2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing
Application and Analysis of ZigBee Security Services
Specification
Hongwei Li, Zhongning Jia, Xiaofeng Xue
School of Computer Science and Engineering
Jiangsu Teachers University of Technology
Changzhou, China
jstulhw@gmail.com
Abstract—ZigBee is a wireless technology developed as an open
global standard. With the application of wireless sensor networks,
many applications not only have low-power, low-complexity and
cost-effective, but also should have high confidentiality. So the
research of the security of ZigBee is becoming very important.
Based on the ZigBee network protocol stack structure, in this
paper, we mainly discuss the ZigBee data transmission security
services, the encryption techniques, security key, the trust center,
secured Frames Format and security Level. At last we introduce
the security application in the ZigBee application layer.
Keywords-Wireless sensor networks; ZigBee; Security; security
key; trust center; MSG
I. INTRODUCTION
ZigBee is an open WPAN standard based on the IEEE
802.15.4 protocol. While IEEE 802.15.4 defines medium
access control (MAC) layer and physical (PHY) layer. ZigBee
takes care of higher layers. ZigBee is used for home, building
and industrial control. It conforms to the IEEE 802.15.4
wireless standard for low data rate networks. With a maximum
speed of 250 Kbps at 2.4 GHz, ZigBee is slower than Wi-Fi
and Bluetooth, but is designed for low power so that batteries
can last for months and years.
ZigBee provides simple yet strong, end-to-end security. It is
based on a 128-bit AES algorithm incorporating the strong
security elements of the IEEE 802.15.4 standard. The ZigBee
stack defines security for the MAC, network, and application
layers. Its security services include methods for key
establishment and transport, device management, and frame
protection. The level of security provided by the ZigBee
security architecture depends on the safekeeping of the
symmetric keys, on the protection mechanisms employed, and
on the proper implementation of the cryptographic mechanisms
and associated security policies involved[1]. However, ZigBee
security is based on the higher cost of consumed a lot of
resources, in some simple applications, security mechanisms
should not be so complicated, so we put forward a simple and
efficient method to protect the MSG packets in the application
layer.
This paper is organized as follows. ZigBee security services
are analyzed in the second section. Encrypted a MSG packet is
given in the third section. Conclusions are presented in the last
section.
978-0-7695-4011-5/10 $26.00 © 2010 IEEE
DOI 10.1109/NSWCTC.2010.261
II. ANALYSIS OF ZIGBEE SECURITY SERVICES
The ZigBee security architecture includes security
mechanisms at two layers of the protocol stack. The network
layer (NWK) and the application support sub-layer (APS) are
responsible for the secure transport of their respective frames.
They use the same security mechanisms built on 128-bit AES.
ZigBee provides security based on three main principles.
First is simplicity: Every layer originating a frame is
responsible for securing it, rather than having multiple layers
do so. Second is directness: Keys are exchanged directly
between each source and destination device. Third is end-to-
end security: Data proceeds without having to be decrypted and
re-encrypted at each hop.
A. Security Features
ZigBee technology in the security is specifically expressed
in the following features:
1) ZigBee provides sequential freshness. Sequential
freshness is a security service that uses an ordered sequence of
inputs to reject frames that have been replayed. It can prevent
the forwarding of attack. ZigBee devices maintain the input
and output freshness counter, when there is a new key is
created, the counter will reset.
2) ZigBee provides frame integrity checking function. It
uses a message integrity code (MIC) to protect data from being
modified by parties without the cryptographic key. It further
provides assurance that data came from a party with the
cryptographic key. This feature prevents an attacker to modify
the data. The bit-length of the MIC may take the values 0, 32,
64 or 128.
3) ZigBee provides entity authentication service. The
entity authentication service provides a secure means for a
device to synchronize information with another device while
simultaneously providing authenticity based on a shared key.
The NWK layer authentication is through the use of a active
network key. The APS layer authentication is through using the
link key between devices.
4) ZigBee provides data encryption. Data encryption is a
security service that uses a symmetric cipher to protect data
from being read by parties without the cryptographic key. Data
495
494
may be encrypted using a key shared by a group of devices or
using a key shared between two peers.
5) ZigBee defines the role of Trust Center. The Trust
Center decides whether to allow or disallow new devices into
its network. The Trust Center may periodically update and
switch to a new Network Key. It first broadcasts the new key
encrypted with the old Network Key. Later, it tells all devices
to switch to the new key. All members of the network shall
recognize exactly one Trust Center, and there shall be exactly
one Trust Center in each secure network. The Trust Center is
usually the network coordinator, but is also able to be a
dedicated device. It is responsible for the following security
roles:
