
pairing procedure "authentication requirement"

Thank you for reading my question.

Peripheral project: ble_app_hrs_rscs_relay, SDK14.1, S132

Client project: another manufacturer's SoC

I set peripheral peer manager to MITM = 1, IO cap = BLE_GAP_IO_CAPS_KEYBOARD_DISPLAY

client's MITM = 0, IO cap = BLE_GAP_IO_CAPS_NONE

From the sniffer capture, I found that the pairing procedure completes normally, and the method finally used to generate the STK should be Just Works.

BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H page 2315

"If the key generation method does not result in a key that provides sufficient security properties then the device shall send the Pairing Failed command with the error code "Authentication Requirements"."

Question 1: Is "sufficient security properties" here referring to the MITM field in the pairing request / pairing response? Does the STK generated by Just Works not satisfy the security requirements of the peripheral?

BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H page 2346

"value: 0x03

Name: Authentication Requirements

Description: The pairing procedure can not be performed as authentication requirements can not be met due to IO capabilities of one or both devices"

Question 2: If my understanding of Question 1 is correct, why does the peripheral not send Pairing Failed with "Authentication Requirements"? Or is my understanding of Question 1 wrong?

  • My understanding is that "sufficient security properties" is defined by the application.

    When a peripheral gets a pairing request (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

    sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the central. See this MSC.

    When a central gets a pairing response (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

    sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the peripheral. See this MSC.

    At first look it doesn't seem like this is supported by the Peer Manager.

  • I'm not sure what your goal is with this, but there might be other ways to solve this, not using Pairing Failed.

    You can for example just disconnect the link if you don't like the security level the link ends up in. See this for some background information.

    Again, I'm not sure what your goal is, but you can protect your characteristic values by setting the security level required to access them. So if you set level 3, a pairing resulting in level 2 (Just Works) will not be sufficient, and you can disconnect it if you want to.
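
The outcome discussed in this thread, as an added example that is not part of the original posts or of the nRF5 SDK: a stand-alone C model of method selection for LE legacy pairing without OOB, applied to the two devices in the question, plus a strict local policy that answers an unauthenticated key with reason 0x03. The type and function names are hypothetical, and applying such a policy is an application decision.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SMP IO capability codes, in the order the specification numbers them. */
typedef enum { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY,
               IO_NONE, IO_KEYBOARD_DISPLAY } io_cap_t;
typedef enum { METHOD_JUST_WORKS, METHOD_PASSKEY } method_t;

typedef struct { io_cap_t io; bool mitm; } auth_req_t;  /* hypothetical type */

#define SMP_OK            0x00  /* constructed "no failure" marker, not an SMP code */
#define SMP_ERR_AUTH_REQ  0x03  /* "Authentication Requirements" */

static bool has_keyboard(io_cap_t io)
{
    return io == IO_KEYBOARD_ONLY || io == IO_KEYBOARD_DISPLAY;
}

/* LE legacy pairing, no OOB: which STK generation method do the two sides get? */
method_t select_method(auth_req_t initiator, auth_req_t responder)
{
    /* Neither side asks for MITM: IO capabilities are ignored. */
    if (!initiator.mitm && !responder.mitm) return METHOD_JUST_WORKS;
    /* A side with no input and no output cannot take part in passkey entry. */
    if (initiator.io == IO_NONE || responder.io == IO_NONE) return METHOD_JUST_WORKS;
    /* Passkey entry needs a keyboard on at least one side. */
    if (has_keyboard(initiator.io) || has_keyboard(responder.io)) return METHOD_PASSKEY;
    return METHOD_JUST_WORKS;
}

/* Strict local policy: a side that set MITM=1 refuses an unauthenticated key. */
uint8_t strict_policy_result(auth_req_t local, method_t method)
{
    return (local.mitm && method == METHOD_JUST_WORKS) ? SMP_ERR_AUTH_REQ : SMP_OK;
}

int main(void)
{
    auth_req_t central    = { IO_NONE, false };             /* the thread's client */
    auth_req_t peripheral = { IO_KEYBOARD_DISPLAY, true };  /* the thread's peripheral */
    method_t m = select_method(central, peripheral);
    printf("method=%s, strict peripheral would send reason 0x%02x\n",
           m == METHOD_JUST_WORKS ? "Just Works" : "Passkey Entry",
           strict_policy_result(peripheral, m));
    return 0;
}
```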
