- Network information is encrypted with a Network Session Key (NwkSKey). This key needs to be shared between device and KPN LoRa Core.
- Payload information is encrypted with a Application Session Key (AppSKey). This key needs to be shared between device and customer Application Server. The AppSKey does not have to be shared with the network operator, but developers can choose to share the AppSKey with KPN to decrypt the payload and sent the decrypted payload over a secure https connection.
For implementation at the application server, LoRaWAN defines a specific de/encryption scheme using AES. Note that it is not simply putting the payload through standard AES!
Note: The LoRaWAN encryption scheme is set up such that only a AES-encryption scheme has to be implemented and decryption can be done with the same scheme, saving device resources and development effort.