KW41Z 802.15.4 Multiple Security Keys
I am using the KW41Z module with the 802.15.4 library. I need to use wireless security with multiple end devices where each end device will use a unique key. I am currently trying to figure out how I need to configure the PIB values for this. The demo application only supports a single end device so it is useful but not 100%. I am in the process of reading through AN4973 but I am having a hard time finding definitions for the different PIB variables in order to set multiple keys, and the document seems to use the same key for multiple devices. Any advice?
I think I figured it out between the demo code, the MAC/PHY Users Guide, and the demo Application Guide.
I copied the PIB setup from the demo application and modified the defines in MacGlobals.h to allow 1 key per device:
/*! The number of keys used by a device. */
#define gNumKeyTableEntries_c 100
/*! Configure one entry for each KeyIdMode used for a specific key. */
#define gNumKeyIdLookupListEntries_c 2
/*! Configure one entry for every device from which secured frames must be received. */
#define gNumKeyDeviceListEntries_c 1 // unique key per device
#define gNumDeviceDescriptorHandleListEntries_c 2
/*! Configure one entry for every secured frame type. */
#define gNumKeyUsageListEntries_c 2
/*! Configure one entry for every device from which secured frames must be received. */
#define gNumDeviceTableEntries_c 1
/*! Configure one entry for every secured frame type received. */
#define gNumSecurityLevelTableEntries_c 2
These defines modify the static allocation for gPIBKeyTable in MacGlobals.c which is modified by the PIB statements from the demo. I can step through with the debugger watching the Table and see that it is correctly filled out as a client associates.
My new question... If I have 100 entries in gPIBKeyTable, will I have to have a separate lookup table in my application to correlate an end device ID to a gPIBKeyTable index so I can remove old entries as clients are removed or keys change? Will there be an issue with a fragmented gPIBKeyTable array? For example, there are 100 clients in the Table and end device #0 is removed because it has been disassociated or timed out, and the device info is scrubbed from the entry in gPIBKeyTable by the use of the NWK_MLME_SapHandler command; will there be an issue in the MAC when it sees an empty entry in the first index and stops iterating through the list?
There are only a finite number of entries in the list so the Table will need to be maintained and scrubbed of any outdated / invalid entries. Without access to the MAC source code, I have no idea of the behavior.
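
The application-side lookup table asked about above, sketched as an added example (not NXP code and not part of the original posts). `slot_map`, `slot_find`, `slot_acquire`, `slot_release` and `KEY_SLOTS` are hypothetical names; it assumes devices are identified by their 64-bit extended address and that the capacity matches gNumKeyTableEntries_c. Clearing or writing the MAC's own table entry at the returned index is left to the caller.

```c
#include <stdint.h>
#include <string.h>

#define KEY_SLOTS 100   /* assumption: same value as gNumKeyTableEntries_c */
#define SLOT_NONE (-1)

typedef struct {
    uint64_t ext_addr;  /* end device's 64-bit extended address */
    uint8_t  in_use;    /* explicit flag, so address 0 is not a sentinel */
} key_slot_t;

static key_slot_t slot_map[KEY_SLOTS];

/* Return the key-table index bound to ext_addr, or SLOT_NONE.
 * Scans every slot, so holes left by removed devices are harmless here. */
int slot_find(uint64_t ext_addr)
{
    for (int i = 0; i < KEY_SLOTS; i++)
        if (slot_map[i].in_use && slot_map[i].ext_addr == ext_addr)
            return i;
    return SLOT_NONE;
}

/* Bind ext_addr to the lowest free index. A device that is already
 * bound keeps its index, so a key change overwrites the same entry. */
int slot_acquire(uint64_t ext_addr)
{
    int idx = slot_find(ext_addr);
    if (idx != SLOT_NONE)
        return idx;
    for (int i = 0; i < KEY_SLOTS; i++) {
        if (!slot_map[i].in_use) {
            slot_map[i].ext_addr = ext_addr;
            slot_map[i].in_use = 1;
            return i;
        }
    }
    return SLOT_NONE;   /* full: refuse instead of silently evicting */
}

/* Unbind on disassociation or timeout. Returns the freed index so the
 * caller can scrub the matching key-table entry before it is reused. */
int slot_release(uint64_t ext_addr)
{
    int idx = slot_find(ext_addr);
    if (idx != SLOT_NONE)
        memset(&slot_map[idx], 0, sizeof slot_map[idx]);
    return idx;
}

int main(void) { return slot_acquire(0x1122334455667788ULL) == 0 ? 0 : 1; }
```
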

Hi Nick,
For your use case, where the device needs to communicate securely with 100 other devices, each one using a different key, the macros need to be configured as below:
- gNumKeyTableEntries_c 100
- gNumKeyIdLookupListEntries_c 100
- gNumKeyDeviceListEntries_c 100
- gNumKeyUsageListEntries_c 1
- gNumDeviceTableEntries_c 100
- gNumSecurityLevelTableEntries_c 1
There is no problem if you remove/update a device from the security table.
Regards,
George
The definitions seem excessive.
Using the above defines,
gPIBKeyDeviceDescriptorTable expands to gPIBKeyDeviceDescriptorTable[1][100 * 100]
gPIBKeyIdLookupDescriptorTable expands to gPIBKeyIdLookupDescriptorTable[1][100 * 100]
Having 100,000 element arrays does not seem correct.

Hi Nick,
You are correct, the number of entries in the gPIBKeyDeviceDescriptorTable and gPIBKeyIdLookupDescriptorTable tables should be 100. I've forgotten how the sizes of these tables were defined: [gNumKeyDeviceListEntries_c * gNumKeyTableEntries_c]
In this case the gNumKeyIdLookupListEntries_c and gNumKeyDeviceListEntries_c defines should have the value of 1.
Regards,
George
Which constant is changed if I want to support 2 keys per client?
It would be nice if there were additional definitions for these constants.

In this case gNumKeyTableEntries_c should be (2 * 100)
gNumKeyTableEntries_c = 100 * 2
gNumKeyIdLookupListEntries_c = 1
gNumKeyDeviceListEntries_c = 1... According to the MacGlobals.h comment this should be = # of devices, but this creates a 100*100 array size for gPIBKeyDeviceDescriptorTable.
gNumKeyUsageListEntries_c =1 x
gNumDeviceTableEntries_c = 100 x
gNumSecurityLevelTableEntries_c = 1 x
Array sizes
gPIBKeyTable[1][200]
gPIBKeyIdLookupDescriptorTable[1][200]
gPIBKeyDeviceDescriptorTable[1][200]
gPIBKeyUsageDescriptorTable[1][200]
gPIBDeviceAddrTable[1][3]
gPIBDeviceTable[1][100]
gPIBSecurityLevelTable[1][1]
To me the gPIBDeviceAddrTable sizing looks strange. By setting gNumKeyDeviceListEntries_c to 1, the check at line 95 in MacGlobals.h changes the sizing to gNumKeyDeviceListEntries_c + 2 instead of gNumDeviceTableEntries_c.

Hi Nick,
Indeed, the size of the gPIBDeviceAddrTable is wrong. To overcome this, you must add #define gNumDeviceAddrTableEntries_c (100 + 2) in your application's config file (app_preinclude.h) for this use-case.
This happens because some security table definitions depend on the value of gNumKeyTableEntries_c, which simplifies upper stacks' use cases.
Regards,
George


Hello,
I'm afraid we can't provide the libraries' source code. Let me check and I'll reply to you through the internal case as well.
Best Regards,
Estephania
