES_Kusesasinputthe16-byteM_iarrayandtheKkey.

Thelast16-byteM_iarrayrequiresthesubkeyK1–case(a)-orthesubkeyK2-case(b).

Themessage is composedof theRORG-S field, theDATA fieldandoptionally theRLC (in case it isbeingusedexplicitlyinthetelegramorimplicitly).

5.6.1 CMACcalculationforoperationmodetelegrams

ToillustratetheCMACcalculationamessage<=16byteswillbeused:



Page29/63

Figure19.CMACgenerationalgorithmforamessage<=16bytes.TheR-ORG-S isthesecureradiomessageR-ORGcode.DATAisthesecuremessageDATAfield.WhenR-ORGS=0x31,DATAincludesthe encrypted non-secure R-ORG asmost significant byte.When R-ORG S= 0x30, DATA does notincludetheencryptednon-secureR-ORG.IfnoRLCisused(eitherinthemessageorinternally)thefield RLC is not included for the CMAC calculation. IMPORTANT: if the RLC is used but nottransmitted with the telegram then the RLC is included in the CMAC calculation. In this way theCMACchangesforeachtransmittedmessage.FromtheAES-generatedarraythebyteswithindex0,1,...,(CMAC_size-1)aretakenasCMAC.Thepaddingbytesareonlynecessaryforthecasethattheinputinformationis<16bytes.

Whenthemessagefields(R-ORGS,DATA-andoptionallyRLC-)doesnotadd16bytesforapplyingtheAES128algorithm,abitsequence100…0(paddingbits)isconcatenatedtoformatotalbitstringof16bytes.

TheR-ORGS,DATA–optionallyRLCandPADDINGBITS-areXORedwiththe16-byteSubkeyderivedfromtheprivatekey.R-ORGSXORsSubkey_Kn[0]andsoon.

IftheR-ORGS+DATA+RLCfieldsadd16bytesthenthesubkeyK1willbeused.

OtherwisethesubkeyK2isused.

WhenperformingAES,thebyteR-ORGScorrespondstothestringarraybytewithindex0.

A four byte CMAC corresponds to the string array bytes 0 (MSB), 1, 2, 3 (LSB) generated by theAES128 algorithm. A three byte CMAC corresponds to the string array bytes 0(MSB), 1, 2 (LSB)generatedbytheAES128algorithm.



Page30/63

Note:WhentheR-ORGS+DATA+RLC>16bytethemessagehastobespittedlikeindicatedin5.1.TheR-ORGwillonlybepresentasfirstbyteintheM_1whiletheRLCwillonlybepresentonlywithinM_n.

5.6.2 Calculationofthesubkey(AES-CMAC,RFC4493)

AlgorithmGenerate_Subkey

n Instep1,AES-128withkeyKisappliedtoanall-zeroinputblock

n Instep2,K1isderivedthroughthefollowingoperation:

o IfthemostsignificantbitofLisequalto0,K1istheleft-shiftofLby1bit

o Otherwise,K1istheexclusive-ORofconst_Rbandtheleft-shiftofLby1bit

n Instep3,K2isderivedthroughthefollowingoperation:

o IfthemostsignificantbitofK1isequalto0,K2istheleft-shiftofK1by1bit

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+ Algorithm Generate_Subkey +

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+ +

+ Input : K (128-bit key) +

+ Output : K1 (128-bit first subkey) +

+ K2 (128-bit second subkey) +

+-------------------------------------------------------------------+

+ +

+ Constants: const_Zero is 0x00000000000000000000000000000000 +

+ const_Rb is 0x00000000000000000000000000000087 +

+ Variables: L for output of AES-128 applied to 0^128 +

+ +

+ Step 1. L := AES-128(K, const_Zero); +

+ Step 2. if MSB(L) is equal to 0 +

+ then K1 := L << 1; +

+ else K1 := (L << 1) XOR const_Rb; +

+ Step 3. if MSB(K1) is equal to 0 +

+ then K2 := K1 << 1; +

+ else K2 := (K1 << 1) XOR const_Rb; +

+ Step 4. return K2; +

+ +

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Page31/63

o Otherwise,K2istheexclusive-ORofconst_Rbandtheleft-shiftofK1by1bit.

n InthecasethatpaddingbitswherenecessaryusetheK2assubkey.OtherwiseK1



Page32/63

6 EnOceanHighSecurity

EnOceanHighsecurityisanextensionoftheexistingsecurityconcept.Itsmainaimisto:

n Enableprotectionagainstspecialman-in-middleattack(relayattack)

n Enablemoreflexiblehandlingfordevicescommunicatingbidirectionalwithencryption

Tohandlefirstrequirementisitsuitabletoapplythechallenge&responseprocesswithtimelimitedauthentication. This implies that both communication devices are bidirectional. All the followingdefinitionsarebasedonthatconstrain.

6.1 UseCasedefinitionHighsecurityspecificationisdevelopedforspecificdesignedapplicationswherethiskindofsecurityis required (e.g. doorlock, access control, safety applications). It is not the baseline for securityapplicationbutthehighestgradeandshouldbeappliedonly inapplicationswhere it isavalidusecase.

ForhighSecuritytheseusecasesaredefined:

1. Bidirectionaldataflow–bothdevicesareline-powered

Bothdeviceshaveenoughcomputingcapabilitiesandenergytoperformsecurityrelevanttasks.Data telegrams are exchanged in both ways e.g. communication between smart plug andgateway.

2. Bidirectionaldataflow–onedeviceisenergyautarkicandoneisline-powered

Onedevice isdoingenergyharvestingandthesecond is line-powered.Dataflowisexecuted inbothdirections.Theautarkicdevice initializes the communicationand thenexpectsa responsefromtheline-powereddevicei.e.SmartAcknowledgeprocess.

