Once the AES-CMAC has been computed and verified, the join server and device create a pair of session keys. One is the NwkSKey, which is used to protect LoRaWAN network commands; the other is the AppSKey, which encrypts the application data. The keys are distributed to the LoRaWAN network server and relevant application servers, respectively. This maintains a separation between application data and network management messages, and it avoids the need to share keys with the network operator. Users can be sure packets containing application data simply pass through the LoRaWAN gateways and network routers without the risk of snooping or man-in-the-middle attacks.
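The following Go sketch is an added example, not code from the original article or from any LoRaWAN stack. It assumes the LoRaWAN 1.0.x derivation, which the page does not spell out: each session key is one AES-128 block encryption under the device's root AppKey, with only the first input byte differing. Field values are constructed samples.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// SessionKeys holds the two keys created after a successful join.
type SessionKeys struct {
	NwkSKey [16]byte // handed to the network server only
	AppSKey [16]byte // handed to the application server only
}

// deriveBlock builds prefix | AppNonce | NetID | DevNonce | zero padding (16 bytes).
func deriveBlock(prefix byte, appNonce, netID [3]byte, devNonce [2]byte) [16]byte {
	var b [16]byte
	b[0] = prefix
	copy(b[1:4], appNonce[:])
	copy(b[4:7], netID[:])
	copy(b[7:9], devNonce[:])
	return b
}

// DeriveSessionKeys follows the LoRaWAN 1.0.x rule (assumption, see lead-in).
// Nonces and NetID are passed in over-the-air (little-endian) byte order.
func DeriveSessionKeys(appKey [16]byte, appNonce, netID [3]byte, devNonce [2]byte) (SessionKeys, error) {
	c, err := aes.NewCipher(appKey[:])
	if err != nil {
		return SessionKeys{}, err
	}
	var k SessionKeys
	nwk := deriveBlock(0x01, appNonce, netID, devNonce) // 0x01 selects NwkSKey
	app := deriveBlock(0x02, appNonce, netID, devNonce) // 0x02 selects AppSKey
	c.Encrypt(k.NwkSKey[:], nwk[:])
	c.Encrypt(k.AppSKey[:], app[:])
	return k, nil
}

func main() {
	// Constructed sample values, not taken from a real device or network.
	appKey := [16]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
	k, err := DeriveSessionKeys(appKey, [3]byte{0xA1, 0xA2, 0xA3}, [3]byte{0x13, 0, 0}, [2]byte{1, 0})
	if err != nil {
		panic(err)
	}
	fmt.Println("NwkSKey:", hex.EncodeToString(k.NwkSKey[:]))
	fmt.Println("AppSKey:", hex.EncodeToString(k.AppSKey[:]))
}
```

Because both keys come from the same root key, whoever holds the AppKey can recompute both, which is why the root key stays with the join server and the device and only the derived keys are distributed.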
All traffic sent and received by a sensor node is protected using the two session keys. The payload of each packet is encrypted using AES counter mode (AES-CTR). Each packet also embeds a frame counter and a message integrity code (MIC), computed using the NwkSKey, in the payload. The combination of protections prevents packet-replay attacks, in which a hacker inserts data in a message and retransmits it into the data stream.
Although LoRaWAN enforces security as part of its core design, a number of aspects are outside the control of the protocol designers and need to be taken care of by the application developer or integrator. The key elements that need attention are key management and provisioning.