Security

Security is a key aspect in the development of a Zigbee gateway. The gateway is not only an important node for the Zigbee network, but also the interface to the cloud. Therefore, both communication within the network and the connection to the cloud must be protected.

Key exchange within the network

In the course of provisioning new devices, secure key exchange is essential to encrypt communication in the Zigbee network. Zigbee uses AES-128 encryption by default to protect data.

Typical procedures for key exchange:

  • Centralized key assignment: The gateway generates the network key and securely shares it with the device during provisioning.
  • Touchlink Procedure: Key exchange occurs through physical proximity between the gateway and the device, minimizing the risk of eavesdropping.
  • QR code or NFC: Devices with QR codes or NFC tags contain pre-configured keys that the gateway reads during provisioning.

These mechanisms ensure that only authorized devices can join the Zigbee network.

Ensuring access to the correct gateway

In addition to security within the network, it is equally important that only the authorized user has access to their gateway and that it is connected to the right cloud.

Typical procedures to ensure this:

    • Device binding by serial number or certificates:
      • Each gateway has a unique serial number or digital certificate.
      • When the gateway is first commissioned, it is linked to a user account by the user manually entering the serial number or scanning it through an app.
    • Public Key Infrastructure (PKI):
      • Each gateway has an individual key pair (private and public key).
      • When connecting to the cloud, the public key is registered and authentication is done through signature verification.
    • OAuth2 for cloud access:
      • Access to the gateway and the associated data in the cloud is via a token-based procedure based on the OAuth2 standard.
      • Users authenticate with their credentials, and the gateway only gains access to the cloud services associated with the user’s account.
    • Two-Factor Authentication (2FA):
      • For added security, access to the gateway can be protected by a second layer of authentication, such as an app or SMS code.

Data encryption and regular security updates

  • End-to-end encryption: Communication between the gateway and the cloud should be secured by protocols such as TLS (Transport Layer Security).
  • Regular updates: Security updates for the firmware of the gateway and for the cloud services are necessary to fix known vulnerabilities.

These security measures not only ensure the integrity of the Zigbee network, but also the confidentiality and security of the user’s data. The combination of local protection and secure cloud connectivity makes the Zigbee gateway a trusted part of modern IoT environments.