If you have questions on MEAN WELL’s products, please read the FAQ first. If the listed answers still cannot solve your problems, please contract our local distributors , they should reply to you as soon as received your request.
KNX Data Secure
What is KNX Data Secure?
The secured communication includes commissioning(configuration) processes with the ETS as well as the runtime(daily) communication between devices. The concept ensures that all or only selected KNX telegrams are authenticated and encrypted regardless of the medium.
As result, the communication between sender and receiver can neither be interpreted nor manipulated.
What is the security level used in KNX Data Secure?
The system integrators establish a secure communication channel, including authentication of the authorized communication partners and encryption of the transmission during commissioning(configuration) with ETS software.
Is the KNX telegram different between plain one and Data Secure one?
For details, check FAQ “Why KNX Data Secure has same speed as plain one”.
Can I add Data Secure KNX devices into existing traditional KNX installation?
Furthermore, it can also have mixed operation of Secure and plain(conventional) communication on a sensor or actuator via different communication objects.
However, secured and unsecured communication via one and the same communication object is not possible. The ETS project determines which group addresses communicate securely and which group addresses communicate conventionally.
What is required for system components e.g. line coupler for used in KNX Data Secure installation?
Is it possible to disable the secure function from a KNX Data Secure device?
The behavior is same as for device without KNX Data Secure. It means that KNX Data Secure device can also be used in existing system to replace defective unit e.g. actuator.
It is not required to modify the entire KNX system or parts of it, or to update it to secure communication. The system integrator just need to set the Secure Commissioning to “Deactivated” in the application database of KNX Data Secure device shown in the picture below.
Why KNX Data Secure has same speed as plain one?
How does the KNX Data Secure work?
Freshness is realized via a 6-byte long transmission sequence number. A KNX secure receiver device, e.g. actuator, only evaluates a group telegram as valid if the contained sequence number from sender, e.g. pushbutton sensor, is at least one value higher than the last received value of the same sender. Telegrams that have a lower or the same value are rejected by the receiver.
The transmission sequence number do not always have to be exactly one value higher (n+1). It is important that the number is continuous (n+x). During a master reset, the transmission sequence number is automatically reset to an initial value. When replacing a device, the ETS attempts to detect reset devices and replaces the initial value with a valid transmission sequence number using a predefined method.
During a programming procedure, separate sequence numbers are used by the ETS and the device. Transmission sequence numbers can be viewed in the group monitor of the ETS. They are not encrypted but protected against manipulation.
128-bit AES encryption algorithm with symmetric keys are used to encrypt telegrams. A symmetric key means that the same key is used both by the sender to encrypt outgoing messages (authentication and integrity protection) and by the recipient(s) to verify and decrypt the received messages.
- Data integrity
KNX Data Secure uses the CBC-MAC-Mode with AES encryption included in CCM mode to ensure data integrity. A "Message Authentication Code" (MAC) is attached to the message. This authentication code signs all information contained in the telegram so that manipulation can be detected.
The identity of a received telegram is verified via the contained physical address of the sender (source address). A recipient only authorizes the telegram if the source address contained was entered in a special communication table which is automatically programmed by the ETS during commissioning. The table contains a combination of the physical addresses of the permitted communication partners and their transmission sequence numbers in list.
What is device certificate?
The device certificate is printed on removable label attached to the device. The label must be removed from the device after mounting and stored safely to prevent that unauthorised person obtains the FDSK and manipulate existing device of a secure KNX installation.
The QR code contains the device certificate in machine-readable form and can be read into a ETS project via a webcam without typing-in.
What is FDSK?
The FDSK is 128-bit long and represents the manufacturer's initial key of a KNX Data Secure device. The FDSK is included in the device certificate which is attached to the device upon delivery.
Providing the FDSK has been successfully read in during initial commissioning, it is archived in a readable form in the ETS project together with the device certificates. It can be restored by a master reset of the device and consequently reactivated so that the device can be recommissioned as complete new device. If the device certificate attached to the devices and consequently the FDSK is lost, a device can no longer be securely commissioned by other ETS projects. However it can still be commissioned as traditional KNX device without Data Secure. Should you need a lost FDSK, contact the manufacturer for details.
What is Master Reset?
The firmware of a device is not affected by a master reset. Triggering and signalling of the master reset is device-specific and is explained in the respective product documentation.
What is Toolkey?
The Toolkey is archived in the ETS project in unreadable form for the ETS user because it is only relevant for ETS in the existing project. If the project is exported, the ETS writes all Toolkeys of the project in an encrypted and signed form to the *.KNXPROJ file.
What is RuntimeKey?
If required, all or selected RuntimeKeys of an existing project can be exported to a special password-protected export file (*.knxkeys), also known as a project keyring. This export is required if components are to interact with a KNX Data Secure system, but are not configured and commissioned with the ETS (e.g. visualizations). In such cases, the ETS can be used to export a runtime keyring.
What is KNX Serial Number?
The ETS uses the serial numbers to identify new and already commissioned devices in a KNX installation. The serial numbers of all read-in device certificates in the project and of all commissioned devices are archived by the ETS in the project keyring.