Data security with Amazon IoT Core for LoRaWAN
Two methods secure the data from your Amazon IoT Core for LoRaWAN devices:
- The security that wireless devices use to communicate with the gateways. The LoRaWAN devices follow the security practices described in LoRaWAN™ SECURITY: A White Paper Prepared for the LoRa Alliance™ by Gemalto, Actility, and Semtech to communicate with the gateways.
- The security that Amazon IoT Core uses to connect gateways to Amazon IoT Core for LoRaWAN and send the data to other Amazon services. Amazon IoT Core security is described in Data protection in Amazon IoT Core.
How data is secured throughout the system
The following diagram identifies the key elements in a LoRaWAN system connected to Amazon IoT Core for LoRaWAN and shows how data is secured at each step.

- The LoRaWAN wireless device encrypts its binary messages using AES-128 CTR mode before it transmits them.
- Gateway connections to Amazon IoT Core for LoRaWAN are secured by TLS as described in Transport security in Amazon IoT Core. Amazon IoT Core for LoRaWAN decrypts the binary message and encodes the decrypted binary message payload as a base64 string.
- The resulting base64-encoded message is sent as the message payload to the Amazon IoT rule described in the destination assigned to the device. Data within Amazon is encrypted using Amazon-owned keys.
- The Amazon IoT rule directs the message data to the services described in the rule's configuration. Data within Amazon is encrypted using Amazon-owned keys.
LoRaWAN device and gateway transport security
LoRaWAN devices and Amazon IoT Core for LoRaWAN store pre-shared root keys. Session keys are derived by both LoRaWAN devices and Amazon IoT Core for LoRaWAN following the protocols. The symmetric session keys are used for encryption and decryption in a standard AES-128 CTR mode. A 4-byte message integrity code (MIC) is also used to check the data integrity following a standard AES-128 CMAC algorithm. The session keys can be updated by using the Join/Rejoin process.
The security practice for LoRa gateways is described in the LoRaWAN specifications. LoRa gateways connect to Amazon IoT Core for LoRaWAN through a web socket using Basics Station version 2.0.4 and later.
Before the web socket connection is established, Amazon IoT Core for LoRaWAN uses the TLS Server and Client Authentication mode to authenticate the gateway. Amazon IoT Core for LoRaWAN also maintains a Configuration and Update Server (CUPS) that configures and updates the certificates and keys used for TLS authentication.