XBee®/XBee‐PRO® ZB SMT RF Modules
Enabling Security
To enable security on a device, the EE command must be set to 1. If the EE command value is changed and
changes are applied (e.g. AC command), the XBee module will leave the network (PAN ID and channel) it was
operating on, and attempt to form or join a new network.
If EE is set to 1, all data transmissions will be encrypted with the network key. When security is enabled, the
maximum number of bytes in a single RF transmission will be reduced. See the NP command for details.
Note: The EE command must be set the same on all devices in a network. Changes to the EE command should
be written to non-volatile memory (to be preserved through power cycle or reset events) using the WR
command.
Setting the Network Security Key
The coordinator must select the network security key for the network. The NK command (write-only) is used to
set the network key. If NK=0 (default), a random network key will be selected. (This should suffice for most
applications.) Otherwise, if NK is set to a non-zero value, the network security key will use the value specified
by NK. NK is only supported on the coordinator.
Routers and end devices with security enabled (ATEE=1) acquire the network key when they join a network.
They will receive the network key encrypted with the link key if they share a pre-configured link key with the
coordinator. See the following section for details.
Setting the APS Trust Center Link Key
The coordinator must also select the trust center link key, using the KY command. If KY=0 (default), the
coordinator will select a random trust center link key (not recommended). Otherwise, if KY is set to a non-zero
value, this value will be used as the pre-configured trust center link key. KY is write-only and cannot be read.
Note: Application link keys (sent between two devices where neither device is the coordinator) are not
supported in ZB firmware at this time.
Random Trust Center Link Keys
If the coordinator selects a random trust center link key (KY=0, default), then it will allow devices to join
the network without having a pre-configured link key. However, this will cause the network key to be sent
unencrypted over-the-air to joining devices and is not recommended.
Pre-configured Trust Center Link Keys
If the coordinator uses a pre-configured link key (KY > 0), then the coordinator will not send the network
key unencrypted to joining devices. Only devices with the correct pre-configured link key will be able to join
and communicate on the network.
Enabling APS Encryption
APS encryption is an optional layer of security that uses the link key to encrypt the data payload. Unlike network
encryption, which is decrypted and re-encrypted at every hop, APS encryption is only decrypted by the
destination device. The XBee must be configured with security enabled (EE set to 1) to use APS encryption.
APS encryption can be enabled in API mode on a per-packet basis. To enable APS encryption for a given
transmission, the "enable APS encryption" transmit options bit should be set in the API transmit frame. Enabling
APS encryption decreases the maximum payload size by 9 bytes.
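As an added example (not code from the Digi manual), the following Python builds an API-mode Transmit Request with the "enable APS encryption" transmit option set and checks the payload against the NP budget minus the 9-byte APS overhead before the frame is sent. The frame type 0x10, the option bit value 0x20 and the address field layout are assumed from the XBee ZB API frame format and are not quoted on this page; the NP value is passed in by the caller.

```python
"""Build and validate an XBee ZB API Transmit Request with APS encryption.

Added example. Frame type 0x10, option bit 0x20 and the field layout are
assumed from the XBee ZB API frame format (not quoted on this page).
"""

START_DELIMITER = 0x7E
FRAME_TYPE_TX_REQUEST = 0x10      # ZB Transmit Request frame type (assumed)
TX_OPTION_APS_ENCRYPTION = 0x20   # "enable APS encryption" option bit (assumed)
APS_ENCRYPTION_OVERHEAD = 9       # bytes lost from the max payload when APS is on


def checksum(frame_data: bytes) -> int:
    """API-mode checksum: 0xFF minus the low byte of the sum of the frame data."""
    return 0xFF - (sum(frame_data) & 0xFF)


def build_tx_request(frame_id, dest64, dest16, payload, aps_encrypt, max_payload):
    """Return a complete API frame, or raise if the payload exceeds the budget.

    max_payload is the value the NP command reports with EE=1; enabling APS
    encryption costs a further 9 bytes of that budget.
    """
    budget = max_payload - (APS_ENCRYPTION_OVERHEAD if aps_encrypt else 0)
    if len(payload) > budget:
        raise ValueError(f"payload is {len(payload)} bytes, budget is {budget}")
    options = TX_OPTION_APS_ENCRYPTION if aps_encrypt else 0x00
    frame_data = (bytes([FRAME_TYPE_TX_REQUEST, frame_id])
                  + dest64.to_bytes(8, "big")      # 64-bit destination address
                  + dest16.to_bytes(2, "big")      # 16-bit network address
                  + bytes([0x00, options])         # broadcast radius, options
                  + payload)
    return (bytes([START_DELIMITER]) + len(frame_data).to_bytes(2, "big")
            + frame_data + bytes([checksum(frame_data)]))


def parse_frame(frame: bytes):
    """Validate delimiter, length and checksum; return (type, options, payload)."""
    if frame[0] != START_DELIMITER:
        raise ValueError("bad start delimiter")
    length = int.from_bytes(frame[1:3], "big")
    frame_data = frame[3:3 + length]
    if len(frame_data) != length or frame[3 + length] != checksum(frame_data):
        raise ValueError("length or checksum mismatch")
    return frame_data[0], frame_data[13], frame_data[14:]
```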
Using a Trust Center
The EO command can be used to define the coordinator as a trust center. If the coordinator is a trust center, it
will be alerted to all new join attempts in the network. The trust center also has the ability to update or change
the network key on the network.
In ZB firmware, a secure network can be established with or without a trust center. Network and APS layer
encryption are supported whether or not a trust center is used.
© 2010 Digi International, Inc.