The KNX keyring file (.knxkeys) is used in ETS for secure communication, containing encrypted credentials for KNX devices. Its format includes an encrypted FDSK and a signature generated by writing elements and attributes in a specific order, then hashing with PBKDF2 and SHA256. To use it, import the keyring via Project → Security → Import Keyring in ETS.
KNX Keyring Overview:
The keyring file is related to KNX Secure configurations and is primarily used within the ETS (Engineering Tool Software) for secure communication.
The file often has the extension .knxkeys and contains encrypted credentials for KNX devices and interfaces.
Keyring File Format:
Below is the format of the keyring file.
The FDSK is encrypted; its decryption is explained in the article here.
Once the FDSK is encrypted, sign the entire format by following the procedure below.
Signature Generation:
The signature over the keyring file is generated and verified in a way similar to the hash/signature generation for KNX product data:
- Into a .NET BinaryWriter (sAttributeStream), write in this order (omitting Keyring/@Signature):
  1. foreach Element
     a. char(0x01)
     b. Element Name (without any XML namespace)*
     c. foreach Attribute, ordered by Attribute Name
        - Attribute Name with leading length byte*
        - Attribute Value with leading length byte*
     d. recursively process possible child elements
     e. char(0x02)
  2. Base64( PBKDF2( HMAC-SHA256, KeyringPassword, "1.keyring.ets.knx.org", 65536, 128))*
  3. Signature = MSB128( SHA256( sAttributeStream))
Note: Element and attribute names, attribute values, and the Base64 password hash are all written with a leading length byte. Empty attribute values are written as length value 0x00.
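The three steps above can be reproduced outside ETS to check that a keyring has not been modified. The following Python sketch is an added example, not ETS or KNX Association code. It assumes UTF-8 string encoding, code-point ordering of attribute names, that "128" in step 2 means a 128-bit (16-byte) derived key, and that the stored signature has already been decoded to raw bytes; the sample XML is constructed, and apart from Keyring/@Signature its element and attribute names are placeholders.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SALT = b"1.keyring.ets.knx.org"  # salt string from step 2
ITERATIONS = 65536
# Constructed sample: only Keyring/@Signature comes from the page; the other
# element and attribute names are placeholders, not the real schema.
SAMPLE = '<Keyring Project="demo" Signature="placeholder"><Item Name="a" Value=""/></Keyring>'

def length_prefixed(text: str) -> bytes:
    """Encode text with one leading length byte (assumption: UTF-8 bytes)."""
    raw = text.encode("utf-8")
    if len(raw) > 255:
        raise ValueError("value does not fit a single length byte")
    return bytes([len(raw)]) + raw

def serialize_element(elem: ET.Element, is_root: bool = True) -> bytes:
    """Step 1: 0x01, name, attributes sorted by name, children, 0x02."""
    out = bytearray(b"\x01")
    out += length_prefixed(elem.tag.rsplit("}", 1)[-1])  # drop "{namespace}"
    for name in sorted(elem.attrib):  # assumption: code-point ordering
        if is_root and name == "Signature":  # omit Keyring/@Signature
            continue
        out += length_prefixed(name) + length_prefixed(elem.attrib[name])
    for child in elem:
        out += serialize_element(child, is_root=False)
    return bytes(out + b"\x02")

def attribute_stream(xml_text: str, password: str) -> bytes:
    """Steps 1 and 2: serialized XML followed by the Base64 password hash."""
    # Assumption: "128" in step 2 is the derived key length in bits (16 bytes).
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, ITERATIONS, dklen=16)
    stream = serialize_element(ET.fromstring(xml_text))
    return stream + length_prefixed(base64.b64encode(derived).decode("ascii"))

def keyring_signature(xml_text: str, password: str) -> bytes:
    """Step 3: most significant 128 bits of SHA-256 over the stream."""
    return hashlib.sha256(attribute_stream(xml_text, password)).digest()[:16]

def signature_matches(xml_text: str, password: str, expected: bytes) -> bool:
    """Constant-time comparison against an already decoded signature."""
    return hmac.compare_digest(keyring_signature(xml_text, password), expected)

if __name__ == "__main__":
    print(keyring_signature(SAMPLE, "constructed-password").hex())
```

Because attributes are sorted and the Signature attribute is skipped, reordering attributes in the XML leaves the signature unchanged, while any change to a name, a value or the password produces a different one.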
Usage in ETS:
To establish a secure connection with a KNX Secure Router, you must load the KNX keyring file (.knxkeys) into ETS through:
Project → Security → Import Keyring → Select .knxkeys file.