3. Unidirectionaldataflow(bothdeviceshavebidirectionalcapabilities)–onedeviceisenergyautarkicandoneisline-powered

One device is energy harvesting and the second is line-powered. Data flow is executed in onedirection – from the autarkic device to the line-powered. Bidirectionality is only required toexecutehighsecurityfeaturesnotforactualapplicationusecase.InthiscaseSmartAcknowledgewillbeusedtoo.

6.2 ProtectionagainstRelayAttacksRelay attacks are special man-in-the-middle attack scenarios. The intruder intercepts thecommunicationandblocksthetargetedreceiver.Thenhecanreplaythecommunicationtoa latermoment.WiththisscenariohewillevenbypasstheRLCCounterchecking,becausethereceiverhasnotupdatedhiscounterandsoacceptsthereplayedmessage.

Topreventthisattackscenariothemessagevaliditymustbetimelimitedand/orthereceivermustbe aware of transmission process ongoing. Time limitations are ensured by performing anauthenticationbychallengeandresponsewhichvalidonly limitedtime(500ms).DuringchallengeandresponseaNonceisusedaschallenge.



Page33/63

6.2.1 AuthenticationbasedonCMAC

Authenticationcanbe:

n Unilateral – only one of the communication partners is authenticated and his outgoingcommunicationisprotectedagainstreplayattacks–oneNonceisexchanged

n Mutual – both communication partners are authenticated and both communication ways areprotectedagainstreplayattacks–twoNonceareexchanged

For CMAC computing the EnOcean security concept uses the Payload of telegrams. The Nonce isusedduringCMACcomputingtooandsoensuresthattheNonceisconnectedwiththeexchangedmessageanditsdatacontent.Sobecomesthedatacontentalsovalidforlimitedtime.

EnOceanSecurity conceptuses theVAES fordataencryption.TheNoncecanbealsoused for theinitializationvectorfortheVAESprocess.ThiswayarandomelementisaddedtotheVAESprocess.ThisisrequiredifNonceisarandomnumberandnoRLCisused.

TheNoncecanbe:

n UsedduringCMACcounting

n UsedasinitializationvectorforVAEScounting

Nonce represents the challenge and has to be therefore exchanged between the communicationpartners via air interface. The Challenge and Response does not have to encrypt and can betransferredplaintext.TheCMACalgorithmrepresentsthesecuringelement.

Duringdatacommunicationfollowingconstrainsareapplied:

n Bidirectionalcommunicationcanbeonlyexecutedaftermutualauthentication.Bothpartiescantriggertheauthentication

n Unidirectional communication is unilateral authenticated. The emitter of the data flow isauthenticatedandonlytheemittercantriggerthecommunication.Thechallengeisprovidedbytheconsumerofthedata

ForNoncewecanuse:

n Randomnumber32bit–here iscritical thatthegeneratorprocess isnotpredictable,doesnotrepeatsamesequencesandisequallyspreadonthedefinedrange

n Simpleincrementing,non-repeatingsequence32-bitnumber

6.2.2 Communicationscenarios

To protect against relay attacks we define three new security communication approaches. TheydifferinaspectoftheUseCasedefinitionmadeinchapter6.1:

1. MutualauthenticationwithRNDasNONCE2. UnilateralauthenticationwithRNDasNONCE

In following definitions the DEVICE A is the sensor / autarkic device which initialize thecommunication. DEVICE B is the line-powered device which is receiving the communication. ThedefinitionsalsoapplyforUseCase1,thenDEVICEAisalsoanlinepowereddevice.



Page34/63

ThelinkbetweenAtoBisunique,becauseofusedkeys.Nootherdevicecanlistenanddecryptthecommunication.Thecommunicationisunicast–andhastobeeventuallyaddressedinoneorbothdirections,dependingifdeviceAordeviceBhasothercommunicationpartners.

DeviceA

KEYA–keyusedbydeviceAtoencryptcommunication,usedforcommunicationfromAtoB

RNDA–randomnumbergeneratedbydeviceA-32bits

TIMEOUTA–timeoutondeviceAtillnextmessagefromdeviceBshouldbereceived

DeviceB

KEYB–keyusedbydeviceBtoencryptcommunication,usedinforcommunicationfromBtoA

RNDB–randomnumbergeneratedbydeviceB-32bits

TIMEOUTB–timeoutondeviceBtillnextmessagefromdeviceAshouldbereceived

Fields

Inthefollowingdescriptionweusethesefields:

ENC: Encryptionmethod-NA/VAES

VAESIntV: ContentoftheInitializationVectorofVAES,forDetailssee5.1.

PAYLOAD: Contentofthedatafieldusedinthetelegram

CMAC: ContentwhichistheCMACcalculatedon–completeexpiationsee6.3.3.1

RORG-MSTelegrampayloadlength–incaseofMSTelegramisused,wespecifythelength.

6.2.2.1 MutualauthenticationwithRNDasNONCE

InthisscenariotheNONCEisrepresentedbyrandomsequences.NoRLCisused.Thissolutionmightbeuseableforautarkicdevices.

Failuresliketimeoutsarenotconsidered.Onlytheidealcaseisdescribed.Onanyfailuree.g.CMACnotvalidatedortimeoutsthewholeprocessisdiscardedandneedstostartfrombeginningorothermeasurese.g.resynchronizemustbetaken.Thecommunicationwillbeexecutedinthesesteps.

