BLE security question

Hello,

I suggest you try the Heart Rate sensor and BLE Heart Rate Collector Example. These examples support LE secure connections pairing with Just works which provides protection against passive eavesdropping (i.e. BT sniffers). Just remember to increase the security level of your Bluetooth characteristics to limit access to paired clients only. 

Increasing the security levels of the Bluetooth characteristics in the heart rate example:

diff --git a/main.c b/main.c
index cc98734..9434a82 100644
--- a/main.c
+++ b/main.c
@@ -493,8 +493,8 @@ static void services_init(void)
     hrs_init.p_body_sensor_location      = &body_sensor_location;
 
     // Here the sec level for the Heart Rate Service can be changed/increased.
-    hrs_init.hrm_cccd_wr_sec = SEC_OPEN;
-    hrs_init.bsl_rd_sec      = SEC_OPEN;
+    hrs_init.hrm_cccd_wr_sec = SEC_JUST_WORKS;
+    hrs_init.bsl_rd_sec      = SEC_JUST_WORKS;
 
     err_code = ble_hrs_init(&m_hrs, &hrs_init);
     APP_ERROR_CHECK(err_code);
@@ -508,9 +508,9 @@ static void services_init(void)
     bas_init.initial_batt_level   = 100;
 
     // Here the sec level for the Battery Service can be changed/increased.
-    bas_init.bl_rd_sec        = SEC_OPEN;
-    bas_init.bl_cccd_wr_sec   = SEC_OPEN;
-    bas_init.bl_report_rd_sec = SEC_OPEN;
+    bas_init.bl_rd_sec        = SEC_JUST_WORKS;
+    bas_init.bl_cccd_wr_sec   = SEC_JUST_WORKS;
+    bas_init.bl_report_rd_sec = SEC_JUST_WORKS;
 
     err_code = ble_bas_init(&m_bas, &bas_init);
     APP_ERROR_CHECK(err_code);

Best regards,

Vidar

Hello,

I suggest you try the Heart Rate sensor and BLE Heart Rate Collector Example. These examples support LE secure connections pairing with Just works which provides protection against passive eavesdropping (i.e. BT sniffers). Just remember to increase the security level of your Bluetooth characteristics to limit access to paired clients only. 

Increasing the security levels of the Bluetooth characteristics in the heart rate example:

diff --git a/main.c b/main.c
index cc98734..9434a82 100644
--- a/main.c
+++ b/main.c
@@ -493,8 +493,8 @@ static void services_init(void)
     hrs_init.p_body_sensor_location      = &body_sensor_location;
 
     // Here the sec level for the Heart Rate Service can be changed/increased.
-    hrs_init.hrm_cccd_wr_sec = SEC_OPEN;
-    hrs_init.bsl_rd_sec      = SEC_OPEN;
+    hrs_init.hrm_cccd_wr_sec = SEC_JUST_WORKS;
+    hrs_init.bsl_rd_sec      = SEC_JUST_WORKS;
 
     err_code = ble_hrs_init(&m_hrs, &hrs_init);
     APP_ERROR_CHECK(err_code);
@@ -508,9 +508,9 @@ static void services_init(void)
     bas_init.initial_batt_level   = 100;
 
     // Here the sec level for the Battery Service can be changed/increased.
-    bas_init.bl_rd_sec        = SEC_OPEN;
-    bas_init.bl_cccd_wr_sec   = SEC_OPEN;
-    bas_init.bl_report_rd_sec = SEC_OPEN;
+    bas_init.bl_rd_sec        = SEC_JUST_WORKS;
+    bas_init.bl_cccd_wr_sec   = SEC_JUST_WORKS;
+    bas_init.bl_report_rd_sec = SEC_JUST_WORKS;
 
     err_code = ble_bas_init(&m_bas, &bas_init);
     APP_ERROR_CHECK(err_code);

Best regards,

Vidar

Thank you for your answer.

I will check the security operation with the sample program you gave me.

Sorry for the late reply.
Based on the sample program and advice that you gave me last week
I have checked the operation.

Sample program used)
Central “ble_app_hrs_c”
Peripheral “ble_app_hrs”

I have confirmed that the build was successful and it is working.
As a result, I understood as follows.

I understand that "LE Secure Connections" is a technique for encrypting the communication after pairing is successful and making it safe, and does not determine whether the connection is possible or not by identifying the other party at the time of connection.

Is the above understanding correct?

question)
I would like to use a private key at the connection stage to allow connections only from a specific central. Is there a way to do that?
If it is technically possible, I would like to receive a sample program or program code.

Thank you.

You can advertise with a whitelist like we do in the BLE HID examples to only allow known peers to establish a connection with your device. 

Thank you for your answer.

The problem this time is that an external smartphone is connected to the peripheral, which is a product.
Therefore, it is necessary to deny external smartphone connections from the product's peripherals.

I understand that connection refusal using a whitelist is a setting on the central side.

Please let me know if there is a way to deny connections from devices including smartphones from the peripheral side.

Thank you.

If you advertise with a whitelist, as in the HID examples, the peripheral will reject connection requests from devices that have not been added to the whitelist.