Mesh profile (3.8) mesh security

(translated from "Mesh Profile v1.0" 3.8 mesh security)

Security Toolbox

Encryption function

CMAC function

CCM Features

S1 Salt generation function

K1 Export Function ( How to understand derivation? ）

K2 Network key export function

K3 Export function

K4 Export function

Serial number

Serial number, which is a 24bit value contained in the network layer PDU seq field. Mainly used to avoid replay attacks (replay attacks).

Elements in the same node can be shared or no serial numbers can be shared.

For mesh network security It is important to include a different serial number in the network layer PDU for each message source (every message source, based on the source address included in the SRC field).

An element can transmit 16777216 (2 24-square + 1) messages before repeating a nonce by using a 24bit serial number.

If an element transmits an average of one message per 5s, it can be transmitted for 2.6 years before repeating the nonce.

Each element of the network layer PDU that it generates should be strictly incremented for the serial number .

The element should update the IV index through the IV update process before the serial number reaches its maximum value. This also guarantees that the serial number will never be duplicated (wrap around surround)

IV Index

The initialization vector index is a 32bit value. And he is a shared resource in the network. ( all nodes in the network share the same IV index , and the IV index is used in the subnets they own.) ）

The IV index starts with 0x000000. Increased through the IV update process.

IV the time to increase the index does not need to be precise. Because the least significant bit of the IV index is communicated in each network layer PDU.

The IV index is a 32bit value, so a mesh network can work close to 5 trillion (trillion) years before the repetition occurs.

The IV index is shared across a network through secure network beacons (secured Netwok beacons).

A subnet is received after the IV update is processed and propagated in the subnet.

IV The propagation of index updates via the device in a specific subnet using the Updated IV index transport secure network beacon is complete.

If one of the devices in a primary network receives an update from that Master network , the device should propagate the update to the other subnets .

If one of the devices in a primary network receives an update message from another subnet, the update message should be ignored. (That is, starting with the primary Network IV index Update)

If a device has been away from the mesh network for some time. It can scan a secure network beacon or use the IV index recovery process to set the IV index value autonomously.

Nonce (an arbitrary or unique random number that is used only once)

A nonce is a value of 13octec . Encryption is unique for each new message. Four different nonce types are used in the network. The type of a nonce is determined by the first octet.

0x00 Network nonce for Network layer authentication and encryption secret key

0x01 application keys for high transport layer authentication and encryption

0x02 device nonce for high transport layer authentication and encryption of device keys

0X04 proxy nonce for proxy authentication and encryption secret keys

Note:ttl is used in a network nonce rather than in the application of nonce and device nonce or proxy nonce. This means that when a message is relayed and the TTL is reduced, the application and device nonce do not change, and the network nonce needs to be changed, allowing the authentication of the TTL value (? Does the TTL value also need to be certified?)

Note:DST is used in the application of nonce and device is a nonce and is no longer in the network nonce. This means that the destination of the application or device message needs to be authenticated, and the network layer destination address is encrypted (? How is a nonce used, and what is the relationship between authentication and encryption? ）。

Secret key

A type of key is defined in the mesh specification: The application secret key and the network key. The application secret key is used for secure communication of high transport layer, and the network secret key is used for secure communication on the network layer.

Two types of keys are shared across nodes.

There is also a device secret key, which is a special application secret key. The device secret key for each node is unique. Only the node and the configuration client know the device key for that node. Device keys are used for secure communication between nodes and the configuration client.

The application key is bound to the network secret key. This means that the application key is only used in the context of the network key it binds to. An application key can only be bound to a network secret key.

A device key is bound to the entire network secret key.

An example of application secret key binding is described.

Device secret key

The device key is an access-layer secret key that only the node itself and the configuration client knows.

The device key should be bound to every network key that the node knows. This binding cannot be changed.

Device keys are obtained by Provisionsalt and Ecdhsecret through the K1 method.

Where Provisionsalt is a public value, Ecdhsecret and Devkey are private values.

Application secret key

The application secret key is generated by the random number generator.

The Application key identification (AID) is used to represent the application secret key, which is obtained by K4 the application secret key.

Network secret key

The network secret key is generated by a random number generator. (The Bluetooth core definition is covered in the parth,volume2)

There is a hierarchy in the network secret key. Such as:

NID, encryption key and private secret key

Each network layer PDU uses a secure material consisting of NID, a cryptographic key, and a private key for secure encryption.

Nid is a 7bit value that identifies the security material used by the network layer PDU.

Note: For each NID there are up to 2,121 keys that can be used, so NID can only provide an indication that a security material has been used on the network layer PDU.

The main security material (as opposed to a friend's secure material) is determined by NID, where the encryption key and private key are entered by the security credentials, which are obtained through the K2 function.

NID | | EncryptionKey | | Privacykey = K2 (Netkey, 0x00)

Secure material in a friend relationship is obtained through the security credentials of a friend:

NID | | EncryptionKey | | Privacykey = K2 (Netkey, 0x01 | | lpnaddress | | friendaddress | | Lpncounter | | Friendcounter)

which

Lpnaddress is the source address of a friend request message when establishing a friend relationship.

Friendaddress is the source address of a friend offer message when a friend is established.

Lpncounter is the value of the Lpncounter field in a friend request message when establishing a friend relationship.

Friendcounter is the value of the Friendcounter field in the message that friends provide when establishing a friend relationship.

A friend security material is required for network layer PDUs that are transferred between low-power nodes and friend nodes.

For other network layer PDUs, the Master (master) security material is used. (Here the main safety material is relative to the friend safety material)

Network ID

The network ID has a network key obtained through the K3 method. Each network secret key generates a network ID.

This network ID is public information.

Identity Key (Identitykey)

The identity key is obtained from the network secret key. Each network secret key generates an identity key.

Salt = S1 ("Nkik")

P = "ID 128" | | 0x01

Identitykey = K1 (Netkey, salt, p)

Beacon Secret Key

The Beacon key is obtained by the network key. Each network key generates a Beacon key.

Salt = S1 ("NKBK")

P = "id128" | | How should 0x01// id128 be understood?

Beaconkey = K1 (Netkey, salt, P)

Global secret key Index

The network and application keys are set up in the two lists in the mesh network, by configuring client maintenance.

Each of these lists is a shared mesh network resource. And each list holds a maximum of 4,096 keys.

The key is referenced through the Global Key index: The network key index and the Application key index.

The key index is a 12bit value, from 0x000 to 0xFFF.

The index is 0X000 's network key is called the Primary network key (Primary Netkey)

Message Security

Message Replay (replay) protection

Message processing Flow

Mesh profile (3.8) mesh security