
ZigBee 3.0 Z-Stack 2.8 Security for joining devices

2018-03-18 16:36

1. Decryption
Commonly, the joining device cannot know which kind of network is being joined until it processes the content of the Transport Key command.
1.1 Decrypt with all the preconfigured keys
A joining device without a user interface for configuring its joining mechanism can be set to attempt all the preconfigured keys available to it upon joining (Install Code, Global Default Centralized Key and Global Default Distributed Key) by setting gZDSECMGR_TC_ATTEMPT_DEFAULT_KEY to TRUE.
So, when a joining device is factory new and receives the APS Transport Key command, there are 3 cases:
a. If an Install Code has been loaded through the BDB API, the install code derived key will be attempted for a centralized network.
b. If no Install Code is set, the Global Default Centralized Key will be attempted.
c. If the decryption fails, Z-Stack will automatically attempt the Global Default Distributed Key.
1.2 Decrypt with specific key
If the device is intended to join only networks in which Install Codes must be used, then gZDSECMGR_TC_ATTEMPT_DEFAULT_KEY must be set to FALSE. The default value is FALSE.
The secure procedures to join Centralized or Distributed networks are already implemented by the BDB layer.
2. Jitter for multiple devices
Joining devices must take into account that the APS TCLK exchange involves the TC reading and writing the APS security material in NV. If multiple Factory New devices are meant to be commissioned at the same time, a jitter must be implemented to allow the TC to process the joining procedures of all the devices.
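One way to implement the jitter described above, as an added example (not Z-Stack code and not from the original page): each device derives a start delay from its own IEEE address before it begins commissioning, and a helper checks how many devices of a batch would still hit the TC in the same time slot. The function names, the 30 s window, the 1 s per-join slot and the sample addresses are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: sequential IEEE addresses, as in one production batch. */
static const uint64_t sample_addrs[4] = {
    0x00124B0000000001ULL, 0x00124B0000000002ULL,
    0x00124B0000000003ULL, 0x00124B0000000004ULL };

/* splitmix64 finalizer: a bijective mixer, so near-identical addresses
 * still map to unrelated values. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Delay in [0, window_ms) to wait before starting commissioning.
 * Deterministic per device; a window of 0 disables the jitter. */
uint32_t join_jitter_ms(uint64_t ieee_addr, uint32_t window_ms)
{
    uint64_t h = mix64(ieee_addr) >> 32;        /* top 32 bits of the mix */
    return (uint32_t)((h * window_ms) >> 32);   /* scale, no modulo bias */
}

/* Largest number of devices whose delay lands in the same slot of slot_ms
 * (assumed time the TC needs per join). Returns 0 on invalid input. */
size_t max_slot_load(const uint64_t *addrs, size_t n,
                     uint32_t window_ms, uint32_t slot_ms)
{
    size_t worst = 0;
    if (window_ms == 0 || slot_ms == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t slot = join_jitter_ms(addrs[i], window_ms) / slot_ms;
        size_t load = 0;
        for (size_t j = 0; j < n; j++)
            if (join_jitter_ms(addrs[j], window_ms) / slot_ms == slot) load++;
        if (load > worst) worst = load;
    }
    return worst;
}

int main(void)
{
    for (size_t i = 0; i < 4; i++)
        printf("%016llx starts after %u ms\n",
               (unsigned long long)sample_addrs[i],
               (unsigned)join_jitter_ms(sample_addrs[i], 30000));
    printf("max devices per 1 s slot: %zu\n",
           max_slot_load(sample_addrs, 4, 30000, 1000));
    return 0;
}
```

If max_slot_load reports more devices per slot than the TC can handle at once, widen the window rather than shortening the slot.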
3. Large network without TCLK
Joining devices may skip the TCLK exchange procedure by setting requestNewTrustCenterLinkKey to FALSE, which allows Z3.0 devices to deploy a custom large network without requiring big TCLK tables in Coordinator devices.
However, this should not be used if interoperability with certified Z3.0 devices is intended.
