Security functions of router
The KNX standard was extended by KNX Security to protect KNX installations from unauthorized access. KNX Security reliably prevents the monitoring of communication as well as the manipulation of the system.
The specification for KNX Security distinguishes between KNX IP Security and KNX Data Security. KNX IP Security protects the communication over IP while on KNX TP the communication remains unencrypted. Thus KNX IP Security can also be used in existing KNX systems and with non-secure KNX TP devices.
KNX Data Security describes the encryption at telegram level. This means that the telegrams on the twisted pair bus are also encrypted.
KNX IP Security for the router function
The coupling of individual KNX TP lines via IP is referred to as KNX IP routing. Communication between all connected KNX IP routers takes place via UDP multicast.
Routing communication is encrypted with KNX IP Security. This means that only IP devices that know the key can decrypt the communication and send valid telegrams. A time stamp in the routing telegram ensures that no previously recorded telegrams can be replayed. This prevents the so-called replay attack.
The key for the routing communication is reassigned by ETS for each installation. If KNX IP Security is used for routing, all connected KNX IP devices must support security and be configured accordingly.
KNX IP Security for the interface function
When a KNX IP router is used as an interface to the bus, and KNX Security is not in use, every device with access to the IP network can access the installation. With KNX Security a password is required, and a secure connection is already established before the password is transmitted. All communication via IP is encrypted and secured.
KNX Data Security for the device
The NETx KNX Secure Router also supports KNX Data Security to protect the device from unauthorized access from the KNX bus. If the KNX IP router is programmed via the KNX bus, this is done with encrypted telegrams.
Encrypted telegrams are longer than the previously used unencrypted ones. For secure programming via the bus, it is therefore necessary that the interface used (e.g. USB) and any intermediate line couplers support the so-called KNX long frames.
KNX Data Security for group telegrams
Telegrams from the bus that do not address the KNX IP Router as a device are forwarded or blocked according to the filter settings (parameters and filter table). It does not matter whether the telegrams are unencrypted or encrypted. Forwarding takes place exclusively on the basis of the destination address. The security properties are checked by the respective recipient.
KNX Data Security and KNX IP Security can be used in parallel. In this case, for example, a KNX sensor would send a group telegram encrypted with KNX Data Security to the bus. When forwarding via KNX IP with KNX IP Security, the already encrypted telegram is encrypted a second time, exactly as an unencrypted telegram would be. All participants on the KNX IP level that support KNX IP Security can remove the IP encryption, but not the data security. The other KNX IP routers therefore transmit the telegram to the target line(s) still protected by KNX Data Security. Only devices that know the key used for data security can interpret the telegram.
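The following script is an added example, not code from NETx or from the KNX specification, that models the two layers described in this section and in the routing section above: a sensor seals a group telegram with KNX Data Security, a KNX IP router wraps it a second time with KNX IP Security for the backbone, the receiving router removes the IP layer, rejects a replayed routing frame via its timer, forwards purely on the destination address, and cannot read the data-secure payload because it holds no group key. Real KNX Secure uses AES-128-CCM; the `toy_seal`/`toy_open` pair, the frame layouts, the field widths, the timer and all keys and addresses below are constructed stand-ins so the script runs with the Python standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy authenticated encryption standing in for AES-128-CCM.
# Keystream and tag come from HMAC-SHA256; this is NOT the KNX wire format.
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def toy_seal(key: bytes, nonce: bytes, header: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext and authenticate nonce||header||ciphertext (toy AEAD)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def toy_open(key: bytes, nonce: bytes, header: bytes, sealed: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises on a wrong key or any modification."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, nonce + header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Telegram:
    dest: int          # group address as a 16-bit integer (constructed encoding)
    payload: bytes     # application data; sealed with the group key if data_secure
    data_secure: bool


# ---- KNX Data Security: end to end between sensor and actuator -------------
def data_secure_send(group_key: bytes, seq: int, dest: int, value: bytes) -> Telegram:
    nonce = seq.to_bytes(6, "big")  # sender sequence number (constructed width)
    sealed = toy_seal(group_key, nonce, dest.to_bytes(2, "big"), value)
    return Telegram(dest, nonce + sealed, True)


def data_secure_receive(group_key: bytes, tel: Telegram) -> bytes:
    nonce, sealed = tel.payload[:6], tel.payload[6:]
    return toy_open(group_key, nonce, tel.dest.to_bytes(2, "big"), sealed)


# ---- KNX IP Security: hop by hop between routers on the IP backbone ---------
class SecureRouter:
    def __init__(self, backbone_key: bytes, filter_table: set):
        self.backbone_key = backbone_key
        self.filter_table = filter_table   # group addresses passed to the TP line
        self.timer = 0                     # sender-side timer (constructed)
        self.last_timer_seen = -1          # receiver-side replay check

    def to_ip(self, tel: Telegram) -> bytes:
        """Wrap any TP telegram, encrypted or not, into a secure routing frame."""
        self.timer += 1
        header = self.timer.to_bytes(6, "big") + tel.dest.to_bytes(2, "big") + bytes([tel.data_secure])
        return header + toy_seal(self.backbone_key, header[:6], header, tel.payload)

    def from_ip(self, frame: bytes) -> Telegram:
        """Unwrap a routing frame; a frame whose timer is not newer is a replay."""
        header, sealed = frame[:9], frame[9:]
        ts = int.from_bytes(header[:6], "big")
        if ts <= self.last_timer_seen:
            raise ValueError("replayed routing frame rejected")
        payload = toy_open(self.backbone_key, header[:6], header, sealed)
        self.last_timer_seen = ts
        return Telegram(int.from_bytes(header[6:8], "big"), payload, bool(header[8]))

    def passes_filter(self, tel: Telegram) -> bool:
        """Forwarding depends only on the destination address, never on encryption."""
        return tel.dest in self.filter_table


def run_scenario() -> dict:
    backbone_key = hashlib.sha256(b"constructed backbone key").digest()
    group_key = hashlib.sha256(b"constructed group key").digest()
    light = 0x0A01  # constructed group address
    tel = data_secure_send(group_key, seq=1, dest=light, value=b"\x01")

    router_a = SecureRouter(backbone_key, {light})
    router_b = SecureRouter(backbone_key, {light})
    frame = router_a.to_ip(tel)          # data-secure telegram is encrypted a second time
    received = router_b.from_ip(frame)   # IP layer removed, data layer still sealed
    result = {"forwarded": router_b.passes_filter(received),
              "actuator_value": data_secure_receive(group_key, received),
              "router_reads_data": True, "replay_rejected": False}
    try:
        data_secure_receive(backbone_key, received)  # router has no group key
    except ValueError:
        result["router_reads_data"] = False
    try:
        router_b.from_ip(frame)          # recorded routing frame sent again
    except ValueError:
        result["replay_rejected"] = True
    return result
```

Run `run_scenario()` to walk the telegram from sensor to actuator; the returned dictionary shows the router forwarding on the address alone, the actuator recovering the value, the router failing to open the data layer, and the replayed frame being rejected.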