'Secure' Join Server


#1

I’m wanting to use some cryptography functions to identify my devices (using a Microchip ATECC608A on the device). I’m looking at two different approaches:

(a) Dive into the loraserver.io code and see if I can figure out what I’d need to do to modify / extend it to support the secure connectivity. The downside of this is that I don’t know Go.

(b) Write a secure join server and then use it alongside LoRa Server (using something that I do know).

I need to do some more work to understand what needs to be passed between the NS and the JS. Does anyone know where that is defined?


#2

Please note that a secure element does not change the way OTAA works. It improves the security by putting the root key(s) in a secure element. The OTAA handshake is still the same.

If you are referring to using an external join-server, this is already (partly) supported. Please see the join-server configuration in the loraserver.toml file.

# Join-server settings.
[join_server]
# Resolve JoinEUI (experimental).
# Default join-server settings.
#
# When set to true, LoRa Server will use the JoinEUI to resolve the join-server
# for the given JoinEUI. LoRa Server will fallback on the default join-server
# when resolving the JoinEUI fails.
resolve_join_eui=false

# Resolve domain suffix.
#
# This configures the domain suffix used for resolving the join-server.
resolve_domain_suffix=".joineuis.lora-alliance.org"


# Join-server certificates.
#
# Example:
# [[join_server.certificates]]
# # JoinEUI.
# #
# # The JoinEUI of the joinserver to to use the certificates for.
# join_eui="0102030405060708"

# # CA certificate (optional).
# #
# # Set this to validate the join-server server certificate (e.g. when the
# # certificate was self-signed).
# ca_cert="/path/to/ca.pem"

# # TLS client-certificate (optional).
# #
# # Set this to enable client-certificate authentication with the join-server.
# tls_cert="/path/to/tls_cert.pem"

# # TLS client-certificate key (optional).
# #
# # Set this to enable client-certificate authentication with the join-server.
# tls_key="/path/to/tls_key.pem"


# Default join-server settings.
#
# This join-server will be used when resolving the JoinEUI is set to false
# or as a fallback when resolving the JoinEUI fails.
[join_server.default]
# hostname:port of the default join-server
#
# This API is provided by LoRa App Server.
server="http://localhost:8003"

# ca certificate used by the default join-server client (optional)
ca_cert=""

# tls certificate used by the default join-server client (optional)
tls_cert=""

# tls key used by the default join-server client (optional)
tls_key=""


# Join-server KEK set.
#
# These KEKs (Key Encryption Keys) are used to decrypt the network related
# session-keys received from the join-server on a (re)join-accept.
# Please refer to the LoRaWAN Backend Interface specification
# 'Key Transport Security' section for more information.
#
# Example (the [[join_server.kek.set]] can be repeated):
# [[join_server.kek.set]]
# # KEK label.
# label="000000"

# # Key Encryption Key.
# kek="01020304050607080102030405060708"

#3

If I understand correctly, loraserver.io implements the ‘join’ service ‘internally’ (as part of the network server) unless you specify an ‘external’ one? Is that correct?


#4

Yes, you have to enable it to use an external one (resolve_join_eui=true). As marked, this is still experimental as the NS <> JS security isn’t fully specified (yet) by the LoRa Alliance.

By default LoRa Server will use LoRa App Server as the Join-Server :slight_smile: (also when the resolve_join_eui would fail).


#5

Thanks, that makes things a bit clearer for me.

I need to go and read the specifications now, to understand what the transactions are (NS <–> JS).

I’m contemplating attempting to create a JS as a Python based Lambda in AWS…