Two protections happen at once
The network server must know that a frame really belongs to a valid device. The application side must be able to decrypt the useful payload. These are related but separate responsibilities.
LoRaWAN uses 128-bit AES keys. In LoRaWAN 1.0 deployments, common key names include AppKey, NwkSKey, and AppSKey; the session keys are created during activation for OTAA devices.
The Message Integrity Code helps the network reject modified or fake frames. Application payload encryption helps keep the measured data private from layers that only need to transport it.
The network session key is used for network-level integrity checks, while the application session key protects the application payload so only the application side should read sensor measurements.
Why frame counters matter
Frame counters help protect against replay attacks. If an attacker records an old valid uplink and sends it again later, the network can detect that the counter is not moving correctly.
Beginners should treat key storage, activation method, and frame counter handling as deployment-critical details, not as optional configuration.