How to provide authorization of app before connection?

RE: How to provide authorization of app before connection?

Hung Bui — Thu, 26 Jan 2017 06:06:37 GMT

How did you get that "demo" keys ? As far as I know the private key for demo is not available.

To generate your own key, please follow the instruction here on how to generate cryptography keys.

You would need to modify the bootloader code. What was designed is only for 1 pair of key. If you want 2 pairs, there should be 2 check, one for each key. (two check before throwing the Your plan is to make the 2nd keys dynamic, how do you plan to update the 2nd key ? You may need to update the bootloader so that it has an extra command to receive a new key, store it into flash. The bootloader then read the flash to get the key next time it starts.

RE: How to provide authorization of app before connection?

Newbie — Thu, 19 Jan 2017 04:26:23 GMT

Hello Hung, I have few question.

The public and private key that I have is only for demo purpose. So if I want to go for production then how should I generate those keys?
Can I use 2 keys in firmware? One key will be common for our company and other key will be different for different users.

We want to send common updated firmware to all user so one key will be same and generated by our company. At the user end we want to add other key so that will be different for different users.

Now my concern is how to update key at run time without compiling it?

At present I need to manually add keys in dfu_public_keys.

Thanks

RE: How to provide authorization of app before connection?

Hung Bui — Tue, 17 Jan 2017 15:17:40 GMT

Once bonded or paired, the link is encrypted with AES128 bit. The most vulnerable part is when the bonding process is performed and it's where MITM avoidance taken place (Phase 2). It could be passkey, numeric comparison or OOB.

You may want to read more about BLE security, for example from here.

RE: How to provide authorization of app before connection?

Newbie — Tue, 17 Jan 2017 09:22:41 GMT

Hello Hung, Once the link is established between app and nrf device even then mitm attacks are possible. Does the data transfers takes place as normal plain text or aes encryption technique is used to transfer the data?

RE: How to provide authorization of app before connection?

Hung Bui — Tue, 17 Jan 2017 08:45:24 GMT

The passkey you mentioned is part of BLE bonding process. You can try to bond your device with the phone either in both your application and your bootloader (share bond information) or separately if you found sharing bond information is difficult.

If your device doesn't have screen or keyboard, you can think of using static passkey. It's a passkey you printed and only the owner of the device know it. It's less secure than normal random dynamic passkey.

RE: How to provide authorization of app before connection?

Newbie — Mon, 16 Jan 2017 09:42:04 GMT

Hello Hung, I have few questions. With dfu secure project I can now upload securely to my nordic device but when the connection is established how can I stop man in the middle attacks? Is there any encryption technique provided by nordic to ensure that my mobile and nordic communicates securely? I have read the dynamic passkey code. In that random passkey is generated to stop mitm attack but with devices having io facilities only. I just have nordic app and nrf52 so should I try this in my firmare?

RE: How to provide authorization of app before connection?

Hung Bui — Wed, 11 Jan 2017 09:07:18 GMT

No, BLE whitelist can only be used with BLE address.

If you want to use IMEI, please implement your own mechanism. For example device won't do any activity, until the phone write its own IMEI to the device. You can put a timing requirement, say after 5 seconds if no valid IMEI is written device will disconnect.

RE: How to provide authorization of app before connection?

Newbie — Wed, 11 Jan 2017 08:50:31 GMT

Hello Hung, Instead of Device address can I use imei of my cell phone and implement whitelist?

RE: How to provide authorization of app before connection?

Hung Bui — Wed, 11 Jan 2017 08:41:44 GMT

Are you talking about using peer manager ? If you don't use peer manager, you need to handle all of that on your own. With peer manager, it will handle that for you. But you need to know how to use peer manager. Please have a look at our examples in the SDK, the ble_hid_keyboard for example.

RE: How to provide authorization of app before connection?

Newbie — Wed, 11 Jan 2017 05:05:59 GMT

Do I need to add the address of my phone in firmware or it will first bond with the device and will afterwards it will only connect with that specific device which was bonded first?

RE: How to provide authorization of app before connection?

Hung Bui — Tue, 10 Jan 2017 12:09:12 GMT

You don't have to add it if you don't want to. It's simply a library as a guidance. You can use the API directly. If you simply want a hardcoded whitelist with public address, you can go with what you are trying to do. What I suggested was to study the id_manager.c to know how we set the whitelist, inside im_whitelist_set().

RE: How to provide authorization of app before connection?