• Trust Manager, to authenticate devices that request to
join the network.
• Network Manager, to maintain and distribute network
keys.
• Configuration Manager, to enable end-to-end security
between devices
6) ZigBee adopts CCM* encryption algorithm. CCM* is a
minor modification of CCM. It includes all of the features of
CCM and additionally offers encryption-only and integrity-
only capabilities. These extra capabilities simplify security by
eliminating the need for CTR and CBC-MAC modes. Also,
unlike other MAC layer security modes which require a
different key for every security level, the use of CCM* enables
the use of a single key for all CCM* security levels. With the
use of CCM* throughout the ZigBee stack, the MAC, NWK,
and APS layers can reuse the same key.
B. Secrity Keys
ZigBee uses three types of keys to manage security: Master,
Network and Link.
The master key may be pre-installed during manufacturing,
may be installed by a Trust Center, or may be based on user-
entered data. The master key is not used to encrypt frames.
Instead, it is used as an initial shared secret between two
devices when they perform the Key Establishment Procedure
(SKKE) to generate Link Keys.
The network key performs security Network Layer security
on a ZigBee network. All devices on a ZigBee network share
the same key. A device shall acquire a network key via key-
transport or pre-installation.
The link key secures unicast messages between two devices
at the Application Layer. A device shall acquire link keys
either via key-transport, key-establishment, or pre-installation.
The key-establishment technique for acquiring a link key is
based on a master key.
Ultimately, security between devices depends on secure
initialization and installation of these keys. The link and master
keys shall be available only to the APL layer.
Link key and network key can be updated periodically if
desired. When the two devices have these two kinds of keys
they use a link key to communicate. Although the cost of
495
496
storage network key is small, but it reduces the system's
security, because the network key is shared by multiple devices,
so it does not prevent internal attacks.
C. Secured Frames Format
The NWK layer is responsible for the processing steps
needed to securely transmit outgoing frames and securely
receive incoming frames. Upper layers control the security
processing operations by setting up the appropriate keys and
frame counters and establishing which security level to use.
The NWK layer frame format consists of a NWK header and
NWK payload field. The NWK header consists of frame
control and routing fields. When security is applied to a
network layer protocol data unit (NPDU) frame, the security bit
in the NWK frame control field shall be set to 1 to indicate the
presence of the auxiliary frame header. The auxiliary frame
header shall include a security control field and a frame counter
field, and may include a sender address field and key sequence
number field. The format of a secured NWK layer frame is
shown in Fig. 1. The auxiliary frame header is situated between
the NWK header and payload fields. Its Frame Header Format
is shown in Fig. 2. The secured NWK layer frame needs the
source address field and the key sequence number field in the
auxiliary frame header.
Octets: Variable 14 Variable
Original NWK Auxiliary Encrypted Encrypted message integrity code
header frame payload ˄MIC˅
header
Secure frame payload = output of CCM*
Full NWK header Secured NWK payload
Figure 1. Secured NWK Layer Frame Format
Octets: 1 4 0/8 0/1
Security control Frame counter Source address Key sequence number
Figure 2. Auxiliary Frame Header Format
The APS layer is responsible for the processing steps
needed to securely transmit outgoing frames, securely receive
incoming frames, and securely establish and manage
cryptographic keys. Upper layers control the management of
cryptographic keys by issuing primitives to the APS layer. The
APS layer frame format consists of APS header and APS
payload fields. The APS header consists of frame control and
addressing fields. When security is applied to an application
support sub-layer protocol data unit (APDU) frame, the
security bit in the APS frame control field shall be set to 1 to
indicate the presence of the auxiliary frame header. The format
for the auxiliary frame header is shown in Fig. 2. The format of
a secured APS layer frame is shown in Fig. 3. The auxiliary
frame header is situated between the APS header and payload
fields. The secured APS layer frame doesn’t need the source
address field in the auxiliary frame header, but it may select the
key sequence number field in the auxiliary frame header.
 Octets: Variable 5 or 6 Variable transaction length and transaction data. The transaction
sequence number field is eight bits in length and specifies an
Original APS Auxiliary Encrypted Encrypted message
header frame payload integrity code ˄MIC˅
identification number for the transaction so that a response
Header command frame can be related to the request frame. The
Secure frame payload = output of CCM* transaction length field is eight bits in length and specifies the
Full APS header Secured APS payload number of octets contained in the following transaction data
field. The transaction data field has a variable length, it
Figure 3. Secured APS Layer Frame Format contains primary message.
D. ZigBee Security Levels Bits: 4 4 8 8 Variable Variable 8 8 Variable
Table I lists ZigBee security levels available to the NWK,

