Encryption

Communications between SNAP devices are normally unencrypted. Anyone using the SNAP Sniffer (or some other means of monitoring radio traffic) can clearly see the traffic passed between devices. This can be very useful when establishing or troubleshooting a network, but it leaves your data unprotected from prying eyes. Encrypting all your network traffic addresses this: it reduces the chances that someone who captures your traffic can read your data.

SNAP devices offer two forms of encryption: AES-128 and Basic encryption. To use AES-128 encryption for all their communications, your devices must be loaded with a firmware version that enables AES-128. You can determine which firmware is loaded into a device by using SNAPtoolbelt. Firmware that supports AES-128 encryption will include “AES-128” in the firmware name.

Warning

Basic “encryption” is not strong encryption and should not be used. It is not supported by SNAPstack or SNAPtoolbelt.

Enabling encryption requires two steps. First, you must indicate that you would like to encrypt your traffic and specify which form of encryption you wish to use. Then, you must specify what your encryption key is. After rebooting the node, all communications from the device (both over the air and over the UARTs) are encrypted, and the device will expect all incoming communications to be encrypted. It will no longer be able to participate in unencrypted networks.

NV50 - Enable Encryption is where you indicate which form of encryption should be used. The valid values are:

  • 0 = Use no encryption

  • 1 = Use AES-128 encryption

  • 2 = Use Basic “encryption”

NV51 - Encryption Key is where you specify the encryption key for your encrypted network. The key must be exactly 16 bytes long. You can specify the key as a simple string (e.g., ThEeNcRyPtIoNkEy), as a series of hex values (e.g., \x2a\x14\x3b\x44\xd7\x3c\x70\xd2\x61\x96\x71\x91\xf5\x8f\x69\xb9), or as some combination of the two (e.g., \xfbOF\x06\xe4\xf0Forty-Two!). Standard security practices suggest you should use a complicated encryption key that would be difficult to guess.
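The following is an added example, not code from the SNAP documentation or tools: a desktop-side Python check that a candidate NV51 key decodes to exactly 16 bytes, plus a generator for a random key. It assumes the hex form uses Python-style \xNN escapes; the function names and the two weak-key heuristics are hypothetical choices, not SNAP requirements.

```python
import re
import secrets

KEY_LEN = 16  # NV51 requires a key of exactly 16 bytes
# One token is either a \xNN escape or a single literal character.
_TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|(.)", re.DOTALL)


def parse_key(text):
    """Convert key text (literal chars, \\xNN escapes, or a mix) to bytes."""
    out = bytearray()
    for hex_pair, literal in _TOKEN.findall(text):
        if hex_pair:
            out.append(int(hex_pair, 16))
        elif literal == "\\":
            raise ValueError("stray backslash: use \\xNN with two hex digits")
        elif ord(literal) > 0x7F:
            raise ValueError("non-ASCII character %r: write it as \\xNN" % literal)
        else:
            out.append(ord(literal))
    return bytes(out)


def check_key(text):
    """Return a list of problems with a candidate key (empty list = none found)."""
    try:
        key = parse_key(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if len(key) != KEY_LEN:
        problems.append("key is %d bytes, must be exactly %d" % (len(key), KEY_LEN))
    # The two checks below are illustrative heuristics, not SNAP rules.
    if len(set(key)) < 8:
        problems.append("weak: fewer than 8 distinct byte values")
    if all(0x20 <= b < 0x7F for b in key):
        problems.append("weak: printable text only, prefer random bytes")
    return problems


def new_key_text():
    """Generate a random 16-byte key from the OS CSPRNG, in \\xNN notation."""
    return "".join("\\x%02x" % b for b in secrets.token_bytes(KEY_LEN))


if __name__ == "__main__":
    # Sample keys from the text above, plus one constructed short key.
    for sample in ("ThEeNcRyPtIoNkEy", r"\xfbOF\x06\xe4\xf0Forty-Two!", "too short"):
        print(repr(sample), "->", check_key(sample) or "OK")
    print("fresh key:", new_key_text())
```

Keys that appear in documentation, including the samples above, are public and should only ever be used as format examples.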

No encryption will be used if:

As with all NV parameter configuration, the changes you make will only take effect after the device reboots.