
OpenThread master key usage and generation

Hi,

I am trying to build the Thread network using nRF52840 and nRF5_SDK_for_Thread_and_Zigbee_v3.2 SDK. I tried to load the \examples\thread\cli\ftd\uart\pca10056 example on the board and it works fine. Thanks for the nice example and documentation!

Now I have some issues about the Thread security property. When we tried to generate the new Thread dataset using CLI, we will get the network parameters such as PANID, EX PAN ID, master key, etc., shown in the following figure:

For my understanding, I have the following questions:

1. Are there any other ways to build a Thread network? For example, without CLI, can we use a hardcoded program to generate and test the OpenThread Network?

2. In my view, the Master Key is used to encrypt the UDP packets between the Thread nodes during their communication. It is automatically and randomly generated when the "dataset" command is input. And the UDP communication is encrypted by AES-CCM, is that right?

3. May I know the purpose of "PSKc"? From this tutorial, the "J01NME" should be the PSKd between the commissioner and new incoming device. And the new incoming device will be certified using the DTLS PSK mode. If so, what will "PSKc" be used for?

4. A follow up question for question 3. I searched the DTLS documentation and found there are two modes, raw public keys or pre-shared keys. I guess the "J01NME" uses the second approach. Is there any reference we can find for the first approach? We are trying to build a Thread network with the PKI and we think the first approach (raw public key) might be more suitable for our project. 

Thanks for your patience, and any advice is welcomed. Thank you.

Best,

Zhonghao

  • Hi,

    1. The default master key is hardcoded into the OpenThread libraries. You can set a new key in the application using the otThreadSetMasterKey() API call. PAN ID and channel can be configured in the sdk_config.h file of the projects in the SDK, or you can use otLinkSetPanId() in your application to set it.
    2. This is from the Thread 1.1.1 specification: "With the exception of in-band commissioning, all messages are secured, either by [IEEE802154] security (level 5, encryption and 32-bit MIC), or by the MLE protocol (which is based on 802.15.4 AES-CCM frame security, but done above the link layer). The 802.15.4 and MLE keys are derived from the master key received during commissioning". As far as I know, the UDP packets are not encrypted beyond this unless DTLS is used for end-to-end encryption.
    3. The PSKc is the Pre-Shared Key for the Commissioner, see this guide.
    4. I do not have any experience with using raw public keys, and unfortunately, I'm not aware of any references for this.

    Best regards,
    Jørgen
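The reply above says the 802.15.4 (MAC) and MLE keys are derived from the master key, and that the default master key is hardcoded into the OpenThread libraries. The following is an added example, not code from the thread or from Nordic/OpenThread, showing that derivation on the host in Python so you can see why a device-specific master key matters. It assumes the derivation as implemented in OpenThread's KeyManager (HMAC-SHA-256 keyed with the 16-byte master key over the 4-byte big-endian key sequence counter followed by the ASCII string "Thread"; first 16 bytes MLE key, last 16 bytes MAC key) and that 00112233445566778899aabbccddeeff is OpenThread's well-known default master key; both are recalled from the OpenThread sources, not stated on this page. The function names are the example's own.

```python
"""Derive Thread MAC and MLE keys from a master key (added example).

Assumption: the derivation follows OpenThread's KeyManager as recalled from
its sources: HMAC-SHA-256(master_key, keySequence_be32 || "Thread"),
MLE key = digest[0:16], MAC key = digest[16:32].
"""
import hashlib
import hmac
import secrets
from typing import Tuple

THREAD_STRING = b"Thread"

# Assumption: OpenThread's well-known default master key (recalled, not from
# this page). A network that keeps it is only as secret as public source code,
# so a deployment check should flag it.
DEFAULT_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_keys(master_key: bytes, key_sequence: int) -> Tuple[bytes, bytes]:
    """Return (mle_key, mac_key) for a master key and key sequence counter."""
    if len(master_key) != 16:
        raise ValueError("Thread master key must be 16 bytes")
    if not 0 <= key_sequence <= 0xFFFFFFFF:
        raise ValueError("key sequence counter is a 32-bit value")
    msg = key_sequence.to_bytes(4, "big") + THREAD_STRING
    digest = hmac.new(master_key, msg, hashlib.sha256).digest()
    return digest[:16], digest[16:]


def generate_master_key() -> bytes:
    """Fresh random master key, the host-side counterpart of the CLI
    'dataset' step, suitable for passing to otThreadSetMasterKey()."""
    return secrets.token_bytes(16)


def is_default_master_key(master_key: bytes) -> bool:
    """Configuration check: True if the network still uses the default key."""
    return hmac.compare_digest(master_key, DEFAULT_MASTER_KEY)


if __name__ == "__main__":
    # Key rotation changes the key sequence counter; both derived keys change
    # while the master key stays the same.
    for seq in (0, 1):
        mle, mac = derive_keys(DEFAULT_MASTER_KEY, seq)
        print(f"keySequence={seq} MLE={mle.hex()} MAC={mac.hex()}")
    fresh = generate_master_key()
    print("fresh key is default:", is_default_master_key(fresh))
```

Run it once with the default key and once with a freshly generated one: the derived keys differ per key sequence counter but are fully determined by the master key, which is the reason the master key (not the MAC or MLE keys) is the secret to protect and to rotate away from the default before commissioning real devices.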

