Encryption

Set EE (Encryption Enable) to 1 to enable encryption. Use KY (AES Encryption Key) to set the encryption key; the same key must be set on every device in the network.

Starting with firmware version 9002, the XBee/XBee-PRO S2C DigiMesh 2.4 supports 256-bit AES counter mode encryption. We recommend using this enhanced security mode to provide greater security against replay attacks and attempts to determine the plaintext.

Use C8 (Compatibility Options) bit 2 to select the encryption mode: clear the bit for 256-bit AES CTR mode, set it for legacy 128-bit AES ECB mode.

256-bit AES Counter Mode encryption

This security mode uses Counter (CTR) mode encryption instead of Electronic Codebook (ECB) mode encryption. Since the counter is passed over-the-air (OTA) and changes with each frame, the same plaintext is encrypted differently in every frame, and the block-pattern leakage of ECB mode (identical plaintext blocks producing identical ciphertext blocks) is avoided. The security of CTR mode depends on a counter value never being reused with the same key: two frames encrypted under the same counter share the same keystream, and XORing their ciphertexts yields the XOR of their plaintexts. Note also that neither mode adds a message integrity check (see the 802.15.4 security modes below), so encryption by itself does not detect modified or forged frames.

A side effect of this implementation is that the maximum payload is reduced by the size of the counter (8 bytes). Therefore the maximum payload is 65 bytes with CTR mode encryption enabled; it remains 73 bytes with encryption disabled.

Also starting with firmware version 9002, the key is 256 bits (32 bytes) rather than 128 bits. Because the key is entered as ASCII hex characters in Command mode, up to 64 ASCII hex characters may be entered for the KY command.

This security mode is compatible with other XBee/XBee-PRO S2C DigiMesh 2.4 modules running version 9002 or later and with XBee3 DigiMesh modules. It is not enabled by default. To enable this enhanced security mode, clear C8 (Compatibility Options) bit 2.

128-bit AES Electronic Codebook encryption

This mode is enabled by default; however, we recommend using 256-bit AES CTR mode encryption whenever possible.

For compatibility with nodes in the same network that do not support CTR mode encryption, setting C8 bit 2 enables the legacy 128-bit ECB mode encryption supported previously. In this case only the last 32 ASCII hex characters of the key are used, even if more characters were previously entered for the key.

128-bit encryption refers to the length of the encryption key entered with the KY command (128 bits = 16 bytes).
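The following Python is added here as an illustration and is not taken from Digi's firmware or documentation. It contrasts the two modes and applies the KY rules described above. A minimal encrypt-only AES is included so it runs with the standard library alone. The layout of the 16-byte counter block (the 8-byte over-the-air counter followed by an 8-byte block index), the sample KY value and the sample payloads are constructed assumptions for the demonstration, as is the helper's refusal of keys shorter than the full 32 or 64 hex characters, since the page does not say how the firmware pads shorter values.

```python
"""Added example (not the S2C firmware's own code): ECB vs CTR under the KY/C8 rules.
A minimal encrypt-only AES is included so it runs on the standard library alone.
ASSUMPTION: the 16-byte CTR input block is the 8-byte over-the-air counter followed
by an 8-byte block index; the page does not document the real layout."""


def _make_sbox() -> list:
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                                                  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for k in (1, 2, 4):                                    # q /= 3
            q ^= q << k
        q &= 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # q ^ rotl(q, 1..4), folded below
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _xtime(a: int) -> int:                                     # multiply by x (0x02) in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _expand_key(key: bytes) -> list:
    """FIPS-197 key schedule: returns Nr + 1 round keys of 16 bytes each."""
    nk = len(key) // 4                                         # 4 words (AES-128) or 8 words (AES-256)
    rounds = nk + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]               # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]                           # extra SubWord in AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(rounds + 1)]


def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block; the state is column-major as in FIPS-197."""
    if len(key) not in (16, 24, 32) or len(block) != 16:
        raise ValueError("key must be 16/24/32 bytes and block exactly 16 bytes")
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for n, rk in enumerate(rks[1:], 1):
        s = [SBOX[b] for b in s]                                                # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]      # ShiftRows
        if n < len(rks) - 1:                                                    # MixColumns (not in last round)
            s = [s[4*c+i] ^ s[4*c] ^ s[4*c+1] ^ s[4*c+2] ^ s[4*c+3]
                 ^ _xtime(s[4*c+i] ^ s[4*c+(i+1) % 4]) for c in range(4) for i in range(4)]
        s = [b ^ k for b, k in zip(s, rk)]                                      # AddRoundKey
    return bytes(s)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Legacy mode (C8 bit 2 set): every 16-byte block is encrypted independently."""
    if len(data) % 16:
        raise ValueError("ECB needs whole 16-byte blocks")
    return b"".join(aes_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))


def ctr_encrypt(key: bytes, counter: int, data: bytes) -> bytes:
    """CTR mode (C8 bit 2 clear): XOR data with AES(counter block); a partial last block is fine."""
    out = bytearray()
    for i in range(0, len(data), 16):
        ctr_block = counter.to_bytes(8, "big") + (i // 16).to_bytes(8, "big")  # ASSUMED layout
        out += bytes(d ^ k for d, k in zip(data[i:i + 16], aes_encrypt_block(key, ctr_block)))
    return bytes(out)


def ky_to_key(ky_hex: str, legacy_ecb: bool) -> bytes:
    """KY rules from the page: at most 64 hex chars; legacy ECB mode keeps only the last 32."""
    ky_hex = ky_hex.strip()
    if len(ky_hex) > 64 or any(c not in "0123456789abcdefABCDEF" for c in ky_hex):
        raise ValueError("KY accepts up to 64 ASCII hex characters")
    if legacy_ecb:
        ky_hex = ky_hex[-32:]
    if len(ky_hex) not in (32, 64):   # ASSUMPTION: the page does not say how shorter values are padded
        raise ValueError("this helper needs a full-length 128- or 256-bit key")
    return bytes.fromhex(ky_hex)


def demo() -> dict:
    """Constructed KY value and payloads; every entry should come back True."""
    ky = bytes(range(32)).hex()                                # constructed 64-hex-char KY value
    key256 = ky_to_key(ky, legacy_ecb=False)
    key128 = ky_to_key(ky, legacy_ecb=True)                    # only the last 32 hex chars survive
    frame, other = b"TEMP=21.5C,OK!!!" * 2, b"TEMP=99.9C,HOT!!" * 2   # 16-byte reading, sent twice
    ecb, c1, c2 = ecb_encrypt(key128, frame), ctr_encrypt(key256, 1, frame), ctr_encrypt(key256, 2, frame)
    c3 = ctr_encrypt(key256, 1, other)                         # counter 1 reused: same keystream as c1
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    return {
        "ecb_repeats_identical_blocks": ecb[:16] == ecb[16:],
        "ctr_hides_repeats_within_frame": c1[:16] != c1[16:],
        "ctr_differs_per_counter": c1 != c2,
        "counter_reuse_leaks_plaintext_xor": xor(c1, c3) == xor(frame, other),
    }
```

Running demo() returns True for every entry: ECB turns identical 16-byte plaintext blocks into identical ciphertext blocks, CTR does not, and reusing a counter with the same key lets an observer XOR two captured frames to recover the XOR of their plaintexts, which is why the per-frame counter must never repeat under one key.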

802.15.4 security modes

The 802.15.4 protocol specifies eight security levels, enumerated in the following table (MIC = message integrity check; lengths and overhead are in bytes).

Level  Name         Encrypted?  MIC length (bytes)  Packet length overhead (bytes)
0      N/A          No          0 (no check)        0
1      MIC-32       No          4                   9
2      MIC-64       No          8                   13
3      MIC-128      No          16                  21
4      ENC          Yes         0 (no check)        5
5      ENC-MIC-32   Yes         4                   9
6      ENC-MIC-64   Yes         8                   13
7      ENC-MIC-128  Yes         16                  21

The XBee/XBee-PRO S2C DigiMesh 2.4 supports only security levels 0 and 4; it does not support message integrity checks. EE 0 selects security level 0 and EE 1 selects security level 4. When encryption is enabled, all devices in the network must use the same encryption key (16 bytes in legacy ECB mode, 32 bytes in CTR mode) for valid data to get through. Because there is no integrity check, a mismatched key is not detected: the receiving device outputs corrupted data. Mismatched EE parameters prevent the receiving device from outputting received data.