Where is AppSKey stored and handled?


We’re working on a project, and we are currently looking at NwkSKey and AppSKey. We want to understand fully where these keys are stored and what exactly they are doing.

We have this diagram - inspired by another diagram


We understand NwkSKey, as it secures the integrity of the data and is stored and handled by the Network Server. We rely on The Things Network to handle this.

Then we have AppSKey, which as we understand, is responsible for encrypting and decrypting the payload of our data. We are a little confused here, because we’ve read that AppSKey is handled by the application server… but how can we see unencrypted data on our TTN account? We can see true values from our sensors, which means that the data has been decrypted on TTN. Also, we don’t (as far as we know) decrypt data we retrieve with Node-Red from our TTN account… and still we manage to see an unencrypted payload.

In Node-Red we have a node, which is retrieving and accessing our data by using an access key, but we don’t think this is the AppSKey, so we don’t understand how we can retrieve true values.

Our question is, where is AppSKey stored and handled? Is it handled by Network Server? Because then it’s not end-to-end secured, and in that case, is it possible to let Node-Red handle the AppSKey?

Maybe this is how the diagram should look:


Because most users do not have their own application server, TTN provides the application server as well, as a convenience. This allows users to get their plaintext data using MQTT/HTTP (and other integrations) without having to implement decryption and key handling themselves. (Keep in mind that for OTAA, key handling includes generating unique session keys when a device joins, within the response window of the node.)
The documentation mentions a goal of people being able to run their own handler, which would allow running the application server on your own infrastructure, however I don’t think this was ever implemented in V2 of the TTN stack.
Version 3 of the TTN stack is a complete rewrite which might allow running your own application server. Maybe @htdvisser can comment on that?

Currently you are not able to let Node-Red handle the keys, this is done by the TTN servers.

With the v2 stack it is possible to run a private handler. With that, the AppSKeys and decrypted payloads are in your own control. There are currently three private handlers connected to The Things Network (cortex-media, mst-handler and pepidau-tamworth, see the output of ttnctl discover handler where PUBLIC is false). I wrote an article about setting up a private handler back in 2017.

With The Things Stack (v3) we’re making it much easier to run a full private deployment, as well as a private Application Server that connects to another Network Server in the network. Setting up a complete private deployment is already well documented in the Getting Started section of the documentation on https://thethingsstack.io/. Setting up an Application Server that connects to another Network Server isn’t documented yet.
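To make concrete what an application server (TTN's hosted one, or a private handler you run yourself) does with the AppSKey, here is the LoRaWAN 1.0.x FRMPayload encryption as an added example; it is not code from this thread or from the TTN stack. The AppSKey, DevAddr, frame counter and payload below are constructed values, and the same function decrypts because the operation is an XOR with an AES-128 keystream.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// cryptFRMPayload applies the LoRaWAN 1.0.x FRMPayload encryption
// (AES-128 keystream, spec section 4.3.3.1). Encryption and decryption are
// the same XOR, so one function serves both directions. The key is the
// AppSKey for application ports; FPort 0 (MAC commands) uses the NwkSKey.
func cryptFRMPayload(key [16]byte, devAddr, fCnt uint32, uplink bool, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	// Block A_i = 0x01 | 4 x 0x00 | Dir | DevAddr (LE) | FCnt (LE) | 0x00 | i
	var a [16]byte
	a[0] = 0x01
	if !uplink {
		a[5] = 0x01 // Dir = 1 for downlink
	}
	binary.LittleEndian.PutUint32(a[6:10], devAddr)
	binary.LittleEndian.PutUint32(a[10:14], fCnt)

	out := make([]byte, len(payload))
	var s [16]byte
	for i := 0; i*16 < len(payload); i++ {
		a[15] = byte(i + 1)       // block index i starts at 1
		block.Encrypt(s[:], a[:]) // S_i = AES128_encrypt(K, A_i)
		for j := 0; j < 16 && i*16+j < len(payload); j++ {
			out[i*16+j] = payload[i*16+j] ^ s[j]
		}
	}
	return out, nil
}

func main() {
	// Constructed demo values: not a real session key, device or frame.
	var appSKey [16]byte
	copy(appSKey[:], []byte("0123456789ABCDEF"))
	devAddr := uint32(0x26011234)
	fCntUp := uint32(7)
	plain := []byte("temp=23.5")

	onAir, _ := cryptFRMPayload(appSKey, devAddr, fCntUp, true, plain)
	fmt.Println("FRMPayload on air:", hex.EncodeToString(onAir))
	back, _ := cryptFRMPayload(appSKey, devAddr, fCntUp, true, onAir)
	fmt.Println("application server decrypts:", string(back))
}
```

Whoever holds the AppSKey can run the second call; the MQTT/API access key used by Node-RED only authorises reading what TTN's application server has already decrypted.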
