S2 AES mode of operation


In a recent(ish) Sigma Designs presentation it was mentioned that S2 used the Output Feedback (OFB) mode of operation for AES, just as S0 does. The Transport Encapsulation spec, however, says that S2 uses the authenticated mode of encryption, CCM (Counter [CTR] + CBC-MAC).

I’m inclined to believe the official spec, however, and assume the presentation had a typo in the slide. Can anyone comment for sure?

Also, I was a little surprised to see that Counter mode is used, as that would need both the node and controller to keep track of the counter used… I had assumed that some devices would not have the resources capable of doing this.


The spec. is indeed correct, and the slide is not. S0 uses OFB while S2 uses CCM for the payload. I’d appreciate it if you could point me to the presentation in question, so that the error can be reported and corrected.

The nonces required by CCM as input are generated by a CTR_DRBG algorithm, which allows the two parties to stay “synced” and not have to exchange nonces before each communication. Should decryption fail on the receiver side, it will request a fresh nonce from the sender and sync back up. Storing these SPANs and MPANs consumes minimal memory, since it’s perfectly acceptable to store them only for the few nodes with which S2 communication happens frequently, and is not an issue for the devices.
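
The nonce synchronisation described in the reply above, as an added example that is not part of the thread or of the Z-Wave specification: both sides derive each CCM nonce locally from shared state, a dropped frame makes the tag check fail, and a resync restores agreement. Assumptions: `NonceGen` is a simplified stand-in for CTR_DRBG, the resync is modelled as both sides reseeding, and the key, seeds, 13-byte nonce and 8-byte tag are values constructed for this example.

```javascript
const nodeCrypto = require('node:crypto');

const TAG_LEN = 8;    // assumed CCM tag length for this example
const NONCE_LEN = 13; // assumed CCM nonce length for this example

// Simplified stand-in for CTR_DRBG: AES-128 over an incrementing counter.
// The real NIST SP 800-90A generator also updates its key and state.
class NonceGen {
  constructor(seed) { this.reseed(seed); }
  reseed(seed) { this.key = Buffer.from(seed); this.ctr = 0n; }
  next() {
    const block = Buffer.alloc(16);
    block.writeBigUInt64BE(this.ctr++, 8);
    const ecb = nodeCrypto.createCipheriv('aes-128-ecb', this.key, null);
    ecb.setAutoPadding(false);
    return Buffer.concat([ecb.update(block), ecb.final()]).subarray(0, NONCE_LEN);
  }
}

// Encrypt with the sender's next nonce; the nonce itself is never transmitted.
function seal(key, gen, plaintext) {
  const c = nodeCrypto.createCipheriv('aes-128-ccm', key, gen.next(), { authTagLength: TAG_LEN });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([body, c.getAuthTag()]);
}

// Decrypt with the receiver's next nonce; null means the tag did not verify.
function unseal(key, gen, frame) {
  const d = nodeCrypto.createDecipheriv('aes-128-ccm', key, gen.next(), { authTagLength: TAG_LEN });
  d.setAuthTag(frame.subarray(frame.length - TAG_LEN));
  try {
    const pt = d.update(frame.subarray(0, frame.length - TAG_LEN));
    d.final();
    return pt.toString();
  } catch (err) { return null; }
}

function demo() {
  const key = Buffer.alloc(16, 0x11);  // constructed key
  const seed = Buffer.alloc(16, 0x22); // constructed shared seed
  const sender = new NonceGen(seed), receiver = new NonceGen(seed);
  const first = unseal(key, receiver, seal(key, sender, Buffer.from('lock')));
  seal(key, sender, Buffer.from('dropped frame')); // receiver never sees this one
  const desynced = unseal(key, receiver, seal(key, sender, Buffer.from('unlock')));
  const fresh = Buffer.alloc(16, 0x33); // constructed; models the resync exchange
  sender.reseed(fresh); receiver.reseed(fresh);
  const resynced = unseal(key, receiver, seal(key, sender, Buffer.from('unlock')));
  return { first, desynced, resynced };
}
```

`demo()` returns `null` for the frame sent after the dropped one, which is the failed decryption that triggers the resync in the description above.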


Thanks, and apologies for the delay. It looks like the original posting has been pulled, but it was at http://www.techonline.com/electrical-engineers/education-training/webinars/4442176/How-To-Use-Z-Wave-S2-for-Unparalleled-Smart-Home-IoT-Security

The recording is still available, here, however:


I have removed my registration code from the URL so the above link won’t work. The full link that I have, however (with my registration code), does still work.