1. AsendsChallengetoB.andstartstimeoutA.

Messageparameters:

o ENC: NAo RORG: RORG-MSo DATA: RORG-MSHeader(RND),RNDAo RORG-MStelegrampayloadlength=5bytes



Page35/63

2. B receives Challenge. Sends Response with next Challenge to A. B starts communicationtimeoutB.

Messageparameters:

o ENC: NAo RORG: RORG-MSo DATA: RORG-MSHeader(DATA/RND/CMAC),RNDBo CMAC: DATA,RNDAo RORG-MStelegrampayloadlength=9bytes

3. A receives Challenge and successfully authenticates it with help of both RNDs. A sendsResponsewithpayloaddatatoB.Optionally-StartstimeoutA.

Messageparameters:

o ENC: VAESo VAESINT: VAESINITVector+RNDBo RORG: RORG-SECo DATA: applicationpayloado CMAC: DATA,RNDB,RNDA

4. B receives Response with payload within timeout B. Validates it with help of both RNDs.Optionally–continueswithcommunicationandsendanotherpayloadmessage.

Messageparameters:

o ENC: VAESo VAESINT: VAESINITVector+RNDAo RORG: RORG-SECo DATA: applicationpayloado CMAC: DATA,RNDA,RNDB

5. OptionallyAreceivesmessagefromBwithintimeoutA.

No further communicationwith same RND A and RND B can be executed, because no Sequencenumberispresentandreplayattackscouldbeexecuted.Totransmitbiggerdataquantitiesatonceusemessagechaining.

Pleaseseetheprocessdescriptioninthesequencediagrambelow.



Page36/63

Figure20MutualauthenticationwithRNDasNONCE.

SLF:

DATAENC–VAES+RND

6.2.2.2 UnilateralauthenticationwithRNDasNONCE

In this scenario the HASH is represented by one random sequence. No RLC is used. This is thesolutionwhichrequirestheleastamountofresourcesandensuresrelayattackprotection.

Failuresliketimeoutsarenotconsidered.Onlytheidealcaseisdescribed.OnanyfailureCMACnotvalidated or timeouts thewhole process is discarded and needs to start from beginning or othermeasurese.g.resynchronizemustbetaken.Thecommunicationwillbeexecutedinthesesteps.

1. AsendsRequestforCommunicationMessagetoBandstarttimeoutA.



Page37/63

Messageparameters:

o ENC: NAo RORG: RORG-MSo DATA: RORG-MSHeader0x00o Payloadlength=1byte

2. B receives Request for Communication. Sends Challenge to A. B starts communicationtimeoutB.

Messageparameters:

o ENC: NONEo RORG: RORG-MSo DATA: RORG-MSHeader(RND)+RNDBo Payloadlength=5bytes

3. AreceivesChallengeandsuccessfullydecodesit.AsendsresponsewithpayloaddatatoB.StartstimeoutA.

Messageparameters:

o ENC: VAESo VAESINT: VAESINITVector+RNDBo RORG: RORG-SECo DATA: applicationpayloado CMAC: DATA+RNDB

4. BreceivesmessagewithintimeoutB.DecodesthemessageandauthenticateswithhelpofRNDB.

NofurthercommunicationwithsameRNDBcanbeexecuted,becauseRLCisnotpresentandreplayattackscouldbeexecuted.Totransmitbiggerdataquantitiesatonceusemessagechaining.

Pleaseseeprocessdescriptioninthesequencediagrambelow.



Page38/63

FigureUnilateralauthenticationwithRNDasNONCE.

6.2.2.3 Errorscenarios

Ifthemessagegetslosttheprocessisconsideredasfailed.

Repeated transmissions of request for challenge or challenge messages between identicalcommunication partners shall restart the authentication process and cancel any previous ongoingvalidation.

sd Unilateral authentication with RND as NONCE

Device A Device B

{A is authenticated}

{max 500 ms}

Send Request for ChallangeRORG-MS DATA()

Generate RND B()

{max 500 ms}

Send Challange to ARORG-MS DATA(RND)

Calculate Response CMAC(PAYLOAD, RND B)

Send Response to Bwith Payload

RORG-SEC(PAYLOAD, CMAC)

Authenticate CMAC(PAYLOAD, RND B)

Process Payload from A()



Page39/63

6.3 HighSecurityinclusionintoexistingconcept

6.3.1 SecurityLevelFormatextension

Which High Security communication concept is used during data communications needs to becommunicatedat teach in time.For thispurposethedefinedSLF isextended.Followingextensionhasbeenmade:

7 6 5 4 3 2 1 0

RLC_ALGO RLC_TX MAC_ALGO DATA_ENC

1–VEAS–AES128-RND

Table6.SecurityLevelFormatextensionfieldsanditsinterpretation.

DATA_ENC–Value: 0x1

VAES–AES128–RNDisusedas initializationvector insteadofRLCi.e.MutualauthenticationwithRNDasNONCE,UnilateralauthenticationwithRNDasNONCE.

IfsecureteachinisbidirectionalornotisalreadydefinedinINFOfield–seechapter4.1.2.

6.3.2 MetaSecurityTelegram

The Meta Security Telegram is required to support additional task required in high security.Followingmessagestructureisdefined.

Figure21MetasecurityTelegramstructure

RORG-MS

MetaSecuritytelegramsareidentifiedbythecode0x36.

Header

The RORG-MS telegram has a header which expresses what content of the meta-securityinformationiscarried.Thisheaderisalwayspresentatthefirstplace.

7 6 5 4 3 2 1 0

NA NA NA NA NA NA RNDIncluded CMACIncluded

0:RNDnotincluded

1:RNDisincluded

0:CMACnotincluded

1:CMACisincluded

Table6MetaSecurityTelegramheaderfieldsanditsinterpretation.

RND- Randomnumberusedaschallenge–ifincluded.

CMAC- CMACisincluded,usedasresponseforauthentication–ifincluded.



Page40/63

6.3.3 Algorithmextension

6.3.3.1 CMAC

TheCMACisalteredfordatacommunicationandformetasecuritytelegram.

