Wireshark-dev: [Wireshark-dev] Trouble decrypting Zigbee APS layer
From: Mark Whitney <[email protected]>
Date: Wed, 20 Jul 2011 11:59:23 -0400
I am trying to decrypt a capture of a Zigbee SE device joining to an
ECC-encrypted smart meter (AES-128, 32-bit IP).  The device is using
an installation code, so I entered the derived link key into the
Zigbee NWK key list and it looks like the network layer is decrypted
just fine.

The problem I am having is there are still some encrypted bits left in
some of the packets at the APS layer.  Is this part of the application
security layer?  Here is an example of what looks like a half
decrypted Simple Metering packet:

Frame 67: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
IEEE 802.15.4 Data, Dst: 0x5896, Src: 0x0000
ZigBee Network Layer Data, Dst: 0x5896, Src: 0x0000
ZigBee Application Support Layer Data, Dst Endpt: 10, Src Endpt: 16
    Frame Control Field: Data (0x60)
    Destination Endpoint: 10
    Cluster: Simple Metering (0x0702)
    Profile: Smart Energy (0x0109)
    Source Endpoint: 16
    Counter: 186
    ZigBee Security Header
        Security Control Field
            ...0 0... = Key Id: Link Key (0x00)
            ..0. .... = Extended Nonce: False
        Frame Counter: 484375
        Message Integrity Code: dd913617
        [Expert Info (Warn/Undecoded): Encrypted Payload]
            [Message: Encrypted Payload]
            [Severity level: Warn]
            [Group: Undecoded]
    Data (42 bytes)

0000  5d 6b 4f 0d ee eb 20 6b 6b c4 98 9a b4 0b e1 30   ]kO... kk......0
0010  ce da ce 9d 7c 8a db 17 5c e9 8e 32 51 05 2a 15   ....|...\..2Q.*.
0020  5a 4d f1 91 5c fd 24 da 9a 86                     ZM..\.$...
        Data: 5d6b4f0deeeb206b6bc4989ab40be130cedace9d7c8adb17...
        [Length: 42]

Is decryption of the APS layer currently supported?  Or am I just
doing something wrong?

I can also provide a filtered pcap of the joining and ensuing
exchange, if that is helpful.

Mark Whitney