Newbie — Tue, 10 Jan 2017 11:20:36 GMT

Hello Hung, The peer libraries are not added in the code of dfu_secure project. So do I need to add it or is there any other way?

RE: How to provide authorization of app before connection?

Hung Bui — Tue, 10 Jan 2017 10:27:16 GMT

Hi, my code is for S110v8.0 and S130 v1.0 as I mentioned in the blog "The following code (for S110v8.0/S130v1.0)"

If you are using with S132 v3.0 you need to use sd_ble_gap_whitelist_set() to set the whitelist. Please have a look here. Please study the id_manager.c in the peer manager library.

You can't simply change the structure defined in the API header files. The structure is fixed, as it's hardcoded in the softdevice, you shouldn't change them.

RE: How to provide authorization of app before connection?

Newbie — Tue, 10 Jan 2017 06:29:07 GMT

Hello Hung, I have figured out the problem. Please refer to my text document as when I paste code here it gets mess . Thanks

RE: How to provide authorization of app before connection?

Hung Bui — Mon, 09 Jan 2017 15:10:18 GMT

Have you checked all the return code and it returns NRF_SUCCESS?

RE: How to provide authorization of app before connection?

Newbie — Mon, 09 Jan 2017 14:17:57 GMT

Hello Hung, Its not advertising at all. I changed the addr to my phone's address but it doesn't connect. Thanks

RE: How to provide authorization of app before connection?

Hung Bui — Mon, 09 Jan 2017 13:43:10 GMT

You need to tell me what is the outcome of the code, what is the issue you have now? Please answer the question I asked in the previous message.

RE: How to provide authorization of app before connection?

Newbie — Mon, 09 Jan 2017 13:37:18 GMT

Hello Hung, As suggessted by you have edited the code and I am attaching my code in the file above. Now do I need to add anything to the cases? Can you try this modification at your end tell me what changes should I make to make it work? Thanks, Shailav

RE: How to provide authorization of app before connection?

Hung Bui — Fri, 06 Jan 2017 14:24:34 GMT

It's simple to add whitelist. But the question is how you can get the address of the device, how do you deal with device that have Resolvable Random Address (iPhone). Also simply use only whitelist won't guarantee security, anyone can spoof your address.

Regarding the code, you would need to check return err_code of each of the API call.

RE: How to provide authorization of app before connection?

Newbie — Fri, 06 Jan 2017 13:59:45 GMT

I think its more complex to implement whitelist by referring this code. I need to add more peer related files to this.Can you suggest me easy way like the one mentioned in your blog. Can you edit the code that I attached previously by referring your blog? Thanks

RE: How to provide authorization of app before connection?

Hung Bui — Fri, 06 Jan 2017 11:58:21 GMT

Then you need to implement whitelisting and bonding with your application. Please study the example.

RE: How to provide authorization of app before connection?

Newbie — Fri, 06 Jan 2017 11:56:48 GMT

yes I want my phone to be only phone to connect and access the device.

RE: How to provide authorization of app before connection?

Hung Bui — Fri, 06 Jan 2017 11:43:40 GMT

You can have a look at the ble_app_hid_keyboard, advertising_start() function to see how whitelist is used. It's the combination between peer manager (where device address, IRK, and bond information is collected) and ble_advertising module (where whitelist is used in advertising packet).

You may want to describe what exactly you want to achieve and how you plan to do it. Please answer my question :

You want to limit the phone to be the only phone that can authenticate the DFU action or also the only phone can connect and access the device ?

RE: How to provide authorization of app before connection?

Newbie — Fri, 06 Jan 2017 11:07:35 GMT

Hello Hung, Is there any peer code in the sdk? I didnt find any in example. Which code should I refer to generate whitelist and ? I am using sdk12 as mentioned before. Thanks

RE: How to provide authorization of app before connection?

Hung Bui — Fri, 06 Jan 2017 10:00:36 GMT

Hi Shailav,

I would suggest you to get familiar with how whitelist work, how you can get the address, the IRK (when the peer device using random resolvable address, like the iPhone) and try to test using normal application first, before you implement on the bootloader. You also need to deal with how to store bonding information how to restore it. All this is already implemented in our peer manager. But it's not used in the bootloader.

I can see in your code you didn't check for the return err_code back. Always check the err_code is NRF_SUCCESS, if not, it won't work. Removing code check won't help.

I mentioned it in my blog:

To make the code short and simple, the check of the return code (err_code) of the API call is not added here. When you implement your code, make sure the return code of each API is checked and it should return NRF_SUCCESS (0x00).