Data integrity and confidentiality protection in NB-Fi protocol
The NB-Fi wireless protocol for IoT devices is designed for secure data exchange with full end-to-end encryption between the end devices and the server, ensuring the confidentiality and integrity of the transmitted information.
NB-Fi is an LPWAN protocol that supports secure bidirectional communication for Internet of Things (IoT), machine-to-machine (M2M), Smart Grid, Smart Utilities, Smart City and industrial applications. The NB-Fi protocol is optimized for low power consumption and is designed to support large networks with millions of autonomous devices. An NB-Fi base station with bidirectional communication powered by NB-Fi technology not only gathers data from utility meters, sensors and gauges but also allows them to be controlled. This requires the highest level of data security to protect the integrity and confidentiality of messages in both directions, which is implemented in the NB-Fi protocol.
The NB-Fi protocol is based on the encapsulation principle of network protocol layers. The lowest layer is the physical layer, which is responsible for receiving and transmitting radio signals and for controlling IoT devices. The MAC layer is responsible for protecting the transmitted data from interference in the wireless communication channel with non-cryptographic methods (error correction codes); however, the MAC layer does not guarantee delivery of messages. The SC layer (Secure Channel layer) ensures secure communication between the device and the server. Finally, the transport layer represents application data in packets that can be processed by the SC layer.
NB-Fi security is based on well-established methods: standard algorithms and end-to-end encryption.
The NB-Fi protocol uses a system of keys in which each NB-Fi device has a unique 256-bit root key. From this root key, the diversification function generates two keys, one for the Uplink channel and one for the Downlink channel. The key for each channel is used to obtain the 256-bit master keys for data protection. In addition, two separate master keys are generated for the message authentication code. A master key is used only once to generate the data keys, after which the master key is updated. Data keys can be used to encrypt no more than 256 packets. CTR and OMAC modes based on AES-256 are used for the two-key encryption scheme and for the message authentication code. Other symmetric block cipher algorithms with a 256-bit key can be used, if required.
To ensure the security and integrity of the NB-Fi transport layer, an authenticated encryption with associated data (AEAD) scheme is used.
A distinguishing feature of the NB-Fi protocol is that packet delivery is not guaranteed. This limitation is caused by the physical limitations of wireless transmission and the low isotropic radiated power of the end devices. It distinguishes the implementation of the NB-Fi protocol from, for example, the Datagram Transport Layer Security (DTLS) protocol, where the data keys on both sides do not change during data transfer after the handshake, so a skipped packet or a change in packet order does not require additional key synchronization.
The NB-Fi protocol is designed to establish a secure channel between the end device and the application server controlled by the network operator. This communication channel must guarantee the security and integrity of messages not only during their wireless transmission, but also during their transmission through the IoT platform.
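A model of the key hierarchy and of the key synchronization problem described in the two passages above, as an added example that is not NB-Fi's own code. The page does not specify the diversification function or how the two sides stay in step, so HMAC-SHA256 stands in for each derivation step and a per-channel packet counter selects the data key (both assumptions, as are all labels and names).

```python
import hashlib
import hmac

PACKETS_PER_DATA_KEY = 256  # from the text: a data key protects at most 256 packets


def kdf(key: bytes, label: bytes) -> bytes:
    """Derivation step. ASSUMPTION: HMAC-SHA256 stand-in, 256-bit output."""
    return hmac.new(key, label, hashlib.sha256).digest()


class ChannelKeys:
    """Key chain for one direction (b"uplink" or b"downlink") of one device."""

    def __init__(self, root_key: bytes, direction: bytes):
        if len(root_key) != 32:
            raise ValueError("root key must be 256 bits")
        channel_key = kdf(root_key, b"channel|" + direction)
        # Separate master keys for encryption and for the message authentication code.
        self._master = {"enc": kdf(channel_key, b"master|enc"),
                        "mac": kdf(channel_key, b"master|mac")}
        self.epoch = 0
        self._derive_data_keys()

    def _derive_data_keys(self) -> None:
        # A master key is used once to produce a data key, then it is updated.
        self._data = {k: kdf(m, b"data") for k, m in self._master.items()}
        self._master = {k: kdf(m, b"update") for k, m in self._master.items()}

    def keys_for_packet(self, counter: int) -> tuple[bytes, bytes]:
        """Return (enc_key, mac_key) for a packet counter (hypothetical field)."""
        target = counter // PACKETS_PER_DATA_KEY
        if target < self.epoch:
            raise ValueError("packet belongs to a retired data key")
        while self.epoch < target:  # catch up over lost packets
            self._derive_data_keys()
            self.epoch += 1
        return self._data["enc"], self._data["mac"]


if __name__ == "__main__":
    root = bytes(range(32))  # constructed sample root key
    device, server = ChannelKeys(root, b"uplink"), ChannelKeys(root, b"uplink")
    for n in range(701):     # device sends packets 0..700
        sent = device.keys_for_packet(n)
    # Server received nothing until packet 700 and still lands on the same keys.
    print(server.keys_for_packet(700) == sent, server.epoch)
```

A receiver built this way should verify the packet's MAC under the candidate keys before committing the new state, otherwise a forged counter could push it ahead of the sender.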
To ensure cryptographic protection of information at the presentation layer, a scheme similar to the transport layer's scheme is used. In this case, no keys used at the transport layer can be used at the presentation layer, and it is impossible to disable the encryption or change the encryption algorithm. NB-Fi server interfaces are protected by HTTPS and VPN technologies. For users who have access to device control, mandatory two-factor authorization may be configured.