Security on the XBee

If you enable security in the XBee Zigbee firmware, devices acquire the network key when they join a network. Data transmissions are always encrypted with the network key, and can optionally be end-to-end encrypted with the APS link key.

Enable security

To enable security on a device, the Encryption Enable (EE) parameter must be set to 1. When the parameter value changes, the XBee module leaves the network (PAN ID and channel) it was operating on and attempts to form or join a new network. If you set EE to 1, all data transmissions are encrypted with the network key.

Note The EE parameter must be set the same on all devices in a network.

Set the network security key

The coordinator selects the network security key for the network using the Network Encryption Key (NK) parameter (write-only). If NK=0 (default), the coordinator selects a random network key. Otherwise, if you set NK to a non-zero value, it uses this value as the network security key.

NK is only supported on the coordinator. Routers and end devices with security enabled (EE=1) acquire the network key when they join a network. They receive the network key encrypted with the link key if they share a preconfigured link key with the coordinator.

Set the APS trust center link key

The coordinator must also select the trust center link key, using the Encryption Key (KY) parameter (write-only). If KY=0 (default), the coordinator selects a random trust center link key (not recommended). Otherwise, if you set KY greater than 0, the module uses this value as the preconfigured trust center link key.

If the coordinator selects a random trust center link key (KY=0, default), then it allows devices to join the network without having a preconfigured link key. However, this sends the network key unencrypted over the air to joining devices and is not recommended.

If the coordinator uses a preconfigured link key (KY > 0), then the coordinator will not send the network key unencrypted to joining devices. Only devices with the correct preconfigured link key are able to join and communicate on the network.

Enable APS encryption

APS encryption is an optional layer of security that uses the link key to encrypt the data payload. Unlike network encryption that is decrypted and encrypted on a hop-by-hop basis, APS encryption is only decrypted by the destination device. The XBee must be configured with security enabled (EE set to 1) to use APS encryption.

APS encryption can be enabled in API firmware on a per-packet basis. To enable APS encryption for a given transmission, set the "enable APS encryption" transmit options bit in the API transmit frame. Enabling APS encryption decreases the maximum payload size by nine bytes.
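As an added example (not code from Digi's documentation), here is how an API-mode host builds a Zigbee Transmit Request with the "enable APS encryption" option bit set, validates the frame on the way back, and applies the nine-byte payload reduction. The 0x10 frame type, the 0x20 option bit, the 0xFFFE unknown-16-bit-address value and the checksum rule are assumed from the XBee API frame format; the destination address and payload are constructed.

```python
# Added example: XBee Zigbee Transmit Request (0x10) with APS encryption.
# Assumed from the XBee API frame format: 0x7E start delimiter, 0x10 frame
# type, 0x20 "enable APS encryption" option bit, 0xFFFE unknown 16-bit
# address, checksum = 0xFF - (sum of frame data & 0xFF).

START_DELIMITER = 0x7E
FRAME_TYPE_TX_REQUEST = 0x10
TX_OPT_ENABLE_APS_ENCRYPTION = 0x20   # only honoured when EE=1 on the module
UNKNOWN_16BIT_ADDR = 0xFFFE
APS_ENCRYPTION_OVERHEAD = 9           # payload bytes lost when APS is enabled


def checksum(frame_data: bytes) -> int:
    """XBee API checksum: 0xFF minus the low byte of the frame-data sum."""
    return 0xFF - (sum(frame_data) & 0xFF)


def build_tx_request(frame_id: int, dest64: int, payload: bytes,
                     aps_encrypt: bool = True, radius: int = 0) -> bytes:
    """Return a complete API frame; aps_encrypt sets the 0x20 options bit."""
    options = TX_OPT_ENABLE_APS_ENCRYPTION if aps_encrypt else 0x00
    frame_data = (bytes([FRAME_TYPE_TX_REQUEST, frame_id])
                  + dest64.to_bytes(8, "big")
                  + UNKNOWN_16BIT_ADDR.to_bytes(2, "big")
                  + bytes([radius, options])
                  + payload)
    length = len(frame_data).to_bytes(2, "big")
    return bytes([START_DELIMITER]) + length + frame_data + bytes([checksum(frame_data)])


def parse_tx_request(frame: bytes) -> dict:
    """Validate delimiter, length and checksum, then return the 0x10 fields."""
    if not frame or frame[0] != START_DELIMITER:
        raise ValueError("bad start delimiter")
    length = int.from_bytes(frame[1:3], "big")
    frame_data = frame[3:3 + length]
    if len(frame) < 4 + length or frame[3 + length] != checksum(frame_data):
        raise ValueError("length/checksum mismatch")
    if frame_data[0] != FRAME_TYPE_TX_REQUEST:
        raise ValueError("not a Transmit Request frame")
    options = frame_data[13]   # type, id, 8-byte dest, 2-byte dest, radius, options
    return {
        "frame_id": frame_data[1],
        "dest64": int.from_bytes(frame_data[2:10], "big"),
        "aps_encrypted": bool(options & TX_OPT_ENABLE_APS_ENCRYPTION),
        "payload": frame_data[14:],
    }


def max_payload(np_value: int, aps_encrypt: bool) -> int:
    """Largest RF payload: the module's NP value, minus nine bytes with APS on."""
    return np_value - APS_ENCRYPTION_OVERHEAD if aps_encrypt else np_value
```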

Use a trust center

Use the Encryption Options (EO) parameter to define the coordinator as a trust center. If the coordinator is a trust center, it receives alerts for all new join attempts in the network. The trust center also has the ability to update or change the network key on the network.

How to update the network key with a trust center

If the trust center has started a network and the NK value changes, the coordinator updates the network key on all devices in the network. Changes to NK will not force the device to leave the network. The network continues to operate on the same channel and PAN ID, but the devices in the network update their network key, increment their network key sequence number, and restore their frame counters to 0.

How to update the network key without a trust center

If the coordinator is not running as a trust center, the Network Reset (NR1) command can be used to force all devices in the network to leave the current network and rejoin the network on another channel. When devices leave and re-form the network, the frame counters are reset to 0. This approach causes the coordinator to form a new network that the remaining devices should join. Resetting the network in this manner brings the coordinator and routers in the network down for about ten seconds, and causes the 16-bit PAN ID and 16-bit addresses of the devices to change.

In Zigbee firmware, a secure network can be established with or without a trust center. Network and APS layer encryption are supported regardless of whether a trust center is used.