Followingfieldsareadded:

n SOURCEID-AlsotheLSB32-bitofthecommunicationIDoftheoriginatingdevice

n RND1–32bit,firstincludedrandomnumber

n RND2–32bit,secondincludedrandomnumber(optional,dependingonscenarioi.e.Mutualorunilateral)

RND1,RND2–canberepresentedbyRNDA,orRNDB.Theorderisspecifiedandisimportanttoconsider.Pleaseseecommunicationscenarioschapter6.2.2fordetailsonorderandcontent.

Allfieldsareincludedonlyifrequired.Pleasefindmetasecurityheaderdefinitionchapter6.3.2andcommunicationscenarioschapter6.2.2fordetailsandcontendofthetelegrams.

Figure22GraphicalrepresentationofalteredCMACforMetaSecurityTelegram

6.3.3.2 VAES

The VAES process has to be extended to use RND during processing of VEAS INIT Vector. Thecommunicationscenariosinchapter6.2.2aredefinedtoRNDasinitialisationvector.

TheRNDis32bitlongsotheXORoperationneedstobeextendedtousesall32bits.

TheVAESINITVECTORbytearrayfirstelement,VEAS_INIT_VECTOR[0],isXORedwiththeRNDmostsignificantbyte.VEAS_INIT_VECTOR[1]isXORedwiththeRND2ndmostsignificantbyteandsoon.



Page41/63

Pleaseseegraphicalrepresentationbellow.

Figure23GraphicalrepresentationofVAESextendedprocess.



Page42/63

7 SEC_CDM–0x33chainedsecuremessages

Securechainingisanadd-onfortheERPchainingmechanism.ThecorefunctionalityisthesameasforChainedmessagesandtheoperationkeyandSLFwillbeusedfortransmittingsecurechainedmessages.ThemessagewillbefirstencryptedlikeanormaltelegramwithencapsulatedR-ORGandtheSLFofthedevice.Theencryptionfunctionusesthe0x31R-ORGinternallyfortheCMACcalculation.Aftertheencryptionusingthe0x31R-RORGwassuccessfulandthedatalengthislongerthanthemaximumtransmittablelength.ThemessagewillbechainedusingtheSEC_CDM.ThishastheadvancedthatonlyoncetheoverheadoftransmittingtheCMACandRLCisaddedtothetransmissionofthesplittelegramsandonlyoneRORGencapsulationishappening.

Asmostdevicesareembeddeddeviceswithlimitedmemorycapacity,itishighlyrecommendedthatonlyonechainedmessageissendatatime.(Toorfromadevice).

SEC_CDM

SEQ IDX datafield EURID status checksum

1byte2bit 6bit Nbytes.Dependifaddressedornot

Andprotocol 4bytes 1byte 1byte1byte

Table8:RadiotelegramstructureofSECUREchainedtelegram–NOTADDRESSED.

ReminderfromCDM:

Amessage consists of a number of chained telegrams. Each telegram in a chain has a sequencenumberandan index.Thesequencenumber is thesameforeachmessage in thesamechainandindicates that the messages belong to the same chain. It is increased with every new CDM andcannotbeequalto0.

Theindexstartsfrom0andisincrementedwitheachmessageinachain.Thepurposeoftheindexistoindicatethecorrectorderofthemessages.Thefirstmessageofachaincontainsthetotallengthofthepayloadofthemessage.



Page43/63

AfullworkingexamplecanbefoundintheappendixAnnexA.

Example for the IDX 0 and ERP1: the following data is in the data field:

SEC_CDM

SEQ IDX datalength RORG_EN Payload EURID status checksum

1byte2bit 6bit

2Bytes1byte 10bytes

4bytes 1byte 1byte1byte

0x33 IDX=0

Unencrypted,cleartext.

Datalength=RORG+Payload+RLC+CMAC

length

Encapsulated RORG

Payload

Forthefollowingindexwhicharenotthelasttelegram

SEC_CDM

SEQ IDX Payload EURID status checksum

1byte2bit 6bit

<=13bytes4bytes 1byte 1byte

1byte

0x33 IDX=x

For the last telegram:

SEC_CDM

SEQ IDX datafield RLC CMAC EURID status checksum

1byte

2bit 6bit Last part of thepayloaddata

0,2or3bytes

0,3,4bytes4bytes 1byte 1byte

1byte

0x33 IDX=last Depend on SLF

Depend on SLF

Figure24Remindingof“TransforminganunsecuremessageintoasecuremessagewithR-ORGencapsulation”Section3.2.1.Thesecuredmessage“0x31”isthantransformedwhilesendingintothe0x33message



Page44/63



Page45/63

8 ImplementationsAspects

This chapter explainswhich device should usewhich sort of SLF explained 4.1.3. All these pointsshould be used when starting new devices. Only devices using these SLF shall get a “securedcertification” 01.03.2020. These devices can still be certified using lower levels, but a secureinteroperable communication cannot be guaranteed. Other possible combinations of the SLF aredeprecatedandshouldnolongerbeused,exceptthechallengeresponse(Highsecurity).

8.1 RollingcodeRollingcodeisthekeyelementindataprotectionandvalidation.Thefollowingdefinitionsshallbeadopted:

The RLC as plain information (not encrypted) should be transmitted explicitly inside the telegramwithoutcorruptingthedataencryption/authenticationor increasingtheriskofpotential intruderattacks.Ifthedevicedoesnothaveanyenergystorageandisextremelylimited(See8.2.3)thismaybeomitted.

TheRLCshallbea32-bitsequencenumberwherepossible.The24-bitlengthshouldbeusedonlyinapplicationswithlimitedenergy.(See8.2.2andbelow)

TheinitialvalueoftheRLCineveryproduceddeviceshouldbe0.

