XBee®/XBee-PRO® ZB RF Modules User's Manual
© 2009 Digi International, Inc. 66
that are not pre-configured with the link key. Sending the network key unencrypted is not
recommended as it can open a security hole in the network. To maximize security, devices should
be pre-configured with the correct link key.
Implementing Security on the XBee
If security is enabled in the XBee ZB firmware, devices acquire the network key when they join a
network. Data transmissions are always encrypted with the network key, and can optionally be
end-to-end encrypted with the APS link key. The following sections discuss the security settings
and options in the XBee ZB firmware.
Enabling Security
To enable security on a device, the EE command must be set to 1. If the EE command value is
changed and changes are applied (e.g. AC command), the XBee module will leave the network
(PAN ID and channel) it was operating on, and attempt to form or join a new network.
If EE is set to 1, all data transmissions will be encrypted with the network key. When security is
enabled, the maximum number of bytes in a single RF transmission will be reduced. See the NP
command for details.
Note: The EE command must be set the same on all devices in a network. Changes to the EE
command should be written to non-volatile memory (to be preserved through power cycle or reset
events) using the WR command.
Setting the Network Security Key
The coordinator must select the network security key for the network. The NK command (write-
only) is used to set the network key. If NK=0 (default), a random network key will be selected.
(This should suffice for most applications.) Otherwise, if NK is set to a non-zero value, the network
security key will use the value specified by NK. NK is only supported on the coordinator.
Routers and end devices with security enabled (ATEE=1) acquire the network key when they join a
network. They will receive the network key encrypted with the link key if they share a pre-
configured link key with the coordinator. See the following section for details.
Setting the APS Trust Center Link Key
The coordinator must also select the trust center link key, using the KY command. If KY=0
(default), the coordinator will select a random trust center link key (not recommended).
Otherwise, if KY is set greater than 0, this value will be used as the pre-configured trust center link
key. KY is write-only and cannot be read.
Note: Application link keys (sent between two devices where neither device is the coordinator) are
not supported in ZB firmware at this time.
Random Trust Center Link Keys
If the coordinator selects a random trust center link key (KY=0, default), then it will allow devices
to join the network without having a pre-configured link key. However, this will cause the network
key to be sent unencrypted over-the-air to joining devices and is not recommended.
Pre-configured Trust Center Link Keys
If the coordinator uses a pre-configured link key (KY > 0), then the coordinator will not send the
network key unencrypted to joining devices. Only devices with the correct pre-configured link key
will be able to join and communicate on the network.
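The procedure described in the sections above (EE, NK, KY, then WR and AC) as a small audit-and-configuration helper. This is an added example, not code from Digi's manual or firmware. It assumes the module's serial command mode (the "+++" guard sequence followed by "AT<cmd> <value><CR>"), that NK and KY are 128-bit AES keys written as up to 32 hex digits (not stated on this page), and that CN exits command mode; the fleet settings in the block are constructed sample data.

```python
import secrets

# Assumption (not stated on this page): ZigBee uses AES-128, so NK and KY are
# 128-bit keys written as up to 32 hex digits.
KEY_HEX_DIGITS = 32


def generate_link_key():
    """Return a random, non-zero 128-bit key as 32 upper-case hex digits.

    The manual recommends pre-configuring a link key rather than relying on
    KY=0 (random key, network key sent over the air unencrypted).
    """
    while True:
        key = secrets.token_hex(KEY_HEX_DIGITS // 2).upper()
        if int(key, 16) != 0:  # KY=0 has the special meaning "random key"
            return key


def audit_security_settings(settings, is_coordinator):
    """Return a list of findings for one device's AT settings.

    `settings` maps AT command names (EE, NK, KY) to their values as hex strings.
    Rules come from the manual text: EE must be 1; KY must be non-zero so the
    network key is never sent unencrypted to joining devices; NK is only
    supported on the coordinator.
    """
    findings = []
    if settings.get("EE", "0") != "1":
        findings.append("EE != 1: transmissions are not encrypted with the network key")

    ky = settings.get("KY", "0")
    if len(ky) > KEY_HEX_DIGITS:
        findings.append(f"KY: value exceeds {KEY_HEX_DIGITS} hex digits")
    elif int(ky, 16) == 0:
        findings.append("KY = 0: random link key; network key sent over-the-air unencrypted")

    if "NK" in settings and not is_coordinator:
        findings.append("NK set on a router/end device: NK is only supported on the coordinator")
    return findings


def check_ee_consistency(devices):
    """Return names of devices whose EE differs from the coordinator's.

    `devices` maps a device name to its settings dict; the entry named
    'coordinator' is the reference, because EE must match on every node.
    """
    reference = devices["coordinator"].get("EE", "0")
    return sorted(name for name, s in devices.items()
                  if s.get("EE", "0") != reference)


def secure_coordinator_commands(link_key_hex, network_key_hex="0"):
    """Build the serial command-mode sequence that configures a coordinator.

    Uses XBee command mode: the '+++' guard sequence (no carriage return),
    then 'AT<cmd> <value>\\r'. WR saves to non-volatile memory; AC applies the
    change (the module leaves its PAN and forms a new network); CN exits
    command mode. network_key_hex='0' keeps the default random network key,
    which the manual says is adequate for most applications.
    """
    if int(link_key_hex, 16) == 0:
        raise ValueError("link key must be non-zero; KY=0 means 'random key' and "
                         "exposes the network key over the air")
    return [
        "+++",
        "ATEE 1\r",
        f"ATKY {link_key_hex}\r",
        f"ATNK {network_key_hex}\r",
        "ATWR\r",
        "ATAC\r",
        "ATCN\r",
    ]


if __name__ == "__main__":
    # Constructed sample fleet: a coordinator left at the weak default KY=0,
    # a router with the same default, and a router where NK was set by mistake.
    fleet = {
        "coordinator": {"EE": "1", "KY": "0"},
        "router-1": {"EE": "1", "KY": "0"},
        "router-2": {"EE": "0", "KY": "0", "NK": "1234"},
    }
    for name, settings in fleet.items():
        for finding in audit_security_settings(settings, name == "coordinator"):
            print(f"{name}: {finding}")
    print("EE mismatch:", check_ee_consistency(fleet))
    key = generate_link_key()
    print("\n".join(repr(c) for c in secure_coordinator_commands(key)))
```

The audit flags exactly the conditions the manual warns about: EE not enabled, EE differing between nodes, KY=0 (network key delivered in the clear), and NK on a non-coordinator. The command builder refuses a zero link key so the generated sequence always configures the pre-configured-link-key mode.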
Enabling APS Encryption
APS encryption is an optional layer of security that uses the link key to encrypt the data payload.
Unlike network encryption that is decrypted and encrypted on a hop-by-hop basis, APS encryption