The KU/KL commands assume that the
session key is already set at the coordinator. To transmit keys from
the coordinator to an endpoint, use the following steps:
- Set the Provisioning Key using the PK command on both the
coordinator and endpoint. This can be set at the factory or prior to
deployment in the field.
- Set the Session Key on the coordinator in the field. This is the key that will be used for future communications.
- Use the KU and KL commands to transfer the key to an endpoint. The
command formats are ATKU<id> and ATKL<id>. For
example, to transfer the upper half of the key to an endpoint with
device ID 12345678, use the command: ATKU12345678.
- Enable encryption on the coordinator. Endpoints enable
encryption automatically when they receive both halves of the session
key.
- Communicate between the devices normally using Send Packet or other
commands. The communications will be encrypted over the air but are sent
and received through the serial port as normal plaintext.
Note that when the session key is sent over the radio, it must be
encrypted with the provisioning key. The modules do not allow for
unencrypted transfers of keys over the air. If setting a provisioning
key prior to deployment in the field is not possible for all devices,
the session key may be programmed in the coordinator and endpoint
devices at any time.