How does Identity Resolving Key work? Why does LESC only work when IRK is set to true (Zephyr)?

We are using PC-BLE-DRIVER-JS for our central and Zephyr in our peripheral (833).
The central bonded with the peripheral only when the id (IRK) param in our central is set to true.
If IRK is set to false, the central will not bond with the peripheral.

Only on Zephyr did we need to set it to true; on NRF52 we didn't need to set it.

How does IRK work? Why must it be set to enable bonding sec parameters?

Code snippet (from our central, in the authenticate method):

    const secParamsCentral: SecurityParameters = {
      bond: true,
      mitm: true,
      lesc: true,
      keypress: false,
      // eslint-disable-next-line camelcase
      io_caps: this.adapter.driver.BLE_GAP_IO_CAPS_KEYBOARD_ONLY,
      oob: false,
      // eslint-disable-next-line camelcase
      min_key_size: 7,
      // eslint-disable-next-line camelcase
      max_key_size: 16,
      // eslint-disable-next-line camelcase
      kdist_own: {
        enc: true /** Long Term Key and Master Identification. */,
        id: true /** Identity Resolving Key and Identity Address Information. */,
        sign: false /** Connection Signature Resolving Key. */,
        link: false /** Derive the Link Key from the LTK. */,
      },
      // eslint-disable-next-line camelcase
      kdist_peer: {
        enc: true /** Long Term Key and Master Identification. */,
        id: true /** Identity Resolving Key and Identity Address Information. */,
        sign: false /** Connection Signature Resolving Key. */,
        link: false /** Derive the Link Key from the LTK. */,
      },
    };

  • Hi

    The IRK is the key used to support a privacy feature of the BLE spec that allows devices to use a random address that can be resolved. The IRK, in combination with a random value, is used to identify said device. If a device doesn't get access to the IRK, it's impossible to identify if the random address belongs to the same device. https://www.bluetooth.com/blog/bluetooth-technology-protecting-your-privacy/

    What peripheral application is this nRF52833 running? 

    Best regards,

    Simon
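
The address resolution described in the reply above, as an added example that is not part of the original thread and not Nordic's or Zephyr's code: a resolvable private address is a 24-bit random part (`prand`) followed by a 24-bit hash `ah(IRK, prand)`, and only a peer holding the IRK can recompute that hash. The function names and the bond table are hypothetical; the first IRK/`prand` pair is the `ah` sample data from the Bluetooth Core Specification, and all values are written most significant byte first (stacks usually store them little-endian).

```javascript
const crypto = require('node:crypto');

// ah(k, r) from the Security Manager spec: e(k, zero padding || r) mod 2^24.
function ah(irk, prand) {
  const cipher = crypto.createCipheriv('aes-128-ecb', irk, null);
  cipher.setAutoPadding(false);
  const block = Buffer.concat([Buffer.alloc(13), prand]); // 13 zero bytes + prand
  return Buffer.concat([cipher.update(block), cipher.final()]).subarray(13);
}

// Parse "AA:BB:CC:DD:EE:FF" (most significant byte first) into 6 bytes.
function parseAddress(text) {
  const bytes = Buffer.from(text.replace(/:/g, ''), 'hex');
  if (bytes.length !== 6) throw new Error('expected a 48-bit address');
  return bytes;
}

// Return the label of the bond whose IRK resolves the address, else null.
function resolveRpa(address, bonds) {
  const addr = parseAddress(address);
  if ((addr[0] & 0xc0) !== 0x40) return null; // top two bits 01 mark an RPA
  const prand = addr.subarray(0, 3);
  const hash = addr.subarray(3);
  for (const { label, irk } of bonds) {
    if (crypto.timingSafeEqual(ah(irk, prand), hash)) return label;
  }
  return null; // no stored IRK matches: the device cannot be identified
}

// Build a fresh RPA for an IRK: random prand with top bits 01, then the hash.
function generateRpa(irk) {
  let prand;
  let value;
  do {
    prand = crypto.randomBytes(3);
    prand[0] = (prand[0] & 0x3f) | 0x40;
    value = prand.readUIntBE(0, 3);
  } while (value === 0x400000 || value === 0x7fffff); // random bits not all 0 or all 1
  const addr = Buffer.concat([prand, ah(irk, prand)]);
  return addr.toString('hex').match(/../g).join(':').toUpperCase();
}

// Constructed bond table: one peer whose IRK was distributed during bonding.
const BONDS = [
  { label: 'bonded-peer', irk: Buffer.from('ec0234a357c8ad05341010a60a397d9b', 'hex') },
];
// Constructed IRK of a device that never received the peer's IRK.
const OTHER_IRK = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
```
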

  • Hi Simon,
    Our product (peripheral) is using nRF52833.
    Is it possible to disable IRK on Zephyr?

  • Hi

    Just to make sure, you still want to have privacy and do bonding, just without the IRK, correct? LESC pairing/bonding requires IRK to work, as this is a step of the privacy/encryption used in our Bluetooth controller stacks.

    You can do pairing without IRKs, but that would be restricted to the JUST_WORKS pairing, see \ncs\v2.4.0\zephyr\subsys\bluetooth\host\smp.c for info on how to use this pairing method. Note that CONFIG_BT_SMP_SC_PAIR_ONLY and CONFIG_BT_SMP_OOB_LEGACY_PAIR_ONLY must not be set in your project config to use JUST_WORKS pairing.

    Best regards,

    Simon

  • I am a bit confused. We used to work with NRF5 on our peripheral (before Zephyr) and we didn't need to set our central (TypeScript) IRK (id=false, on the BLE adapter, pc-ble-driver-js), and they (our central with our peripheral) successfully bonded with each other (LESC with LTK).

    Does it mean it (IRK) wasn't mandatory on NRF5?
    Thank you,

    Ben 

  • Hi Ben

    I discussed this case with a colleague yesterday and it seems like we agreed upon the same misunderstanding yesterday. Sorry for the confusion. The PRIVACY has a dependency on SMP in Zephyr, but not the other way around (as we thought) it seems. I've spoken to the developers today about this, and it should indeed be possible to do LESC without IRK. However, there was some confusion with the SMP in Zephyr for some time, so what exact version of the nRF Connect SDK are you using for development?

    Can you try setting CONFIG_BT_PRIVACY=n in your peripheral project to disable IRKs? If this results in issues when trying LESC pairing, what error message(s) do you see?

    Best regards,

    Simon
