Long-range, low-power wireless connection
When a wireless end device is beyond the link range of technologies such as Wi-Fi® or ZigBee®, there are several connection schemes to choose from. For typical Internet-connected sensors or actuators, 3G or 4G high-speed connections are more complex, more expensive and more power-hungry than the application calls for. Although second-generation (2G) GSM is economical and affordable, the 2G network still faces uncertainty because some smartphone users have moved to 4G and 5G services. The GSM Association (GSMA) has proposed CAT-0 LTE, an IoT-friendly method that connects easily to a 4G network. At the same time, low-power WAN (LPWAN) standards such as LoRaWAN™, Sigfox, Ingenu and Weightless have become economical, affordable alternatives to the GSM standards.
LPWAN networks operate in unlicensed bands. Sigfox and Ingenu are building their own networks, while the LoRa® Alliance has taken a different approach, promoting the technology to independent network operators. In 2015, Orange announced that, as part of its strategy, it would build a LoRa network to serve the M2M and Internet of Things connectivity market.
Simply put, LoRaWAN networks operate at 868 kHz in Europe and at 915 MHz in North America. The protocol is designed for extremely low power consumption and supports data rates from 0.3 kbit/s to 50 kbit/s. It supports adaptive data rates, which automatically optimize range, battery life and network capacity. The communication range is 2 km to 15 km, depending on factors such as the built environment and the size of the message. LoRaWAN is becoming more popular, and designers can use products that are now available to add LoRaWAN connectivity to autonomous devices.
As the Internet of Things enters the public domain, cyberattacks that threaten security and safety have become a focus. Because of the nature of the Internet of Things, such threats may affect individuals or many people. Hackers may try to take over equipment, cause equipment failures, steal device data, or use devices to get into the host network and reach sensitive personal or financial information. A device may also be used to propagate malware, or an attacker may simply try to steal intellectual property such as the application code running on the device.
Securing the LoRa data stream
The security strategy for protecting the Internet of Things should be simple enough to support resource-constrained IoT endpoints while keeping cost and device power requirements to a minimum. The LoRaWAN security mechanism protects communication through mutual authentication between the network and the endpoint. In this way, the network ensures that devices attempting to connect are correctly registered and have not been compromised, and the device is assured of the authenticity of the network it connects to. The network and the connecting device each need a security key, known as the AppKey, with which they can encrypt information for the other party and correctly decrypt information received from it. Once credentials have been verified and the endpoint is connected, LoRaWAN security protects message integrity using signing and encryption.
The LoRa Alliance designed the LoRaWAN protocol to support end-to-end encryption. The data stream is encrypted not only on the air interface but also remains encrypted in the operator's core network, and is never transmitted in plain text. This avoids the overhead of additional application-layer encryption, which saves cost and energy and also reduces complexity.
LoRaWAN security builds on the security developed for IEEE 802.15.4 radio communication, extended by the use of both a network session key (NwkSKey) and an application session key (AppSKey). In line with existing IEEE 802 security specifications, each LoRaWAN device is assigned a 64-bit globally unique identifier named DevEUI, which is compatible with the IEEE extended unique identifier (EUI-64). Only an assigning organization that holds a 24-bit organizationally unique identifier (OUI) issued by the IEEE Registration Authority is entitled to assign these identifiers. Each LoRaWAN end device also has its own 128-bit AES key, known as the AppKey.
Each device must be activated before it can communicate in a LoRaWAN network. Two methods are available: over-the-air activation (OTAA) or activation by personalization (ABP). With either method, the network and the connecting device must prove that they hold the correct security key in order to establish a connection.
In OTAA, the end device transmits a join request containing the device's DevEUI, the application identifier (AppEUI), and AppKey. The application server then transmits an encrypted accept message, which the end device decrypts using its AppKey to obtain the assigned network device address (DevAddr), the network session key (NwkSKey) and the AppSKey. These keys are unique to the device.
In ABP, the device address and session keys are programmed into the end device in advance. This suits cases where the device is intended to connect to a particular known network. The device can communicate on the network immediately, without any over-the-air exchange.
In a LoRaWAN network, the end device communicates with the network server through one or more gateways, as shown in Figure 1. The network server forwards each end device's data to the application server for that device, and manages data transmission from the application server to the end device via the gateway. Protection is provided by the NwkSKey and AppSKey session keys, which provide security at the control and application data levels. Each data message contains a MAC header, a frame header and a payload, plus a message integrity code (MIC) generated using the NwkSKey.
The MIC is calculated with the Advanced Encryption Standard cipher-based message authentication code (AES-CMAC) and is used for verification. The payload is encrypted with the AppSKey. In this way, the network server and application server can verify information from the end device. As shown in Figure 2, the application payload is encrypted using the Advanced Encryption Standard in counter (CTR) mode, and a frame counter is also included in the LoRaWAN packet. This effectively prevents attackers from gaining access by replaying messages. Correct counter management is important to avoid repeated sequences, and the counter should not be reset when a node reconnects to the network.
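The frame-counter check described above, as an added example (not code from the article or the LoRa Alliance): a server-side validator that rebuilds the full counter from the 16-bit field in the frame and rejects replays, counter resets and excessive jumps. The `Session` class, the function names and the sample traffic are hypothetical; the 16-bit field and the 16384 gap limit are assumed from LoRaWAN 1.0.x.

```python
from dataclasses import dataclass

MAX_FCNT_GAP = 16384  # assumed per LoRaWAN 1.0.x: largest accepted counter jump

@dataclass
class Session:
    """Hypothetical per-device state kept by the network server."""
    dev_addr: int
    last_fcnt: int = -1  # last accepted 32-bit uplink counter; -1 = none yet

def reconstruct_fcnt(last_fcnt: int, fcnt16: int) -> int:
    """Rebuild the full 32-bit counter from the 16-bit field sent on air."""
    if last_fcnt < 0:
        return fcnt16
    candidate = (last_fcnt & ~0xFFFF) | fcnt16
    if candidate <= last_fcnt:  # not newer, so assume the 16-bit field wrapped
        candidate += 0x10000
    return candidate

def check_uplink(session: Session, fcnt16: int) -> str:
    """Classify one uplink; the stored counter advances only on accept."""
    fcnt32 = reconstruct_fcnt(session.last_fcnt, fcnt16)
    if session.last_fcnt >= 0 and fcnt32 - session.last_fcnt > MAX_FCNT_GAP:
        # Replayed frames, a node that restarted its counter, and too many
        # lost frames all land here; the counter alone cannot tell them apart.
        return "reject"
    # A real server verifies the MIC over fcnt32 at this point before storing.
    session.last_fcnt = fcnt32
    return "accept"

def run(frames):
    """Feed (dev_addr, fcnt16) pairs through per-device sessions."""
    sessions, verdicts = {}, []
    for dev_addr, fcnt16 in frames:
        s = sessions.setdefault(dev_addr, Session(dev_addr))
        verdicts.append(check_uplink(s, fcnt16))
    return verdicts

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    (0x26011A2B, 65534), (0x26011A2B, 65535),
    (0x26011A2B, 1),      # legitimate rollover of the 16-bit field
    (0x26011A2B, 65535),  # replay of an earlier frame
    (0x26011A2B, 0),      # node rebooted and restarted its counter at 0
    (0x26011A2B, 30000),  # jump larger than MAX_FCNT_GAP
    (0x26011A2B, 2),      # next genuine frame is still accepted
]

if __name__ == "__main__":
    for (addr, fcnt), verdict in zip(SAMPLE, run(SAMPLE)):
        print(hex(addr), fcnt, verdict)
```

A node whose counter restarts at zero under unchanged session keys is rejected exactly like a replay, which is why the counter has to be kept across reboots.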
LoRa node physical security
LoRaWAN security is designed to be simple and energy-efficient, avoiding complex or cumbersome encryption calculations and multi-layer security designs. Although encryption is performed with the NwkSKey and AppSKey, both keys are derived from the same key (AppKey). A network operator holding the AppKey can therefore derive the AppSKey and decrypt the data stream. To close this loophole, the server responsible for AppKey storage and related services should be controlled by a trusted organization associated with the network operator. The LoRa Alliance has said that a change is planned for LoRaWAN in which the NwkSKey and AppSKey will be derived from separate keys.
In practice, transceiver modules such as those from Microchip can encode, encrypt and transmit data over a LoRaWAN wireless connection. This module implements the LoRaWAN protocol stack on board in an integrated microcontroller, and integrates a LoRa technology radio and a UART for connecting a host microcontroller (Figure 3). The embedded microcontroller has 14 GPIO pins for connecting user equipment such as sensors, switches or LED status indicators. Alternatively, with Seeed Technology's Seeeduino LoRaWAN modules, users can use Creative Guest expansion boards to add a variety of sensors quickly and easily.
Although the LoRaWAN standard uses several mechanisms to protect data transmitted between the LoRa network and connected end devices, nodes remain vulnerable to physical attack. If the stored keys can be extracted, a device on the network can be impersonated. Physical attacks are a serious threat to equipment installed in remote or unmonitored locations, where additional security measures are needed.
The Murata CMWX1ZZABZ-078 LoRa module is available with an optional secure element for security key storage (Figure 4). Embedded secure elements are an effective measure for protecting encryption keys and other sensitive data against physical attacks such as intrusion or pin monitoring. They are increasingly used in Internet-connected accessories, personal computers and other devices to create a hardware root of trust for verifying machines, software and users.
Conclusion
Internet of Things applications were taken into account when the LoRaWAN protocol was developed, and it includes various security measures for protecting data in transit. Equipment designers should follow the LoRa Alliance's recommendations to make their applications as secure as possible. In addition, further security measures are needed to protect unattended Internet of Things equipment against physical attack.