Key rotation


Jonathan Beri

Sep 10, 2018, 1:25:49 PM9/10/18
to openthread-users
We'd like to provide a way to change the Master Key/PSKc on-demand, for example when there is a known key leak by the administrator. Does:
  1. OpenThread provide a high-level "key rotation" API?
  2. Alternatively, is there an API to set network credentials while the network is running?
Looking at the docs, I think otDatasetSetPending is what we're looking for as opposed to otThreadSetMasterKey, since the latter requires that the "Thread protocols are disabled."

Does calling otDatasetSetPending automatically propagate the new Operational Dataset across the network?

Jonathan Hui

Sep 10, 2018, 6:52:44 PM9/10/18
to Jonathan Beri, openthread-users
In an active Thread network, network credentials are encapsulated in Operational Datasets.

For updating the Thread Master Key and PSKc via standard Thread mechanisms, otDatasetSetPending is probably what you are looking for. otDatasetSetPending will set the Pending Dataset directly on the local device. OpenThread will then use its normal logic to resolve conflicts between the local datasets and the leader's datasets and attempt to register the new Pending Dataset with the leader.

If you have application-layer logic that can distribute the new network credentials (i.e. Operational Datasets) and apply them directly at the appropriate time, you can use otDatasetSetActive directly to apply the updates immediately, even while the network is running. This may be beneficial to your use case if you have an application-layer way to securely communicate the new network credentials to each individual device. Of course, the downside is that arbitrary Thread 1.1.1 devices that do not have your custom logic will not be able to participate after the Active Dataset update.

Hope that helps.

--
Jonathan Hui

--
You received this message because you are subscribed to the Google Groups "openthread-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openthread-use...@googlegroups.com.
To post to this group, send email to openthre...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/openthread-users/d9d1d3dd-5915-4ce8-8f3d-73ef80b3468b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
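The standard-mechanism path Jonathan Hui describes (build a Pending Dataset carrying the new Master Key and a Delay Timer, commit it locally, let OpenThread register it with the leader and let the network switch over when the timer expires) is what an administrator would script on a border router. The following is an added example, not code from this thread or from the OpenThread project. It assumes the `ot-ctl` CLI is on PATH, answers "Done" on success, and accepts the classic `dataset` subcommands (`init active`, `masterkey`, `pskc`, `activetimestamp`, `pendingtimestamp`, `delay`, `commit pending`); newer OpenThread releases renamed `masterkey` to `networkkey`. The 30-second delay floor is this example's own safety margin, not an OpenThread constant. The `ot-ctl` runner is injectable so the plan can be checked offline.

```python
"""Rotate a Thread Master Key (and optionally the PSKc) via the Pending
Operational Dataset, driving OpenThread's ot-ctl CLI from a border router.

Added example; not code from the original thread or from OpenThread.
Assumptions: `ot-ctl` is on PATH and replies "Done" on success, and the
`dataset` subcommands are the classic ones (masterkey/pskc/delay/
activetimestamp/pendingtimestamp/commit pending).
"""
import re
import secrets
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

KEY_SIZE = 16              # Master Key and PSKc are both 128-bit
DEFAULT_DELAY_MS = 300_000 # Thread's default Delay Timer: 5 minutes
MIN_DELAY_MS = 30_000      # assumption: floor so sleepy end devices can still fetch the Pending Dataset


@dataclass(frozen=True)
class RotationPlan:
    master_key: bytes
    pskc: Optional[bytes]
    active_timestamp: int   # Active Timestamp the dataset carries once it takes effect
    pending_timestamp: int  # orders competing Pending Datasets; the higher one wins
    delay_ms: int

    def cli_commands(self) -> List[List[str]]:
        """ot-ctl argument vectors, in order, to build and commit the Pending Dataset."""
        cmds = [
            ["dataset", "init", "active"],  # copy the live Active Dataset into the CLI buffer
            ["dataset", "masterkey", self.master_key.hex()],
        ]
        if self.pskc is not None:
            cmds.append(["dataset", "pskc", self.pskc.hex()])
        cmds += [
            ["dataset", "activetimestamp", str(self.active_timestamp)],
            ["dataset", "pendingtimestamp", str(self.pending_timestamp)],
            ["dataset", "delay", str(self.delay_ms)],
            ["dataset", "commit", "pending"],  # equivalent of otDatasetSetPending on this device
        ]
        return cmds


def parse_active_timestamp(dataset_active_output: str) -> int:
    """Extract 'Active Timestamp: N' from the output of `ot-ctl dataset active`."""
    m = re.search(r"^Active Timestamp:\s*(\d+)", dataset_active_output, re.MULTILINE)
    if not m:
        raise ValueError("no Active Timestamp in dataset output; is an Active Dataset committed?")
    return int(m.group(1))


def plan_rotation(current_active_timestamp: int, *, master_key: Optional[bytes] = None,
                  pskc: Optional[bytes] = None, delay_ms: int = DEFAULT_DELAY_MS,
                  last_pending_timestamp: int = 0) -> RotationPlan:
    """Choose timestamps and (if not supplied) a fresh random key for the rotation."""
    if delay_ms < MIN_DELAY_MS:
        raise ValueError(f"delay {delay_ms} ms is below the {MIN_DELAY_MS} ms floor")
    key = master_key if master_key is not None else secrets.token_bytes(KEY_SIZE)
    if len(key) != KEY_SIZE:
        raise ValueError("Master Key must be 16 bytes")
    if pskc is not None and len(pskc) != KEY_SIZE:
        raise ValueError("PSKc must be 16 bytes")
    # A Pending Dataset whose Active Timestamp is not newer than the one in force is
    # ignored, and one whose Pending Timestamp does not beat an existing Pending
    # Dataset will not replace it, so bump both past what the network has seen.
    new_active_ts = current_active_timestamp + 1
    new_pending_ts = max(last_pending_timestamp, current_active_timestamp) + 1
    return RotationPlan(key, pskc, new_active_ts, new_pending_ts, delay_ms)


def _ot_ctl(argv: List[str]) -> str:
    """Run one ot-ctl command and return its text output."""
    return subprocess.run(["ot-ctl", *argv], check=True,
                          capture_output=True, text=True).stdout


def apply_rotation(plan: RotationPlan, run: Callable[[List[str]], str] = _ot_ctl) -> int:
    """Issue the plan's commands in order; abort on the first reply that is not 'Done'.

    Returns the number of commands issued.  Note that a successful commit only
    registers the Pending Dataset locally; OpenThread propagates it to the leader
    and the rest of the network, and the key changes when the Delay Timer expires.
    """
    issued = 0
    for argv in plan.cli_commands():
        out = run(argv)
        issued += 1
        if not out.strip().endswith("Done"):
            raise RuntimeError(f"ot-ctl {' '.join(argv)} failed: {out.strip()}")
    return issued


if __name__ == "__main__":
    current = parse_active_timestamp(_ot_ctl(["dataset", "active"]))
    print("commands issued:", apply_rotation(plan_rotation(current)))
```

Because `apply_rotation` stops at the first non-"Done" reply, a rejected timestamp or malformed key leaves the CLI buffer dirty but never commits a half-built dataset; re-run `dataset init active` before retrying. Leaking the old key from the border router's logs is the obvious next concern, so the script prints only the command count, never the key itself.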

Jonathan Beri

Sep 11, 2018, 12:31:10 PM9/11/18
to openthread-users
That's exactly what I was looking for, thanks!