Two-step NFC OOB pairing and immediate pairing

Hi,

I am working on an application with NCS (2.5.0) that will have central and peripheral devices with no I/O capabilities. During the commissioning phase, I want to use LE Secure OOB pairing to ensure that the authenticity and integrity of the link is assured. Both the central and the peripherals have NFC capability, but due to the installation process it's not possible to bring the devices together when they need to connect. My plan was to use a smartphone as intermediary that will first get the OOB information over NFC from the central which will then start scanning. Then the smartphone will be brought to the peripheral to share the OOB information of the central and then the peripheral should start advertising and pair with the central, given the OOB information through NFC.

I was studying the BLE NFC Pairing example to get started but I'm a bit confused by how it works. When bringing my phone close, I get a pop-up to pair the device immediately. This is the behaviour I would like to see between my central and peripheral, i.e. immediately pair or disconnect if this doesn't work. From the Nordic Developer Academy BLE Fundamentals course Lesson 5 I understand that normally a connection is set up at Level 1 and the security level is then only raised when it is required because of permissions set on the service characteristics. From this Q&A I see that it's also recommended to do it like this, however it is possible to issue a security request manually from the peripheral by calling bt_conn_set_security(). I don't see bt_conn_set_security() being called in the NFC Pairing sample, so I'm wondering if the central (smartphone in the case of the NFC pairing sample) actively requests to elevate the security level, or is this somehow embedded somewhere in the Connection Handover libraries?

I can probably work by setting permissions to the service characteristics, and only pair using the OOB data I have transferred when the central starts using the characteristics, but I was just wondering where the differences are (if any)

Parents
  • Hello,

    This is kind of a big topic of questions here, but here are some pointers I have.

    So NFC here is just used to transfer some data between the two peers, and you are using the phone as a way to transport that data. I do believe that should work, likely you can just the generic NFC example, and replace the "Hello World" with the OOB data and possible the name, address or irk of the peer (just to make sure the correct peer connect in the first place):
    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nfc/record_text/README.html 

    In terms of how to use the OOB data on the peer, I suggest to for instance look at the auth_oob_data_request() in main.c for peripheral_keyboard and replace app_nfc_oob_data_get() with the 128-bit key you want to use. Similar on central you need to add the .oob_data_request callback in conn_auth_callbacks to handle such event.

    You are right that by default it will connect using no security, and to ensure that it's not "stuck" in a connection with an invalid peer, I suggest to add some timeout that for instance after 1-2seconds the peer will disconnect if it has not achieved the desired security level.

    Kenneth

Reply
  • Hello,

    This is kind of a big topic of questions here, but here are some pointers I have.

    So NFC here is just used to transfer some data between the two peers, and you are using the phone as a way to transport that data. I do believe that should work, likely you can just the generic NFC example, and replace the "Hello World" with the OOB data and possible the name, address or irk of the peer (just to make sure the correct peer connect in the first place):
    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nfc/record_text/README.html 

    In terms of how to use the OOB data on the peer, I suggest to for instance look at the auth_oob_data_request() in main.c for peripheral_keyboard and replace app_nfc_oob_data_get() with the 128-bit key you want to use. Similar on central you need to add the .oob_data_request callback in conn_auth_callbacks to handle such event.

    You are right that by default it will connect using no security, and to ensure that it's not "stuck" in a connection with an invalid peer, I suggest to add some timeout that for instance after 1-2seconds the peer will disconnect if it has not achieved the desired security level.

    Kenneth

Children
  • Hi Kenneth,

    Thank you for the feedback. I was able to transfer the 'remote' bt_le_oob and to use that for pairing when accessing a characteristic with the BT_GATT_PERM_READ_LESC permission. I can indeed also implement a timeout to disconnect when the security level is not raised within a certain amount of time. 

    I was just wondering how it works with the Bluetooth: NFC Pairing sample, since there the phone automatically asks to pair with the device when scanning the tag, seemingly before there is any interaction with any characteristic or even before a connection is set up. But that's mostly informational and not really a requirement, since I got everything working now, so I'll verify your answer.

Related