LoRaWAN security is built around the following principles: low power consumption, low implementation complexity, low cost, and high scalability. Security must be future-proof since devices are deployed in the field for lengthy periods of time. Besides supporting all LoRaWAN device classes, LoRaWAN versions and regional parameters, The Things Stack also supports all security mechanisms defined by the LoRa Alliance. This article will look into the basic LoRaWAN security measures that The Things Stack follows.
The Things Stack supports two LoRaWAN device activation methods: Activation by Personalization (ABP) and Over-the-Air Activation (OTAA). OTAA is the preferred activation method for end devices, as it provides a higher level of security. For OTAA, the root keys must be stored securely in the LoRaWAN end device, and the same root keys must be available on the network side at the Join Server (included in The Things Stack).
The Join Server provides secure and trusted storage for root keys, generates session keys (derived from the root keys) and handles the LoRaWAN join procedure to activate the end device. The Things Stack offers its own network-agnostic Join Server, but other join servers can be used as well, so there is no vendor lock-in.
The Things Stack supports all LoRaWAN security mechanisms, such as mutual authentication, data origin authentication and integrity protection, replay protection, and MAC command encryption. All of these procedures are based on the Advanced Encryption Standard (AES) and use cryptographic keys (root keys and session keys) and algorithms.
- Mutual authentication - The join procedure establishes mutual authentication between an end device and the network. This means that only authorized end devices can join The Things Stack network.
- Origin authentication and integrity protection - The AES-CMAC (Cipher-based Message Authentication Code) mode of operation is used for computing the message integrity code (MIC) between the end device and The Things Stack. This ensures that only the authorized parties holding the integrity keys can generate valid data messages, which prevents spoofing, and it allows data messages to be validated against malicious modification.
- Replay attack prevention - The Things Stack uses frame counters to ensure that the receiver does not accept previously received data messages.
- MAC commands encryption - The AES-CCM (chaining message authentication code) mode of operation is used for encryption of MAC commands exchanged between the end device and The Things Stack Network Server. This ensures that only the authorized parties holding the decryption keys can read the MAC commands, which prevents eavesdropping (listening in).
- Application payload encryption - The application payload that is exchanged between the end device and The Things Stack Application Server is also encrypted. This ensures that only the authorized parties holding the decryption keys can read the application data, which prevents eavesdropping.
Besides these measures, The Things Stack provides some additional security mechanisms:
- Rekeying - The Things Stack allows OTAA device sessions to be rekeyed.
- Secure elements - Secure elements provide tamper-proof storage that protects root keys against physical threats, making them extremely difficult for malicious users to extract. The Things Industries and Microchip developed ATECC608A/B, a solution that uses secure elements and is pre-provisioned for The Things Stack.
- Firmware update over the air (FUOTA) - Secure FUOTA is enabled by signed and integrity-protected multicast delivery and unicast commands.
- Secure backend - The Things Stack backend includes elements such as the Network Server, Join Server and Application Server. Secure communication between these components is carried out using technologies like Hypertext Transfer Protocol Secure (HTTPS) and Virtual Private Network (VPN).
Watch the videos of Johan Stokking, co-founder and CTO of The Things Industries, explaining LoRaWAN security.
*LoRaWAN® is a mark used under license from the LoRa Alliance®.*