LoRaWAN® Is Secure (but Implementation Matters)

Securing an Internet of Things (IoT) deployment and keeping it safe and secure is not only a matter of choosing the right protocol, it relies on the implementation process as well as embracing best practices and industry standards. ---LoRa Alliance. 

LoRaWAN® is by design very secure—authentication and encryption are, in fact, mandatory—but networks and devices can be compromised if security keys are not kept safe, not randomized across devices or if cryptographic numbers used once (nonces) are reused, as is shown by numerous blog posts.

The LoRa Alliance has always kept security front and center in its development of the LoRaWAN® specification and has been highly transparent about the protocol’s security features (see Figure 1). The LoRaWAN® specification has been designed from the outset with security as an essential aspect, providing state-of-the-art security properties that meet the needs of highly scalable low-power IoT networks. Unlike many other IoT technologies, the LoRaWAN® specification already offers dedicated end-to-end encryption to application providers.

lorawan-is-secure-lora-alliance

Figure 1: LoRaWAN® Security Overview

 

The specification defines two layers of cryptography:

  • Using a unique 128-bit network session key shared between the end-device and network server
  • Using a unique 128-bit application session key (AppSKey) shared end-to-end at the application level

AES algorithms are used to provide authentication and integrity of packets to the network server and end-to-end encryption to the application server. By providing these two levels, it becomes possible to implement “multitenant” shared networks without the network operator having visibility of the users’ payload data. The devices can be activated by Personalization on the production line or during commissioning or can be over the air-activated (OTAA) in the field. OTAA allows device sessions to be rekeyed if necessary.

LoRaWAN® has all the fundamental building blocks required and used by any modern wireless communications technology, and does so at AES-128 strength. LoRaWAN®’s inherent security, as provided in the specification, needs to be accompanied by secure implementation and secure deployment of these devices and/or networks to maintain the protocol’s built-in security mechanisms. It should be pointed out that this is true of all secure device implementations using any communication technology.

As stated above, LoRaWAN® relies on symmetric cryptography, which requires sharing keys in a safe and secure way. To further aid with this process, LoRa Alliance members have developed:

  • LoRaWAN® backend interfaces that isolate the storage of root keys in the join server, so that becomes a trusted player, regardless of network
  • Secure element solutions that provide additional hardware physical protection against tampering

To ensure device and network security, as with any technology, the best practice is always to use certified devices and work with proven and trusted service providers. LoRaWAN® is no different, and end-users can be confident in their deployment if they leverage resources that know how to correctly implement LoRaWAN® solutions.

Security is a constantly moving target, with malicious actors continuously appearing, and LoRaWAN® is always evolving to meet any new threats as well. Though LoRaWAN® is inherently secure, the LoRa Alliance is constantly reviewing, designing and implementing security enhancements and best practices to ensure LoRaWAN® stays ahead of the changing security landscape.

As such, and to assist the market in choosing the right implementation, the LoRa Alliance will publish a Recommended Practices document in the next month that will provide best practices for device makers to keep their devices secure. In addition, the Security Working Group, reporting to the LoRa Alliance Technical Committee responsible for the LoRaWAN® specification, continuously reviews security aspects of technical specifications and documents. The Security Working Group consists of security experts from the LoRa Alliance membership and works with academia to review papers and discuss security challenges.

As such, and to assist the market in choosing the right implementation, the LoRa Alliance will publish a Recommended Practices document in the next month that will provide best practices for device makers to keep their devices secure. In addition, the Security Working Group, reporting to the LoRa Alliance Technical Committee responsible for the LoRaWAN® specification, continuously reviews security aspects of technical specifications and documents. The Security Working Group consists of security experts from the LoRa Alliance membership and works with academia to review papers and discuss security challenges.

 

LoRa Alliance®, LoRaWAN® and LoRaWAN® CertifiedCM are registered trademarks.

Source: LoRa Alliance

https://lora-alliance.org/resource-hub/lorawanr-secure-implementation-matters

If you are interested in Milesight, please leave us a message.

Verify Code

Contact Us

Contact Us

Verify Code

Contact Us to Get More Information