https://devzone.nordicsemi.com/f/nordic-q-a/2207/bonding-without-passkey-is-possible-using-nrf51822Hi, I was wondering whether bonding between devices is possible without using a passkey. I found a good documentation by Nordic Semi which illustrates all the bonding , pairing process in Message Sequence Charts. By analysing them I concludeden-USTelligent Community 13Fri, 13 Jun 2014 05:23:25 GMThttps://devzone.nordicsemi.com/thread/9324?ContentTypeID=1Fri, 13 Jun 2014 05:23:25 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fa96e4b6-5961-45cd-950d-c29bd30f86edMo A<p>Hi Leo, I am doing this using &#39;just works&#39; (as mentioned) . I haven&#39;t tried with the static key. I too was waiting for a reply to my last comment on the answer below.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/9323?ContentTypeID=1Thu, 15 May 2014 04:21:20 GMT137ad170-7792-4731-bb38-c0d22fbe4515:489abf53-662a-4a9d-a8a1-2c4cea538c40Leo Fu<p>Hi Mo, have you confirmed that it is possible or not to add a different static key like 123456 on both sides in bonding?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/9327?ContentTypeID=1Tue, 15 Apr 2014 06:36:37 GMT137ad170-7792-4731-bb38-c0d22fbe4515:390a282f-29c7-4852-a21a-f1acffe2ce15Mo A<p>Thanks again Ulrich,</p> <p>So it is like the key is entered automatically, there is no provision for the developer to add a different static key like 123456 ( also say the phone app developer that I am using this key)? Am I right?</p> <p>I wanted to test the &#39;Bonding&#39; in nRF51822. I used the &#39;ble_app_hrs&#39; for this. I made the macro SEC_PARAM_BOND as 0 from 1. When I downloaded the code, It was showing in the Master Control Panel and I was able to click &#39;Bond&#39; there, and It was bonding to the device (I guess) as when I pressed bond next time it was showing bond already exists. Why is this so ? Any other way to test bonding and storing of the peripheral keys? (Here the app nrf utility(in phone) is not able to connect to the device)</p> <p>Once the bonding is done can my nRF51822 peripheral be connected to the respective Phone/master whenever they comes in range?</p> <p>(Sorry for asking more questions, A newbie)</p> <p>Mo</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/9328?ContentTypeID=1Mon, 14 Apr 2014 21:08:13 GMT137ad170-7792-4731-bb38-c0d22fbe4515:c9a43a9c-5248-481e-965e-efaf4b8b0f6aUlrich Myhre<p>When using S110, the zeroed key will be entered automatically, but some phone vendors will (erroneously) make you enter a PIN with only zeros, so it&#39;s something to just keep in mind.</p> <p>Bluetooth LE is not very secure when using PIN authentication, because the number of possible codes is pretty low. To reiterate: OOB pairing is quite secure, PIN authentication is slightly more secure than JustWorks, and JustWorks is not very secure at all. The danger is someone sniffing the traffic the moment where the keys are exchanged. If you are able to reduce TX power and hold the devices close to eachother (and/or shield them from other devices), this will be much harder to do.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/9326?ContentTypeID=1Mon, 14 Apr 2014 11:34:11 GMT137ad170-7792-4731-bb38-c0d22fbe4515:463a5465-f592-4545-9411-10250028a338Mo A<p>Thanks a lot Ulrich for the reply,</p> <ul> <li> <p>The passkey you have mentioned &#39;000000&#39; which both devices will agree, Is this automatic or should we provide this in the code in both devices? Where can be the proper place in code&quot; (Or this is done indirectly by setting MITM to 0 and IO capabilities to &quot;BLE_GAP_IO_CAPS_NONE&quot; )</p> </li> <li> <p>In the second para , you have mentioned &quot;If this is not available, passkey authentication can be made more secure by reducing the transmitting power during the bonding.&quot; But I am afraid it is again using a passkey.</p> </li> </ul> <p>regards, Mo</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/9325?ContentTypeID=1Sun, 13 Apr 2014 03:41:43 GMT137ad170-7792-4731-bb38-c0d22fbe4515:743d0fdb-66a5-46c5-9bef-ab5977ff60d7Ulrich Myhre<p>Yes, you can bond two devices without inputting any out-of-band keys. In that scenario, both the devices will agree to use a passkey equal to 000000. This can be done if you set the MITM bit to 0 (and preferably IO capabilities to &quot;BLE_GAP_IO_CAPS_NONE&quot; ). This is what the Bluetooth Spec calls &quot;Just Works&quot; as you already found out.</p> <p>When you pair without man-in-the-middle protection, you risk that someone might be able to listen to the session and save the negotiated keys used for future encryption. This allows an attacker to decrypt future communications easily. It&#39;s recommended to use OOB data for pairing if possible. If this is not available, passkey authentication can be made more secure by reducing the transmitting power during the bonding.</p> <p>There are multiple keys that can be exchanged, and I recommend reading either the Bluetooth Spec or external sources to better understand how these are used. The important ones are the:</p> <ol> <li>Encryption Information, which contains the Long Term Key the central will use together with ediv/rand to encrypt connections in the future.</li> <li>Identity Information, used for resolvable addresses and privacy.</li> </ol> <p>For some inspiration on how to accomplish this, you could take a look at the Bond Manager provided by the SDK.</p><div style="clear:both;"></div>