CC2420

21 MAC Security Operations (Encryption and Authentication)

CC2420 features hardware IEEE 802.15.4 MAC security operations. This includes counter mode (CTR) encryption / decryption, CBC-MAC authentication and CCM encryption + authentication. All security operations are based on AES encryption [2] using 128 bit keys. Security operations are performed within the transmit and receive FIFOs on a frame basis.

CC2420 also includes stand-alone AES encryption, in which one 128 bit plaintext is encrypted to a 128 bit ciphertext.

The SAES, STXENC and SRXDEC command strobes are used to start security operations in CC2420 as will be described in the following sections. The ENC_BUSY status bit (see Table 5) may be used to monitor when a security operation has been completed. Security command strobes issued while the security engine is busy will be ignored, and the ongoing operation will be completed.

Table 6 on page 31 shows the CC2420 RAM memory map, including the security related data located from addresses 0x100 through 0x15F. RAM access (see the RAM access section on page 29) is used to write or read the keys, nonces and stand-alone buffer. All security related data is stored little-endian, i.e. the least significant byte is transferred first over the SPI interface during RAM read or write operations.

For a complete description of IEEE 802.15.4 MAC security operations, please refer to [1].

21.1 Keys

All security operations are based on 128 bit keys. The CC2420 RAM space has storage space for two individual keys (KEY0 and KEY1). Transmit, receive and stand-alone encryption may select one of these two keys individually in the SEC_TXKEYSEL, SEC_RXKEYSEL and SEC_SAKEYSEL control bits (SECCTRL0).

As can be seen from Table 6 on page 31, KEY0 is located from address 0x100 and KEY1 from address 0x130.

A way of establishing the keys used for encryption and authentication must be decided for each particular application. IEEE 802.15.4 does not define how this is done; it is left to the higher layer of the protocol.

ZigBee uses an Elliptic Curve Cryptography (ECC) based approach to establish keys. For PC based solutions, more processor intensive solutions such as Diffie-Hellman may be chosen. Some applications may also use pre-programmed keys, e.g. for remote keyless entry where the key and lock are delivered in pairs. A push-button approach for loading keys may also be selected.

21.2 Nonce / counter

The receive and transmit nonces used for encryption / decryption are located in RAM from addresses 0x110 and 0x140 respectively. They are both 16 bytes.

The nonce must be correctly initialized before receive or transmit CTR or CCM operations are started. The format of the nonce is shown in Table 7. The block counter must be set to 1 for compliance with [1]. The key sequence counter is controlled by a layer above the MAC layer. The frame counter must be increased for each new frame by the MAC layer. The source address is the 64 bit IEEE address.

1 byte | 8 bytes        | 4 bytes       | 1 byte               | 2 bytes
Flags  | Source Address | Frame Counter | Key Sequence Counter | Block Counter

Table 7. IEEE 802.15.4 Nonce [1]

The block counter bytes are not updated in RAM, only in a local copy that is reloaded for each new in-line security operation. I.e. the block counter part of the nonce does not need to be rewritten. The CC2420 block counter should be set to 0x0001 for compliance with [1].
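Added example (not from the datasheet or from TI code): packing the Table 7 nonce for a RAM write and advancing the frame counter without letting it wrap. It assumes Table 7 lists the fields from the most significant byte (flags) to the least significant (block counter) and that the source address array holds its most significant byte first; the struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16

/* Table 7 fields; struct and function names are this example's, not TI's. */
typedef struct {
    uint8_t  flags;            /* chosen by the application */
    uint8_t  src_addr[8];      /* 64-bit IEEE address, MSB first (assumption) */
    uint32_t frame_counter;    /* increased by the MAC for each new frame */
    uint8_t  key_seq_counter;  /* owned by the layer above the MAC */
} nonce_fields_t;

/* Pack in Table 7 order (flags ... block counter), then reverse so out[0]
 * is the least significant byte, i.e. the first byte sent over SPI. */
void nonce_pack_lsb_first(const nonce_fields_t *n, uint8_t out[NONCE_LEN])
{
    uint8_t t[NONCE_LEN];
    t[0] = n->flags;
    memcpy(&t[1], n->src_addr, 8);
    for (int i = 0; i < 4; i++)
        t[9 + i] = (uint8_t)(n->frame_counter >> (8 * (3 - i)));
    t[13] = n->key_seq_counter;
    t[14] = 0x00; t[15] = 0x01;   /* block counter = 0x0001 */
    for (int i = 0; i < NONCE_LEN; i++)
        out[i] = t[NONCE_LEN - 1 - i];
}

/* Advance to the next frame. Returns -1 instead of wrapping, because a
 * wrapped counter would repeat a nonce under the same key. */
int nonce_next_frame(nonce_fields_t *n)
{
    if (n->frame_counter == UINT32_MAX)
        return -1;             /* caller must change key or key sequence counter */
    n->frame_counter++;
    return 0;
}

int main(void)
{
    /* Constructed sample values; buf is what would be written from 0x140. */
    nonce_fields_t n = { 0x09, {0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8}, 5, 0x02 };
    uint8_t buf[NONCE_LEN];
    nonce_pack_lsb_first(&n, buf);
    for (int i = 0; i < NONCE_LEN; i++)
        printf("%02X ", buf[i]);
    return 0;
}
```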

CC2420 gives the user full flexibility in selecting the flags for both nonces. The

SWRS041B

Page 45 of 89
