Chapter 4: Description of the hardware used
4.1.1 Equipment and Instrumentation
As with DH the node ( ) and the application server ( ) have their own secret key. To use ECDH key exchange both the node (all nodes connected to the application server) and the application server must select a private key. With ECDH, elliptic curves are used to determine a shared key . An elliptic curve is a set of points defined by the solutions of an equation of the form y² = x³ + ax + b (Smart, 2010), and its use here is based on the elliptic curve discrete logarithm problem. As with DH, some publicly known information is needed to use ECDH. The following information must be shared, and this can be done publicly:
p is a prime number (Field modulo p);
a and b (which define the equation);
G is the generator point (consisting of the x and y coordinate of the first point P, which is on the curve);
n is the infinity point (order of the subgroup);
h is the cofactor and ideally is 1.
With ECDH it is necessary that the selected private key is an integer between 1 and n − 1. Furthermore, it is necessary that 4a³ + 27b² ≠ 0 holds. Using this information both parties (in this case the node and the application server) can compute all the points on the elliptic curve and use that information for the key exchange. The functioning of ECDH is depicted in Figure 22.
Figure 22: Elliptic Curve Diffie-Hellman key exchange in LoRa
can now be used in the same way as with DH and the current usage of the static key in LoRa. When the confidentiality of one of the static keys ( , or ) is breached, or can be updated and a new can be generated.
Using an example, we show that the use of ECDH in a LoRa environment is possible. We use a key exchange between a single node and an application server, because each node has a unique secret key and needs to agree on a shared secret key with the application server. If multiple nodes need to perform key exchange with the application server (e.g. if the secret key of the application server is changed), each connected node must perform a separate key exchange with the application server.
As with DH, the first step in ECDH is to distribute some information, which is used by the node and the application server during key exchange. The equation that we use in this example is y² = x³ + ax + b. With ECDH the values that are shared are a prime (p), two values (a and b) that define the equation, the first point on the elliptic curve (G), the infinity point (n) and the cofactor (h). We use the following values: p = 17, a = 2, b = 2, G = (5,1), n = 19 and h = 1. These values can be pre-distributed manually or distributed publicly over the network when initializing the key exchange. After this information is shared, both the node and the application server must compute all the points on the elliptic curve. Using G and four standard formulas, all points on the elliptic curve can be computed.
Using G and the formula ≡ the second point (2G = G + G) on the elliptic curve can be computed. This formula is only used when computing a new point on the elliptic curve using 2 points for which the coordinates are equal. Using the x and y coordinate of G the x and y coordinates of 2G can be computed. The x-coordinate ( ) of 2G is computed using = − 2 . The y-coordinate ( ) of 2G is computed using = ( − ) − .
(3(5)² + 2) / (2(1)) ≡ 13 (mod 17)
x-coordinate of 2G: 13² − 2(5) ≡ 6 (mod 17)
y-coordinate of 2G: 13(5 − 6) − 1 ≡ 3 (mod 17)
2G = (6,3)
The third point on the elliptic curve (3G) is computed using G and 2G. Because the coordinates of G and 2G are not equal the following formulas must be used where = ( , ) and 2 = ( , ).
≡ −−
= − −
= − −
This results in 3G = (10,6). All following points up until the infinity point n are computed using these formulas.
Both the node ( ) and the application server ( ) have a secret key which are used in the ECDH key exchange. In this case = 5 and = 7. and are the private keys that must not be shared and must be kept secret. Using ECDH the node computes its public key point ( ) which the node shares with the application server.
= ∙ = 5 ∙ (5,1) = (9,16)
The public key point of the node is (9,16). In the next step is shared with the application server. The application server computes its public key point ( ) which the application server shares with the node.
= ∙ = 7 ∙ (5,1) = (0,6)
The public key point of the application server is (0,6). Now the node shares its public key point with the application server and the application server shares its public key point with the node. Because and are public key points, they may be publicly known and are shared using unsecure communication channels. After receiving each other’s public key points, the node and the application server can compute the shared secret key . The node computes the shared secret key using the application server’s public key point and its own private key .
= ∙ = 5 ∙ (0,6) = (10,11) = 16
The node computed that the shared secret key = 16. The application server also computes the shared secret key , but the application server uses the node’s public key and its own private key .
The application server computed that the shared secret key = 16. Both the node and the application server have computed the same shared secret key and can use as the new static key (AppKey) for handling join messages and generating session keys.
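The worked example above can be checked end to end with a short script. This is an added illustration, not code from the original text: the function and variable names are assumptions, while the curve parameters and private keys (5 and 7) are the ones given in the example. It also rejects received points that are not on the curve, a check the text does not describe.

```python
# Toy ECDH on the example curve y^2 = x^3 + 2x + 2 (mod 17); illustration only.
P, A, B = 17, 2, 2      # field prime and curve coefficients from the text
G, N = (5, 1), 19       # generator point and its order from the text
INF = None              # representation of the point at infinity (assumption)
assert (4 * A**3 + 27 * B**2) % P != 0   # curve must be non-singular

def on_curve(pt):
    return pt is INF or (pt[1]**2 - (pt[0]**3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    """Point addition: tangent slope for doubling, chord slope otherwise."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # a point plus its negative
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def public_key(priv):
    if not 1 <= priv <= N - 1:
        raise ValueError("private key must be in 1..n-1")
    return mul(priv, G)

def shared_point(priv, peer_pub):
    """Validate the received point before using it, then multiply."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("received public key is not a valid curve point")
    return mul(priv, peer_pub)

def index_of(pt):
    """Exhaustive search for k with k*G == pt; feasible only because n = 19."""
    return next(k for k in range(1, N + 1) if mul(k, G) == pt)
```

Both sides arrive at the point (10,11), which is the 16th multiple of G, matching the value 16 in the example. `index_of` also recovers a private key from its public key point in at most 19 steps, which is why a curve this small serves only as an illustration.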
It is advisable to use elliptic curves that are proven secure when using ECDH, and are published in the digital signature standard. NIST has included a set of 15 elliptic curves in the digital signature standard, which are recommended for usage with ECDH and ECDSA (NIST, 2009).