LoRaWAN Security: NwkSKey, AppSKey, AppKey session keys
Introduction: Security is a cornerstone of LoRaWAN, ensuring that data transmitted across long-range, low-power IoT networks remains protected from tampering or unauthorized access. To achieve this, LoRaWAN employs a set of cryptographic keys, namely NwkSKey, AppSKey and AppKey. These keys are used to establish trust between end devices, network servers and application servers. Each key serves a distinct purpose, from protecting message integrity to safeguarding user data. Understanding how these session keys function is essential for designing secure, reliable and scalable LoRaWAN deployments.
Key features
- LoRaWAN uses AES-128 encryption (128-bit symmetric keys).
- Each device uses different keys for:
  - Network layer security (control, MAC commands, replay protection).
  - Application layer security (payload confidentiality).
- Keys are derived during device activation (OTAA) or pre-provisioned (ABP).
NwkSKey (Network Session Key)
- Functions:
  - Ensures integrity of messages between device ↔ Network Server.
  - Used to sign uplink/downlink frames with a MIC (Message Integrity Code).
  - Protects frame counters, preventing replay attacks.
- Scope: Shared between end device and Network Server only.
AppSKey (Application Session Key)
- Functions:
  - Encrypts and decrypts the application payload (FRMPayload).
  - Provides end-to-end encryption between end device and Application Server.
  - The Network Server cannot see the application data (privacy preserved).
- Scope: Shared between end device and Application Server only.
AppKey (Application Key)
- Functions:
  - A root key used only during OTAA (Over-The-Air Activation).
  - Used by the Join Server to derive session keys (NwkSKey and AppSKey) from the Join-Accept exchange.
  - Never transmitted over the air.
- Scope: Unique per device, stored securely in device and Join Server.
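The derivation of NwkSKey and AppSKey from AppKey described above, as an added example that is not part of the original page or of any LoRaWAN stack. It assumes the LoRaWAN 1.0.x rule (the page does not state a specification version), and the function names and all key and nonce values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKey computes aes128_encrypt(AppKey, prefix | AppNonce | NetID | DevNonce | pad16),
// the LoRaWAN 1.0.x session-key rule (assumed version). Nonce and NetID bytes are
// given in over-the-air order.
func deriveKey(appKey []byte, prefix byte, appNonce, netID [3]byte, devNonce [2]byte) ([]byte, error) {
	if len(appKey) != 16 {
		return nil, errors.New("AppKey must be 16 bytes (AES-128)")
	}
	c, err := aes.NewCipher(appKey)
	if err != nil {
		return nil, err
	}
	block := make([]byte, aes.BlockSize) // bytes 9..15 stay zero: the pad16 padding
	block[0] = prefix
	copy(block[1:4], appNonce[:])
	copy(block[4:7], netID[:])
	copy(block[7:9], devNonce[:])
	key := make([]byte, aes.BlockSize)
	c.Encrypt(key, block) // one raw AES block operation, no mode or IV
	return key, nil
}

// DeriveSessionKeys returns (NwkSKey, AppSKey); the prefixes 0x01 and 0x02
// keep the network-layer and application-layer keys independent.
func DeriveSessionKeys(appKey []byte, appNonce, netID [3]byte, devNonce [2]byte) ([]byte, []byte, error) {
	nwk, err := deriveKey(appKey, 0x01, appNonce, netID, devNonce)
	if err != nil {
		return nil, nil, err
	}
	app, err := deriveKey(appKey, 0x02, appNonce, netID, devNonce)
	return nwk, app, err
}

func main() {
	// Constructed sample values, not taken from any real device or network.
	appKey, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	nwk, app, err := DeriveSessionKeys(appKey, [3]byte{0x11, 0x22, 0x33}, [3]byte{0x13, 0x00, 0x00}, [2]byte{0x01, 0x00})
	if err != nil {
		panic(err)
	}
	fmt.Printf("NwkSKey=%x\nAppSKey=%x\n", nwk, app)
}
```

Because both session keys are a deterministic function of AppKey and the join nonces, a repeated DevNonce/AppNonce pair reproduces the same session keys, which is why nonce uniqueness and protection of the stored AppKey both matter.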
Conclusion: The use of NwkSKey, AppSKey, and AppKey in LoRaWAN provides a layered approach to security, ensuring both network integrity and application confidentiality.