
Elliptic curve cryptography (ECC) library for ZigBee Smart Energy

Question asked by Alan Led Collins Rivera Employee on Sep 9, 2014
Latest reply on Sep 11, 2014 by Juan Carlos Pacheco

Hello folks,

 

Thanks to Alexandru Andreescu who put together a very nice description about ECC for our ZigBee SE stack:

 

On the ECC library:

 

The Smart Energy 1.x solutions from BeeKit are exported with an empty stub ECC library for the Certificate Based Key Establishment procedure (CBKE). This library does not implement ECC functionality but otherwise still establishes a key through SEP1 ECC-based key exchange mechanisms. Using the stub, the generated key will however always be the same.

 

For certification and production, a full ECC library is needed. One can request the SDK from Certicom at this location free of charge (some terms and conditions apply):

http://www.certicom.com/index.php?option=com_chronocontact&chronoformname=certicom_zigbee_sdk_registration_form

 

To add the Certicom library to the project, copy both eccapi.h and libecc.a from Certicom to [Project]/BeeApps/SE/. Ensure gEccIncluded_d and gFullEcc_d are set to TRUE in SEProfile.h. One should only recompile the project to enable full ECC functionality.

 

On the Test Certificates:

 

The Freescale solutions come with 3 test certificates and corresponding public/private key pairs (see SEProfile.c) that can be used in certification testing. The certificates are linked with a specific device MAC/EUI64 address (in our case 0x0000000000000001, 0x1111111111111111 and 0x0000000000000002). You can find the MAC address embedded in the certificate.

 

To generate certificates for other MAC addresses, you have to register for this service on Certicom's website (http://www.certicom.com/index.php/gencertregister). You will receive 4 values when you generate new certificates:

- CA Public Key which will be copied in CertAuthPubKey.

- Device Implicit Cert which will be copied in DeviceImplicitCert.

- Device Private Key which will be copied in DevicePrivateKey.

- Device Public Key which will be copied in DevicePublicKey.

 

On Production Devices (after certification):

 

For production purposes, one has to replace the test certificates and keys with the production ones. These differ by Issuer ID field, so a device with a test certificate (which is submitted for SEP1 ZigBee certification) will not interoperate with a device with production certificates. To register for production certificates go to http://www.certicom.com/index.php/regzigbee.

 

Besides the steps for the test certificates, one will have to update CertAuthIssuerID to [0x00, 0x22, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01].

 

More detailed information about the Certicom ZigBee Smart Energy SDK can be found in the following PDF file: http://www.certicom.com/images/pdfs/ZigBee/faq-zigbee-security.pdf
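A pre-release check for the points above, as an added example that is not part of the original post and is not Freescale or Certicom code: it rejects a device certificate whose subject is one of the three test EUI64 addresses or whose issuer is not the production Issuer ID. The 48-byte certificate layout, the function names and the sample certificate are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumption (not stated in the post): 48-byte SE 1.x implicit certificate =
 * 22-byte public key reconstruction data | 8-byte subject (EUI64) |
 * 8-byte issuer ID | 10-byte profile attribute data. */
enum { CERT_LEN = 48, SUBJECT_OFF = 22, ISSUER_OFF = 30, ID_LEN = 8 };
enum cert_status { CERT_OK, CERT_BAD_LENGTH, CERT_TEST_SUBJECT, CERT_NOT_PROD_ISSUER };

/* Production issuer ID, as given in the post for CertAuthIssuerID. */
static const uint8_t kProdIssuer[ID_LEN] = {0x00, 0x22, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01};
/* EUI64 addresses bound to the three shipped test certificates (from the post). */
static const uint64_t kTestEui64[] = {0x0000000000000001ULL, 0x1111111111111111ULL,
                                      0x0000000000000002ULL};

/* Read 8 bytes as an integer, most significant byte first or last. */
static uint64_t load64(const uint8_t *p, int big_endian) {
    uint64_t v = 0;
    for (int i = 0; i < ID_LEN; i++)
        v = (v << 8) | p[big_endian ? i : ID_LEN - 1 - i];
    return v;
}

/* Hypothetical release gate: reject certificates that still carry test identity. */
enum cert_status check_production_cert(const uint8_t *cert, size_t len) {
    if (cert == NULL || len != CERT_LEN)
        return CERT_BAD_LENGTH;
    /* Byte order of the stored EUI64 is an assumption, so test both. */
    uint64_t be = load64(cert + SUBJECT_OFF, 1), le = load64(cert + SUBJECT_OFF, 0);
    for (size_t i = 0; i < sizeof kTestEui64 / sizeof kTestEui64[0]; i++)
        if (be == kTestEui64[i] || le == kTestEui64[i])
            return CERT_TEST_SUBJECT;
    if (memcmp(cert + ISSUER_OFF, kProdIssuer, ID_LEN) != 0)
        return CERT_NOT_PROD_ISSUER;
    return CERT_OK;
}

/* Build a constructed sample certificate (zeroed key material, not a real one). */
void make_sample_cert(uint8_t *out, uint64_t eui64, const uint8_t *issuer) {
    memset(out, 0, CERT_LEN);
    for (int i = 0; i < ID_LEN; i++)
        out[SUBJECT_OFF + i] = (uint8_t)(eui64 >> (8 * (ID_LEN - 1 - i)));
    memcpy(out + ISSUER_OFF, issuer, ID_LEN);
}

int main(void) {
    uint8_t cert[CERT_LEN];
    make_sample_cert(cert, 0x0000000000000001ULL, kProdIssuer); /* test EUI64 */
    return check_production_cert(cert, sizeof cert) == CERT_TEST_SUBJECT ? 0 : 1;
}
```

In a real build the buffer passed in would be the DeviceImplicitCert array from SEProfile.c, with the offsets confirmed against the certificate format in the Certicom SDK documentation.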
