LoRaWAN
™
SECURITY
A WHITE PAPER PREPARED FOR
THE LoRa ALLIANCE™
BY GEMALTO, ACTILITY AND SEMTECH
February 2017
FULL END–TO–END ENCRYPTION
FOR IoT APPLICATION PROVIDERS
PROPERTIES OF
LoRaWAN™ SECURITY
SECURITY IMPLEMENTATION
INTRODUCTION
The security mechanisms mentioned
previously rely on the well-tested
and standardized AES
1
cryptographic
algorithms. These algorithms have been
analysed by the cryptographic community
for many years, are NIST approved and
widely adopted as a best security
practice for constrained nodes and
LoRaWAN™ is a Low Power Wide Area Network (LPWAN) pro
-
tocol that supports low-cost, mobile, and secure bi-directional
communication for Internet of Things (IoT), machine-to-machine
(M2M), smart city, and industrial applications. The LoRaWAN
protocol is optimized for low power consumption and is
designed to support large networks with millions of devices.
Innovative LoRaWAN features include support for redundant
operation, geolocation, low-cost, and low-power applications.
Devices can even run on energy harvesting technologies
enabling the mobility and ease of use of IoT.
LoRaWAN security is designed to t the
general LoRaWAN design criteria: low
power consumption, low implementation
complexity, low cost and high scalability.
As devices are deployed in the eld
for long periods of time (years),
security must be future-proof. The
LoRaWAN security design adheres
to state-of-the-art principles: use of
standard, well-vetted algorithms, and
end-to-end security. Later, we describe
the fundamental properties that are
supported in LoRaWAN security: mutual
authentication, integrity protection and
condentiality.
Mutual authentication is established
between a LoRaWAN end-device and
the LoRaWAN network as part of the
network join procedure. This ensures
that only genuine and authorized devices
will be joined to genuine and authentic
networks.
LoRaWAN MAC and application
messaging are origin authenticated,
integrity protected, replay protected, and
encrypted. This protection, combined
with mutual authentication, ensures that
network trafc has not been altered, is
coming from a legitimate device, is not
comprehensible to eavesdroppers and
has not been captured and replayed by
rogue actors.
LoRaWAN security further implements
end-to-end encryption for application
payloads exchanged between the
end-devices and application servers.
LoRaWAN is one of the few IoT networks
implementing end-to-end encryption. In
some traditional cellular networks, the
trafc is encrypted over the air interface,
but it is transported as plain text in the
operator’s core network. Consequently,
end users are burdened by selecting,
deploying and managing an additional
security layer (generally implemented by
some type of VPN or application layer
encryption security such as TLS).
This approach is not suited in LPWANs
where over-the-top security layers
add considerable additional power
consumption, complexity and cost.
networks. LoRaWAN security uses the
AES cryptographic primitive combined
with several modes of operation: CMAC
2
for integrity protection and CTR
3
for
encryption. Each LoRaWAN device is
personalized with a unique 128 bit AES
key (called AppKey) and a globally unique
identier (EUI-64-based DevEUI), both of
which are used during the device authen
-
tication process. Allocation of EUI-64
identiers require the assignor to have an
Organizationally Unique Identier (OUI)
from the IEEE Registration Authority. Sim
-
ilarly, LoRaWAN networks are identied
by a 24-bit globally unique identier
assigned by the LoRa Alliance™.
As security is a fundamental need in all of the aforementioned
applications, it has been designed into the LoRaWAN
specication from the very beginning. However, the topic of
security encompasses multiple properties and, in particular,
the cryptographic mechanisms used to implement security in
LoRaWAN deserve careful explanation. This whitepaper aims
to present the security of the current LoRaWAN specication.
First, we will present the security properties embodied in the
LoRaWAN specications, then details of its implementation and
nally some explanations about LoRaWAN security design.