Specifications

XBee®/XBee-PRO® SE RF Modules
© 2009 Digi International, Inc.
APS Layer Encryption and Decryption
Packets with APS layer encryption are encrypted at the source and only decrypted by the
destination. Because APS encryption appends a 4-byte MIC and other fields, the maximum data
payload is reduced by 9 bytes when APS encryption is used.
Network and APS Layer Encryption
Network and APS layer encryption can both be applied to data. The following figure demonstrates
the authentication and encryption performed on the final ZigBee packet when both are applied.
Trust Center
ZigBee defines a trust center device that is responsible for authenticating devices that join the
network. The trust center also manages link key distribution in the network.
Forming and Joining a Secure Network
The coordinator is responsible for selecting a network encryption key. This key can either be
preconfigured or randomly selected. In addition, the coordinator generally operates as a trust
center and must therefore select the trust center link key. The trust center link key can also be
preconfigured or randomly selected.
Devices that join the network must obtain the network key when they join. When a device joins a
secure network, the network and link keys can be sent to the joining device. If the joining device
has a preconfigured trust center link key, the network key will be sent to the joining device
encrypted by the link key. Otherwise, if the joining device is not preconfigured with the link key,
the device can join the network only if the network key is sent unencrypted (“in the clear”). The
trust center must decide whether or not to send the network key unencrypted to joining devices