LoRa Basics Modem and LoRa Edge documentation

Scenario - LoRa Cloud™ Device Join

Introduction

Prior to sending data, devices designed to operate on a LoRaWAN® network must join such a network. The recommended method for joining a device to a LoRaWAN network is to use the LoRa Cloud™ Device Join service. This service is based on the LoRaWAN specification and is used to exchange encrypted information required for providing network session data to the device. It is also required for providing a nonce, which is necessary to symmetrically derive session keys (AppSKey and NwkSKey). The LoRa Cloud Device Join service uses a secure external join server that never exposes device keys.

Once a device has been claimed using the LoRa Cloud Device Join service, it can use the service to provide the join response in coordination with a LoRaWAN network server. A sequence of steps (covered in Claiming a Device) must be performed before using this service.

Note

Device owners should understand that they won’t ever see the root keys for the device when using the Device Join service. Rather, the root keys are embedded in the HSM. (The join server doesn’t even see them.)

Compatibility

LoRa Basics Modem(s)

LoRa Edge LR1110 transceiver

Prerequisites

Common:

  • The end device must be set up and properly initialized (PA, regulator modes, etc.).

  • The end device must be claimed.

  • The end device must be within range of at least one LoRaWAN network that is connected to the LoRa Cloud Device Join service.

  • The Region and Device Class must be set up properly.

Prerequisites for LoRa Basics Modem:

  • No additional requirements

Prerequisites for LoRa Basics Modem-E:

  • No additional requirements

Prerequisites Specific to Transceivers:

  • Transceivers must have a LoRaWAN stack to communicate with the network server.

Step-by-Step Procedure

  1. The application commands a join request.

  2. The stack then starts trying to join by sending one or more join requests (in case one fails).

  3. The join request is received by one or more network servers [1].

  4. The network server uses the JoinEUI from the join request and forwards it to the LoRa Cloud Device Join service.

  5. If more than one join request is routed to the join server, the first one declared in the list of registered network servers is used for the rest of the steps (not depicted).

  6. If accepted by the LoRa Cloud Device Join service, the NwkSKey is returned to that network server, along with the join response (which includes the AppNonce, used by the device to derive its session keys).

  7. If wrapping is enabled for the AppSKey, the wrapped AppSKey [2] is also returned.

  8. The network server sends the join response, encrypted with the AppSKey, to the end-device.

  9. The network server sends the AppSKey (or the wrapped AppSKey [2]) to the application server as part of the data message (not pictured).

  10. Upon receiving the JoinAccept message, the end device can start sending encrypted payloads. Once the first uplink message (encrypted with the new session keys) is verified by the network server, the application can be notified of the completed join sequence.

@startuml device_join_modem-e
box Device #LightBlue
    participant "End-Device Application" as App #LightBlue
    participant "<color #000000>LR111x</color>" as LoRa #00ADEF
end box
box LoRaWAN #AAAAAA
    participant "Gateway" as GW #LightGray
    participant "Network Server" as NS #LightGray
end box
box LoRa Cloud Services #00ADEF
    participant "<color #000000>Device Join Service</color>" as JS #00ADEF
end box
legend left
|= |= Owner |
| <#00ADEF> | Semtech |
| <#ADD8E6> | Customer |
| <#D3D3D3> | Ecosystem |
endlegend
== Device Join ==
App -> LoRa : Command to Join
LoRa -> GW : Join Request
GW -> NS : Join Request
NS -> JS : Join Request
JS -> NS : Join Response + NwkSkey
JS -> NS : AppSKey or Wrapped AppSKey
NS -> GW : Join Response
GW -> LoRa : Join Response
LoRa -> App : Notification of successful Join
@enduml

[1] If multiple network servers report the same join request, only the first eligible request will be answered. All subsequent join requests will be rejected.

[2] Key Wrapping: The LoRa Cloud Device Join Service can create a wrapped AppSKey for a device. A wrapped AppSKey is an additional encryption method applied to the original AppSKey. The encryption scheme and key are known only to the device owner and the LoRa Cloud Device Join service, which protects the application contents from being decrypted by the LoRaWAN network server.

Used By

Embedded application, LR111x/LoRa Edge™ chip, LoRaWAN network server, LoRa Cloud Device Join service

Troubleshooting

  • No suggestions at this time.