Elliptic curve cryptography (ECC) library for ZigBee Smart Energy

Showing results for 
Search instead for 
Did you mean: 

Elliptic curve cryptography (ECC) library for ZigBee Smart Energy

Contributor V

Hello folks,

     Thanks to Alexandru Andreescu who put together a very nice description about ECC for our ZigBee SE stack:

On the ECC library:

The Smart Energy 1.x solutions from BeeKit are exported with an empty stub ECC library for the Certificate Based Key Establishment procedure (CBKE). This library does not implement ECC functionality but otherwise still establishes a key through SEP1 ECC-based key exchange mechanisms. Using the stub, the generated key will however always be the same.

For certification and production, a full ECC library is needed. One can request the SDK from Certicom at this location free of charge (some terms and conditions apply):


To add the Certicom library to the project, copy both eccapi.h and libecc.a from Certicom to [Project]/BeeApps/SE/. Ensure gEccIncluded_d and gFullEcc_d are set to TRUE in SEProfile.h. One should only recompile the project to enable full ECC functionality.

On the Test Certificates:

The Freescale solutions come with 3 test certificates and corresponding public private key pairs (see SEProfile.c) that can be used in certification testing. The certificates are linked with a specific device MAC/EUI64 address (in our case 0x0000000000000001, 0x1111111111111111 and 0x0000000000000002). You can find the MAC address embedded in the certificate.

To generate certificates for other MAC addresses, you have to register for this service on Certicom's website (http://www.certicom.com/index.php/gencertregister). You will receive 4 values when you will generate new certificates:

- CA Public Key which will be copied in CertAuthPubKey.

- Device Implicit Cert which will be copied in DeviceImplicitCert.

- Device Private Key which will be copied in DevicePrivateKey.

- Device Public Key which will be copied in DevicePublicKey.

On Production Devices (after certification):

For production purposes, one has to replace the test certificates and keys with the production ones. These differ by Issuer ID field, so a device with a test certificate (which is submitted for SEP1 ZigBee certification) will not interoperate with a device with production certificates. To register for production certificates go tohttp://www.certicom.com/index.php/regzigbee.

Besides the steps for the test certificates, one will have to update CertAuthIssuerID to [0x00, 0x22, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01].

More detailed information about the Certicom ZigBee Smart Energy SDk can be found in the following PDF file: http://www.certicom.com/images/pdfs/ZigBee/faq-zigbee-security.pdf

Labels (1)
Tags (2)
0 Kudos
1 Reply

NXP Employee
NXP Employee

Just to complete the info regarding the 3 certificates included in the demo.

Those were generated for the following MAC Addresses:

  1. 0x0000000000000001  --> Coordinator
  2. 0x1111111111111111  --> Router or ED
  3. 0x0000000000000002  --> Other Router or ED

By default if a Coordinator is programmed, it will automatically use the certificate for 0x0000000000000001

By default if a non-Coordinator device is programmed, it will select the certificate for 0x1111111111111111 … if you want to use the certificate for 0x0000000000000002  you’ll have to modify SeProfile.c to use it instead of the one for 0x1111111111111111

Here’s the section of the code:


#if ( gCoordinatorCapability_d )

IdentifyCert_t DeviceImplicitCert = {




uint8_t DevicePrivateKey[gZclCmdKeyEstab_PrivateKeySize_c] = {0x00,0x75,0xa9,0x4b,0x20,0x2e,0xbe,0xc8,0x89,0xa2,0xea,


uint8_t DevicePublicKey[gZclCmdKeyEstab_CompressedPubKeySize_c]  = {0x03,0x03,0x19,0x89,0xf6,0xd4,0x94,0x74,0xe8,0xe8,0x50,



/*Cert 2*/

IdentifyCert_t DeviceImplicitCert = {

0x02 ,0x04 ,0xac ,0x2c ,0x26 ,0x56 ,0xf1 ,0xee ,0xa4 ,0xff ,0x5d ,0xac ,0x4e ,0xdd ,0xa1 ,0x76 ,0xbf ,0xe4 ,0xfa ,0x70 ,0xd9 ,0x56,

0x11 ,0x11 ,0x11 ,0x11 ,0x11 ,0x11 ,0x11 ,0x11 ,0x54 ,0x45 ,0x53 ,0x54 ,0x53 ,0x45 ,0x43 ,0x41 ,0x01 ,0x09 ,0x00 ,0x01 ,0x00 ,0x00,

0x00 ,0x00 ,0x00 ,0x00};

uint8_t DevicePrivateKey[gZclCmdKeyEstab_PrivateKeySize_c] =  {

0x03 ,0xad ,0x06 ,0x1f ,0x0a ,0x0d ,0x4b ,0x8e ,0xdb ,0x94 ,0xf3 ,0x5e ,0x51 ,0x1d ,0xa8 ,0x7e ,0x12 ,0xa5 ,0x42 ,0x95 ,0xf0};

uint8_t DevicePublicKey[gZclCmdKeyEstab_CompressedPubKeySize_c]  =  {

0x03 ,0x05 ,0xae ,0x1a ,0x16 ,0x67 ,0x79 ,0x7a ,0xfe ,0x37 ,0x75 ,0x26 ,0xf4 ,0x53 ,0x3b ,0x0f ,0x8a ,0x03 ,0xd2 ,0x15 ,0xf9 ,0x8a};

#if 0

IdentifyCert_t DeviceImplicitCert = {





uint8_t DevicePrivateKey[gZclCmdKeyEstab_PrivateKeySize_c] =  {0x00,0x56,0x97,0x73,0x52,0x61,0x19,0xc5,0x5a,0x87,0x31,


uint8_t DevicePublicKey[gZclCmdKeyEstab_CompressedPubKeySize_c]  =  {0x02,0x04,0x12,0xd9,0x24,0x2a,0x4f,0x46,0xe1,0x6c,0x2d,





So, the application is generated to use a coordinator with MAC 0x0000000000000001 and a non-Coordinator device (ZR or ZED) with MAC 0x1111111111111111  for the certificates to match the MAC address and avoid modifying the example code or generating another certificate. If a 3rd device is added, the MAC0x0000000000000002 is to be used and SeProfile.c has to be adapted for that.

0 Kudos