Hashed Link Keys are a shortcut for unique link key storage on devices with constrained key table capacity. They facilitate pseudo-random link keys by hashing the remote's EUI64 with a given Master Key (chosen by the centralized Trust Center and stored in the Global Link Key slot of TOKEN_STACK_TRUST_CENTER's data) using the AES HMAC algorithm. Derivation of the key can then be done "just in time" for decryption or encryption as long as the Trust Center knows the remote node's EUI64. Note that because there is no permanent storage of these hashed keys on the Trust Center, there is also no memory of incoming APS frame counters, so this method has a vulnerability of APS replay attacks. Also note that the hashing only occurs on the Trust Center side, where many keys may be needed. Other nodes receive this Trust Center Link Key upon request from the TC and treat it like any other "randomly" derived TCLK.
Hashed Link Keys are enabled on a centralized Trust Center node by setting the EMBER_TRUST_CENTER_USES_HASHED_LINK_KEY bit in the EmberInitialSecurityBitmask during emberSetInitialSecurityState() prior to forming the network.
In recent versions of the ZNet stack (6.x), this is automatically enabled if your Trust Center is using the Network Creator Security plugin. You can see the call in the start function of network-creator-security.c:
Network Creator Security. Basically, there is a bit which is set during the Network Creator Security Start function. You can see how this is done in network-creator-security.c:
// Use hashed link keys for improved storage and speed.
state.bitmask |= EMBER_TRUST_CENTER_USES_HASHED_LINK_KEY;
If you know the Master Key, you can get Network Analyzer to give you the hashed link key for a given EUI64.... Just go into Network Analyzer's Security Key preferences (Window >> Preferences >> Network Analyzer >> Decoding >> Security Keys) and click the "Run HMAC" button. Then input your Master Key and an EUI64 to get the HMAC hashed key.