Provisioning Devices for Over-the-Air Activation

OTAA devices must join a network to gain connectivity via the Join process, which consists of a JoinRequest issued by the end device, followed by a JoinAccept from the network. The JoinAccept consists of granting the device access to the network and providing a DevAddr and session key derivation material. Finally, the joining of the device to the network is confirmed by the first uplink from the end device using the new session keys. 

This section describes the provisioning requirements for both the end device and the network that is necessary for supporting OTAA operation.

Device EUI (DevEUI): A globally-unique EUI-64, legitimately allocated to the end device by the organization owning the OUI

JoinEUI : The JoinEUI (also known as AppEUI in LoRaWAN 1.0.3 and earlier versions of the LoRaWAN specification) is the EUI-64 address of the join server that has been provisioned with the root key material paired with the end device.

Root Key: A Root key is a unique key for each individual device.  Root keys are used only to derive session keys. Root Keys must be generated in such a fashion that there is no derivable pattern between the root keys of different devices so that the compromise of a single device does not lead to other devices becoming compromised as well.

Root Key Delivery and Storage: All parties involved in the manufacturing, distribution, operation, and integration of devices and so forth must strictly limit access to root key material. An attacker is likely to try to compromise the system at its weakest point. The LoRaWAN standard uses a mechanism that is robust and that has passed extensive security reviews, however, attacks commonly occur at the following points:

  • when security keys are provisioned via the manufacturer
  • when security keys are delivered to the operator
  • when security keys are stored in an operator's systems


Last modified: Tuesday, August 30, 2022, 12:14 AM