'Secure' Join Server

I’m wanting to use some cryptography functions to identify my devices (using a Microchip ATECC608A on the device). I’m looking at two different approaches:

(a) Dive into the loraserver.io code and see if I can figure out what I’d need to do to modify / extend it to support the secure connectivity. The downside of this is that I don’t know Go.

(b) Write a secure join server and then use it alongside LoRa Server (using something that I do know).

I need to do some more work to understand what needs to be passed between the NS and the JS. Does anyone know where that is defined?

Please note that a secure element does not change the way OTAA works. It improves security by putting the root key(s) in a secure element. The OTAA handshake is still the same.

If you are referring to using an external join-server, this is already (partly) supported. Please see the join-server configuration in the loraserver.toml file.

# Join-server settings.
[join_server]
# Resolve JoinEUI (experimental).
#
# When set to true, LoRa Server will use the JoinEUI to resolve the join-server
# for the given JoinEUI. LoRa Server will fallback on the default join-server
# when resolving the JoinEUI fails.
resolve_join_eui=false

# Resolve domain suffix.
#
# This configures the domain suffix used for resolving the join-server.
resolve_domain_suffix=".joineuis.lora-alliance.org"


# Join-server certificates.
#
# Example:
# [[join_server.certificates]]
# # JoinEUI.
# #
# # The JoinEUI of the join-server to use the certificates for.
# join_eui="0102030405060708"

# # CA certificate (optional).
# #
# # Set this to validate the join-server server certificate (e.g. when the
# # certificate was self-signed).
# ca_cert="/path/to/ca.pem"

# # TLS client-certificate (optional).
# #
# # Set this to enable client-certificate authentication with the join-server.
# tls_cert="/path/to/tls_cert.pem"

# # TLS client-certificate key (optional).
# #
# # Set this to enable client-certificate authentication with the join-server.
# tls_key="/path/to/tls_key.pem"


# Default join-server settings.
#
# This join-server will be used when resolving the JoinEUI is set to false
# or as a fallback when resolving the JoinEUI fails.
[join_server.default]
# hostname:port of the default join-server
#
# This API is provided by LoRa App Server.
server="http://localhost:8003"

# ca certificate used by the default join-server client (optional)
ca_cert=""

# tls certificate used by the default join-server client (optional)
tls_cert=""

# tls key used by the default join-server client (optional)
tls_key=""


# Join-server KEK set.
#
# These KEKs (Key Encryption Keys) are used to decrypt the network related
# session-keys received from the join-server on a (re)join-accept.
# Please refer to the LoRaWAN Backend Interface specification
# 'Key Transport Security' section for more information.
#
# Example (the [[join_server.kek.set]] can be repeated):
# [[join_server.kek.set]]
# # KEK label.
# label="000000"

# # Key Encryption Key.
# kek="01020304050607080102030405060708"

If I understand correctly, loraserver.io implements the ‘join’ service ‘internally’ (as part of the network server) unless you specify an ‘external’ one? Is that correct?

Yes, you have to enable it to use an external one (resolve_join_eui=true). As marked, this is still experimental as the NS <> JS security isn’t fully specified (yet) by the LoRa Alliance.

By default LoRa Server will use LoRa App Server as the Join-Server (also when the resolve_join_eui would fail).


Thanks, that makes things a bit clearer for me.

I need to go and read the specifications now, to understand what the transactions are (NS <–> JS ).

I’m contemplating attempting to create a JS as a Python-based Lambda in AWS…


@brocaar @mrpackethead

If we configure the configuration below in loraserver:

resolve_join_eui=true
join_eui="0102030405060708"

Can loraserver then join only devices with the above join_eui?
If loraserver receives a different join_eui, will it discard that request?

How can I configure resolve_domain_suffix? (Can you please give a small example?)

resolve_domain_suffix=".joineuis.lora-alliance.org"

Thanks
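Added illustration (not a reply from anyone in the thread, and not LoRa Server's own code) of how a JoinEUI and the resolve_domain_suffix from the configuration above combine into a resolution name, and of the fallback rule the config comments describe: resolve only when resolve_join_eui=true, otherwise or on failure use [join_server.default].server. The reverse-nibble DNS name format is an assumption taken from the LoRaWAN Backend Interfaces convention, and join_eui_dns_name, select_join_server, CONSTRUCTED_DNS and js.example.net are names invented here.

```python
import re

# Constructed stand-in for DNS: maps a resolution name to a join-server URL.
# A real deployment would do a live DNS lookup under resolve_domain_suffix.
CONSTRUCTED_DNS = {
    "8.0.7.0.6.0.5.0.4.0.3.0.2.0.1.0.joineuis.lora-alliance.org":
        "https://js.example.net:8003",
}

_JOIN_EUI = re.compile(r"[0-9a-fA-F]{16}")


def join_eui_dns_name(join_eui, suffix=".joineuis.lora-alliance.org"):
    """Return the DNS name under which a JoinEUI is resolved.

    Assumed convention (LoRaWAN Backend Interfaces style, not quoted in
    the thread): the 16 hex digits of the JoinEUI are reversed, separated
    by dots, and resolve_domain_suffix is appended.
    """
    if not _JOIN_EUI.fullmatch(join_eui):
        raise ValueError("JoinEUI must be 16 hex digits, got %r" % join_eui)
    reversed_nibbles = ".".join(reversed(join_eui.lower()))
    return "%s.%s" % (reversed_nibbles, suffix.lstrip("."))


def select_join_server(join_eui, resolve_join_eui, suffix, default_server,
                       lookup=CONSTRUCTED_DNS.get):
    """Pick the join-server for a join-request.

    Mirrors the config comments: resolve via DNS only when
    resolve_join_eui is true; on a miss or lookup error fall back to
    [join_server.default].server. Returns (server_url, source).
    """
    if resolve_join_eui:
        name = join_eui_dns_name(join_eui, suffix)
        try:
            server = lookup(name)
        except OSError:  # a live resolver raises when the lookup fails
            server = None
        if server:
            return server, "resolved"
    return default_server, "default"


if __name__ == "__main__":
    print(join_eui_dns_name("0102030405060708"))
    print(select_join_server("0102030405060708", True,
                             ".joineuis.lora-alliance.org",
                             "http://localhost:8003"))
```

Note that the DNS step only locates a join-server; it does not authenticate it, so the per-JoinEUI ca_cert and tls_cert/tls_key under [[join_server.certificates]] are what actually pins which server LoRa Server will trust for that JoinEUI.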