Who Holds The Keys? Improving LoRaWAN Security Through Dedicated Hardware
June 24, 2019
The Things Industries has developed new hardware with Microchip to improve security handling from the low level of a node all the way to a high level application.
The Things Industries has developed new hardware with Microchip to improve security handling from the low level of a node (i.e. an asset tracker) all the way to a high level application (i.e. a website showing the location of your company’s trucks throughout a city). As data pass from the low-power node up to the server, the keys are hidden from the user and, by extension, from bad actors. This reduces security risk and operational overhead for owners of large device fleets.
LoRaWAN and the need for keys: a brief review
LoRaWAN is a modern networking standard that allows low power devices to talk to the internet via unlicensed subgigahertz spectrum, delivered via specialized radios. These are based on the LoRa protocol from Semtech. To disambiguate, "LoRa" is the low level protocol that actually allows two radios to talk to one another; "LoRaWAN" refers to the variety of software written to help control the large number of devices trying to communicate back over these radios to the internet at large.
From a certain perspective, LoRaWAN itself looks like a microcosm of the internet. Servers forward along information from the nodes to the network. This data information transfers to the final application, which utilizes the data collected in the real world. The actual architecture is much more involved and complex, but is explained well in the LoRaWAN documentation.
Much like in an email interchange server or a network switch (to use the internet comparison), the role of the servers is to detect which devices are allowed to communicate on any particular network. When a data packet is allowed to pass through from one point to the next, it is important to understand the origin of that packet and whether the device can be trusted. When the data arrive at the end application, it's important to be able to decode the encrypted data for use in the final application.
The way network servers and application servers know which data should pass through and how to decrypt the content of a message is from a variety of "keys." The two keys we care about are the Application Key and the Network Key (the Network Key only applies to the most recent LoRaWAN Specifications: V1.1). The two root keys are the most critical piece of data in the entire system.
Who holds these keys?
Who holds the keys during design?
Hardware engineers are normally not in charge of security nor securing keys. Security is typically the realm of software engineers. Implementing complex methods of interacting with servers and exchanging keys requires high level mathematics.
Modern microcontrollers increasingly have security features integrated by default. Cryptography engines and secure memories are available in more products than in the past. But aside from choosing these features and doing trade-offs of cost vs features, hardware engineers are tasked with making the system operate, and less so on the handling of keys.
Who holds the keys during manufacturing?
Each device is designed, manufactured and programmed by a team of people. The node may pass from a manufacturer in China, to a programming house in Ireland, to a warehouse in Germany, to an end user's truck fleet in rural U.S. Each of these steps means the end device changes hands and has the opportunity to be interfered with by a bad actor.
Security keys need to be stored directly in a microcontroller’s memory. This means a factory worker holds the keys at some point during the process. They could pocket some of the codes and use them later. Beyond a factory worker interacting with keys, the assumption was that it was difficult to extract these keys from the memory once they had been placed there, maybe even utilizing one time programmable memories. This is no longer the case. Side channel attacks and dumping firmware ROMs allow bad actors to gain access to these keys. They could be used for future attacks.
What if this was no longer necessary?
Your hardware holds the keys
In this newest method of verification, we keep all critical information on the device AND the server. A hardware secure element is used to store the root keys: the Network Key and the Application Key. This method involves a hardware secure module from Microchip called the ATECC608A-MAHTN-T CryptoAuthentication chip. The manufacturer, nor the user, nor the programmer of the device ever sees that actual key information. Instead, the chip is paired with a "Join Server," which holds similar information as on the hardware device. This synchronizes with the chip, and allows concurrent creation of secure credentials. This is useful for a few reasons. First, it reduces the overhead of injecting the keys one by one to all devices. Second, security keys are securely stored, making it almost impossible to retrieve the keys by physically attacking the device. And Finally, because the root keys are stored in an independent Join Server, the node is much more portable with this method. Transferring the node to a new network only requires a small amount of information to be passed from the Join Server to the device, and then the session keys are once again co-generated. This means your node can pass between multiple LoRaWAN networks as needed. Once your device is in the field, it is a simple process to move to an entirely new LoRaWAN network, avoiding vendor lock-in.
The secure element ensures that the most critical security keys are isolated into a package that is designed specifically for security. Regardless of the node that you design, the security stays inside a low cost, highly secure element.
Onboard key storage acts as a passport between networks
As Xavier Bignalet talked about at The Things Conference 2019, the secure element is similar to a SIM card in that it securely enables access to particular networks. This model reduces the complexity on the hardware and firmware of devices and enables smoother provisioning of new devices onto LoRaWAN networks. It also lowers the power draw and complexity of chips required for doing intensive cryptography. Your node can focus on simplicity and low power draw, so that the device has an extended battery life. This is the reason many designers choose LoRa elements in the first place.
The secure element will give you security throughout your supply chain and as your devices are deployed in the field. Read more about the secure element here or watch more interviews with Xavier, the security lead from Microchip.
Chris Gammell is an electrical engineer, podcaster and consultant from Chicago, IL. He has over 15 years of experience in the electronics industry, working for companies in the industrial, silicon, communications, and test and measurement space. As a full-time consultant for Analog Life LLC, he creates designs for clients ranging from learning platforms to connected sensor networks. He also has been running The Amp Hour podcast for the past nine years (along with Dave Jones of the EEVblog), a weekly show discussing trends throughout the modern electronics design industry. For the past five years, Chris has also been teaching as part of his online course called Contextual Electronics, which focuses on teaching electronics design skills for beginners to intermediate students. Chris got his bachelor’s degree in electrical engineering from Case Western Reserve.