Newbie security questions

I read on a website (sorry, can’t remember which one) that said if you have the NwkSKey then you have control over the network. That’s a mistake right? Having the NwkSKey only gives you decryption between one end node and the network?

If that happens (someone got the NwkSKey of one of my nodes), could a new NwkSKey be generated by just doing another OTAA join?

Is it OK to have the DevEUI printed on a sticker on an end node? Will having this value make it easier to figure out the encryption keys?

Some poorly written website articles about LoRaWAN security state that many end nodes are not safe because they have default values written for their keys. Unfortunately these articles are poorly written and are written without any technical context. What values are they talking about, the AppKey, AppEUI and DevEUI? All 3 should be fairly random, right?

Thanks

That is right. However in the early days some networks used the same NwkSKey for all nodes.

Yes. New session keys are generated during OTAA join. Both network and application session keys.

That is no problem. That value has no relation to the active encryption keys whatsoever. It is just one of the identifiers used when looking up the AppKey. The DevEUI is also transmitted unencrypted during a join, not something that would be done with sensitive information.

The AppKey should be totally random. The two EUIs should not be totally random, they need to be part of the EUI space registered by the vendor. The DevEUI should be unique and only assigned to that one device. (EUI space is governed by IEEE, vendors can register/buy a block of identifiers for their usage)

2 Likes
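Added example, not part of the original posts: a Go sketch of the OTAA session key derivation, assuming LoRaWAN 1.0.x, where each session key is one AES-128 block encryption under the AppKey of a prefix byte plus the join nonces. It shows why a rejoin with fresh nonces yields new NwkSKey and AppSKey values and why the DevEUI plays no part; the type and function names are illustrative and the sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// JoinParams holds the values exchanged in one OTAA join, in on-air byte order.
type JoinParams struct {
	AppNonce [3]byte // chosen by the network, sent in the join-accept
	NetID    [3]byte // network identifier, sent in the join-accept
	DevNonce [2]byte // chosen by the device, sent in the join-request
}

// kdfInput builds prefix | AppNonce | NetID | DevNonce | zero pad (no DevEUI).
func kdfInput(prefix byte, p JoinParams) (b [16]byte) {
	b[0] = prefix
	copy(b[1:4], p.AppNonce[:])
	copy(b[4:7], p.NetID[:])
	copy(b[7:9], p.DevNonce[:])
	return b
}

// SessionKeys derives NwkSKey (prefix 0x01) and AppSKey (prefix 0x02) by
// encrypting the input block with the AppKey in a single AES-128 operation.
func SessionKeys(appKey [16]byte, p JoinParams) (nwkSKey, appSKey [16]byte, err error) {
	c, err := aes.NewCipher(appKey[:])
	if err != nil {
		return nwkSKey, appSKey, err
	}
	in1, in2 := kdfInput(0x01, p), kdfInput(0x02, p)
	c.Encrypt(nwkSKey[:], in1[:])
	c.Encrypt(appSKey[:], in2[:])
	return nwkSKey, appSKey, nil
}

func main() {
	// Constructed sample values, not taken from any real device or network.
	appKey := [16]byte{0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe, 1, 2, 3, 4, 5, 6, 7, 8}
	first := JoinParams{AppNonce: [3]byte{0xa1, 0xb2, 0xc3}, NetID: [3]byte{0x13}, DevNonce: [2]byte{0x01, 0x00}}
	rejoin := JoinParams{AppNonce: [3]byte{0x4d, 0x5e, 0x6f}, NetID: [3]byte{0x13}, DevNonce: [2]byte{0x02, 0x00}}
	for i, p := range []JoinParams{first, rejoin} {
		nwk, app, err := SessionKeys(appKey, p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("join %d: NwkSKey=%x AppSKey=%x\n", i+1, nwk[:], app[:])
	}
}
```

Everything except the AppKey in this derivation travels over the air during the join, so the secrecy of both session keys rests on the AppKey alone.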