LoRa Alliance Security Frequently Asked Questions

Where are the security mechanisms of LoRaWAN specified?
All security mechanisms are specified in the LoRa Alliance specification, which can be downloaded by the public.
How does the LoRa Alliance specification ensure the safe operation of the LoRaWAN network?
LoRaWAN supports origin authentication, integrity and replay protection for the full media access control (MAC) frame. It also enables end-to-end encryption of the application payload between the end device and its counterpart on the network side. LoRaWAN also supports a mode of operation that allows encryption of MAC commands.
All of these procedures rely on the Advanced Encryption Standard (AES), using 128-bit keys and algorithms.
Is there any difference between ABP (Activation By Personalization) and OTAA (Over-The-Air Activation) in terms of security methods?
LoRaWAN uses static root keys and dynamically generated session keys.
Root keys are provisioned only in OTAA end devices. They are used to derive session keys when an OTAA end device performs the join procedure with the network.
An OTAA end device, once installed in the field, can connect to any network that has an interface to the key server (that is, the join server added in release 1.1) with which the end device is associated. Session keys are used by end devices to protect over-the-air traffic.
ABP end devices are not provisioned with root keys. Instead, they are provisioned with a set of session keys for a preselected network. The session keys remain unchanged throughout the life cycle of an ABP end device.
The ability to update session keys makes OTAA devices more suitable for applications that require a higher level of security.
What kind of identification is used in LoRaWAN?
Each end device is identified by a 64-bit globally unique Extended Unique Identifier (EUI-64), assigned by the manufacturer or the owner of the end device. Assigning EUI-64 identifiers requires the assignor to have an Organizationally Unique Identifier (OUI) from the IEEE Registration Authority.
Each join server used to authenticate end devices is also identified by a 64-bit globally unique identifier (EUI-64), assigned by the owner or operator of the server.
Open LoRaWAN networks, and private LoRaWAN networks that cooperate (roam) with open networks, are identified by a 24-bit globally unique identifier assigned by the LoRa Alliance.
When an end device successfully joins a network, it receives a 32-bit short device address allocated by the serving network.
Can I arbitrarily assign any identifier to my devices or networks?
Please see the previous question for who has the authority to assign each identifier. Failure to follow these guidelines will cause identifier conflicts and unpredictable behavior in your network deployment (similar to what happens when the same Ethernet MAC address is used by multiple devices connected to the same LAN).
Are all end devices equipped with the same "default" key when they leave the manufacturer?
No, there is no concept of a "default key" or "default password" in LoRaWAN. All end devices are equipped with a unique key when they leave the manufacturer. Therefore, the compromise of one end device's key will not affect other end devices.
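
As an added illustration (not part of the original FAQ or of any LoRa Alliance material), the following Python example audits a device provisioning list against the rules in the answers above: a 64-bit EUI-64 under an OUI the assignor holds, no duplicate identifiers, one unique 128-bit key per device, and a note for ABP devices whose session keys never change. The inventory format, field names, the OUI AABBCC and all keys are constructed for this example.

```python
import re
from collections import Counter

HEX64 = re.compile(r"[0-9A-F]{16}")    # 64-bit EUI-64 written as hex
HEX128 = re.compile(r"[0-9A-F]{32}")   # 128-bit AES key written as hex

def audit(inventory, owned_ouis):
    """Return a sorted list of (dev_eui, finding) pairs for a provisioning list."""
    findings = set()
    eui_count = Counter(d["dev_eui"].upper() for d in inventory)
    key_count = Counter(d["key"].upper() for d in inventory)
    for dev in inventory:
        eui, key = dev["dev_eui"].upper(), dev["key"].upper()
        if not HEX64.fullmatch(eui):
            findings.add((eui, "dev_eui is not 64 bits"))
        elif eui[:6] not in owned_ouis:
            # The leading 24 bits carry the OUI registered with the IEEE.
            findings.add((eui, "OUI not held by assignor"))
        if eui_count[eui] > 1:
            # Identifier clash, like one Ethernet MAC on several LAN hosts.
            findings.add((eui, "duplicate dev_eui"))
        if not HEX128.fullmatch(key):
            findings.add((eui, "key is not 128 bits"))
        elif key_count[key] > 1:
            # Each device must leave the manufacturer with its own key.
            findings.add((eui, "key shared with another device"))
        if dev["mode"] == "ABP":
            findings.add((eui, "ABP: session keys fixed for device lifetime"))
    return sorted(findings)

# Constructed sample data: hypothetical field names, made-up OUI and keys.
SAMPLE = [
    {"dev_eui": "AABBCC0000000001", "mode": "OTAA", "key": "00112233445566778899AABBCCDDEEFF"},
    {"dev_eui": "AABBCC0000000002", "mode": "OTAA", "key": "00112233445566778899AABBCCDDEEFF"},
    {"dev_eui": "AABBCC0000000003", "mode": "ABP", "key": "0F1E2D3C4B5A69788796A5B4C3D2E1F0"},
    {"dev_eui": "AABBCC0000000003", "mode": "OTAA", "key": "102132435465768798A9BACBDCEDFE0F"},
    {"dev_eui": "DDEEFF0000000004", "mode": "OTAA", "key": "1234"},
]

if __name__ == "__main__":
    for eui, finding in audit(SAMPLE, owned_ouis={"AABBCC"}):
        print(eui, finding)
```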

Origin blog.csdn.net/weixin_48169061/article/details/108579892