XBee®/XBee‐PRO® ZB SMT RF Modules
Trust Center
ZigBee defines a trust center device that is responsible for authenticating devices that join the network. The
trust center also manages link key distribution in the network.
Forming and Joining a Secure Network
The coordinator is responsible for selecting a network encryption key. This key can either be preconfigured or
randomly selected. In addition, the coordinator generally operates as a trust center and must therefore select
the trust center link key. The trust center link key can also be preconfigured or randomly selected.
Devices that join the network must obtain the network key when they join. When a device joins a secure
network, the network and link keys can be sent to the joining device. If the joining device has a pre-configured
trust center link key, the network key will be sent to the joining device encrypted by the link key. Otherwise, if
the joining device is not pre-configured with the link key, the device could only join the network if the network
key is sent unencrypted (“in the clear”). The trust center must decide whether or not to send the network key
unencrypted to joining devices that are not pre-configured with the link key. Sending the network key
unencrypted is not recommended as it can open a security hole in the network. To maximize security, devices
should be pre-configured with the correct link key.
Implementing Security on the XBee
If security is enabled in the XBee ZB firmware, devices acquire the network key when they join a network. Data
transmissions are always encrypted with the network key, and can optionally be end-to-end encrypted with the APS
link key. The following sections discuss the security settings and options in the XBee ZB firmware.
© 2010 Digi International, Inc.
70