Channel Security and Private Networks

MeshCore's channel system is the primary mechanism for organizing mesh traffic into communities of interest. Understanding what "public" and "private" mean in the MeshCore context, and what those labels do not guarantee, is essential for anyone deploying MeshCore in environments where confidentiality matters.

Public Channels

A public channel uses a well-known or easily guessable channel name. Because the AES-256 channel key is derived deterministically from the channel name, anyone who knows the name can join and read all traffic. Public channels are appropriate for general-purpose mesh traffic, emergency communication networks requiring broad access, testing environments, and wide-area mesh backbones carrying routing advertisements.

Nodes on a public channel broadcast their advertisements including display names and public keys to all other nodes. Traffic analysis such as who communicates with whom and at what signal strength is visible to all participants and to any passive radio receiver tuned to the correct LoRa parameters.

Private Channels

A private channel uses a channel name that is kept secret within the intended community. Because the AES-256 key derives directly from the name, a non-obvious channel name functions as the shared key. Nodes configured with the same private channel name can decode each other's traffic; nodes on any other channel name see the ciphertext as noise.

Private channels are appropriate for closed community networks such as neighbourhood groups, amateur radio clubs, and emergency response teams; commercial or industrial deployments requiring channel isolation; and multi-tenant mesh scenarios where multiple independent groups share physical infrastructure.

Configuring a Private MeshCore Network

1. Generate a Channel Key (Channel Name)

The channel name is the key and must be treated with the same care as any shared secret. Use a randomly generated string of at least 16 characters drawn from a mixed-case alphanumeric and symbol alphabet. A 128-bit random token encoded in base64 provides approximately 21 characters and 128 bits of entropy.

Example generation on an air-gapped machine:

import secrets, base64
# 16 random bytes = 128 bits of entropy; base64 padding is stripped from the name
channel_name = base64.urlsafe_b64encode(secrets.token_bytes(16)).decode().rstrip('=')
print(channel_name)  # e.g. Xk9mQr3LpZvN7yT2

Avoid dictionary words, proper nouns, or any string guessable from knowledge of the community. An adversary who guesses the channel name gains full access to all channel traffic. Generate the channel name offline, not on the mesh nodes themselves.

2. Distribute the Channel Name Securely

The channel name must be distributed over a path that is itself secure. Unencrypted radio, unencrypted email, and SMS are not adequate. Recommended methods:

  • In person, verbally or on paper
  • Via an end-to-end encrypted messaging application such as Signal
  • Via a MeshCore QR code scanned directly from a trusted device

MeshCore's QR-code channel configuration encodes the channel name and LoRa parameters (frequency, spreading factor, bandwidth, coding rate) in a compact URL-safe format, providing a convenient physical-proximity distribution mechanism.

3. Configure All Nodes to the Private Channel

# Via MeshCore CLI (serial or BLE):
set channel YourPrivateChannelNameHere

# Verify the derived key is consistent across nodes:
show channel

The show channel command displays the derived AES-256 key in hexadecimal. If two nodes display the same hex key, they are using the same channel name and will decode each other's traffic. This provides a verification step without retransmitting the channel name itself.

4. Verify All Nodes Are on the Same Key

After configuring all nodes, verify end-to-end connectivity by sending test messages from each node and confirming receipt on all others. Common failure causes include case sensitivity mismatch (channel names are case-sensitive), leading or trailing whitespace, non-ASCII character encoding issues (restrict to printable ASCII), and firmware version mismatches where different versions use different KDF implementations.
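An added example (not MeshCore's own code) that ties step 1 and step 4 together: it generates a channel name, checks a candidate name against the pitfalls listed above, and explains why two nodes' show channel fingerprints differ. The key derivation is an assumed SHA-256 stand-in, not MeshCore's actual KDF; only the property that identical names yield identical keys is relied on.

```python
import base64
import hashlib
import secrets
import unicodedata

# Assumed stand-in for the firmware KDF: SHA-256 over the UTF-8 channel name.
# MeshCore's real derivation is not reproduced here; what the verification step
# relies on is that identical names give identical keys and any byte-level
# difference (case, whitespace, encoding) gives an unrelated key.
def derive_channel_key(channel_name):
    return hashlib.sha256(channel_name.encode("utf-8")).digest()  # 32 bytes = AES-256

def key_fingerprint(channel_name):
    """Hex form of the derived key, the value the page says 'show channel' prints."""
    return derive_channel_key(channel_name).hex()

def generate_channel_name(nbytes=16):
    """Random URL-safe base64 token; 16 bytes gives 22 characters and 128 bits of entropy."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def check_channel_name(name):
    """Return the properties that make a candidate name weak or unreliable across nodes."""
    problems = []
    if name != name.strip():
        problems.append("leading/trailing whitespace")
    if any(not 0x20 <= ord(c) < 0x7F for c in name):
        problems.append("non-printable or non-ASCII character")
    if len(name.strip()) < 16:
        problems.append("shorter than 16 characters")
    if name.isalpha() and (name.islower() or name.isupper()):
        problems.append("single-case alphabetic (looks like a word, not a random token)")
    return problems

def diagnose_mismatch(name_a, name_b):
    """Explain why two nodes show different fingerprints for what should be one channel."""
    if key_fingerprint(name_a) == key_fingerprint(name_b):
        return "keys match"
    if name_a.strip() == name_b.strip():
        return "leading or trailing whitespace differs"
    if name_a.strip().lower() == name_b.strip().lower():
        return "letter case differs (channel names are case-sensitive)"
    if unicodedata.normalize("NFKC", name_a) == unicodedata.normalize("NFKC", name_b):
        return "same text, different Unicode encoding (use printable ASCII only)"
    return "different channel names"
```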

What Private Actually Means on a Radio Network

A private channel provides confidentiality of message content to passive observers who do not know the channel name. It does not provide the following protections:

Traffic Concealment

Any RF receiver tuned to the correct LoRa parameters will detect that packets are being transmitted. The receiver does not need to decode the packet to observe that radio activity is occurring at a given time and location. There is no encryption for the RF carrier. This is fundamental physics.

Metadata Protection

MeshCore packet headers contain unencrypted fields including source address, destination address, hop count, and packet type. An observer with a compatible receiver can map the complete communication graph of who talks to whom and how often without knowing the channel name and without decrypting any message content.

Frequency Obscurity

Configuring a private channel does not change the LoRa radio parameters unless you also configure a non-standard frequency or spreading factor. By default MeshCore operates on regionally standard LoRa frequencies (868 MHz in the EU, 915 MHz in North America). Observers scanning known LoRa frequencies can locate MeshCore networks.

Protection Against Node Compromise

Any node that is physically captured and whose flash memory is read will reveal the channel name stored in NVS. This allows an adversary to retrospectively decrypt all previously captured channel traffic. Treat any missing or captured device as a channel key compromise event requiring immediate channel name rotation across all remaining nodes.

Operational Security Summary for Private Deployments

| Threat | Private Channel Mitigation | Residual Risk |
|---|---|---|
| Passive content eavesdropping by unknown observer | Strong: content encrypted with AES-256 | Channel name disclosure retroactively breaks all recorded traffic |
| Traffic analysis (who communicates with whom, when) | None: packet headers are plaintext | Always present on radio, fundamental to the medium |
| RF detection (is traffic occurring at all) | None | Always present on radio |
| Device seizure followed by flash read | None absent hardware flash encryption | Channel name is recoverable from NVS |
| Insider who knows the channel name | None for channel traffic | ECDH direct messages remain private even from channel insiders |
| Retroactive decryption after channel name is disclosed | None for channel traffic | All previously recorded channel traffic becomes readable |