Secure Session Key Generation Method for LoRaWAN Servers

In recent years, Internet of Things (IoT) as an essential infrastructure for industrial development, environmental protection and human life enhancement has attracted researchers' attention. Currently, there are four hot research topics in IoT fields, including sensor design, communication scheme, secure transmission, and data mining. The LoRaWAN, an unlicensed band based long range wide area network specification, is very suitable for the activities or operations in an IoT environment due to its low power and long range communication. In the LoRaWAN, star-of-stars topology, asynchronous communication, and three communication modes are used to reduce its power consumption. In order to enhance the security of network communication, the LoRaWAN adopts the 128-bit Advanced Encryption Standard (AES-128) and utilizes two session keys: network session key and application session key, for encrypting/decrypting data between end devices and network/application servers. However, according to the LoRaWAN Backend Interfaces 1.0 Specification announced by LoRa Alliance in 2017, the application layer communication securities between two arbitrary servers (including network servers, join server, and application servers) are out of the specification's scope. That is to say that the important data transmitted from one server to another may be attacked, falsified, or stolen easily. In this paper, a session key generation method is proposed to generate session keys with which two servers can securely communicate with each other, especially enhancing the application layer communication securities undefined in the LoRaWAN Specification. By integrating elliptic curve cryptography and AES-128, the session keys for different pairs of servers are created. The security discussion shows that the proposed method provides the features of mutual authentication, confidentiality and message integrity. Besides, it can also help to resist replay and eavesdropping attacks.