Platform Communication

There are two parts to setting up a secure connection between NET2GRID hardware (SmartBridge) and the platform. The first is a secure connection between hardware and platform to prevent a third party from intervening in or sniffing the traffic. The second is ensuring that the data is actually reported by genuine NET2GRID hardware.

Platform Connection

The NET2GRID gateway architecture is based on a client/server model, where the gateway device takes the client role and the NET2GRID platform becomes the server. Each connection is initiated by the gateway using the ZigBee Gateway protocol specification. Communication between NET2GRID hardware and the platform is secured with TLS 1.2, which prevents a third party from decrypting traffic between the gateway and the platform. The TLS layer provides no client authentication; that is taken care of by the AES keys described in the next section.

Platform Authentication

The gateway uses a unique identifier based on the IEEE-assigned MAC address and a per-device unique 128-bit key, programmed into the device's flash memory at manufacture, to encrypt and authenticate the platform connection. AES128-CCM is used as the encryption algorithm.

Since the keys are unique to each gateway device, it is not possible to decrypt the traffic between the gateway and platform without prior knowledge of the encryption key. For the same reason, no foreign device can make a platform connection without prior knowledge of the AES key. This way, we can ensure that any data present in the platform originated from an authenticated gateway.
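
The check described above, sketched as an added example (not NET2GRID code): the platform looks up the per-device key by gateway identifier and accepts a frame only if its AES-128-CCM tag verifies. The frame layout, the nonce built from identifier plus counter, the 16-byte tag, the replay check, the sample key store and the function names are all assumptions, since the page does not describe the wire format.

```javascript
const crypto = require('crypto');

const TAG_LEN = 16; // CCM tag length in bytes (assumed)

// Constructed sample key store: gateway identifier (made-up EUI-64, hex) -> per-device key.
const deviceKeys = new Map([
  ['0011223344556677', Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex')],
]);
const lastCounter = new Map(); // highest accepted counter per gateway

// Hypothetical frame: id (8 bytes) | counter (4, big-endian) | ciphertext | tag (16).
// The 12-byte header is used as the CCM nonce and is also bound as associated data.
function sealFrame(idHex, key, counter, plaintext) {
  const header = Buffer.alloc(12);
  Buffer.from(idHex, 'hex').copy(header, 0);
  header.writeUInt32BE(counter, 8);
  const c = crypto.createCipheriv('aes-128-ccm', key, header, { authTagLength: TAG_LEN });
  c.setAAD(header, { plaintextLength: plaintext.length });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([header, ct, c.getAuthTag()]);
}

// Platform side: returns the plaintext Buffer, or null when the frame must be rejected.
function openFrame(frame) {
  if (frame.length < 12 + TAG_LEN) return null;
  const header = frame.subarray(0, 12);
  const idHex = header.subarray(0, 8).toString('hex');
  const counter = header.readUInt32BE(8);
  const key = deviceKeys.get(idHex);
  if (!key) return null; // unknown gateway: no key, no connection
  if (lastCounter.has(idHex) && counter <= lastCounter.get(idHex)) return null; // reused nonce
  const ct = frame.subarray(12, frame.length - TAG_LEN);
  const tag = frame.subarray(frame.length - TAG_LEN);
  try {
    const d = crypto.createDecipheriv('aes-128-ccm', key, header, { authTagLength: TAG_LEN });
    d.setAuthTag(tag);
    d.setAAD(header, { plaintextLength: ct.length });
    const pt = Buffer.concat([d.update(ct), d.final()]);
    lastCounter.set(idHex, counter); // advance only after the tag has verified
    return pt;
  } catch (e) {
    return null; // wrong key or modified frame
  }
}
```

A frame sealed with any key other than the one stored for that identifier fails tag verification, which is the property the section relies on to tie platform data to a genuine gateway.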