KNX 'plain' devices vs. KNX Secure devices
The difference between 'plain' KNX devices and KNX secure devices is that KNX secure devices are able to encrypt and decrypt telegrams. This technology adds extra security to a KNX installation, both during the commissioning of KNX installations as for KNX installations at runtime. KNX telegrams encrypted by KNX secure devices are called KNX secure telegrams.
KNX Secure device: axioms
- A KNX secure device is a KNX device that can encrypt/decrypt KNX telegrams.
- Two types of encrypted KNX telegrams can be distinguished.
- telegrams entirely encrypted: this type can only be applied upon the KNX IP medium and the security based on this type is hence indicated as 'KNX IP Secure'
- telegrams partly encrypted: this type can can be applied on any KNX communication medium and the security based on this type is indicated as 'KNX Data Secure'
- KNX IP Secure shall be used for that part of the KNX installation (typically its backbone line) exposed to an external IP network, like internet.
- KNX Data Secure can also be used for the KNX IP medium, but shall only be used for that part of the KNX installation NOT exposed to an external IP network.
- Every KNX IP secure and KNX Data secure telegrams contains a MAC, which is the abbreviation for Message Authentication Code.
- Secure devices have a secure mode which is represented by a property called 'Secure Commissioning' of the device in the ETS project, only when this secure mode is activated it will be able to encrypt/decrypt telegrams.
- Secure devices have a Tool Key, given the secure mode of a secure device is activated, ETS is only able to communicate with this device if it knows the Tool Key of this device.
- Secure devices have a FDSK = Factory Default Setup Key. The FDSK is unique per device and cannot be modified of deleted.
- The Tool Key of a secure device is in principle ex-factory set to its FDSK.
- The Tool Key of a secure device can always be set back to its FDSK via a master reset, check with the manufacturer how to accomplish such master reset.
- ETS can only retrieve the FDSK of secure device via its certificate.
- A device certificate is unique per device and is a 25 character code which contains its serial number and its FDSK.
- After a KNX secure device has been added to an ETS project and after its certificates has been added too, ETS automatically sets its Tool Key in the project, i.e. the ETS user cannot define/modify the Tool Key manually, the Tool Key is also never visible for the ETS user.