Whentherollingcodeisexplicitlyincludedinsidethetelegram,theRLCwindowlimitconceptshallnotbeapplied.ThisresultsintheacceptanceofanyincomingRLCfromthecommunicationpartner,as longas ithasahighervalueas thepreviously storedRLC.Rollover shallnotbeallowed in thiscase.

TheRLCshallonlybeincreased.AnexceptiontothisiswhenanewAESKEYisused;theRLCcountershallbesetto0again.

This removes the need of RLC resynchronization, and simplifies the use case scenario by notcompromisinganysecurityprotection.

Fordevicesusing8.2.3itcouldbethatRLCsynchronizationisneededaftere.g.apowerdownreset.TherecommendationforthisistoonetimeincreasetheRLCwindowafterapowerdown,toallowaguaranteedresync.AlternativelytheRLCcouldbesetdirectlyinthereceiverafterreadingitout.

8.2 Standardsecuritylevelformat

8.2.1 Forlinepowered,-anddeviceswithsufficientenergybudget

Thestandardsecuritylevelformatshallbeusedforall

- LinepoweredDevices.

Itshouldbeusedfor

- Batterypowered- EnergyHarvestingdevices



Page46/63

7 6 5 4 3 2 1 0

RLC_ALGO MAC_ALGO DATA_ENC

7–32bitRLC/32bittransmitted

2–AES1284byte

3–VAES–AES128-RLC

8.2.2 ReducedSLF-exceptionsforenergylimitedapplications

Ifadevicedoesnothaveenoughenergytotransmittheadditional2bytesitcanusethe“ReducedSLF”

ThisreducedSLFcanonlybeusedwith

- Batterypowered- EnergyHarvesting

Andshouldonlybeusedif8.2.1StandardSLFusestoomuchenergy.

7 6 5 4 3 2 1 0


5-24bitRLC–24bitTransmitted

6–32bitRLC/24bittransmitted

1-AES1283byte


8.2.3 PushButtonTransmitterSLF-Exceptionsforkineticdeviceswithnoenergystorage

This SLF shall only be used if a device does not contain any sort of energy storage and has anextremely tight energy budget. Therefore, it has to use the generated energy directly afterharvesting it. For example, a kinetic transmitter which immediately sends after activation securedata(Pushbuttontransmitter)

7 6 5 4 3 2 1 0


4–24bitRLC–nottransmitted

5-24bitRLC–24bitTransmitted

1-AES1283byte




Page47/63

8.3 SecureTeach-inPlain text AES transmission over the AIR is deprecated and shall not be used for newimplementations. The security teach-in shallbehandledby,entering the security container(SLF + Key (+optional RLC)) using a second pathway (e.g. Security Link tables with SecureReMan,SerialCommunicationorviaIPbackbone).

Alternatively,theSecuritycontainercanbetransmittedusingaPSK.

8.3.1 SecureTeach-inusingQRLabels(orNFC)

The security container (SLF+key)ofadevicecanbeentered intoanotherdeviceusinga “scan&copy”method.

1. Scanthe128bitAESkey+SLFfrom

a. Thelabelofthecommunicatingdevice.

b. OrusinganNFCtag

2. Enterthe128bitAEScodeintothereceivingdevice.

a. ViaReCom

b. UserInputmethod

c. IPBackbone

d. SerialCommunication

3. ThereceivingdevicewillusetheRLCfromthefirstdatatelegramforinitialization.

NOTE: Since the RLC is part of the CMAC computing, the RLC in every data telegram is signed.Therefore there is no additional risk in taking the RLC from the first radio telegram. It isrecommended that the first data telegrammust be triggered by the user at a defined moment,similartoteach-intelegrams.

8.3.2 SecureTeach-inovertheAIRwithPSK

ThePSKscenarioincludesscanningthedevicePSKandenteringitintothereceiver.Bykeepingthesesteps,thefollowingscenarioispossible:

1. Scanthe128bitAESPSKcodefromthelabelofthecommunicatingdevice.

2. Enterthe128bitAEScodeintothereceivingdevice.

3. Afterwards,thereceiverwillusethePSKtodecryptincomingteachintelegrams.



Page48/63

8.4 AESKeySelectionandupdatemechanism

8.4.1 KeySelection

FortheAESkey,thefollowingimplementationaspectsshallbeused:

1. Eachdeviceshallhaveaunique,randomlygeneratedAESkeywhenit’sdelivered2. ThiskeyshallbetheoneprintedontheQR–Label3. EachdeviceshallhaveapossibilitytochangetheAESkey:

a. Viaexternalinterfacetoacertainvalueb. Randomlyviauserinteraction

AfterchangingtheAESkey,theRLCcodeshallbesetto0.

Ifkeyscanbechanged,eachkeyshallbeselecteduniquelyandnotduplicated.

8.5 Bidirectionalcommunication

Forbidirectionalcommunicationandchangeablekeysthefollowingrulesapply.

1. EachdirectionshalluseauniquekeywithitsownRLC.

2. Foreachcommunicationpartner,anotheruniquekeyshallbeused.

a. Broadcastshallbeseenforthisusecaseas“onecommunication”partner

Figure25Exampleformultipledevicesandusedkeys



Page49/63

9 Referenceddocuments

(1)NIST,FIPS197,Advancedencryptionstandard(AES),2001

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

(2)-Zabala,RijndaelCipher,128-bitversion(datablockandkey)

http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf

(3)-JH.Song,R.Poovendran,J.Lee,T.Iwata,2006,TheAES-CMACAlgorithm

http://www.rfc-editor.org/rfc/rfc4493.txt

(4)-AVR411:SecureRollingCodeAlgorithm.

http://www.atmel.com/Images/doc2600.pdf

(5)–Wikipedia,Blockciphermodesofoperation.

http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation



Page50/63

AnnexA Appendix



Page51/63

A.1 ERP1securetelegrams

ThefollowingfigureindicatestheconcretizationofthesecuremessageintoERP1protocol.

