Spacelynk /W4K IP SECURE Application note

domotiqa · ‎2021-03-23

Hello,

Ididn't find the documentation for the "Knx IP Secure" ?

In Ets we need to put:

ETS requires a device certificate for each device with KNX Security that is created in the ETS.

This certificate contains:

- the serial number of the device

- as well as an intangible key (FDSK= FactoryDefaultSetupKey)

Without it, no way to use IP secure !

Should be great to add Application Note, because in the firmware manual, I didn't find anything about it.

Smarthome & Smartbuilding Expert

PetrMares · ‎2021-03-23

Hello,

if we are talking about KNX security it can be split into KNX data secure and KNX IP secure.

For data secure you have to have a support in KNX device, TP (special crypto chip and firmware which allows encryption/decryption of telegrams). On IP level there can be a system devices like KNX IP router, interface ... This can be used for commissioning of KNX devices in ETS when they support secure tunneling. We have on our devices small lock icon to indicate this.

Once you add this data secure or IP secure into the ETS project you have to define a password for the whole project and when commission these devices you are asked for FCSK (QR or 36characters) before commissioning even start.

W4K, spaceLYnk is not configured in ETS so for this kind of controllers, gateway you have to import a backbone key which allows the controller understand encrypted telegrams, otherwise you would not be for example control from visualization a data secured device in field. Also routing would not be possible because you have to decrypt a telegram, process, encrypt and send to different line. There is also knx telegrams time synchronization and a lot of other mechanism in background,

To state that the installation is KNX secure all devices has to support a KNX secure telegrams and be commissioned like this in ETS + if controller like w4k is sitting on backbone it must be secured as well.

Note that secured commissioning require a support of KNX long frames from the device use as an interface. For W4K, spaceLYnk we are going to support from upcoming version 2.6.1, but already now there is a way via small patch. If needed you can contact us.

See Answer In Context

PetrMares · ‎2021-03-23

Hello,

W4K, spaceLYnk are KNX IP secure compatible since firmware 2.6.0. The routing is supported only. You can find more information in user guide, for W4K page 40 in chapter 9.10.

In general you have to export a backbone key from ETS and insert into KNX connection settings in W4K. Once you do it W4K is able to decrypt encrypted routing telegrams and process them.

domotiqa · ‎2021-03-23

Thank you for the answer,

In SL manual it is written between Wiser product:

Encryption key – password for secure KNX
communication (inactive when empty) between Wiser
for KNXs/spaceLYnks

You mean that I need to put the Authentication Code from a virtual routing device ??

For example I add a Schneider IP router device, then add code

Smarthome & Smartbuilding Expert

domotiqa · ‎2021-03-23

I found it in other manual:

Backbone key (encryption) – Backbone key for decrypting secured telegrams for IP routing. Backbone key can be exported from ETS software in Reports => Project Security.

But it mean that the entire project is Ip secure.

When selecting Automatic in security backbone, the key is not discplaying.

It mean also if there is more Ip router, that they need to be secure.

Am i right

Smarthome & Smartbuilding Expert

PetrMares · ‎2021-03-23

Hello,

if we are talking about KNX security it can be split into KNX data secure and KNX IP secure.

For data secure you have to have a support in KNX device, TP (special crypto chip and firmware which allows encryption/decryption of telegrams). On IP level there can be a system devices like KNX IP router, interface ... This can be used for commissioning of KNX devices in ETS when they support secure tunneling. We have on our devices small lock icon to indicate this.

Once you add this data secure or IP secure into the ETS project you have to define a password for the whole project and when commission these devices you are asked for FCSK (QR or 36characters) before commissioning even start.

W4K, spaceLYnk is not configured in ETS so for this kind of controllers, gateway you have to import a backbone key which allows the controller understand encrypted telegrams, otherwise you would not be for example control from visualization a data secured device in field. Also routing would not be possible because you have to decrypt a telegram, process, encrypt and send to different line. There is also knx telegrams time synchronization and a lot of other mechanism in background,

To state that the installation is KNX secure all devices has to support a KNX secure telegrams and be commissioned like this in ETS + if controller like w4k is sitting on backbone it must be secured as well.

Note that secured commissioning require a support of KNX long frames from the device use as an interface. For W4K, spaceLYnk we are going to support from upcoming version 2.6.1, but already now there is a way via small patch. If needed you can contact us.

domotiqa · ‎2021-03-23

Ok I already use Ip secure but the way I posted above. Import Schneider Ip gateway + setup commission and auth code.

However never use backbone password.

The aim of Ip secure is also, for my point of view, to be able to secure the all installation on the LAN of the customer and even link Building buyy router securely (even with TP scure coupler. Which is more reasonable instead of changing every product non secure (some are not available in secure version).

I would like to test the patch if possible.

Can you provide it and documentation ? Would we have Knxprod file + certificate like QRcode in ip secure product ?

Thank for your information.

Smarthome & Smartbuilding Expert

PetrMares · ‎2021-03-24

Hello,

to complete our discussion on the exchange you are requesting a patch (lmup) file adding support of knx long frames for Wiser for KNX and spaceLYnk.

After patch you can commission a knx device faster (if the device support long frames) or KNX secure device, but in a plain mode (not knx data secure) as the W4K, sL does not support and cannot support a KNX IP secure tunneling.

For KNX data secure you can use our new SpaceLogic KNX USB Interface MTN6502-0101 or system IP devices from same SpaceLogic offer.

Please, just write me an email to petr.mares@se.com and let me share lmup as attachment to reply.

Regards

domotiqa · ‎2021-03-24

Ok, so If I understand, Ip secure is not supported. Only programming secure device.

So it mean that project programmed securely are not supported:

1/ building linked with IP router secure activated

2/ projetc entirely programmed via Data secure

So Spacelynk is this case, would be useless ?

For example, if I put in a project a router secure like MTN6500-0103, I set it wih its QR code (serial+factory), and generate pass. If the SL is on the same LAN and I set the backbone key, would it be possible to communicate between both with ip secure activated?

Smarthome & Smartbuilding Expert