Smart Energy Security Types - SE security Full vs SE security Test

by Star Employee machatta, 09-18-2017 10:13 AM - edited 10-19-2017 03:06 AM

Smart Energy (SE) security is based on certificate-based key establishment (CBKE) using elliptic-curve cryptography (ECC). This includes the ECC 163k1 curve used by Smart Energy 1.0 and 1.1, as well as the ECC 283k1 curve used by Smart Energy 1.2.

 

Smart Energy 1.0 utilized an ECC 163k1 curve with a 48-byte certificate format. All certified devices are required to support this. Smart Energy 1.2 introduces a new curve, ECC 283k1, and a 74-byte certificate format. Smart Energy 1.2 devices must support the existing 163k1 ECC curve and may also support the new 283k1 curve.

 

There are two Smart Energy security settings, which you can select from the Znet Stack tab as follows:


a) If you are using unique, per-device link keys based on installation codes for joining devices, as should be the case for production deployments, set the Security option to "Smart Energy Security full (compliant)" and enable the Install Code Library plugin.


b) If you are using a single, global link key for all devices to join, as is often used in development/testing scenarios to reduce complexity, set the Security option to "Smart Energy Security test".

 

If you have selected the "Smart Energy Security full" option, you will need to flash install codes onto the joining devices: follow section 3.4 of AN714 for EM35x and section 3.5 of AN714 for EFR32.

  

On the coordinator, you can use the CLI command "option install-code" to add the link key derived from a device's install code.

 

Example:

option install 0 {00 21 ED 00 00 00 00 52} {24 AA A3 D7 DC 53 50 D6}

 

Where

index in link key table = 0

End device EUI = 00 21 ED 00 00 00 00 52

End device install code = 24 AA A3 D7 DC 53

Install code CRC = 50 D6 (entered low byte first; the actual CRC is 0xD650)

 

Confirm that the proper key table entry now exists and is displayed in the output of the "keys print" command at the trust center.
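A mistyped install code or a byte-swapped CRC yields a link key that no device will ever match, so it is worth checking the code before it is entered on the trust center. The following is an added example, not Silicon Labs code: it assumes the Zigbee install-code CRC is CRC-16/X-25 appended low byte first (which reproduces the 0xD650 value above) and that install codes are 6, 8, 12 or 16 bytes long; the function names are hypothetical.

```python
"""Validate a Smart Energy install code before adding it on the trust center."""

VALID_CODE_LENGTHS = (6, 8, 12, 16)  # assumed install code sizes in bytes, CRC excluded


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: reflected poly 0x1021 (0x8408), init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def parse_hex(text: str) -> bytes:
    """Accept '24 AA A3', '{24 AA A3}' or '24AAA3'."""
    return bytes.fromhex(text.strip().strip("{}").replace(" ", ""))


def check_install_code(code_with_crc: bytes) -> bool:
    """True when the length is legal and the trailing CRC (low byte first) matches."""
    code, crc_bytes = code_with_crc[:-2], code_with_crc[-2:]
    if len(code) not in VALID_CODE_LENGTHS:
        return False
    return crc16_x25(code) == int.from_bytes(crc_bytes, "little")


def install_code_cli(index: int, eui64: str, code_with_crc: str) -> str:
    """Build the CLI line in the format shown above; raise on a bad EUI or code."""
    eui, code = parse_hex(eui64), parse_hex(code_with_crc)
    if len(eui) != 8:
        raise ValueError("EUI64 must be 8 bytes")
    if not check_install_code(code):
        raise ValueError("install code length or CRC is wrong")

    def fmt(raw: bytes) -> str:
        return "{" + " ".join(f"{b:02X}" for b in raw) + "}"

    return f"option install {index} {fmt(eui)} {fmt(code)}"


if __name__ == "__main__":
    # EUI and install code taken from the example above.
    print(install_code_cli(0, "00 21 ED 00 00 00 00 52", "24 AA A3 D7 DC 53 50 D6"))
```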