
How to provide authorization of app before connection?

Hello, I am using the secure_dfu_secure_dfu_ble_s132_pca10040 project. Now I want only a user who has a specific key to be able to access my nRF device and then send the zip package for DFU. How should I implement this? I am using nRF52 and SDK 12. I am able to transfer the zip package using nRF Toolbox.

The file is nrf_ble_dfu.txt

Modified code is code.txt

Ble_gap.h ble_gap.txt

  • Could you describe a little bit more how you want to limit the user's access to your device?

    When you generate the .zip package there is already a private key used to create the signature. This signature will guarantee the integrity and the origin source of the .zip is from you.

    I assume here you want to limit the person that can do DFU to the device even though it's a legit .zip package.

    For that purpose, I think you can implement one more security level on top of what we have now. It could be as simple as a "password" the app needs to write to the bootloader to enable DFU mode, or it could be a more complex mechanism of your choice.

  • Hello Hung, yes, I want a password. Actually, my application's requirement is as follows:

    1. The first time the mobile app connects to the nRF52, the app will send the IMEI of the mobile to the nRF52.
    2. This IMEI has to be saved in ROM.
    3. So when the device connects to the nRF52 again through the app, it should verify the IMEI of the mobile and only then allow access for DFU.

    What should I do to implement this? Thanks
  • What if an attacker copies the IMEI and then sends it when he connects using his own phone?

    What you are planning to do now is similar to a whitelist which stores the address of the phone. It's very easy to bypass that.

  • Dear Hung,

    That was the best idea we came up with. If you have a better idea please let us know.

    We need to be able to do two things:

    1. Once the product is out in the market we need the user's phone to be able to be the only phone that can authenticate the DFU and communicate with the product.

    2. If the user loses his phone we need the ability to factory reset the device and then have the new phone be the one to authenticate the DFU.

    Please suggest.

    Thanks

    Shailav

  • Additionally, we can also argue that the key that Nordic generates for us, which we make our 'private' key, can also get into the hands of the attacker. Isn't that also possible?

    You mentioned some complex mechanisms of our choice. Do you have any suggestions on that? We are newbies in this area so any help that you can provide will be much appreciated.

    Thanks

    Shailav.
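
The replay concern raised in this thread, next to one possible "more complex mechanism", as an added example that is not part of the original posts or of the Nordic SDK: a Python model of the phone/device exchange, not firmware code. All class and function names are hypothetical; it assumes the shared key is enrolled over an encrypted link and that factory reset requires physical access to the device.

```python
import hashlib, hmac, secrets

class StaticIdDevice:
    """Scheme from the thread: store the first identifier seen, compare later."""
    def __init__(self):
        self.stored_id = None
    def connect(self, phone_id: bytes) -> bool:
        if self.stored_id is None:          # first connection: enroll
            self.stored_id = phone_id
            return True
        return hmac.compare_digest(self.stored_id, phone_id)

class ChallengeDevice:
    """Enroll a random shared key once, then require HMAC over a fresh nonce."""
    def __init__(self):
        self.key = None
        self.nonce = None
    def enroll(self, key: bytes) -> bool:
        if self.key is not None:            # already bound to a phone
            return False
        self.key = key
        return True
    def factory_reset(self):                # assumed to need physical access
        self.key = None
        self.nonce = None
    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce
    def allow_dfu(self, response: bytes) -> bool:
        if self.key is None or self.nonce is None:
            return False
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        self.nonce = None                   # each challenge is single use
        return hmac.compare_digest(expected, response)

def phone_response(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    imei = b"000000000000000"               # constructed sample value
    static = StaticIdDevice()
    static.connect(imei)
    replay_static = static.connect(imei)    # a copied identifier is accepted
    key = secrets.token_bytes(32)
    dev = ChallengeDevice()
    dev.enroll(key)
    captured = phone_response(key, dev.challenge())
    first = dev.allow_dfu(captured)         # legitimate phone, fresh nonce
    dev.challenge()                         # new session, new nonce
    replay_cr = dev.allow_dfu(captured)     # recorded response is rejected
    return replay_static, first, replay_cr
```

`demo()` returns whether the replayed static identifier was accepted, whether the legitimate response was accepted, and whether the recorded response was accepted in a later session.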
