
Signed Data support, to authenticate incoming data?

Hello,

I'm assessing various ways to authenticate/secure a connection with BLE on the Nordic nRF51822. Our goal is to enable authenticated modification of a few values in a custom GATT service. These values should only be modified by our authorized external application.

Here: developer.bluetooth.org/.../LE-Security.aspx

discusses the concept of "signed data", which sounds like perhaps what we need.

However, upon searching nordic source code, I find this note in ble_gap.h (near SD_BLE_GAP_SEC_INFO_REPLY):

"Data signing is not implemented yet"

Is this correct? If so, are there other recommendations to ensure our goal of preventing non-authorized users of our device from modifying these protected values?

Thank you very much,

Matthew

  • It is correct that support for signed data is not implemented in S110. There are as far as I know no ratified or upcoming official BLE Profile using this yet, and it has hence not been prioritized. Also, this data signing as defined in the spec is not usable to limit writes to a single authorized application, it's just made to allow writes from only bonded devices.

    In general all security in BLE is based on devices, not applications. This means that once you bond with a device, any app running on this device can do whatever it wants to all characteristics. If you need to limit activity on certain characteristics to one app only, you will hence be best off by implementing this on the application level.

    It would for example be no problem to implement some kind of data signing on the application level, for example by appending a signature to the real data and then writing the data plus the checksum to the characteristic. The device can then use authorization for the Write Requests to deny writes that don't have the valid signature.

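The scheme sketched in the answer above, as an added worked example (not code from the original thread or from Nordic): the authorized app appends a tag to the value it writes, and the device's write-authorization logic accepts the write only if the tag verifies. The example uses a truncated HMAC-SHA256 over the characteristic handle, a monotonic counter and the value; the shared key, the handle number and the message layout (4-byte counter, value, 8-byte tag, sized to fit one 20-byte Write Request at the default 23-byte ATT_MTU) are assumptions for this illustration. On the nRF51 the device-side decision would sit in the application's handler for the S110 write-authorization event (BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST); here both sides are modelled in Python so the exchange and the rejected cases can be run end to end.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# Constructed 128-bit shared secret for the example. In a product it would be
# provisioned into the device and held only by the authorized app (assumption).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

COUNTER_LEN = 4      # big-endian monotonic write counter (replay protection)
TAG_LEN = 8          # truncated HMAC-SHA256 tag
ATT_WRITE_MAX = 20   # value bytes in one Write Request at the default 23-byte ATT_MTU
MAX_VALUE_LEN = ATT_WRITE_MAX - COUNTER_LEN - TAG_LEN  # 8 bytes of real data


def _tag(key: bytes, handle: int, counter: int, value: bytes) -> bytes:
    """Tag over handle || counter || value, so a captured write can be neither
    replayed (counter) nor redirected to another characteristic (handle)."""
    msg = struct.pack(">HI", handle, counter) + value
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def sign_write(key: bytes, handle: int, counter: int, value: bytes) -> bytes:
    """Client side: build counter || value || tag for a single Write Request."""
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("value does not fit in one Write Request; use a long write")
    return struct.pack(">I", counter) + value + _tag(key, handle, counter, value)


class ProtectedCharacteristic:
    """Device side: the characteristic value plus the last accepted counter."""

    def __init__(self, key: bytes, handle: int, initial: bytes = b"\x00") -> None:
        self._key = key
        self.handle = handle
        self.value = initial
        self.last_counter = 0

    def authorize_write(self, data: bytes) -> Tuple[bool, str]:
        """Decide whether an incoming write is accepted (the check the
        write-authorization handler would perform before replying)."""
        if len(data) < COUNTER_LEN + TAG_LEN + 1:
            return False, "too short"
        counter = struct.unpack(">I", data[:COUNTER_LEN])[0]
        value = data[COUNTER_LEN:-TAG_LEN]
        tag = data[-TAG_LEN:]
        # Verify the tag first, in constant time, before acting on any field.
        if not hmac.compare_digest(tag, _tag(self._key, self.handle, counter, value)):
            return False, "bad tag"
        # A valid tag with a stale counter is a replayed capture.
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter
        self.value = value
        return True, "ok"


def demo() -> Dict[str, object]:
    """Run the exchange: one good write, then the attacks the tag must stop."""
    handle = 0x0012  # constructed attribute handle of the protected characteristic
    char = ProtectedCharacteristic(SHARED_KEY, handle)
    out: Dict[str, object] = {}

    good = sign_write(SHARED_KEY, handle, 1, b"\x2a")
    out["valid"] = char.authorize_write(good)             # accepted
    out["replay"] = char.authorize_write(good)            # same bytes again: rejected
    tampered = good[:COUNTER_LEN] + b"\x7f" + good[COUNTER_LEN + 1:]
    out["tampered"] = char.authorize_write(tampered)      # value changed in flight
    out["wrong_key"] = char.authorize_write(sign_write(b"\xff" * 16, handle, 2, b"\x2a"))
    out["other_handle"] = char.authorize_write(sign_write(SHARED_KEY, 0x0014, 2, b"\x2a"))
    out["next"] = char.authorize_write(sign_write(SHARED_KEY, handle, 2, b"\x2b"))
    out["final_value"] = char.value
    out["final_counter"] = char.last_counter
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner would want: the tag gives integrity and origin, not confidentiality, so if the values themselves are sensitive the link should still be bonded and encrypted; and because the key is symmetric, anyone who extracts it from the device firmware can sign writes, so per-device keys (or an asymmetric signature, at the cost of verification time on the nRF51) limit the damage from one extracted key. The client must also keep its counter in sync; exposing the device's last accepted counter through a readable characteristic is a simple way to recover after the app loses state.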