A.1.1 OperationmodewithEPR1

Figure26.InthemostgeneralversionofthesecuremessagetheRLCandCMACfieldsarepresent.DATA can be encrypted. The fields R-ORG S, DATA, RLC and CMAC are integrated withoutmodification in theERP1 telegram. IfDATA isencrypted in themessage it isalsoencrypted in theERP1telegram.TheIDandSTATUSarespecifictothetelegram.

A.1.2 Secureteach-inchainingwithERP1

TheERP1limitstheamountofbytestransmittedto21pertelegram.Therefore,thesecureteach-inmessagemustbepartitionedinatleasttwotelegrams(chaining).

Figure27Thegeneralteach-inmessagesecuritymembers

Dividingthemessageintotwotelegramsresultsinthefollowing:

Teach-in message information divided in two ERP1 telegrams. The telegram withTEACH_IN_INFO_0 byte is sent first. This telegram contains the teach-in RLC, SLC and thefirstpartoftheKEYoftheteach-inmessage.ThesecondtelegramtransportsthesecondpartoftheKEY.

TEACH_IN_INFO_0

SLF RLC KEY RORG-TS ID STAT

KEY RORG-TS ID STAT TEACH_IN_INFO_1



Page52/63

The IDX bit field of TEACH_IN_INFO_0 = 0 indicates that this is the first telegram. The CNT=2indicatesthatthemessage isdivided in2telegrams.TEACH_IN_INFO_1 IDXfield=1saysthatthistelegramisthesecondone.Seechapter4.1.2tolearnmoreabouttheTEACH-ININFObitfields.

It is specified, that there is no direct timeout between the chained telegrams of the teach-in-message.Eachnewerreceivedtelegramoverwritesolderreceivedtelegrams.Attheendofthelearnmode,allpartlyreceivedmessageswillbedeleted.

TEACH_IN_INFO_0

IDX = 0 TYPE INFO CNT = 2

IDX = 1

RESERVED

TEACH_IN_INFO_1



Page53/63

A.2 ERP2securetelegrams

ThefollowingfigureindicatestheconcretizationofthesecuremessageintoERP2protocol.

A.2.1 OperationmodewithEPR2

ThesecuremessageDATAfieldusedthroughoutthisdocumentationcontainstheinformationoftheconcatenatedERP2telegramDataandOptionalDatafields.IfthemessageDATAfieldisencryptedisalsoencryptedinthetelegram.TheRLCandCMACareplacedaftertheOptionalData.TheinformationoftheR-ORGSiscontainedwithintheHEADERfield.TheEXTENDEDHEADERdependsonthetelegram.SeeERP2Specification

A.2.2 Secureteach-inwithERP2

Figure28.ThemessagefieldsTEACH_IN_INFO,SLF,RLCandKEYareconcatenatedintheorderindicatedandplacedintheDATAfieldoftheERP2telegram.TheinformationofR-ORGTSiscontainedwithintheHEADER.TheEXTENDEDHEADERdependsonthetelegram.

A.2.2.1 Secureteach-inchainingwithERP2

Many EnOcean applications have a very limited amount of energy available. For this reason, ifneeded,ispossibletofragmenttheteach-inmessage(describedin4)inseveraltelegrams.

DATA RLC CMAC

Data RLC HEADER

CMAC

Secure message:

ERP2 telegram:

ORIG. ID

LENGTH

EXT. HEADER

DEST. ID

OPT. Data

R_S



Page54/63

Figure29.Thesecureteach-inmessageistransmittedherebytwoERP2telegrams.TheinformationwithinthefieldDATA,betweenthetelegram'sDestinationIDandOptionalData,isshown.SLF,RLCandthefirstpartoftheKEYaretransmittedinthefirsttelegram.ThesecondtelegramcontainsthesecondpartoftheKEY.TheTEACH_IN_INFO_XbytesareinterpretedlikeintheChapter4.

Itisspecified,thatthereisnodirecttimeoutbetweenthechainedtelegramsoftheteach-in-message.Eachnewerreceivedtelegramoverwritesolderreceivedtelegrams.Attheendofthelearnmode,allpartlyreceivedmessageswillbedeleted.



Page55/63

A.3 PSKCRC8checksumalgorithm

ThepolynomialisP(x)=x8+x2+x1+x0

codeuint8u8CRC8Table[256]={

0x00,0x07,0x0e,0x09,0x1c,0x1b,0x12,0x15,

0x38,0x3f,0x36,0x31,0x24,0x23,0x2a,0x2d,

0x70,0x77,0x7e,0x79,0x6c,0x6b,0x62,0x65,

0x48,0x4f,0x46,0x41,0x54,0x53,0x5a,0x5d,

0xe0,0xe7,0xee,0xe9,0xfc,0xfb,0xf2,0xf5,

0xd8,0xdf,0xd6,0xd1,0xc4,0xc3,0xca,0xcd,

0x90,0x97,0x9e,0x99,0x8c,0x8b,0x82,0x85,

0xa8,0xaf,0xa6,0xa1,0xb4,0xb3,0xba,0xbd,

0xc7,0xc0,0xc9,0xce,0xdb,0xdc,0xd5,0xd2,

0xff,0xf8,0xf1,0xf6,0xe3,0xe4,0xed,0xea,

0xb7,0xb0,0xb9,0xbe,0xab,0xac,0xa5,0xa2,

0x8f,0x88,0x81,0x86,0x93,0x94,0x9d,0x9a,

0x27,0x20,0x29,0x2e,0x3b,0x3c,0x35,0x32,

0x1f,0x18,0x11,0x16,0x03,0x04,0x0d,0x0a,

0x57,0x50,0x59,0x5e,0x4b,0x4c,0x45,0x42,

0x6f,0x68,0x61,0x66,0x73,0x74,0x7d,0x7a,

0x89,0x8e,0x87,0x80,0x95,0x92,0x9b,0x9c,

0xb1,0xb6,0xbf,0xb8,0xad,0xaa,0xa3,0xa4,

0xf9,0xfe,0xf7,0xf0,0xe5,0xe2,0xeb,0xec,

0xc1,0xc6,0xcf,0xc8,0xdd,0xda,0xd3,0xd4,

0x69,0x6e,0x67,0x60,0x75,0x72,0x7b,0x7c,

0x51,0x56,0x5f,0x58,0x4d,0x4a,0x43,0x44,

0x19,0x1e,0x17,0x10,0x05,0x02,0x0b,0x0c,

0x21,0x26,0x2f,0x28,0x3d,0x3a,0x33,0x34,

0x4e,0x49,0x40,0x47,0x52,0x55,0x5c,0x5b,

0x76,0x71,0x78,0x7f,0x6A,0x6d,0x64,0x63,

0x3e,0x39,0x30,0x37,0x22,0x25,0x2c,0x2b,

0x06,0x01,0x08,0x0f,0x1a,0x1d,0x14,0x13,

0xae,0xa9,0xa0,0xa7,0xb2,0xb5,0xbc,0xbb,



Page56/63

0x96,0x91,0x98,0x9f,0x8a,0x8D,0x84,0x83,

0xde,0xd9,0xd0,0xd7,0xc2,0xc5,0xcc,0xcb,

0xe6,0xe1,0xe8,0xef,0xfa,0xfd,0xf4,0xf3

crc=0;

for (i=0; i<sizeof(key); i++)

{

crc = u8CRC8Table[crc ^ key[i]];

}

Example

key=0x3410de8f1aba3eff9f5a117172eacabd

crc8=0x07



Page57/63

A.4 SecurityTestvectors

Thefollowingtestvectorsareusefultochecktheuserimplementationforsecureapplications.

A.4.1 SecureSTMwithID(019EB63B)

ThefirstexampleusesvariableAES128asencryptionalgorithm,4byteCMACand3byterollingcodeassecurityparameters.

• Teach-InMessages:Transmittedpacketsovertheair:1. 352093C0FFEE456E4F6365616E019EB63B002. 354020476D62482E313300019EB63B00

• Teach-Info:0x00• SecurityLayerformat:0x93• “SLF_DATA_ENC_VAES128|SLF_MAC_4BYTE|SLF_RLC_ALGO_24BIT”• SecurityKey:0x45,0x6E,0x4F,0x63,0x65,0x61,0x6E,0x20,0x47,0x6D,0x62,0x48,0x2E,

0x31,0x33,0x00

• Rollingcode:0xC0FFEE

UnsecureDatamessage:

• TransmittedPacketovertheAir:A50827FF80019EB63B00• RORG:0xA5• DATA:0x08,0x27,0xFF,0x80

SecureDataMessage:

Dataencryption:

VAES init vector 0x3410de8f1aba3eff9f5a117172eacabd

XOR

RLC padded 0xc0ffee00000000000000000000000000

---------------------------------------------------

Input 0xf4ef308f1aba3eff9f5a117172eacabd

AES

Key 0x456E4F6365616E20476D62482E313300

---------------------------------------------------

0x9be2e35d5fe7858645200587dd3b515c

XOR

Data padded 0xa50827ff800000000000000000000000

---------------------------------------------------



Page58/63

Data encrypted 0x3eeac4a2dfe7858645200587dd3b515c

SubkeygenerationforCMACcalculation

Key 0x456E4F6365616E20476D62482E313300

AES128

Input 0x00000000000000000000000000000000

------------------------------------------------

0xdd21aa892ddf3cb967c314369a272338

<<

------------------------------------------------

0xba4355125bbe7972cf86286d344e4670

XOR

0x00000000000000000000000000000087

------------------------------------------------

K1= 0xba4355125bbe7972cf86286d344e46f7

<<

------------------------------------------------

0x7486aa24b77cf2e59f0c50da689c8dee

XOR

0x00000000000000000000000000000087

------------------------------------------------

K2= 0x7486aa24b77cf2e59f0c50da689c8d69

Message padded 0x313eeac4a2dfc0ffee80000000000000

XOR

K2 0x7486aa24b77cf2e59f0c50da689c8d69

----------------------------------------------------

Input 0x45b840e015a3321a718c50da689c8d69

AES128

Key 0x456E4F6365616E20476D62482E313300



Page59/63

---------------------------------------------------

CMAC(128bits) 0xeaf20eed28679f641c15b10b9308d0d4

• TransmittedPacketovertheAir:313EEAC4A2DFEAF20EED019EB63B00

• RORG:0x31(secureROGwithencryptedoriginalROG)• DATA:0x3E,0xEA,0xC4,0xA2,0xDF

• CMAC:0xEA,0xF2,0x0E,0xED• RLC(nottransmitted):0xC0FFEE

The secondexampleuses variableAES128asencryptionalgorithm,3byteRolling codeandnoCMACassecurityparameters.

