Zigbee Certificate-Based Key Establishment (CBKE)

1. Introduction

The Zigbee Smart Energy (SE) profile is a framework specifically designed for energy management applications. Devices following the SE profile can interoperate in energy management systems, providing utilities and consumers with tools to monitor and optimize energy usage. Because of the type of data and control within the SE network, application security is a key requirement. Applications use link keys, which are optional in the ZigBee and ZigBee Pro stack profiles but required within an SE network.

2. Installation Code

During the manufacturing process, a random Installation Code is created for each SE device. The associated Pre-configured Link Key is derived from it using the Matyas-Meyer-Oseas (MMO) hashing function and programmed into the device.
More information about the Installation Code can be found in "Zigbee Install Code".
The link keys of the devices that need to join the network should be added to the Trust Center using the following API:

 /* On Trust Center, add a TC Link Key derived from the given install code */
 ZbSecAddDeviceLinkKeyByInstallCode(stZigbeeAppInfo.pstZigbee, dlPartnerExtendedAdress,
                                    (uint8_t *)szLinkKeyInstallCode, ZB_SEC_KEYSIZE + 2);

3. Zigbee Key Establishment (ZKE) cluster

The ZKE cluster manages secure communication in Zigbee. It is used to establish a shared secret key between two devices, which can then be used to encrypt and decrypt messages exchanged between them.
The ZKE cluster uses a combination of asymmetric and symmetric key cryptography to establish and distribute keys. At the end of the process, both nodes hold the same shared secret key.
A key agreement scheme is the process of establishing the shared secret key without sending it over the air. It takes place between an Initiator, which starts the process, and a Responder.
There are 2 types of key agreement:

  • Symmetric Key Key Establishment (SKKE).
  • Public Key Key Establishment (PKKE).

PKKE involves the exchange of public keys, which can be static (long-term) or ephemeral (temporary), to mutually authenticate devices and establish a shared secret key for secure communications.
The device's static public key can be transported independently, which relies on implicit trust, or as part of an implicit certificate signed by a Certificate Authority (CA); the latter is called Certificate-Based Key Establishment (CBKE). In Zigbee Smart Energy, CBKE is a critical component for ensuring that the devices are who they claim to be.
The following figure illustrates the 5 steps of the PKKE process.

  1. Assuming that static keys are exchanged

[Figure: General Exchange for PKKE]

4. Certificate-Based Key Establishment (CBKE)