Zigbee Security Architecture and Fundamentals

Imagine a home where the lights turn on when you enter and the thermostat automatically adjusts the temperature. This is the reality that Zigbee offers – a wireless network that seamlessly controls the smart devices in your home.

But how does this invisible “thread” work? And how safe is it? In this article, we will look at the basic concepts of Zigbee, its architecture and technological characteristics, and also dive into the main mechanisms for ensuring its security.

Introduction

Zigbee is a wireless communications standard designed to create networks that are low-power, scalable, and reliable. This technology, based on the IEEE 802.15.4 standard protocol, is designed for communication between devices in various fields, including smart home, industrial and medical applications.

Zigbee came about as part of an idea to create a network for low-power devices that could communicate with each other without the use of wires. Initially, its development was closely related to the IEEE 802.15.4 standard, which was responsible for wireless networks in general.

In 2002, the Zigbee Alliance (now known as the Connectivity Standards Alliance) was formed to promote and standardize Zigbee. On June 13, 2005, the first protocol specification was released, which became known as the ZigBee 2004 Specification, and products based on it began to appear on the market. Since then, Zigbee has grown and improved, with new versions appearing, each making it more reliable, secure, and flexible. For example, Zigbee PRO (2007) made the network more resistant to interference, and Zigbee 3.0 (2015) added the ability to connect directly to the Internet.

However, as the popularity of the technology grows, so do the risks associated with its use. Every new connected device can potentially become an entry point for attackers.

Zigbee Review

All devices in a Zigbee network can be divided into three types: coordinator, routers and end (user) devices – each of them plays its own role.

Coordinator – This is the brain, the administrator of the entire network. It establishes communication between devices and allows them to be controlled, determines on which channel communication will take place, and also initializes and transmits messages between devices. It is important to note that there can only be one coordinator per network. The Zigbee Coordinator can also connect to other networks, including Wi-Fi. This usually happens through integration with smart hubs or gateways that can act as a bridge between Zigbee and other protocols.

Routers (routers) help expand the network range and provide communication between the coordinator and end devices. They receive and distribute messages intended for end devices.

End devices perform specific tasks and interact with the user or environment. They can communicate with each other using routers and have just enough information about the network device to communicate with the nearest router or coordinator. A key feature of endpoints is their typically low power consumption, as they are capable of entering sleep mode to conserve resources. Examples of such devices include motion sensors, smart locks, light bulbs and much more.

Zigbee supports three options for organizing the network topology:

• Star: All devices are connected to a central node (coordinator). This is a simple and reliable topology, but it creates restrictions on the number of devices and range.

• Cluster tree: devices create a hierarchical structure with a central node, which is like the root of a tree. This is a more scalable topology than a star, but is more complex to set up.

• Mesh: This is the most flexible and reliable topology as it provides redundancy and fault tolerance.

The Zigbee network architecture consists of a combination of four layers, of which the lower two are defined by the IEEE 802.15.4 standard, and the upper two are defined by the Zigbee Alliance.

Physical layer responsible for the physical encoding and decoding of signals, determining how data is transmitted over a radio channel; it sets parameters such as transmission power, signal modulation, transmission frequency. Zigbee can operate in three frequency bands: 868 MHz (primarily in Europe), 915 MHz (USA and Australia), and 2.4 GHz (worldwide). However, we note that at the 2.4 GHz frequency, Wi-Fi and Zigbee can overlap and interfere with each other. To solve this problem, there is a function called Energy Detect, which will force Zigbee to select the channel that will create the least amount of interference.

MAC layer (Media Access Control) is responsible for access to the communication channel and control of data transfer, type of data packet (Beacon, Data, etc.), implements mechanisms for channel access (CSMA/CA), data flow control and error control.

The Data Frame encapsulates data from protocols operating at levels above IEEE 802.15.4. Let's look at what the header looks like (pay special attention to the Auxiliary Security Header, we'll return to it later):

Ack Frame is needed to confirm the received data:

To avoid collisions, data transmission can be carried out in Beacon mode: the coordinator distributes special messages, beacons, which are used to synchronize time between devices on the network and can contain information about the network state and channel load, which helps devices optimize energy consumption, allowing them “sleep” further and “wake up” only to receive the necessary notifications.