Teach-InMessage

• Transmittedpacketsovertheair

1. 352083C0FFEE456E4F6365616E019EB63B00

2. 354020476D62482E313300019EB63B00

• Teach-Info:0x00

• SecurityLayerformat:0x83

“SLF_DATA_ENC_VAES128|SLF_MAC_NO|SLF_RLC_ALGO_24BIT”

• SecurityKey:

o 0x45,0x6E,0x4F,0x63,0x65,0x61,0x6E,0x20,0x47,0x6D,0x62,0x48,o 0x2E,0x31,0x33,0x00

• Rollingcode:0xC0FFEE

UnsecureDataMessage:

• TransmittedPacketovertheAir:A50827FF80019EB63B00• RORG:0xA5• DATA:0x080x270xFF0x80

SecureDataMessage:

• Transmittedpacketovertheair:313EEAC4A2DF019EB63B00



Page60/63

• RORG:0x31• DATA:0x3E0xEA0xC40xA20xDFSamebytesequenceasinexample1..• RLC:0xC0FFEE

A.4.2 SecurePTM(withID0185E177)

ThisexampleusesvariableAES128encryptionalgorithm,3byteCMACand2byterollingcode.

Teach-InMessage:

• Transmittedpacketsovertheair:1. 35244B3E2D456E4F6365616E0185E177002. 354020476D62482E3133000185E17700

• Teach-Ininfo:0x04//TEACH_INFO_PTM|TEACH_INFO_PTM_ROCKERA• SecurityLayerformat=0x4B

SLF_DATA_ENC_VAES128|SLF_MAC_3BYTE|SLF_RLC_ALGO_16BIT• SecurityKey:

0x45,0x6E,0x4F,0x63,0x65,0x61,0x6E,0x20,0x47,0x6D,0x62,0x48,0x2E,0x31,0x33,0x00

• Rollingcode:0x3E2D

UnsecureDatamessage:

• TransmittedDataovertheair:D2090185E17700

• RORG:0xD2

• DATA:0x09

SecureDatamessage:

Dataencryption:

VAES init vector 0x3410de8f1aba3eff9f5a117172eacabd

XOR

RLC padded 0x3E2D0000000000000000000000000000

---------------------------------------------------



Page61/63

Input 0x0a3dde8f1aba3eff9f5a117172eacabd

AES

Key 0x456E4F6365616E20476D62482E313300

---------------------------------------------------

0xc77f3257ca9f626ad8f6ed44db04d26c

XOR

Data padded 0x09

---------------------------------------------------

0xce

AND

Mask(*) 0x0f

----------------------------------------------------

Data encrypted 0x0e

(*)ForPTMsecuretelegramsthesecureddatamostsignificantbyteischopped.

CMAC generation (like in example 1)

Key 0x456E4F6365616E20476D62482E313300

Subkey K2 0x7486aa24b77cf2e59f0c50da689c8d69

Message padded 0x300E3E2D800000000000000000000000

XOR

K2 0x7486aa24b77cf2e59f0c50da689c8d69

----------------------------------------------------

Input 0x44889409377cf2e59f0c50da689c8d69

AES128

Key 0x456E4F6365616E20476D62482E313300

---------------------------------------------------

CMAC(128bits) 0xebdcc47285ab750a21c06a4ed2627ad0



Page62/63

• TransmittedDataovertheair:300EEBDCC40185E17700

• RORG:0x30• DATA:0x0E• CMAC:0xEB,0xDC,0xC4

DecryptedDataMessagebythereceiver:

• TransmittedDataovertheair:

32090185E17700

• RORG:0x32• DATA:0x09

A.4.3 SecureChainedData

Expecteddecrypteddata:

RORG:0xD10x54 0x68 0x69 0x73 0x20 0x61 0x20 0x76 0x65 0x72 0x79 0x20 0x6C 0x6F 0x6E 0x67 0x20 0x73 0x74 0x72 0x69 0x6E 0x67 0x20 0x74 0x6F 0x20 0x67 0x65 0x6E 0x65 0x72 0x61 0x74 0x65 0x20 0x6E 0x6F 0x69 0x73 0x65 0x21 0x00

UsedencryptionKEY:0x45 0x4f 0x54 0x45 0x53 0x54 0x4b 0x45 0x59 0x59 0x45 0x41 0x48 0x21 0x5c 0x30

Used SLF:

SLF_RLC_TX_ON | SLF_RLC_32_BIT | SLF_MAC_3_AES128 | SLF_DATA_ENC_VAES128

RLC:

0x01 0x02 0x03 0x04

GeneratedEncryptedMessage:

RORG:0x31PayloadwithencryptedRORG+Payload+RLC+CMAC:

0x1D 0x70 0xD9 0x54 0x01 0x0F 0x84 0x78 0x2B 0x24 0xF6 0x32 0xE6 0x65 0xAD 0x7D 0x65 0x21 0xAE 0x4F 0x34 0x84 0xB6 0x39 0x08 0xF7 0x12 0xFC 0x0A 0xAC 0x56 0x76 0x49 0xC4 0xC9 0xF2 0xA8 0x29 0x7D 0xF3 0x61 0x99 0x51 0x0D 0x01 0x02 0x03 0x04 0x2F 0x71 0x9F TransmittedTelegramsoverair:

RORG SEQ IDX Datelength Payload



Page63/63

SEC_CDM 2bit 6bit 2byte 11byte

33 2 0 00 33 1D 70 D9 54 01 0F 84 78 2B 24 F6 TableChainedSecuretelegramIDX=0

RORG SEQ IDX PayloadSEC_CDM 2bit 6bit 12byte

33 2 1 32 E6 65 AD 7D 65 21 AE 4F 34 84 B6 39

TableChainedSecuretelegramIDX=1

RORG SEQ IDX Payload

SEC_CDM 2bit 6bit 12byte

33 2 2 08 F7 12 FC 0A AC 56 76 49 C4 C9 F2 A8




33 2 3 29 7D F3 61 99 51 0D 01 02 03 04 2F 71




33 3 4 9F

Table7ChainedSecuretelegramIDX=4

Date post:	11-Jul-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

System Specification · 2020-04-30 · System Specification Security of EnOcean Networks v2.51 Page...

Documents