APS layer security
APS layer security can be used to encrypt application data using a key that is shared between source and destination devices. Where network layer security is applied to all data transmissions and is decrypted and re-encrypted on a hop-by-hop basis, APS security is optional and provides end-to-end security using an APS link key known only by the source and destination device. APS security cannot be applied to broadcast transmissions.
If APS security is enabled, the APS header and data payload are authenticated with 128-bit AES. A hash is performed on these fields and appended as a four-byte message integrity code (MIC) to the end of the packet. This MIC is different from the MIC appended by the network layer. The MIC allows the destination device to ensure the message has not been changed.
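The hop-by-hop versus end-to-end distinction above, as an added illustration that is not from this page or from any Zigbee stack: a truncated HMAC-SHA256 from the Python standard library stands in for the AES-based MIC, the APS and network header layouts are constructed minimal stand-ins, and the network key and link key are sample values. Routers hold only the network key, so they can verify and re-protect each hop but cannot alter the APS-protected payload without the destination noticing.

```python
"""Stand-in model of the two Zigbee security layers (illustration only):
network layer = hop-by-hop MIC under the shared network key,
APS layer     = end-to-end MIC under the source/destination link key."""
import hashlib
import hmac
import struct

BROADCAST = 0xFFFF   # Zigbee 16-bit broadcast address
MIC_LEN = 4          # four-byte MIC, as described above


def mic(key, *fields):
    """Truncated HMAC-SHA256 stands in for the AES-based MIC (not Zigbee's CCM*)."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()[:MIC_LEN]


def aps_protect(link_key, src, dst, payload):
    """Source device: authenticate APS header + payload with the link key."""
    if dst == BROADCAST:
        raise ValueError("APS security cannot be applied to broadcast transmissions")
    hdr = struct.pack("<HH", src, dst)          # constructed minimal APS header
    return hdr + payload + mic(link_key, hdr, payload)


def aps_verify(link_key, aps_frame):
    """Destination device: recompute the MIC; None means the frame was altered."""
    hdr, body, tag = aps_frame[:4], aps_frame[4:-MIC_LEN], aps_frame[-MIC_LEN:]
    if not hmac.compare_digest(tag, mic(link_key, hdr, body)):
        return None
    return struct.unpack("<HH", hdr), body


def nwk_protect(nwk_key, hop, aps_frame):
    """Every hop re-protects the frame at the network layer with the network key."""
    hdr = struct.pack("<H", hop)                # constructed minimal NWK header
    return hdr + aps_frame + mic(nwk_key, hdr, aps_frame)


def nwk_verify(nwk_key, frame):
    hdr, body, tag = frame[:2], frame[2:-MIC_LEN], frame[-MIC_LEN:]
    return body if hmac.compare_digest(tag, mic(nwk_key, hdr, body)) else None


def route(nwk_key, link_key, src, dst, payload, hops, tamper=False):
    """Deliver src -> dst through intermediate routers; returns what dst accepts."""
    frame = nwk_protect(nwk_key, src, aps_protect(link_key, src, dst, payload))
    for hop in hops:                            # routers hold the network key only
        inner = nwk_verify(nwk_key, frame)
        if inner is None:
            return None
        if tamper:                              # a router flips one payload byte
            inner = inner[:4] + bytes([inner[4] ^ 0xFF]) + inner[5:]
        frame = nwk_protect(nwk_key, hop, inner)   # hop-by-hop re-protection
    inner = nwk_verify(nwk_key, frame)
    return aps_verify(link_key, inner) if inner else None
```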
There are two kinds of APS link keys – trust center link keys and application link keys. A trust center link key is established between a device and the trust center, and an application link key is established between a device and another device in the network where neither device is the trust center.
Note: Zigbee defines a trust center device that is responsible for authenticating devices that join the network. The trust center also manages link key distribution in the network.