KNX Secure
MECip
SECURE
- 15 -
3
KNX Secure
KNX devices that support KNX Secure are able to use a special protection basing on telegram
encryption. Also, access to the device for configuring is protected and limited to the user that
knows its Device Certificate. The Device Certificate is a device-specific protection code that is
enclosed with the device on delivery.
To make use of the KNX Secure protection, every KNX Secure device supports a secure mode.
When its secure mode is on, commissioning, configuring and runtime communication run in
an encrypted manner so that the device is shielded against intruder attack and unwanted
manipulation. For activation, the Device Certificate is necessary (see chapter
). Only when secure mode is active, the KNX Secure device is able to read and
send encrypted telegrams. When secure mode is off, the Secure device behaves like a
common KNX device without KNX Secure support (also called plain KNX device). KNX Secure
devices in secure mode and plain devices can´t be combined by the same group object, but it
is possible to have a mixed installation consisting of secured devices and plain devices.
Mixing unsecure and secure communication on the same group address is impossible.
Also, a mix of KNX IP Secure couplers in secure mode and plain KNX IP Secure couplers
cannot be configured when IP Backbone Security is on.
Encrypted KNX telegrams that are processed by secured devices can be distinguished
between telegrams for KNX IP Secure and telegrams for KNX Data Secure:
•
KNX IP Secure can only be applied upon the KNX IP medium. KNX Secure telegrams
are sent as encrypted IP Secure frames (no matter if KNX Data Secure is used or not).
•
KNX Data Secure can be applied on any KNX communication medium. End-to-end
communication, better say group communication for one or more certain group
objects is encrypted. Due to an individual security key, only end devices having
identical Group Addresses can encrypt/decrypt the telegrams of their secured group.
For programming a KNX Secure device, ETS must know its FDSK (Factory Default Setup Key)
and its serial number. But it is not necessary entering FDSK or serial number. ETS retrieves
this information from the Device Certificate, a device-specific 36-character code containing
both serial number and FDSK. Serial number and FDSK cannot be modified. After adding a
KNX Secure device plus Device Certificate to the ETS project, ETS automatically sets the
project-specific Tool Key that is used for programming from then. This Tool Key cannot be
modified and only be deleted by a device reset (see chapter
). After the
reset, ETS uses the registered FDSK to get access to the device to program a new Tool Key.