Channel Security and Private Networks
MeshCore's channel system organizes mesh traffic into communities of interest. Understanding what public and private mean in the MeshCore context, and what those labels do not guarantee, is essential for anyone deploying MeshCore in environments where confidentiality matters.
How Channel Keys Work
Each MeshCore channel is identified by a name and protected by a 16-byte (128-bit) secret key. The channel name and channel secret are separate values — the name is a human-readable label, while the secret is the actual cryptographic key used to encrypt and authenticate channel traffic.
Channel configuration (name + secret) can be shared between devices via QR code, using the format:
meshcore://channel/add?name=ChannelName&secret=<32-hex-chars>
where the secret is a 16-byte value expressed as 32 hexadecimal characters.
Public Channels
A public channel uses a well-known channel name and a shared secret that is distributed openly within a community. Any node configured with the same channel name and secret can join and read all traffic.
Public channels are appropriate for:
Nodes on a public channel broadcast their advertisements, including display names and public keys, to all other nodes.
Traffic analysis (who communicates with whom, and at what signal strength) is visible to all participants and to any passive radio receiver tuned to the correct LoRa parameters.
Private Channels
A private channel uses a channel secret that is kept confidential within the intended community. Only nodes configured with the correct channel secret can decode traffic on that channel.
Private channels are appropriate for:
Configuring a Private MeshCore Channel
1. Generate a Channel Secret
The channel secret is the key and must be treated with the same care as any shared secret: use a cryptographically random 16-byte value. A password manager or a command such as openssl rand -hex 16 works well. Avoid predictable values.
Example generation on an air-gapped machine:
import secrets
# 16 random bytes = 128 bits of entropy, printed as the 32 hex characters
# that the meshcore://channel/add QR format expects
channel_secret = secrets.token_hex(16)
print(channel_secret)
2. Distribute the Channel Secret Securely
The channel secret must be distributed through a channel that is itself secure. Unencrypted radio, unencrypted email, and SMS are not adequate. Recommended methods:
MeshCore QR code channel configuration: enter the channel name and secret. Anyone who receives the QR code will have access to the channel.
3. Configure All Nodes to the Private Channel
# Via MeshCore CLI (serial or BLE):
set channel YourPrivateChannelNameHere
# Verify the active key is consistent across nodes:
show channel
The show channel command displays the channel key in hexadecimal. If two nodes display the same hex key, they are configured with the same channel secret and will decode each other's traffic. This is a verification step that does not require retransmitting the secret itself.
4. Verify All Nodes Are on the Same Key
After configuring all nodes, verify end-to-end connectivity by sending test messages from each node and confirming receipt on all others. Common failure causes include case-sensitivity mismatches (channel names are case-sensitive), leading or trailing whitespace, non-ASCII character encoding issues (restrict to printable ASCII), and firmware version mismatches where different versions use different KDF implementations.
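An added example, not MeshCore project code, that ties the four steps above to the QR payload format from the "How Channel Keys Work" section: it generates a secret of the stated size, builds and parses a meshcore://channel/add URI, and rejects the step-4 mismatches (case, leading/trailing whitespace, non-ASCII names, wrong secret length) before two nodes are configured. The function names are my own.

```python
import re
import secrets
from urllib.parse import parse_qs, quote, urlsplit

SECRET_BYTES = 16                            # 128-bit channel secret
HEX_SECRET = re.compile(r"[0-9a-fA-F]{32}")  # 16 bytes as 32 hex chars

def generate_channel_secret() -> str:
    """Fresh 16-byte secret, encoded the way the QR payload expects."""
    return secrets.token_hex(SECRET_BYTES)

def validate_channel_name(name: str) -> str:
    """Reject the step-4 mismatches before they reach a node."""
    if name != name.strip():
        raise ValueError("channel name has leading/trailing whitespace")
    if not name or not name.isascii() or not name.isprintable():
        raise ValueError("channel name must be non-empty printable ASCII")
    return name

def validate_channel_secret(secret_hex: str) -> bytes:
    """Exactly 32 hex characters; the regex also rejects embedded whitespace,
    which bytes.fromhex() alone would silently skip."""
    if not HEX_SECRET.fullmatch(secret_hex):
        raise ValueError("secret must be exactly 32 hex characters (16 bytes)")
    return bytes.fromhex(secret_hex)

def build_channel_uri(name: str, secret_hex: str) -> str:
    """Assemble meshcore://channel/add?name=...&secret=... after validating both."""
    validate_channel_name(name)
    validate_channel_secret(secret_hex)
    return f"meshcore://channel/add?name={quote(name, safe='')}&secret={secret_hex.lower()}"

def parse_channel_uri(uri: str):
    """Parse a scanned QR payload; returns (name, secret bytes) or raises ValueError."""
    p = urlsplit(uri)
    if (p.scheme, p.netloc, p.path) != ("meshcore", "channel", "/add"):
        raise ValueError("not a meshcore://channel/add URI")
    q = parse_qs(p.query, keep_blank_values=True)
    if set(q) != {"name", "secret"} or any(len(v) != 1 for v in q.values()):
        raise ValueError("URI must carry exactly one name and one secret")
    return validate_channel_name(q["name"][0]), validate_channel_secret(q["secret"][0])

def same_channel(uri_a: str, uri_b: str) -> bool:
    """Step 4: two nodes decode each other only if name (case-sensitive) and secret match."""
    return parse_channel_uri(uri_a) == parse_channel_uri(uri_b)
```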
What Channel Encryption Provides and Does Not Provide
Channel encryption provides confidentiality of message content: only nodes holding the channel secret can decode it.
Channel encryption does NOT provide:
Traffic Concealment
Any RF receiver can detect that packets are being transmitted. The receiver does not need to decode the packet to observe that radio activity is occurring at a given time and location. There is no encryption for the RF carrier. This is fundamental physics.
Metadata Protection
MeshCore packet headers contain unencrypted fields including source address, destination address, hop count, and packet type. An observer with a compatible receiver can map the complete communication graph of who talks to whom and how often without knowing the channel secret and without decrypting any message content.
Frequency Obscurity
Configuring a private channel does not change the LoRa radio parameters unless you also configure a non-standard frequency or spreading factor. By default MeshCore operates on regionally standard LoRa frequencies (868 MHz in the EU, 915 MHz in North America). Observers scanning known LoRa frequencies can locate MeshCore networks.
Protection Against Node Compromise
Any node that is physically captured and whose flash memory is read will reveal the channel secret stored in NVS. The channel key is used indefinitely, so compromise of the key reveals all past and future traffic: an adversary can retrospectively decrypt all previously captured channel traffic. Treat any missing or captured device as a channel key compromise event requiring immediate channel secret rotation across all remaining nodes.
For communications requiring stronger guarantees, use direct (unicast) messages, which use per-pair ECDH key agreement, providing individual authentication and stronger confidentiality.
Source: MeshCore QR code format documentation (github.com/meshcore-dev/MeshCore)