User Guide
The Join Process
The Join Process is a method of generating a random encryption key and
random network base address, then distributing the key and addresses to
associated modules through a series of button presses. This makes it very
simple to establish an encrypted network in the field or add new nodes to
an existing network without any additional equipment. It is also possible
to trigger the Join Process through commands on the Command Data
Interface.
All modules configured from the same administrator using the Join Process
can communicate with each other. Other modules are added to the
network one at a time.
The hardware required is a pushbutton that is connected to the PB
line. This takes the line to VCC when it is pressed and ground when it
is released. An LED connected to the MODE_IND line provides visual
indication of the module’s state.
A module is set as an administrator by pressing and holding the button for
30 seconds to start the Generate Key function. While the button is held,
the MODE_IND line is on. After 30 seconds, the MODE_IND line repeats a
double blink, indicating that the function is selected. When the button is
released, the key and address generation are performed and the module
becomes an administrator.
An alternative way to set a module as administrator is by briefly pressing
the button twice before holding it for 30 seconds. This method selects the
high UART (57600 bps) data rate and high RF data rate. When other units
are Joined, they will also be set to the high data rates.
When Generate Key is performed, the unit is set as the network
administrator. It generates a random 128-bit AES encryption key that is
based on ambient RF noise and scrambled by an encryption operation. If
UMASK is the default value (0xFFFFFFFF), it is set to 0x000000FF,
supporting up to 254 nodes, and ADDMODE is set to Extended User Address
with encryption (0x27), or without encryption (0x07) if the PGKEY flag in
the SECOPT register was set to 0 by serial command. UMASK and
ADDMODE are not changed if UMASK is not 0xFFFFFFFF. A random
32-bit address is generated. By default, the lower 8 bits are 0, forming the
network base address. Other nodes are assigned sequential addresses,
starting with network base address + 1. UDESTID is set to the bitwise OR
of USRCID and UMASK, which is the network broadcast address.
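The register values described in the paragraph above, modelled as an added example (not code from the guide or from the module's firmware). The function and dictionary names are hypothetical, Python's secrets module stands in for the RF-noise source, and the node range of base + 1 through broadcast - 1 is inferred from the 254-node figure.

```python
import secrets

UMASK_FACTORY = 0xFFFFFFFF   # default UMASK value named in the guide
UMASK_JOIN = 0x000000FF      # value written when UMASK was still the default
ADDMODE_ENCRYPTED = 0x27     # Extended User Address with encryption
ADDMODE_PLAIN = 0x07         # Extended User Address without encryption


def generate_key(umask=UMASK_FACTORY, addmode=None, pgkey=1, rand32=None):
    """Model the administrator's registers after Generate Key (hypothetical helper)."""
    if rand32 is None:
        rand32 = secrets.randbits(32)    # stand-in for the RF-noise source
    if umask == UMASK_FACTORY:
        umask = UMASK_JOIN
        addmode = ADDMODE_ENCRYPTED if pgkey else ADDMODE_PLAIN
    # A non-default UMASK leaves UMASK and ADDMODE exactly as configured.
    usrcid = rand32 & 0xFFFFFF00         # lower 8 bits zero: network base address
    return {
        "KEY": secrets.token_bytes(16),  # 128-bit key; stand-in generator
        "UMASK": umask,
        "ADDMODE": addmode,
        "USRCID": usrcid,
        "UDESTID": usrcid | umask,       # network broadcast address
    }


def node_addresses(regs):
    """Addresses for joining nodes: base + 1 up to broadcast - 1 (inferred)."""
    return range(regs["USRCID"] + 1, regs["UDESTID"])


if __name__ == "__main__":
    regs = generate_key(rand32=0x12345678)   # constructed sample value
    nodes = node_addresses(regs)
    print(f"base      0x{regs['USRCID']:08X}")
    print(f"broadcast 0x{regs['UDESTID']:08X}")
    print(f"ADDMODE   0x{regs['ADDMODE']:02X}")
    print(f"nodes     0x{nodes[0]:08X}..0x{nodes[-1]:08X} ({len(nodes)} addresses)")
```
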
AES Encryption
HumPRC™ Series modules offer 128-bit AES encryption. Encryption
algorithms are complex mathematical calculations that use a large number
called a key to scramble data before transmission. This is done so that
unauthorized persons who may intercept the signal cannot access the
data. To decrypt the data, the receiver must use the same key that was
used to encrypt it. It performs the same calculations as the transmitter and
if the key is the same, the data is recovered.
The HumPRC™ Series module has the option to use AES encryption,
arguably the most common encryption algorithm on the market. This is
implemented in a secure mode of operation to ensure the secrecy of the
transmitted data. It uses a 128-bit key to encrypt the transmitted data. The
source and destination addresses are sent in the clear.
There are two ways to enable encryption and set the key: sending serial
commands and using the Join Process.
Writing an encryption key to the module with the CDI
The module has no network key when shipped from the factory. An
encryption key can be written to the module using the CDI. The CMD
register is used to write or clear a key. The key cannot be read.
The same key must be written to all modules that are to be used together.
If they do not have the same key, then they will not communicate in
encrypted mode.
The Join Process
The Join Process can be used to generate and distribute the encryption
key and addresses through a series of button presses. The key is stored in
an Administrator device and the process uses a factory key to distribute the
key to node devices in a secure manner. See the Join Process section for
more information on this feature.