4.1.2 Certificates and Key Establishment
Once a device has joined to the ZSE network and obtained the network key from the trust center, the new device must then re-negoti-
ate its trust center link key through certificate-based key establishment (CBKE). This takes the place of the Zigbee 3.0 link key request
mechanism that a standard Zigbee 3.0 device uses.
The CBKE protocol ensures that the new link key is unrelated to the preconfigured key, ensures that the key that is random and unre-
producible, and provides proof of identity by validating the authenticity of the certificates at both devices. The new link key derived from
this CBKE process replaces the original, preconfigured trust center link key, such that the preconfigured key is not used again unless
this new ZSE device is purged from the network and later needs to re-enter. ZSE networks require that a CBKE-based link key shall be
used for unicast data communications on most ZSE clusters. (Refer to the “Cluster Usage of Security Keys” section of the Zigbee Smart
Energy Profile Specification for details about which clusters require only Network layer security and which require both Network and
APS layer security.)
CBKE is variation of Public Key-Key Establishment (PKKE, as opposed to SKKE, Symmetric Key-Key Establishment) between a pair of
devices. PKKE is a process whereby a link key is established based on each party’s shared, static, public key and ephemeral, public
key. Since these keys are public, they do not require secrecy in their storage and transmission. These keys by themselves (without the
non-public certificate data) aren’t enough to recreate the key, so knowledge of these public keys doesn’t compromise the established
link key. In CBKE, specifically, each device’s static, public key is transported as part of a device-implicit certificate signed by the send-
er’s certificate authority (CA), allowing the receiver to validate the device’s identity during key establishment; this differs from traditional
PKKE, where certificates are manually created.
The digital certificates used in the CBKE process are programmed into each device at manufacturing time and are issued by the CA.
For the process to complete successfully, both devices must contain certificates signed by the same CA. For ZSE networks using
Smart Energy 1.x protocol versions, Certicom (www.certicom.com) is the only Zigbee-approved certificate issuer. Certicom offers certifi-
cates signed by either of the following CAs:
• Test SE CA – A special certificate authority used exclusively for non-commercial testing purposes. Certificates signed by this CA are
free to generate through Certicom’s website.
• Production CA – The normal certificate authority used by Certicom to sign certificates for production-grade devices used in commer-
cial deployments. These certificates require paid licensing terms with Certicom to generate and will not interoperate with test certifi-
cates signed by the Test SE CA.
There are actually two different certificate formats and two different elliptic curves used by the CBKE protocol. The original Smart Ener-
gy 1.0 specification used the sect163k1 elliptic curve, which has a symmetric key equivalent length of 80 bits. The NIST standard rec-
ommends a key strength of 128 bits for all devices deployed after 2010 (see NIST sp800-57-part1, Table 4: Recommended algorithms
and minimum key sizes). Therefore, the Smart Energy 1.2 standard introduced a second elliptic curve, sect283k1, which has an equiva-
lent strength of128 bits. Smart Energy labelled the certificate format and curve for the SE 1.0 release Crypto Suite 1, and labelled the
certificate format for the SE 1.2 release Crypto Suite 2. Smart Energy 1.2 supports both Crypto Suite 1 and Crypto Suite 2.
The Crypto Suite 1 certificate data stored on each device consist of the fields described in the following table.
Table 4.1. ZSE Crypto Suite 1 Stored Certificate Fields
Size (bytes) Name Description
22 CA Public Key Public key specific to the CA who signed the certificate. During CBKE, this is used to verify the au-
thenticity of the CA.
48 Device-Implicit
Certificate
Unique data signed by the CA (using the CA’s private key) and representing the digital certificate for
this specific device. This is the portion of the certificate that is shared over the air during CBKE and
contains the following subfields:
" " Reconstruction data for the device’s public key (22 bytes)
" " This device’s IEEE MAC address (EUI64), also known as the Subject for the certificate (8 bytes in
MSB order)
" " Issuer ID for the CA who created this device-implicit certificate (8 bytes in MSB order)
" " Profile-specific data as defined by the Zigbee application profile using the certificate. The first 2
bytes represent the 16-bit Zigbee application profile ID (in most significant byte notation), such as
0x0109 for ZSE. (10 bytes)
21 Device Private
Key
A unique, device-specific value chosen by the CA during certificate generation. During CBKE, this is
used as an input (along with the Device Public Key) to an Elliptic-Curve Cryptography (ECC) algo-
rithm.
AN1233: Zigbee Security
Zigbee Smart Energy (ZSE) Security
silabs.com | Building a more connected world. Rev. 0.4 | 19