• State Verified Answer
  • Replies 4 replies
  • Subscribers 91 subscribers
  • Views 239 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 360242
Options

DECT MAC: security key by network

chrysn

My DECT nr+ PT supports connecting to either of a set of networks, which of course have different integrity and cipher keys.

While scanning for cluster beacons, I can receive the 24MSB of the network ID and then make a decision on the key to use, but the key is set in control_configure already before scanning. I can only run control_configure again successfully if I deactivate control_functional_mode, and when I activate it again, the information that the MAC layer stores internally during mac_network_scan is lost, mac_association therefore fails, and I have to mac_network_scan with the new keys, even though no new information is expected.

Is there a shorter way to update the keys to allow association without another round of waiting for the beacon, or is that the penalty that has to be taken for not guessing the network to connect to correctly?

Parents
  • 0

    For clarification: When not initially setting any key or setting the one not matching the network, I get no response to mac_network_scan. Nonetheless, the possibility to report something is there. So until beacons that could not be decrypted are reported through the MAC interface, joining necessarily takes two beacons time: scanning needs to happen in PHY mode, and then when the network ID was read, there's the switch to the MAC mode, which just again needs to wait for the next item on the radio.

  • 0 in reply to chrysn

    Hi,

    Sorry for the delay,

    I don't have a lot of experience on DECT NR+, so I can't give you a good answer right now.

    Let me ask internally, and I'll get back to you when I have more information (most likely before the end of the week)

    Best regards,

    Simon D-M

Reply Children
  • +1 in reply to Simon D-M

    Hi,

    Sorry for the delay,

    It looks like the MAC is oriented towards one network only. So when you are dealing with multiple networks IDs and keys, you unfortunately need to scan twice, as you described in your post.

    Best regards,

    Simon D-M

  • 0 in reply to Simon D-M

    Thanks.

    Seeing that  NRF_MODEM_DECT_MAC_SECURITY_MODE_2 is currently not part of nrfxlib, I'll have to wait for that too as part of rolling over keys within the same network.

    (That'd have been a follow-up question, and relevant one: Best practice with shared symmetric keys is to replace them regularly (eg.as part of rekeying, see RFC8654 or draft-irtf-cfrg-aead-limits for recent work). While TSI TS 103 636-4 leaves the rotation itself to further specification, it does provide a key index in the MAC Security Info IE (MAC Security 10 in the MAC header type). But without SECURITY_MODE_2, no point in asking about how to use it.)

Related
Terms of service