solutions
LoRa Basics Modem and LoRa Edge documentation
Scenario - LoRa Cloud™ Join Server¶
Introduction¶
Prior to sending data, devices designed to operate on a LoRaWAN® network must join such a network. The recommended method for joining a device to a LoRaWAN network is to use the LoRa Cloud™ Join Server. This service is based on the LoRaWAN specification and is used to exchange encrypted information required for providing network session data to the device. It is also required for providing a nonce, which is necessary to symmetrically derive session keys (AppSKey and NwkSKey). The LoRa Cloud Join Server uses a secure external join server that never exposes device keys.
Once a device has been claimed using the LoRa Cloud Join Server, it can use the service to provide the join response in coordination with a LoRaWAN network server. There is a sequence of steps (covered in Claiming a Device) that must be performed prior to using this service.
Note
Device owners should understand that they won’t ever see the root keys for the device when using the Join Server. Rather, the root keys are embedded in the HSM. (The join server doesn’t even see them.)
Prerequisites¶
Common:
The end device must be set up and properly initialized (PA, regulator modes, etc.).
The end device must be claimed.
The end device must be within range of at least one LoRaWAN network that is connected to the LoRa Cloud Join Server.
The Region and Device Class must be set up properly.
Prerequisites for LoRa Basics™ Modem:
No additional requirements
Prerequisites for LoRa Basics™ Modem-E:
No additional requirements
Prerequisites Specific to to Transceivers:
Transceivers must have a LoRaWAN stack to communicate with the network server.
Step-by-Step Procedure¶
The application commands a join request.
The stack then starts trying to join by sending one or more join requests (in case one fails).
The join request is received by one or more network servers 1.
The network server uses the JoinEUI from the join request and forwards it to the LoRa Cloud Join Server.
If more than one join request is routed to the join server, the first one declared in the list of registered network servers is used for the rest of the steps (not depicted).
If accepted by the LoRa Cloud Join Server, the NwkSKey is returned to that network server, along with the join response (which includes the AppNonce, used by the device to derive its session keys).
If wrapping is enabled for the AppSKey, the wrapped AppSKey 2 is also returned.
The network server sends the join response, encrypted with the AppSKey, to the end-device.
The network server sends the AppSKey (or the wrapped AppSKey 2) to the application server as part of the data message (not pictured).
Upon receiving the JoinAccept message, the end device can start sending encrypted payloads. Once the first uplink message (encrypted with the new session keys) is verified by the network server, the application can be notified of the completed join sequence.
- 1
If multiple network servers report the same join request, only the first eligible request will be answered. All subsequent join requests will be rejected.
- 2(1,2)
Key Wrapping: The LoRa Cloud Join Server can create a wrapped AppSKey for a device. A wrapped AppSKey is an additional encryption method applied to the original AppSKey. The encryption scheme and key are known only to the device owner and the LoRa Cloud Join Server, which protects the application contents from being decrypted by the LoRaWAN network server.
Used By¶
Embedded application, LR111x/LoRa Edge™ chip, LoRaWAN network server, LoRa Cloud Join Server
Troubleshooting¶
No suggestions at this time.