Installation Code CRC

The installation code CRC is a mechanism used to verify the integrity of an installation code when it is transmitted to the utility via an out-of-band mechanism. That transport involves human interaction in some way, so the CRC was designed as a way to verify that an installation code is well-formed and was not accidentally changed in transit.

The Zigbee installation model enables users to install a device themselves. Users simply read the installation code on the back of the device and enter it into a webpage or provide it over the phone to a utility service. Because the number is a hexadecimal value, it is easy to transpose digits or read the wrong value.

Validation

The Zigbee specification expects that the server processing the out-of-band installation code entry from the installer will perform basic checking of the installation code for validity. The server calculates the CRC over all bytes in the installation code except the final two. It then compares the final two bytes of the installation code with the calculated CRC to see if they match. If they do not match, the user entering the installation code can be informed immediately that it does not look valid and asked to double-check the value. Note that the CRC only detects accidental errors: anyone can compute a matching CRC for an arbitrary value, so a code that passes this check is well-formed, not necessarily genuine.

Zigbee specifications do not require the Trust Center to validate the installation code directly. (Any validation can be done on a remote web- or cloud-based server if the Trust Center doesn’t have this capability locally.) The Trust Center expects to receive a pre-configured link key along with the EUI64 of the new joining device. It does not need to have any knowledge about how that key was derived. It is up to the particular utility how it wishes to manage and transport the link key to the Trust Center.

For details on how the CRC is calculated, including sample code, consult the Install Codes section of the Security Chapter of the Zigbee 3.0 Base Device Behavior Specification (Zigbee document #13-0402).

Generation

Silicon Labs recommends that the installation code be a random number, generated from a cryptographically secure random number generator. This reduces the chances of an attacker guessing the installation code and compromising the initial join procedure. The installation code should not be derived from the manufacturing process, for example tied to the EUI64 or assigned sequentially from the manufacturing lot number. If it were, an attacker who knows the type of device being joined would have a small, known range of installation codes to try in order to compromise the network and clone the device's identity. An installation code does not have to be unique across all Zigbee devices for all manufacturers.

Labels

The device’s installation code should be printed on a label on the outside of the device along with its EUI64. Both elements should be identified with text indicating what they are. The installation code should not be printed on the outside of the box because that makes it easier for an attacker to gain knowledge of the installation code and potentially compromise the device. It is recommended that the installation code be printed in 2-byte blocks (for example, 83FE D340 7A93 9723 A5C6 39B2 6916 D505 C3B5).

Note: The CRC should be appended to the installation code in little-endian byte order on the label, that is, low byte first.

Example

The following is an 18-byte installation code label (16-byte random code with a 2-byte CRC):

83FE D340 7A93 9723 A5C6 39B2 6916 D505 C3B5

The random number portion of the code is the first 16 bytes. The calculated CRC value is 0xB5C3, but it is appended in little-endian byte order, so it appears on the label as C3B5.
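The following is an added example that ties together the Validation, Generation and Labels sections above; it is not code from this page, from Silicon Labs, or from the Zigbee specification. It assumes the CRC parameters that reproduce the page's worked example (CRC-16, polynomial 0x1021 processed bit-reflected as 0x8408, initial value 0xFFFF, final XOR 0xFFFF); the normative definition is in the Base Device Behavior specification referenced above. The function names are the author's own, the server-side check accepts only the 18-byte form shown on this page, and the typed-in label strings are constructed inputs.

```python
import secrets

# Only the form shown on this page (16 random bytes + 2-byte CRC) is accepted here.
INSTALL_CODE_LEN = 18


def zigbee_install_code_crc16(data: bytes) -> int:
    """CRC-16 over the install code bytes: polynomial 0x1021 (0x8408 reflected),
    initial value 0xFFFF, final XOR 0xFFFF. Assumption: these parameters match
    the specification; they reproduce the page's example value 0xB5C3."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
    return crc ^ 0xFFFF


def append_crc(random_part: bytes) -> bytes:
    """Append the CRC low byte first, as the label note requires."""
    return random_part + zigbee_install_code_crc16(random_part).to_bytes(2, "little")


def parse_label(text: str) -> bytes:
    """Turn what an installer typed (spaces, dashes, mixed case) into bytes.
    Raises ValueError for non-hex characters or an odd number of digits."""
    cleaned = "".join(ch for ch in text if ch not in " -:\t")
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def validate_install_code(text: str) -> bool:
    """Server-side check from the Validation section: recompute the CRC over
    everything but the last two bytes and compare it with those two bytes
    read little-endian. Returns False (never raises) so the caller can
    simply tell the installer to re-read the label."""
    try:
        code = parse_label(text)
    except ValueError:
        return False
    if len(code) != INSTALL_CODE_LEN:
        return False
    expected = int.from_bytes(code[-2:], "little")
    return zigbee_install_code_crc16(code[:-2]) == expected


def format_label(code: bytes) -> str:
    """Render the code in 2-byte blocks, the layout recommended for labels."""
    hexstr = code.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def generate_install_code() -> bytes:
    """Fresh 16-byte code from the OS CSPRNG, with its CRC appended."""
    return append_crc(secrets.token_bytes(16))


if __name__ == "__main__":
    # The page's worked example: CRC 0xB5C3 printed as C3B5.
    label = "83FE D340 7A93 9723 A5C6 39B2 6916 D505 C3B5"
    print(validate_install_code(label))
    # A typical data-entry slip: two adjacent digits transposed (D340 -> D430).
    print(validate_install_code(label.replace("D340", "D430")))
    # The CRC written big-endian (B5C3) is rejected; the label must be little-endian.
    print(validate_install_code(label[:-4] + "B5C3"))
    # Mint a new label and confirm it passes the same check an installer's entry would.
    new_code = generate_install_code()
    print(format_label(new_code), validate_install_code(format_label(new_code)))
```

Run as a script it prints True, False, False and then a freshly generated label followed by True. Because a CRC-16 whose polynomial contains the +1 term detects every error burst of 16 bits or fewer, any single transposed or misread pair of hex digits is caught; the check is for typos only, and an attacker who chooses the code can of course compute a matching CRC.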