Wi-SUN Security#
Overview#
Wi-SUN FAN security mechanisms are built on widely used industry standards. Access control is based on IEEE 802.1X and IEEE 802.11i concepts, providing mutual authentication and establishment of a security association between the joining node and the PAN Border Router. Frame security uses AES-CCM* from IEEE 802.15.4, providing both data confidentiality and data authenticity.
Device Certificate#
Each Wi-SUN node has a secure identity based on a unique per-device X.509 certificate and its corresponding private key, using the Secure Device Identifier (DevID) concept from IEEE 802.1AR. Wi-SUN device certificates must adhere to the requirements in the table below.
X.509 w/ v3 Extensions#
Fields and Extensions | Value |
|---|---|
version | v3 |
serialNumber | an unique serial number |
signature | ecdsa-with-SHA256 |
issuer | copied from issuer's subject field |
notBefore | issuing time and date in UTC (GeneralizedTime) |
notAfter | 99991232235959Z (GeneralizedTime) |
subjectPublicKeyInfo | id-ecPublicKey, namedCurve secp256r1 |
signatureAlgorithm | ecdsa-with-SHA256 |
keyUsage | digitalSignature, keyAgreement |
extendedKeyUsage | clientAuth, id-kp-wisun-fan-device |
authorityIdentifier | only the keyIdentifier field |
subjectAltName | id-on-hardwareModuleName |
id-kp-wisun-fan-device#
In addition to clientAuth, all Wi-SUN device certificates must contain the id-kp-wisun-fan-device object identifier.
id-kp-wisun-fan-device OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) Wi-SUN (45605) FieldAreaNetwork(1) }
id-on-hardwareModuleName#
All Wi-SUN device certificates must contain one and only one alternative name of type OtherName of type id-on-hardwareModuleName. The sequence is specified in RFC4108.
HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }
hwType is an object identifier that, at a minimum, identifies the manufacturer's enterprise number (IANA) but may optionally be subtyped to contain manufacturer-specific information, such as the device model.
hwSerialNum is the serial number of the hardware module. No particular structure is imposed on the serial number. However, the combination of the hwType and hwSerialNum uniquely identifies the hardware module.
Device Private Key#
In addition to a plaintext key in the buffer, the stack also accepts a PSA key reference to the device private key. When using the key reference, the PSA key attributes must be set according to the table below.
Attribute | Value |
|---|---|
psa_set_key_usage_flags | PSA_KEY_USAGE_SIGN_HASH |
psa_set_key_type | PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1) |
psa_set_key_algorithm | PSA_ALG_ECDSA(PSA_ALG_SHA_256) |
Credential Cache#
The device maintains a credential cache for the previously connected PAN. If the same PAN is joined again, the device will use the stored credentials to bypass the authentication phase.
NOTE: The credential cache can be cleared before the join attempt by using the API function sl_wisun_clear_credential_cache() but it should be used with care. Clearing the cache on the joining node may prevent it from re-joining the same PAN. This is due to AES-CCM* replay protection security mechanism.