• State Verified Answer
  • Replies 8 replies
  • Subscribers 66 subscribers
  • Views 1511 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 309396
Options

How does Identity Resolving Key work? Why does LESC only work when IRK is set to true(zephyr)?

BenSiso

We are using PC-BLE-DRIVER-JS for our central and zephyr in our peripheral  (833).
The central bonded with the peripheral only when the id (IRK) param in our central is set to true.
If IRK set to false the central will not bond with the peripheral.

Only on zephyr we needed to set it to true, on NRF52 we didnt need to set it.

How does IRK work? Why must it be set to enable bonding sec parameters?

code snap(from our central, on authenticate method):

:

    const secParamsCentral: SecurityParameters = {
      bond: true,
      mitm: true,
      lesc: true,
      keypress: false,
      // eslint-disable-next-line camelcase
      io_caps: this.adapter.driver.BLE_GAP_IO_CAPS_KEYBOARD_ONLY,
      oob: false,
      // eslint-disable-next-line camelcase
      min_key_size: 7,
      // eslint-disable-next-line camelcase
      max_key_size: 16,
      // eslint-disable-next-line camelcase
      kdist_own: {
        enc: true /** Long Term Key and Master Identification. */,
        id: true /** Identity Resolving Key and Identity Address Information. */,
        sign: false /** Connection Signature Resolving Key. */,
        link: false /** Derive the Link Key from the LTK. */,
      },
      // eslint-disable-next-line camelcase
      kdist_peer: {
        enc: true /** Long Term Key and Master Identification. */,
        id: true /** Identity Resolving Key and Identity Address Information. */,
        sign: false /** Connection Signature Resolving Key. */,
        link: false /** Derive the Link Key from the LTK. */,
      },
    };

Parents
  • 0

    Hi Ben

    I discussed this case with a colleague yesterday and it seems like we agreed upon the same misunderstanding yesterday. Sorry for the confusion. The PRIVACY has a dependency on SMP in Zephyr, but not the other way around (as we thought) it seems. I've spoken to the developers today about this, and it should indeed be possible to do LESC without IRK. However, there was some confusion with the SMP in Zephyr for some time, so what exact version of the nRF Connect SDK are you using for development?

    Can you try setting CONFIG_BT_PRIVACY=n in your peripheral project to disable IRKs. If this resuts in issues when tryingt LESC pairing, what error message(s) do you see?

    Best regards,

    Simon

  • 0 in reply to Simonr

    Hi Simon,
    CONFIG_BT_PRIVACY is 'n' by default, my issue is with the IRK and not RPA.
    But I did try it and in addition set IRK to false on central side(typescript) and LESC didnt work.
    The LTK is all zero after first pairing(when trying to connect)
    Our nRF Connect SDK is : 2.2.0

    after pairing I am trying to bond and the ltk on central side is array of 0:

    debug: [libs\bleAdapter] encrypt {"ediv":0,"rand":[0,0,0,0,0,0,0,0]} {"ltk":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"auth":false,"ltk_len":0,"lesc":false}
debug: [logic\ble] securityRequest {"id":30,"name":"BLE_GAP_EVT_SEC_REQUEST","time":"2023-06-18T13:59:35.371Z","conn_handle":0,"bond":true,"mitm":true,"lesc":true,"keypress":false}
debug: [libs\bleAdapter] dataLengthUpdateRequest {"max_rx_octets":251,"max_tx_octets":251}
info: [logic\centralDB] ReportWatchDogMethods saving disconnect Mac to DB.
error: [logic\ble] deviceDisconnected Device <MAC ADDRESS> disconnected incorrectly (BLE_HCI_CONNECTION_TIMEOUT : 8)

Reply
  • 0 in reply to Simonr

    Hi Simon,
    CONFIG_BT_PRIVACY is 'n' by default, my issue is with the IRK and not RPA.
    But I did try it and in addition set IRK to false on central side(typescript) and LESC didnt work.
    The LTK is all zero after first pairing(when trying to connect)
    Our nRF Connect SDK is : 2.2.0

    after pairing I am trying to bond and the ltk on central side is array of 0:

    debug: [libs\bleAdapter] encrypt {"ediv":0,"rand":[0,0,0,0,0,0,0,0]} {"ltk":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"auth":false,"ltk_len":0,"lesc":false}
debug: [logic\ble] securityRequest {"id":30,"name":"BLE_GAP_EVT_SEC_REQUEST","time":"2023-06-18T13:59:35.371Z","conn_handle":0,"bond":true,"mitm":true,"lesc":true,"keypress":false}
debug: [libs\bleAdapter] dataLengthUpdateRequest {"max_rx_octets":251,"max_tx_octets":251}
info: [logic\centralDB] ReportWatchDogMethods saving disconnect Mac to DB.
error: [logic\ble] deviceDisconnected Device <MAC ADDRESS> disconnected incorrectly (BLE_HCI_CONNECTION_TIMEOUT : 8)

Children
  • 0 in reply to BenSiso

    Hi Ben, I got the same issue, after some investigation, it appears that the tools developed during the time of NRF5 SDK were using LE legacy pairing. Both Bluetooth v5.1 (old SDK) and v5.3(Zephyr) specified that for LESC, only IRK (if you will use RPA) and CSRK can be distributed not LTK (this should not be shared at all for security) during pairing(phase 3). Also IRK is not mandatory for LESC according to Bluetooth 5.3 Core spec Vol 3 Part H section 2.4.3.2 i.e., you can still achieve LESC either you are using RPA or not (CONFIG_BT_PRIVACY=n). When you are using RPA(CONFIG_BT_PRIVACY=y) that's the time IRK will be distributed to the master according to Bluetooth v5.3/v5.1 Core spec Vol 3 Part C section 9.4.4.2. 

Related