6.2.5 Security

The Zigbee coordinator/combined interface device with address 0x0000 acts as a trust center, and the device with address 0x0401 acts as a Zigbee router (see the following figure). For details on the centralized security mechanism, refer to 6.1.2 Network Security Models.

As per Figure 6-1, MAC association packets were unencrypted. After completion of the association process:
  1. The trust center (coordinator with address 0x0000) sends the Transport Key, from which the joining device (router with address 0x0401) receives the link key (see packet #14). The APS frame carrying the Transport Key is encrypted with Link Key A.
  2. The joined device (router) performs the device announcement (see packets #16 and #17).
  3. Node descriptor exchange happens between coordinator and router as part of the initialization procedure (see packets #18 to #22).
  4. Packet #23 shows the router sending the Request Key to the trust center to request Link Key B. Link Key A secures the APS frame carrying this Request Key.
  5. The trust center transports (packet #25) the requested key via Transport Key with APS encryption by Link Key A.
  6. Packet #27 shows Verify Key, which ensures that the trust center and joined device agree on the same key.
  7. Packet #29 shows the Confirm Key, which permits the trust center to confirm a previous request to verify a link key.
Figure 6-12. Trust Center Key Exchange Centralized Network
The following figure illustrates the Transport Key, where Link Key A (5a 69 67 42 65 65 41 6c 6c 69 61 6e 63 65 30 39) is highlighted, which encrypts the APS layer. By default, the network key is used for cluster commands. The following figure highlights the network key, Key: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc.
Figure 6-13. APS Tunnel Transport Key
The following figure illustrates the Request Key, where Link Key A (5a 69 67 42 65 65 41 6c 6c 69 61 6e 63 65 30 39) is highlighted, that encrypts the APS layer.
Figure 6-14. Request Key
The following figure illustrates the Transport Key, where Link Key A (5a 69 67 42 65 65 41 6c 6c 69 61 6e 63 65 30 39) is highlighted, that encrypts the APS layer. The following figure illustrates the Link Key B (fb 40 45 17 7a 0a bc 68 e3 35 ce 4b 93 12 63 0a), which is being transported from the trust center to the router.
Figure 6-15. Transport Key
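
The Python below is an added example, not code from this document or its vendor. It audits a decoded join trace for the key exchange in steps 1 to 7 and for predictable keys. The Link Key A bytes shown above are the ASCII string "ZigBeeAlliance09", the well-known default trust center link key. The packet dictionary layout, the function names and `TRACE` (built from the packet numbers and keys on this page) are assumptions made for illustration.

```python
# Well-known default trust center link key (Link Key A above), in ASCII.
DEFAULT_TC_LINK_KEY = b"ZigBeeAlliance09"
# APS security commands in the order of packets #14, #23, #25, #27, #29.
EXPECTED = ["Transport Key", "Request Key", "Transport Key",
            "Verify Key", "Confirm Key"]

def parse_key(text):
    """Turn a sniffer-style 'cc cc ...' string into 16 raw bytes."""
    key = bytes.fromhex(text.replace(" ", ""))
    if len(key) != 16:
        raise ValueError(f"expected a 128-bit key, got {len(key)} bytes")
    return key

def weakness(key):
    """Return a reason string if the key is predictable, else None."""
    if key == DEFAULT_TC_LINK_KEY:
        return "well-known default link key"
    if len(set(key)) == 1:
        return "single repeated byte"
    return None

def audit_join(packets):
    """packets: dicts with 'no', 'cmd' and, for Transport Key, 'carried'."""
    findings, seq = [], []
    for p in packets:
        # Collapse retransmissions so a repeated frame is counted once.
        if p["cmd"] in EXPECTED and (not seq or seq[-1] != p["cmd"]):
            seq.append(p["cmd"])
    if seq != EXPECTED:
        # Without Request/Verify/Confirm the device stays on Link Key A.
        findings.append(f"key exchange incomplete or out of order: {seq}")
    for p in packets:
        why = weakness(parse_key(p["carried"])) if "carried" in p else None
        if why:
            findings.append(f"packet {p['no']}: transported key flagged ({why})")
    return findings

# Constructed trace using the packet numbers and keys shown on this page.
TRACE = [
    {"no": 14, "cmd": "Transport Key", "carried": "cc " * 15 + "cc"},
    {"no": 16, "cmd": "Device Announce"},
    {"no": 23, "cmd": "Request Key"},
    {"no": 25, "cmd": "Transport Key",
     "carried": "fb 40 45 17 7a 0a bc 68 e3 35 ce 4b 93 12 63 0a"},
    {"no": 27, "cmd": "Verify Key"},
    {"no": 29, "cmd": "Confirm Key"},
]

if __name__ == "__main__":
    for finding in audit_join(TRACE):
        print(finding)
```

On the trace from this page, the only finding is the network key in packet #14, whose 16 bytes are all 0xcc. A trace that stops before the Confirm Key is reported as an incomplete exchange.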