nRF51822 Peripheral with Passkey

RE: nRF51822 Peripheral with Passkey

andrey — Tue, 14 Jul 2015 20:19:35 GMT

Could you expand on your answer? Does the "passkey display event" happen on nRF side or for a host? What else must be added except the sd_ble_opt_set() call?

RE: nRF51822 Peripheral with Passkey

Stephen — Mon, 16 Mar 2015 22:38:49 GMT

This information appears to no longer be relevant.

RE: nRF51822 Peripheral with Passkey

Pål Håland — Wed, 02 Jul 2014 08:14:54 GMT

With the latest softdevice www.nordicsemi.com/.../S110-SoftDevice-v7.0 you will be able to set a static passkey.

By using the API call sd_ble_opt_set() with the structure ble_gap_opt_passkey_t, then the passkey display event will come with the passkey you set.

RE: nRF51822 Peripheral with Passkey

Juliane — Mon, 21 Apr 2014 02:17:41 GMT

Hi Samuele,

We have implemented the authentication procedure at application level using a custom GATT Service/Characteristics and checking for a password (that can be static or changeable) to authenticate the connected device.

I also want to implement the authentication procedure at application level by adding a custom Service/Charateristics and checking for a changeable password,Could you share me the code .

I am looking forward receiving your reply! Thanks so much!

RE: nRF51822 Peripheral with Passkey

Samuele Forconi — Fri, 11 Apr 2014 11:38:16 GMT

Hi, as Ole Morten said, there isn't a Bluetooth LE standard way to obtain a static authentication with such devices. We have implemented the authentication procedure at application level using a custom GATT Service/Characteristics and checking for a password (that can be static or changeable) to authenticate the connected device. I haven't found any other solution yet...

RE: nRF51822 Peripheral with Passkey

Juliane — Thu, 10 Apr 2014 02:45:52 GMT

Hi Samuele,

I have the same problem with you and I want to know wheather your problem solved.

Could you share the solutions with me ,thank you so much!

RE: nRF51822 Peripheral with Passkey

Ole Morten — Fri, 21 Feb 2014 14:21:40 GMT

I don't have any readymade suggestions for anything like this, but it's certain that implementing this on the application level is better than trying to use a static Bluetooth passkey for bonding. Since passkeys are only 6 digits, it would be trivial for someone to brute-force this if wanted.

One possibility could for example be to have the two devices share a key beforehand (i.e. as part of the firmware image and of the app), and then doing encryption of a dynamically shared value, comparing the results and then only let the device access the configuration mode if the values matches. If security is of great concern, I would however recommend you to talk to some security expert before moving ahead, as there could very well be flaws in such scheme, that I've overlooked.

Also, I think you're better off by just always having the services there, but just disallowing operations before authentication has been passed. This saves you the trouble of sending Service Changed indications and similar, when the service setup changes.

Finally, since I believe my first reply answered your original question, I'd be happy if you could accept it, to clear up this question. :)

RE: nRF51822 Peripheral with Passkey

Samuele Forconi — Thu, 20 Feb 2014 17:01:10 GMT

Hi, thanks for your answer.

So, setting a static passkey to pair with a Peripheral Device seems to be unfeasible... unless you write your own application-auth layer on top of BLE.

I was thinking about the passkey pairing because I have a BLE Peripheral Device that needs to work in 2 modes: CONF_MODE and WORK_MODE, in CONF_MODE the device should expose some configuration services/characteristics that only a Device Manager (the man who know the password) should be able to edit, while in WORK_MODE the device exposes others services/characteristics, those needed for its ordinary work. The two operating modes are switched by pressing a button on the board.

Do you have any experience/suggestions/solutions on how to implement a BLE Peripheral Device that should be capable to authenticate only the users that have the right "password"?

Thanks again for your answer. Regards, Samuele.

RE: nRF51822 Peripheral with Passkey

Ole Morten — Thu, 20 Feb 2014 12:34:30 GMT

In general, using a static passkey isn't really possible with BLE. It has previously been discussed for example here, here and here, and I'd recommend you to read all of those, as they all include information that may be useful to find a good security scheme for your application.

Calling sd_ble_gap_sec_info_reply() is most often handled by the bond manager. For an example of how to use the bond manager, you can refer to this branch of the nrf51-ble-app-lbs example application.

For completeness, if you want to implement this yourself instead, you are supposed to reply to this event with the keys for the connected device. You should be able to find the connected device in your database of bonded devices by using the information in the sec_info_request event, and you should pass the LTK that should be used back to the softdevice in the _reply() call. You can refer to this MSC, as well as the bond manager code for details. Beware that implementing a bond manager is not trivial, and will require a good understanding of the relevant parts of the Core Specification, in particular Volume 3, Part H.

Finally, using _authenticate() is not recommended, especially not when working with iOS devices, as explained in Apple's Bluetooth Accessory Design Guidelines. Instead, you should make sure to set the permissions as you want on your characteristics (see the usage of BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() above), so that an error will be returned to the Central when it tries to do something that requires encryption. This error will then trigger most Central devices to automatically start bonding.