Connecting several nodes to the same app - AppKey changes!


(Mark Stanley) #1

Hi there,

I am trying to connect several nodes to the same application using OTAA but I'm finding they won't join.

The reason seems to be that each of these devices is being given a unique AppKey, which means I cannot deploy the same code to each device. I thought that the AppKey and AppEUI were constant for all devices connecting to the application? It is important to me that I can deploy the same code to several devices - I don't want to edit it for each device.

I'm sure there is an answer to this - in fact I'm pretty sure it used to work as I've described. Grateful for any help!

Thanks, Mark


(Mark Stanley) #2

I think I fixed my own problem!

When you register an application you can set it to use a customised AppKey.

When you register devices against that application you ALSO need to customise the AppKey for each device to be the same, otherwise it generates random ones and you lose the ability to deploy common code to multiple devices.

It would be a better user experience if the dashboard could be fixed so that if you have specified a default AppKey when registering the application then it gets set for each device registered.


(Jac Kersing) #3

@mark-stanley,

Using the same AppKey for multiple devices is convenient, however it is less secure. If you are willing to compromise on security any way you could use the 'Default App Key' (found in the application info settings). Any device using this key can register itself without requiring the DevEUI to be registered.
Recall, I wrote 'if you are willing to compromise on security', this option is less secure...


(Mark Stanley) #4

Hiya @kersing

Is there an alternative approach that doesn't require tailoring the code on each device? This is the only way I could think of.

Simply setting the default app key didn't work for me by the way. Join requests were being refused.

Cheers, Mark


#5

@Hiya
I even discovered doing a bad command, that you can change appKey afterward with ttnctl, becaus for testing, I'm like you, same appkey for all my nodes (as kersing says, do not to this for production or customers)

 ttnctl devices register YourExistingDevEUI YourNewAppKey

and this will replace the appKey, magic, isn't it?


(Jac Kersing) #6

I recall using the randomize button to generate a new key after enabling (and saving) the feature, I've been using that key for weeks while prototyping with different RN2483 modules, saves me the hassle of having to find the DevEUI and registering the device when changing module.


#7

I've been using the same key on all the devices in a single application when using the OTAA option.

RN2483 is a bit of a problem device because you need to run code first to extract the EUI. It would be convenient if Microchip provided it on the module in the same way that Multitech do.

Andrew


(Mark Stanley) #8

I had been too @thinginnovations , and then it stopped new devices from joining when I registered them. Something has changed...

It feels to me like there is a missing combination:

  1. "Default" app key - means you do not need to register any devices, just give them the appeui and appkey and they're good to go. Downside is that you can't stop a device from using the app once it has the key.

  2. "Unique" app key per device - so each device is registered and given its own appkey for the appeui. Plus side - control over which devices are allowed to use your app. Down side - really quite a big admin overhead because you need to update the appkey for each device in its code.

3 - the one that I'd like - "Single" appkey for the application, but each device needs to be registered. Plus sides - control over which devices are allowed to use your app, and you can use the same code image for all devices, so mass production more feasible. Downsides - ...seemingly not as secure as option 2

There's an alternative approach which Mike the Bee and I discussed last week, which is option 2 but where your device calculates its own appkey based on its Device EUI, so you can avoid some of the admin overhead. You would need to use the same hashing function to key in the appkey when you register the device, but I imagine that could be semi-automated.


(Astro) #9

I cannot seem to find the above mentioned “Default App Key” for the Application. Has it been (re)moved since 2016 or am I just looking into the wrong place?

Essentially I want to be able to program my end devices with the same code (for testing purposes, I understand there are security issue in doing so). But cannot quite figure it out how to do it.
Because there is also a Device EUI, which is also supposed to be unique, or is it?

Thanks in advance for any replies.


(Heath Raftery) #10

Any updates or advice from those that have implemented their own solution? Managing AppKeys for OTAA devices must be a common issue.

Using @mark-stanley’s numbering scheme:

  1. Gone?
  2. Still the recommendation? So how are people managing the process of registering each node, then adding the AppKey to each Node’s firmware? A build file per Node, or a common build file plus a non-volatile configuration area?
  3. A heck of a lot easier, but relatively easy for rogue devices to enter the application? Could be implemented by a series of ttnctl devices register YourExistingDevEUI YourNewAppKey commands? How does that go in practice?