https://devzone.nordicsemi.com/f/nordic-q-a/25893/is-re-pairing-necessary-with-mitm-protectionI am working on a peripheral. This peripheral is IO display only. On the other side, the central is keyboard + display. I have a single, custom service with a single characteristic. Said characteristic is readable and writable and requires both encryptionen-USTelligent Community 13Mon, 16 Oct 2017 13:56:36 GMThttps://devzone.nordicsemi.com/thread/101976?ContentTypeID=1Mon, 16 Oct 2017 13:56:36 GMT137ad170-7792-4731-bb38-c0d22fbe4515:50ed05a1-98db-4cec-bdaf-25ae8a9f46e1Mateusz<p>Looks like the issue was with non-volatile memory. Security properties were not being saved properly. Why or how - I&#39;m not sure yet, but that&#39;s a different issue.</p> <p>So if a device is paired and bonded with MITM protection, authenticated reads or writes should succeed on the initial and following connections.</p> <p>Thanks Hung Bui for your help. I deleted my previous &quot;answer&quot; as I was misunderstanding the book quote.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/101974?ContentTypeID=1Mon, 16 Oct 2017 07:42:47 GMT137ad170-7792-4731-bb38-c0d22fbe4515:4881aeab-e092-4666-9521-b9cdd7031fc9Hung Bui<p>The log didn&#39;t show how the initial bonding is performed. I would suggest you to get hold of a nRF51 DK (or nRF52 DK ) and capture a sniffer trace.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/101975?ContentTypeID=1Sun, 15 Oct 2017 00:53:56 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a3d2dc79-332d-4b82-81ee-1142bba4d821Mateusz<p>Here&#39;s a log - see link below. It was captured on MacOS with Xcode&#39;s PacketLogger, but it&#39;s viewable with WireShark. The flow is (more or less) - connect to the device, pair and bond, read and write the characteristic value (successfully), then disconnect. Then, connect again and attempt to read the characteristic value (fails). MacOS then begins to re-pair. In the PacketLogger, I see that the LTK is distributed properly - it&#39;s used on next connection for encryption. <a href="https://goo.gl/BYKNeS">https://goo.gl/BYKNeS</a></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/101973?ContentTypeID=1Fri, 13 Oct 2017 14:35:35 GMT137ad170-7792-4731-bb38-c0d22fbe4515:506e3368-16e0-426f-ab9d-7fdc32aa28f9Hung Bui<p>Hi,</p> <p>Could you provide <a href="https://www.nordicsemi.com/eng/Products/Bluetooth-Smart-Bluetooth-low-energy/nRF-Sniffer/">a sniffer trace</a> ?</p> <p>Have you make sure when you re-establish the connection, the LTK is used and the connection is encrypted using the LTK.</p> <p>My suspicion is that the LTK was not stored properly (or not exchanged at all if it was only pairing not bonding, initially). So when re-establishing connection, the link is not encrypted , causing Insufficient Authentication.</p> <p>You can check in the code if BLE_GAP_EVT_CONN_SEC_UPDATE is triggered or not when the connection is established. But it&#39;s the best to have the sniffer trace.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/101972?ContentTypeID=1Thu, 12 Oct 2017 16:10:32 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0eb21e05-2ef0-493b-9e64-c58dbb72ef69Mateusz<p>According to a book &quot;Getting Started With Bluetooth Energy&quot; by Kevin Townsend &amp; others, &quot;Insufficient Authentication (...) denotes (...) that the link is encrypted, but the LTK used to perform the encryption procedure is not authenticated (generated with man-in-the-middle protection (...)) while the permissions required authenticated encryption&quot;.</p><div style="clear:both;"></div>