At the same level, a special network identifier PAN ID (Personal Area Network ID) is defined, separating one Zigbee network from another if they operate on the same channel. PAN ID is a 16-bit number (0 to 65535) that is set during network setup and stored in the internal memory of each device.

Network layer is responsible for routing data between devices on a network, determining the optimal path for data transfer.

Application layer provides an interface for applications that interact with the Zigbee network.

Benefits of Zigbee

Let's step back a little from the topic and try to answer a completely logical question: why do we need Zigbee if there are already wireless protocols such as Wi-Fi and Bluetooth?

Bluetooth is used for short-term communication between devices located a short distance from each other. It has a higher data transfer rate than Zigbee, but is much less energy efficient. Connecting a device to Bluetooth can take up to 10 seconds, and there can be no more than 7 devices on the network.

Wi-Fi is designed for higher speed communications over longer distances, and it also requires much more power than Zigbee. For a device to connect to the network, you need to wait up to 3 seconds; the maximum number of devices on the network is 32.

At the same time, connecting a device to a Zigbee network takes about 30 milliseconds, and there can be about 65,000 devices in total (in theory).

Zigbee security.

IEEE 802.15.4 and AES-128.

IEEE 802.15.4 uses the AES-128 (Advanced Encryption Standard) encryption algorithm with a key length of 128 bits (16 bytes). This key size ensures the security of an algorithm that has never been cracked. The choice of this algorithm is due to the availability of special hardware modules for its implementation on devices with limited resources. Also, this algorithm is used not only for encryption, but also for checking data integrity (Data Integrity), for which the Message Integrity Code (MIC) is used, which can be added to the sent message. The MIC is created by encrypting part of the 802.15.4 frame using the network key. If the resulting MIC does not match what is expected, the data has been modified. The MIC can be 0, 32, 64, or 128 bits long, which determines the probability that a randomly chosen value will be correct.

Let's take a closer look at the operating principle of AES-128. This is a symmetric block cipher algorithm that operates in blocks of 128 bits. That is, this algorithm takes 128 bits of plaintext and, using a 128-, 192-, or 256-bit encryption key, turns it into 128 bits of ciphertext. This algorithm is based on the SP network (Substitution-Permutation network): having the original block and the encryption key as input, it performs several successive cycles consisting of substitution stages and block rearrangement stages.

The S-box receives a block of input bits as input and one-to-one replaces it with a block of output bits, which receives the P-box, rearranges all the bits in it and again transmits it to the S-box. For each such round, a new round key is used, generated from the original one. If the original key contained 128 bits, then there will be 10 rounds in total.

At the very beginning of the algorithm, a 128-bit (or 16-byte) or padded block of source text is decomposed into a 4×4 matrix, each cell of which contains exactly one byte – this matrix (state) looks like this:

In this table, 0, 1, 2 and so on are the byte number.

At the first stage, the key turns into (n+1) keys, where n is the number of rounds. Thus, if the key initially consisted of 128 bits, then it is converted into 11 round keys for the algorithm to work. At the very beginning of encryption, we use the first round key and the original text and add them modulo 2 (XOR).

Let's consider the process that occurs within one round of encryption:

1. The SubBytes function replaces some bytes from the table with others (substitution);

2. The ShiftRows function shifts elements in each row of the matrix (permutation);

3. The MixColumns function mixes elements within a column (permutation) – not performed in the final round;

4. A round key is added.

To transform a key, the KeyExpansion function is used, which cyclically XORs the original key with keys from a fixed array Rcon.

The SubBytes function replaces each state element with the corresponding element of the special SBox table using the formula: s_ij = SBox[s_ij]. The SBox table itself is a 256-byte array. To access its element S, you need to calculate the return byte to S in the Galois field GF(2⁸) – b, and then do the following: S = b ⊕ (b <<< 1) ⊕ (b <<< 2) ⊕ (b <<< 3) ⊕ (b <<< 4) ⊕ 63₁₆. Otherwise:

The ShiftRows function performs permutations of row elements as follows: the first row of the state matrix (already modified after SubBytes) remains unchanged, the elements of the second row are shifted one position to the left, the third row – two positions to the left, the fourth row – three positions to the left.

