How to check CS procudure used by controller in BLE Channel sounding security

Hi, I am using an external host with NRF54l!5 dk to test the channel sounding feature.

Can you tell me how the NRF controller supports this Cs procedure and whether the controller sends any event to the host so that security levels can be checked? Also, i want to set this security level. I tried searching in the NRF code, but can you help me locate how sample examples have set the security level. And how can we check that the particular security level is using the required cs procedure

Top Replies

Thomas Johansen over 1 year ago in reply to Abhinav152 +1 verified

Hi again, In Vol 3, Part C, Section 10.11.1 of the 6.0 core specification, the following is stated for each security level: Either CS tone or CS RTT 150 ns CS RTT accuracy and CS tones 10 ns…

Parents

0 Thomas Johansen over 1 year ago

Hi,

Channel Sounding Security level is not set anywhere, but instead implicitly selected via the parameters used to run the requested procedure. As seen in the support status of the Channel Sounding documentation: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrfxlib/softdevice_controller/doc/channel_sounding.html#support_status, 10ns RTT accuracy is not supported.

This means that the security level is implicitly 2 if you use RTT (Mode-1 or Mode-3) in the procedure parameters and otherwise 1 (since you need to use RTT to have the 150ns RTT requirement met).

In order to check security level you have to compare the selected configuration and supported features of both devices.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Abhinav152 over 1 year ago in reply to Thomas Johansen

Hi, thanks for the clarification. Could you please highlight which parameters will be used to decide the Security level. ?It would be really helpful.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Thomas Johansen over 1 year ago in reply to Abhinav152
Hi again,

In Vol 3, Part C, Section 10.11.1 of the 6.0 core specification, the following is stated for each security level:

Either CS tone or CS RTT

150 ns CS RTT accuracy and CS tones

10 ns CS RTT accuracy and CS tones

Level 3 with the addition of CS RTT sounding sequence or random sequence payloads, and support of the Normalized Attack Detector Metric requirements as described in [Vol 6] Part H, Section 3.5.1.

Security level is decided by RTT accuracy, NADM support and if the RTT measurements include a payload or not. Since all of these parameters require you to use RTT, the security level also requires that main-mode or sub-mode for the procedure contains RTT measurements (Mode-1 or Mode-3)
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 Shreeyash17 8 months ago in reply to Thomas Johansen
Thomas Johansen

Just to confirm my understanding:

In LE CS create config command

Selecting Main Mode 1 or 3 configures Channel sounding Security Level 2.

Selecting Main Mode 2 with Sub Mode 1 configures Channel sounding
Security Level 1.

This setup should be sufficient to ensure the correct Channel Sounding Security Level is selected, and this should be enough to satisfy qualification criteria ( say PTS) ? i.e. we are not breaking any functionality ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Shreeyash17 8 months ago in reply to Thomas Johansen
Thomas Johansen

Just to confirm my understanding:

In LE CS create config command

Selecting Main Mode 1 or 3 configures Channel sounding Security Level 2.

Selecting Main Mode 2 with Sub Mode 1 configures Channel sounding
Security Level 1.

This setup should be sufficient to ensure the correct Channel Sounding Security Level is selected, and this should be enough to satisfy qualification criteria ( say PTS) ? i.e. we are not breaking any functionality ?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Thomas Johansen 8 months ago in reply to Shreeyash17
Hi again,

If we consult the specification again, linked here, we can see some more verbose descriptions of the security levels:

A device that operates in security level 1 shall use CS tone or CS RTT within a CS procedure.

A device that operates in security level 2 shall use 150 ns or better CS RTT accuracy and CS tones within a CS procedure.

A device that operates in security level 3 shall use 10 ns or better CS RTT accuracy and CS tones within a CS procedure.

A device that operates in security level 4 shall meet the requirements of security level 3 and shall also require that the CS procedure uses either CS RTT with sounding sequence or CS RTT with random sequence, and that the device shall also support the Normalized Attack Detector Metric requirements as described in [Vol 6] Part H, Section 3.5.1.

This is different to your suggestion in two ways.

1. For security level 2 we need RTT and tones

2. We do not need the RTT to be the main-mode to still meet security level 2 requirements

This is a lot of specification work for an answer, but since this is a complex feature I find that becoming comfortable with the Bluetooth specification helps with understanding.

tl;dr: CS Security levels in the SDC are:

If

Main-mode is 2 with no sub-mode

Main-mode is 1 with no sub-mode

If

Main-mode is 2 with sub-mode 1

Main-mode is 2 with sub-mode 3

Main-mode is 3 regardless of selected sub-mode

Note that for security level 2 you also need to run enough RTT steps (mode-3 or mode-1) to satisfy the RTT N value in both devices capabilities This value is described here in spec and may depend on what RTT mode is selected.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel