We would like to walk you through Matter, with the simple example of a light bulb and a light switch, to explain some basic concepts. A deeper dive will be provided in smaller boxes if you like to have some more insight.
In a future (not) far, far away, Alice wants to set up a new smart light system and decided for a brand-new Matter device. Still warm from the factory, she unboxes the new Matter light switch. The new light switch will work without any cloud app, vendor bridge, nor will it need a vendor app to be used (Matter support will be added natively to Android and iOS). Alice will just need her home IP network with Wi-Fi, Ethernet or Thread and Alice is ready to go. Alice already owns Matter lights and wants to connect the newly bought switch to them.
Commissioning a new Device
After Alice unboxed the new device, she will power on the switch and start the commissioning.
1.) Alice will scan the QR-Code, printed on the device, to get all needed information to set up the device. The QR-Code contains base38 encoded binary including the values:
- Vendor ID
- Product ID
- Custom Flow
- Discovery Capabilities
- TLV data (optional) (used to configure the Custom Flow)
2.) After following instructions on how to set the device into commissioning mode. Alice’s smartphone will start a Bluetooth Low Energy (in the future other interface like NFC might be available) scan to find the device based on the QR-Code data and connect to it.
3.) Now, the session between smartphone and device will be secured using Matter’s PASE (Passcode-Authenticated Session Establishment) protocol. The protocol is based on a Password-Authenticated Key Exchange (PAKE). The password is derived from the QR-Code’s Passcode using a Password-Based Key Derivation Function (PBKDF). After the keys are established, they are used to encrypt, authenticate and privacy protect the Matter messages send between both parties (for the encryption and authentication concern, as is usually done in modern protocols, an Authenticated Encryption with Associated Data (AEAD) primitive is used). The PASE protocol is only used during commissioning.
4.) The Commissioner requests a Device Attestation from the light switch. This will be done in form of a challenge-response protocol that will be checked against the Distributed Compliance Ledger (DCL). The goal of this step is to provide the user with a cryptographic proof that the device in front of Alice is legit. The device uses the Device Attestation Credentials (DAC) to prove its identity to the commissioner. The DAC is based on a certificate chain with a root certificate (called Product Attestation Authority (PAA)) which is managed by the Connectivity Standards Alliance (CSA). The PAA signs a vendor issued certificate (called the Product Attestation Intermediate (PAI)) which signs a device unique DAC containing metadata such as Vendor ID and Product ID and the Certification Declaration which is provided by the CSA as part of the Product Certification process. Optionally, the response could also include the result of the recommended measured boot process which could indicate the users if the firmware was tampered.
5.) After verifying that we are dealing with a legit device and not a fake product, we will continue to set up the device. In this step, the Commissioner (the smartphone) will generate and install the Node Operational Credentials (NOC) on the light switch. The NOCs consists of the RootCA (symbolizing the Fabric and acting as its trust anchor) and a Node unique certificate and private key. The RootCA will be used by the Commissioner (which is considered the Fabric-wide administrator) to authenticate after commissioning has ended. The Node unique certificate and private key are used for communication between different Fabric Nodes.
6.) As BLE won’t be our primary mode of communication, we need to provide the credentials for our wireless network (Wi-Fi or Thread are currently supported).
7.) Before we finalize our commissioning, we need to add the Commissioner into the Access Control List of the light switch. The ACL will include information about the Fabric, privilege level (here Administer rights), authentication mode, subjects and targets. So, basically, who is allowed to perform which kind of actions for what kind of services on the current device.
8.) The commissioning is now completed and we can close the PASE and BLE session.
Bind a new Device
For now, our light switch is not very useful as we can’t control any light with it. But this will now change as we will bind the light-switch to one of our lights.
9.) Alice will open a session to (an already commissioned) light via Wi-Fi. For this the Certificate-Authenticated Session Establishment (CASE) is used. CASE is based on the SIGMA protocol, in contrast to the PASE protocol used during commissioning, CASE relies on the NOCs for key exchange. The exchanged keys are then used for encryption and privacy protection of the Matter protocol messages using AEAD.
10.) The Commissioner will now install the public parts of the light-switch’s NOC on the light bulb. The light bulb will use this to authenticate the light switch later on.
11.) Furthermore, a new ACL will be added to allow the light-switch to turn the light on and off.
12.)-13.) Will repeat the steps for the light-switch to provide the NOC’s of the light bulb.
14.) In this step, we will bind the light switch and its operation to the light bulb. Now we are finished with setting up our light-switch and light-bulb. What is unique to Matter is that the device will now directly communicate with each other and do not need any intermediate broker or server to forward the data.
15.) If the switch is now pressed to turn on the light, it will establish a secure session using CASE and the NOCs added by the Commissioner earlier.
16.) The switch sends the Matter commands to operate the light. And the light will turn on.
Multiple Fabrics - Multi Admin
With the concepts of Fabrics and trust originated from the Commissioner, it is possible to allow other users to configure their own Fabric on the device and operate the device independent of each other.
To allow a new person to administer the device, the current Commissioner re-opens the commissioning window and provides a new commissioning QR-Code (with a new Passcode) to the other person. The commissioning will work as before. The trust/security of the previous Fabric will be untouched.
Another way to provide your family and friends access to your Matter Smart Home will be configuring specific ACLs for family members (and their smartphones) to allow fine granular access to the Matter devices. For example, to create your own color and brightness settings and control the lights even though you are not the Commissioner.
This is the first part of a series of blog posts. In the up coming post we will create a Matter capable light with an ESP32. In addition we walk you through the internals of Clusters, Endpoints and Attributes. See more in Part 2.
- NordicTech Webinars - Introduction to Matter
- NordicTech Webinars - Developing Matter products with nRF Connect SDK
- Enable Matter on iOS 15