sequence number

sequence number
Transaction data

Transaction data
and APS layers.

Transaction

Transaction

Transaction

Transaction
Frame

length

length
Transaction type ……
TABLE I. SECURITY LEVELS AVAILABLE TO THE NWK, AND APS count =0x02
LAYERS (MSG)

Transaction 1 …… Transaction n
Security Security Frame Integrity AF frame
Security Data
Level Level (length M of MIC, in ASDU
Attributes Encryption
Identifier Sub-Field Number of Octets)
Figure 4. Format of the AF frame with MSG type
0x00 ‘000’ None OFF NO (M = 0)
0x01 ‘001’ MIC-32 OFF YES (M=4)
0x02 ‘010’ MIC-64 OFF YES (M=8) B. The redefinition of the Transaction Data Field of MSG
Frame Type
0x03 ‘011’ MIC-128 OFF YES (M=16)
In order to encryption and integrity checking a data frame
0x04 ‘100’ ENC ON NO (M = 0)
of MSG type, we redefined the transaction data field of MSG
0x05 ‘101’ ENC-MIC-32 ON YES (M=4) frame type. Its format is shown as in Fig. 5.
0x06 ‘110’ ENC-MIC-64 ON YES (M=8)
Bits: 8 8 8 8 Variable
0x07 ‘111’ ENC-MIC-128 ON YES (M=16)
Transaction Key bit Real transaction
Transaction sequence. MIC data
sequence
length
The security level identifier indicates how an outgoing number
Transaction data
frame is to be secured, how an incoming frame purportedly has Transaction 1
been secured; it also indicates whether or not the payload is
Figure 5. The redefinition of the transaction data field of
encrypted and to what extent data authenticity over the frame is MSG Frame type
provided, as reflected by the length of the message integrity
code (MIC). The bit length of the MIC may take the values 0, The security material table is 32 bytes in length and is
32, 64 or 128 and determines the probability that a random divided into two groups, each 16 bytes for a group. The Key bit
guess of the MIC would be correct. Note that security level sequence is 8 bits in length, its high four bits are the sequence
identifiers are not indicative of the relative strength of the number of the first group and the low four bits are the sequence
various security levels. Also note that security levels 0 and 4 number of the second group. The MIC field is 8 bits in length
should not be used for frame security. and specifies the message integrity code. The real transaction data
field is the old transaction data.
III. THE SECURITY APPLICATION IN THE ZIGBEE APS
LAYER C. Security Processing of Frames
ZigBee security services and algorithms are complex, in If the key bit sequence field is set to 0, the MSG data is not
some simple applications, using ZigBee security modes will protected, otherwise, the security processing is described as
consume many resources, such as, memory, CPU time and follows:
managing secure data in a frame. Therefore, we use a simple 1) Define the following variables
way to encrypt and integrity checking the data packet of MSG unsigned char en[32]= // the security material
type. { 0xe2, 0x12, 0xa6, 0x8e, // the first group
0x9a, 0xf1, 0x2e, 0x3f,
A. AF Frame Format with MSG Frame Type 0xe7, 0xca, 0xb1, 0x4e,
The Application framework (AF) frame format with MSG 0x58, 0x83, 0x3a, 0xe4,
frame type is illustrated in Fig. 4. The transaction count field is 0x13, 0x23, 0x65, 0xae, // the second group
four bits in length and specifies the number of transactions. The 0x8e, 0xd4, 0x9d, 0x35,
frame type field is four bits in length and specifies the service 0x90, 0x3a, 0x63, 0x8e,
type used by each of the following transactions. The frame type 0x2a, 0x14, 0x54, 0xa2};
is MSG if this field is set to 0x02. Each transaction of MSG unsigned char mm[8]; // the encryption table
frame type contains a transaction sequence number, a unsigned char mic_ch;

