From 5bee8ccafe91ff10002d3d9c7c869f334e29afca Mon Sep 17 00:00:00 2001
From: Bruceforce
Date: Thu, 31 Jan 2019 19:09:49 +0100
Subject: [PATCH] Update how_to_secure_network.md (#963)

* Update how_to_secure_network.md

Make clear that the key consists of 16 hex values and gave an example how to generate a key with command line tools.

* Clarified info about network key notation

* clarified network key notation (dec or hex)

* Update how_to_secure_network.md

Make clear that the key consists of 16 hex values and gave an example how to generate a key with command line tools.

* Remove trailing comma. #916
---
 docs/how_tos/how_to_secure_network.md | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/docs/how_tos/how_to_secure_network.md b/docs/how_tos/how_to_secure_network.md
index f9c34265..9df560c4 100644
--- a/docs/how_tos/how_to_secure_network.md
+++ b/docs/how_tos/how_to_secure_network.md
@@ -1,16 +1,25 @@ # How to secure your Zigbee network By default your Zigbee network isn't as secured as possible. The following settings are recommeded to apply to your configuration. -## Disabled joining -To disable joining it's important that `permit_join: false` is set in your `configuration.yaml`. +## Disable joining +To disable joining it's important that `permit_join: false` is set in your `configuration.yaml`. Otherwise rogue devices are able to join allowing them to send and receive Zigbee traffic. ## Change Zigbee network encryption key **Changing the key requires repairing of all devices!** -Zigbee2mqtt uses a default encryption key. Therefore it is recommended to use a different one. To use a different encryption key add the following to you `configuration.yaml`: +Zigbee2mqtt uses a known default encryption key. Therefore it is recommended to use a different one. To use a different encryption key add the following to your `configuration.yaml`: -**Do not use the following key.** +**Do not use this exact key.** ``` advanced: - network_key: [7, 3, 5, 7, 9, 11, 13, 15, 0, 2, 4, 6, 8, 11, 12, 13], + network_key: [7, 3, 5, 7, 9, 11, 13, 15, 0, 2, 4, 6, 8, 11, 12, 13] +``` + +The network encryption key size is `128-bit` which is essentially 16 decimal values between `0` and `255` or 16 hexadecimal values between `0x00`and `0xFF`. + +If you need to transform your decimals to hexadecimals (or vice versa) please use a [converter](https://www.binaryhexconverter.com/decimal-to-hex-converter). Example: 92 (decimal) would become 5C (hexadecimal). + +You can generate a valid key with the following command in most linux systems: +``` +dd if=/dev/urandom bs=1 count=16 2>/dev/null | od -A n -t x1 | awk '{printf "["} {for(i = 1; i< NF; i++) {printf "0x%s, ", $i}} {printf "0x%s]\n", $NF}' ```
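Review bot: The added paragraph pointing to an online decimal-to-hex converter sits directly beside the instructions for choosing a secret network key, so a reader may end up typing real key bytes into a third-party website. I would drop the link or state that conversion should be done locally, for example `printf '%x\n' 92` prints `5c`. In the same added text, `0x00`and is missing a space before "and", "linux" should be "Linux", and "16 decimal values between `0` and `255` or 16 hexadecimal values" would be clearer as "16 bytes, each written either in decimal (`0` to `255`) or in hexadecimal (`0x00` to `0xFF`)". The generator command emits `0x..` values while the only sample key shown is decimal, so a short note that both notations are accepted in `network_key`, placed next to the command, would save readers from converting its output by hand. Two leftovers in lines this hunk already touches or keeps as context: "repairing of all devices" reads as "fixing" and should be "re-pairing", and "recommeded" in the intro is still misspelled.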