RE: Protecting write characteristic - best option?

Jebakumar — Tue, 26 Mar 2019 02:59:25 GMT

nicely explained

RE: Protecting write characteristic - best option?

r00li — Wed, 29 Jun 2016 18:45:41 GMT

Thanks for the nicely detailed explanation of security in BLE! It's really helpful.

RE: Protecting write characteristic - best option?

Petter Myhre — Tue, 28 Jun 2016 11:59:15 GMT

BLE security mode 1 has four security levels, and a connection operate in one of these levels.

No security – No encryption
Unauthenticated pairing with encryption, but no MITM protection
Authenticated pairing with encryption and MITM protection
Authenticated LE Secure Connections pairing with encryption

Every time two devices connect, the connection operate in security level 1 - no security. Then you perform an authentication procedure or encryption procedure to increase the level of security of the connection.

With the authentication procedure the higher level of security is achieved by doing unauthenticated or authenticated pairing. Authenticated pairing results in authenticated encryption keys, while unauthenticated pairing results in unauthenticated encryption keys.

Pairing is authenticating another device, and establishing temporary shared secret keys which can be used to encrypt a link. Bonding is pairing followed by distribution of keys which can be used to encrypt the link in future reconnections. With only pairing the keys are only valid on the current connection, with bonding the keys are typically stored persistently (as a bond) and can be used on subsequent connections.

With the encryption procedure the higher level of security is achieved by encrypting the connection with encryption keys that are already available (no pairing necessary). This is typically if encryption keys were shared and stored after previously performed bonding. These encryption keys can also be authenticated or unauthenticated and determine the security level.

It is possible to set a security requirement on a characteristic value, it is also possible to have different security requirements on writes and reads of a characteristic value.

You want the user to be authenticated before he/she can acccess the characteristic value, so you should set the required security level for writing to level 3.

To increase the security level of the connection to level 3 you have two options, pairing with Passkey Entry or OOB.

Passkey Entry normally requires a display or a keyboard, but with our SoftDevices you can set a static passkey, so the device doesn't need any input. This would be similar to a predefined password, only it will be a predefined passkey. This is of course less secure, since the passkey is static. The passkey is also short, only 6 digits, or around 20 bits, which means it provides very limited protection against eavesdroppers during the pairing process. If the attack is not performed during the pairing process, the encryption is secure and confidentiality is achieved.

With OOB a 128 bit key is normally transferred by some other means, for example by using Near-Field Communcation, but you can also have this static in our SoftDevices. The OOB key is intended to be random, so setting it statically is less secure. A problem is that as far as I know Android and iOS doesn't allow you to set OOB key directly, only through NFC or other.

If you bond you can store the authenticated keys persistenly and do an encryption procedure on subsequent connections. This will increase the security level to 3, and you will be able to write the characterisitic value.

In my mind these are the options that are offered to you by the BLE protocol, you can of course (additionally) implement something in the application layer. This blog may not be relevant, but it is an interesting read.

RE: Protecting write characteristic - best option?

r00li — Mon, 27 Jun 2016 15:10:23 GMT

Either a phone or some specialized embedded system running linux.

RE: Protecting write characteristic - best option?

Petter Myhre — Mon, 27 Jun 2016 09:42:37 GMT

What kind of central devices would connect to this device?