496
497
 unsigned char sit_1, sit_2; unsigned char step_mic;
unsigned char mic; sit_1 = (info[0]>>4) & 0x0f;
sit_2 = (info[0] & 0x0f) + 16;
The security material “en” is a table that contains 32 bytes.
It is divided into two groups. The encryption table “mm” is 8 step_mic = info[1];
bytes in length and is created dynamically. The sit_1 is a mic = 0;
sequence number the first group. The sit_2 is a sequence for (int i = 0; i< 8; i++)
number of the second group. The variable “mic_ch” is a initial {
value of computing MIC. The mic is a value of MSG data mm[i] = en[(sit_1 + i) %32]^ en[(sit_2 + i) %32];
message integrity code. }
mic_ch =0x5a;
2) Encryption algorithm for (i=0; i< *len -2 ; i++)
Encryption algorithm is described at follow: {
void Encrypt(unsigned char * info, int *len) mic +=info[i+2] ^ en[(sit_1+i)%32];
{ info[i] = info[i+2] ^ mm[i%8];
// info: MSG data; mic_ch = mic_ch ^ info[i];
// len : the length of MSG data mm[i%8] = mm[i%8] ^ en[(sit_1 +8+ i) %32]
sit_1 = 0; sit_2 = 0; ^ mic_ch;
while( sit_1+sit_2 == 0) }
{ if (mic != step_mic) return false;
sit_1 = rand() % 16; //randomly generating number. *len -= 2;
sit_2 = rand() % 16; //randomly generating number. info[*len] = 0;
} return true;
sit_2 +=16; }
for (int i = 0; i< 8; i++) If Decrypt( ) returns true, the receiver correctly receives the
{ // to produce the encryption table MSG data packet, otherwise, the MSG data packet is destroyed.
mm[i] = en[(sit_1+ i) %32] ^ en[(sit_2 + i) %32];
} IV. CONCLUSIONS
mic_ch = 0x5a; In this paper, we have provided a survey of security
unsigned char info_m[ MAXLENGTH]; services provided in the ZigBee wireless sensor networks.
for (i=0; i < *len; i++) ZigBee security, which is based on a 128-bit AES algorithm,
adds to the security model provided by IEEE 802.15.4.
{
ZigBee’s security services include methods for key
mic_ch = mic_ch ^ info[i];
establishment and transport, device management, and frame
info_m[i] = info[i] ^ mm[i%8]; protection. The ZigBee specification defines security for the
mm[i%8] = mm[i%8] ^ en[(sit_1 +8+ i) %32] MAC, NWK and APS layers. Security for applications is
^ mic_ch; typically provided through Application Profiles. This paper
mic +=info_m[i] ^ en[(sit_1+i)%32] ; provided a simple security mode in APS layer to protect the
} data packets of the MSG type.
info[0] = (sit_1<<4) + sit_2 - 16; // the key bit sequence
info[1] = mic; // the MIC REFERENCES
for (i=0; i < *len; i++)
[1] ZigBee Alliance Document 053474r17. “ZigBee Specification”, January,
{ 2008.
info[i+2] = info_m[i]; [2] X. L. Ren, H. B. Yu. “Study on Security of ZigBee Wireless Sensor
} Network”, Chinese Journal of Scientific Instrument (in Chinese), Vol 28,
*len += 2; No 12 , December 2007, pp 2132-2137.
} [3] ZigBee Alliance Document 053473r00. “ZigBee Specification v1.0”,
3) Decryption algorithm December, 2004.
[4] IEEE 802.15.4, “Wireless Medium Access Control (MAC) and Physical
Decryption alogrithm is described as follow: Layer (PHY) Specifications for Low-Rate Wireless Personal Area
Networks (LR-WPANs),” May 2003.
bool Decrypt(unsigned char * info, int *len)
{

497
498