How to check CS procedure used by controller in BLE Channel sounding security

Hi, I am using an external host with the nRF54L15 DK to test the channel sounding feature.

Can you tell me how the NRF controller supports this CS procedure and whether the controller sends any event to the host so that security levels can be checked? Also, I want to set this security level. I tried searching in the NRF code, but can you help me locate how the sample examples have set the security level? And how can we check that the particular security level is using the required CS procedure?

  • Hi,

    Channel Sounding Security level is not set anywhere, but instead implicitly selected via the parameters used to run the requested procedure. As seen in the support status of the Channel Sounding documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrfxlib/softdevice_controller/doc/channel_sounding.html#support_status, 10ns RTT accuracy is not supported.

    This means that the security level is implicitly 2 if you use RTT (Mode-1 or Mode-3) in the procedure parameters and otherwise 1 (since you need to use RTT to have the 150ns RTT requirement met).

    In order to check security level you have to compare the selected configuration and supported features of both devices.

  • Hi, thanks for the clarification. Could you please highlight which parameters will be used to decide the security level? It would be really helpful.

  • Hi again,

    In Vol 3, Part C, Section 10.11.1 of the 6.0 core specification, the following is stated for each security level:

    1. Either CS tone or CS RTT
    2. 150 ns CS RTT accuracy and CS tones
    3. 10 ns CS RTT accuracy and CS tones
    4. Level 3 with the addition of CS RTT sounding sequence or random sequence payloads, and support of the Normalized Attack Detector Metric requirements as described in [Vol 6] Part H, Section 3.5.1.

    Security level is decided by RTT accuracy, NADM support and whether the RTT measurements include a payload or not. Since all of these parameters require you to use RTT, the security level also requires that the main-mode or sub-mode for the procedure contains RTT measurements (Mode-1 or Mode-3).

  • Just to confirm my understanding:

    In LE CS create config command

    • Selecting Main Mode 1 or 3 configures Channel sounding Security Level 2.
    • Selecting Main Mode 2 with Sub Mode 1 configures Channel sounding Security Level 1.

    This setup should be sufficient to ensure the correct Channel Sounding Security Level is selected, and this should be enough to satisfy qualification criteria (say PTS)? I.e. we are not breaking any functionality?

  • Hi again,

    If we consult the specification again, linked here, we can see some more verbose descriptions of the security levels:

    A device that operates in security level 1 shall use CS tone or CS RTT within a CS procedure.

    A device that operates in security level 2 shall use 150 ns or better CS RTT accuracy and CS tones within a CS procedure.

    A device that operates in security level 3 shall use 10 ns or better CS RTT accuracy and CS tones within a CS procedure.

    A device that operates in security level 4 shall meet the requirements of security level 3 and shall also require that the CS procedure uses either CS RTT with sounding sequence or CS RTT with random sequence, and that the device shall also support the Normalized Attack Detector Metric requirements as described in [Vol 6] Part H, Section 3.5.1.

    This is different to your suggestion in two ways.

    1. For security level 2 we need RTT and tones

    2. We do not need the RTT to be the main-mode to still meet security level 2 requirements

    This is a lot of specification work for an answer, but since this is a complex feature I find that becoming comfortable with the Bluetooth specification helps with understanding.

    tl;dr: CS Security levels in the SDC are:

    1. If
      1. Main-mode is 2 with no sub-mode
      2. Main-mode is 1 with no sub-mode
    2. If
      1. Main-mode is 2 with sub-mode 1
      2. Main-mode is 2 with sub-mode 3
      3. Main-mode is 3 regardless of selected sub-mode

    Note that for security level 2 you also need to run enough RTT steps (mode-3 or mode-1) to satisfy the RTT N value in both devices' capabilities. This value is described here in spec and may depend on what RTT mode is selected.
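
The rule from the final answer above, written as a host-side check. This is an added example, not code from the thread or from the nRF Connect SDK. The macro and function names are hypothetical, the value 0xFF for "no sub-mode" is assumed from the HCI numbering, and `rtt_n_satisfied` is a flag the caller must derive from both devices' capabilities.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names for this example. Mode numbers follow the thread;
 * 0xFF as "no sub-mode" is an assumption taken from the HCI numbering. */
#define CS_MODE_1        0x01u /* RTT only */
#define CS_MODE_2        0x02u /* tones only */
#define CS_MODE_3        0x03u /* RTT and tones */
#define CS_SUB_MODE_NONE 0xFFu

static bool mode_valid(uint8_t m) { return m >= CS_MODE_1 && m <= CS_MODE_3; }
static bool mode_has_rtt(uint8_t m) { return m == CS_MODE_1 || m == CS_MODE_3; }
static bool mode_has_tones(uint8_t m) { return m == CS_MODE_2 || m == CS_MODE_3; }

/*
 * Security level implied by a CS configuration on a controller that only
 * offers 150 ns RTT accuracy (so levels 3 and 4 are never reached).
 * rtt_n_satisfied: caller-supplied, true when the procedure runs enough RTT
 * steps for the RTT N value of both devices.
 * Returns 0 for an unrecognised mode value, otherwise 1 or 2.
 */
int cs_security_level(uint8_t main_mode, uint8_t sub_mode, bool rtt_n_satisfied)
{
    if (!mode_valid(main_mode)) {
        return 0;
    }
    if (sub_mode != CS_SUB_MODE_NONE && !mode_valid(sub_mode)) {
        return 0;
    }

    /* RTT or tones may come from either the main-mode or the sub-mode. */
    bool rtt = mode_has_rtt(main_mode);
    bool tones = mode_has_tones(main_mode);
    if (sub_mode != CS_SUB_MODE_NONE) {
        rtt = rtt || mode_has_rtt(sub_mode);
        tones = tones || mode_has_tones(sub_mode);
    }

    /* Level 2 needs RTT and tones, plus enough RTT steps. */
    return (rtt && tones && rtt_n_satisfied) ? 2 : 1;
}

/* Gate for an application that refuses ranging results below a minimum level. */
bool cs_config_meets_level(uint8_t main_mode, uint8_t sub_mode,
                           bool rtt_n_satisfied, int required_level)
{
    int level = cs_security_level(main_mode, sub_mode, rtt_n_satisfied);
    return level != 0 && level >= required_level;
}
```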
