
Require BLE 4.2 key exchange but not MITM

I have an application which requires protection from passive eavesdropping, but not man-in-the-middle attacks. I want to enforce the use of Diffie-Hellman key exchange.

Security Mode 1 Level 4 does enforce Diffie-Hellman key exchange, but it also enforces man-in-the-middle protection. I really only need Security Mode 1 Level 2, but with Secure Connection support.

I thought about checking the lesc field in the data for the BLE_GAP_EVT_SEC_PARAMS_REQUEST event. However, sd_ble_gap_sec_params_reply returns NRF_ERROR_INVALID_STATE. I'm using Peer Manager, which is presumably already calling this function.

BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST looks capable of doing what I want, but I wanted to check if there was a way which involved configuration only. Any suggestions?

I'm using SDK 13.0.0 and SoftDevice s140 5.0.0-2.alpha on the nRF52840.
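The GATT-layer approach mentioned above (gating attribute access in BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST on whether the link's keys came from an LESC pairing, without requiring MITM) sketched as an added example; this is not code from the question or the Nordic SDK. The struct, the `links` table and the three handler functions are stand-ins invented for the example; only the numeric GATT status codes mirror the SoftDevice's ble_gatt.h values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Local definitions so the example compiles without the nRF5 SDK.
 * The status values mirror ble_gatt.h; everything else is a simplified model. */
#define GATT_STATUS_SUCCESS              0x0000
#define GATT_STATUS_INSUF_AUTHENTICATION 0x0105
#define GATT_STATUS_INSUF_ENCRYPTION     0x010F
#define MAX_LINKS 4

typedef struct {
    bool encrypted;     /* link encryption is currently on */
    bool lesc;          /* keys were derived by LE Secure Connections (ECDH) */
    bool authenticated; /* MITM-protected pairing (passkey / numeric comparison / OOB) */
} link_state_t;

static link_state_t links[MAX_LINKS]; /* indexed by connection handle (model only) */

/* Feed from BLE_GAP_EVT_AUTH_STATUS: record how this link's keys were produced. */
void on_auth_status(uint16_t conn_handle, bool lesc, bool mitm)
{
    if (conn_handle >= MAX_LINKS) return;
    links[conn_handle].lesc = lesc;
    links[conn_handle].authenticated = mitm;
}

/* Feed from BLE_GAP_EVT_CONN_SEC_UPDATE: encryption turned on or off.
 * Losing encryption invalidates what we know about the key's origin. */
void on_conn_sec_update(uint16_t conn_handle, bool encrypted)
{
    if (conn_handle >= MAX_LINKS) return;
    links[conn_handle].encrypted = encrypted;
    if (!encrypted) { links[conn_handle].lesc = false; links[conn_handle].authenticated = false; }
}

void on_disconnect(uint16_t conn_handle)
{
    if (conn_handle < MAX_LINKS) memset(&links[conn_handle], 0, sizeof links[conn_handle]);
}

/* gatt_status to put in the BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST reply.
 * Policy: require an LESC-derived key (legacy Just Works / passkey pairing can be
 * passively eavesdropped) but do NOT require MITM authentication, which is exactly
 * "Mode 1 Level 2 plus Secure Connections". */
uint16_t authorize_status(uint16_t conn_handle)
{
    if (conn_handle >= MAX_LINKS || !links[conn_handle].encrypted)
        return GATT_STATUS_INSUF_ENCRYPTION;      /* central must encrypt first */
    if (!links[conn_handle].lesc)
        return GATT_STATUS_INSUF_AUTHENTICATION;  /* encrypted with legacy keys: re-pair */
    return GATT_STATUS_SUCCESS;                   /* links[].authenticated is deliberately ignored */
}
```

On a reconnection that re-uses an existing bond only BLE_GAP_EVT_CONN_SEC_UPDATE fires, so the lesc flag then has to come from the stored bond data (the encryption info the stack saved at pairing time) rather than from a fresh AUTH_STATUS event.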

  • Ok, then I guess my question becomes: why am I not getting mode 1 level 4? I'm using nRF Connect as the central node. I perform a pair with the "Enable LE Secure Connection pairing" option checked. The resulting security level is 2.

    I've integrated LESC support from the ble_app_multirole_lesc example. I can see from the nRF logs that the LESC key is generated. I get a PM_EVT_CONN_SEC_SUCCEEDED with a procedure of 2. Then I get a BLE_GAP_EVT_AUTH_STATUS with mode 1 level 2. Would the nRF Connect log be helpful?
