Six Frequently Asked Questions about the LoRa Security Alliance

Q: Where is the security mechanism of LoRaWAN specified?
Answer: All security mechanisms are specified in the LoRa Alliance specification, which can be downloaded by the public.
Q: How does the LoRa Alliance specification ensure the safe operation of the LoRaWAN network?
Answer: LoRaWAN supports origin authentication, integrity protection and replay protection of the full Media Access Control (MAC) frame. It also enables end-to-end encryption of the application payload between the end device and its counterpart on the network side. LoRaWAN also supports a mode of operation in which MAC commands are encrypted.
All of these procedures rely on the Advanced Encryption Standard (AES), using 128-bit keys and algorithms.
Q: Is there any difference between the ABP (activation by personalization) and OTAA (over-the-air activation) approaches in terms of security?
Answer: LoRaWAN uses static root keys and dynamically generated session keys.
Root keys are provisioned only in OTAA end devices. They are used to derive session keys when an OTAA end device performs the join procedure with the network.
An OTAA end device, when installed in the field, will be able to connect to any network that has an interface to the key server (the Join Server in release 1.1) with which the end device is associated. Session keys are used by end devices to secure over-the-air traffic.
ABP end devices are not provisioned with root keys. Instead, they are provisioned with a set of session keys for a preselected network. The session keys remain the same throughout the lifetime of the ABP end device.
The ability of OTAA devices to update session keys makes them more suitable for applications that require a higher level of security.
Q: What kind of identifiers are used in LoRaWAN?
Answer: Each end device is identified by a 64-bit globally unique Extended Unique Identifier (EUI-64), assigned by the manufacturer or owner of the end device. Assignment of EUI-64 identifiers requires the assignor to have an Organizationally Unique Identifier (OUI) from the IEEE Registration Authority.
Each Join Server used to authenticate end devices is also identified by a 64-bit globally unique Extended Unique Identifier (EUI-64), assigned by the owner or operator of that server.
Open LoRaWAN networks, and private LoRaWAN networks that cooperate (roam) with open networks, are identified by a 24-bit globally unique identifier assigned by the LoRa Alliance.
When an end device successfully joins a network, it gets a 32-bit ephemeral device address assigned by the serving network.
Q: Can I freely assign any identifier to my device or network?
Answer: Please see the previous question for the assignment authority of each identifier. Failure to follow these guidelines will result in identifier conflicts and unpredictable behavior in your network deployment (similar to what happens when multiple devices connected to the same LAN use the same Ethernet MAC address).
Q: Do all end devices come with the same "default" key when they leave the manufacturer?
Answer: No, there is no concept of a "default key" or "default password" in LoRaWAN. All end devices are provisioned with a unique key when they leave the manufacturer. Therefore, the compromise of a key from one end device will not affect other end devices.
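The identifier and key rules in the answers above can be checked before devices are deployed. The following is an added example, not part of the original FAQ or of any LoRa Alliance tooling: a small audit over a provisioning manifest whose field names (`dev_eui`, `mode`, `key`) and sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

EUI64 = re.compile(r"[0-9A-F]{16}")   # 64-bit identifier written as 16 hex digits
KEY128 = re.compile(r"[0-9A-F]{32}")  # AES-128 key written as 32 hex digits

# Constructed sample manifest; every identifier and key below is made up.
# "key" is the root key for OTAA rows and a session key for ABP rows.
MANIFEST = [
    {"dev_eui": "0011223344556601", "mode": "OTAA", "key": "A1" * 16},
    {"dev_eui": "0011223344556602", "mode": "OTAA", "key": "B2" * 16},
    {"dev_eui": "0011223344556603", "mode": "OTAA", "key": "A1" * 16},  # reused key
    {"dev_eui": "0011223344556602", "mode": "ABP", "key": "C3" * 16},   # EUI clash
    {"dev_eui": "00112233445566", "mode": "OTAA", "key": "D4" * 8},     # too short
]

def audit(manifest):
    """Return a sorted list of (dev_eui, finding) tuples for the manifest."""
    findings = set()
    rows_by_eui = defaultdict(int)
    euis_by_key = defaultdict(set)
    for row in manifest:
        eui, key = row["dev_eui"].upper(), row["key"].upper()
        if not EUI64.fullmatch(eui):
            findings.add((eui, "DevEUI is not 64 bits"))
        if not KEY128.fullmatch(key):
            findings.add((eui, "key is not 128 bits"))
        if row["mode"] == "ABP":
            # ABP devices keep the same session keys for their whole lifetime.
            findings.add((eui, "ABP device: session keys are static"))
        rows_by_eui[eui] += 1
        euis_by_key[key].add(eui)
    for eui, count in rows_by_eui.items():
        if count > 1:
            findings.add((eui, "DevEUI assigned more than once"))
    for euis in euis_by_key.values():
        if len(euis) > 1:  # one key on several devices defeats per-device isolation
            for eui in euis:
                findings.add((eui, "key shared with another device"))
    return sorted(findings)

if __name__ == "__main__":
    for eui, finding in audit(MANIFEST):
        print(eui, "-", finding)
```
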