Finally, the MixColumns function shuffles the elements within each column. Each column can be represented as a polynomial of the form b(x) = b₃x³ +b₂x² +b₁x+b₀and then this polynomial is multiplied by a(x) = 3x³ +x² + x + 2 modulo an irreducible polynomial m(x) = x⁴ + 1. All actions are performed in the Galois field GF(2).

Let's return to the MAC layer of the protocol: it can provide security for data transmission. When the third bit in the Frame Control field is 1, that is, the Security Enabled mode is activated, an additional Auxiliary Security Header appears, which sets the security level and activates a counter that allows you to exclude the simplest attacks. This header includes three fields:

• Security Control (1 byte) – determines the Security Level and the length of the MIC, that is, the Security Policy is set here;

• Frame Counter (4 bytes) is a special counter that performs two important functions:

  1. Replay Protection: This counter ensures that a user cannot reuse old frames to gain access to the network or change data. Each time the device sends a frame, the counter is incremented by one. The receiver checks the Frame Counter of incoming frames, and if the current value has already been encountered, the frame is discarded.

  2. ensuring the correct sequence of data transmission: the counter allows you to check that frames arrive in the correct order and without gaps.

Using the Security Level field belonging to the Security Control header, we can select the MIC length and other parameters:

Security Level determines how well the outgoing frame will be protected and how well the incoming frame was protected. This field also controls whether the payload will be encrypted, as well as the confidence level.

The Key ID Mode field specifies the type of key that will be used when communicating between the sender and recipient. Possible values:

• 0 – the key is specified implicitly, which is not specified in the message;

• 1, 2, 3 – the key is specified explicitly using the Key Index fields (allows you to identify different keys from the Key Source) and Key Source from the Key Identifier Field and can have different lengths depending on whether the value is 1, 2 or 3.

Thus, the design of the field containing the payload, Frame Payload (Fig. 4), depends on the configurations listed above. In other words, the IEEE 802.15.4 standard provides three levels of security:

1. AES-CTR: data is encrypted using a 128-bit AES key, and the counter sets unique message IDs and performs its functions described above;

2. AES-CBC-MIC: A MIC is added to the end of the payload field, the length of which is determined by the Security Level field;

3. AES-CCM: This layer is a mixture of the previous two.

Zigbee

Zigbee security mechanisms complement IEEE 802.15.4 by providing security at the Network and Application layers. In general, the security architecture of this protocol is an “open trust” model based on the following assumptions:

1. different applications running on the same device trust each other;

2. data between different parts of the software of the same device is not encrypted;

3. the device will not transfer security keys to other devices without the need and appropriate command;

4. data exchange between two different devices is cryptographically encrypted;

5. The hardware is protected from unauthorized access.

Next, we'll look at two different Zigbee security models.

The distributed model is the easiest to implement, but at the same time less reliable. The basic idea of ​​this model is that routers are responsible for authenticating end devices by initializing the network and generating a network key. End devices must know the pre-configured link key in order to be able to connect to the network. At the same time, the network key is the same for all devices on the network, which makes this model less secure.

In the centralized model, the coordinator is responsible not only for building and organizing the network, but also for security in it, being the “Trust Center”. His area of ​​responsibility includes authenticating devices on the network (adding new devices) and creating encryption keys for the Network and Application levels. Let's look at the types of keys defined in the Zigbee standard, all of them are 128 bits long and are also generated using AES-128:

1. Network Key – key used in broadcast communication format. It is generated regularly by the trust center and does not remain constant for a long time. When the trust center initiates a Network Key change, it broadcasts the new key, causing the Frame Counter on all devices to go to zero. Every new device that wants to connect to the network must first obtain this key.

2. Link Key (or Application Link Key) – keys, unique for each pair of devices, are used to encrypt message transmissions between them.

Let's see (for example, using Wireshark) how a new device is connected to the Zigbee network:

At the Network and Application levels, like the MAC layer, the Auxiliary NWK/APS Security Header appears if the corresponding Security field from Frame Control is set to 1 bit. They are arranged in a similar way.

In summary, Zigbee provides a sufficient level of security for most IoT applications, but it is important to consider specific security requirements when designing and deploying Zigbee systems, and it is worth remembering that no security system is completely impenetrable.