Centralized security

A centralized trust center network is defined as a Zigbee network where one node acts as the centralized key authority. This centralized trust center defines the network key and manages its distribution, determines when and if nodes can join the network, and issues application link keys. Upon formation of the network, the network coordinator assumes the role of the trust center. The trust center has a reserved address of 0 on the network, and any traffic sent to this address is routed to the trust center.

When a node attempts to join, it first establishes a MAC association with a router on the network. The router sends a request to the trust center, indicating the node wants to join. The trust center decides if the node can join based on the current join policy (Open join window + EO options). If the trust center approves the attempt to join, the network key is encrypted using a trust center link key and sent to the joining node. The joining node must have a copy of the link key in order to decrypt the network key and successfully join the network.

If the joining node does not have a link key that matches the network or has an install code derived link key, then it must be registered to the trust center. Registration is the means by which a link key is given to the trust center using an out-of-band method. Registration requires the trust center operate in API mode (AP=1 or 2) and cannot be performed in Command or Transparent mode.