• State Verified Answer
  • Replies 13 replies
  • Subscribers 73 subscribers
  • Views 7758 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 126852
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

pairing procedure "authentication requirement"

Stayhungry

Thank you for reading my question.image description

peripheral project :ble_app_hrs_rscs_relay,SDK14.1 ,S132

client project: another manufacturer's soc

I set peripheral peer manager to MITM = 1, IO cap = BLE_GAP_IO_CAPS_KEYBOARD_DISPLAY

client's MITM = 0, IO cap = BLE_GAP_IO_CAPS_NONE

Through sniffer capture packets found that pairing procedure can be normal, and finally used should be Just work way to generate STK.

BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H page 2315

"If the key generation method does not result in a key that provides sufficient security properties then the device shall send the Pairing Failed command with the error code "Authentication Requirements."

Question 1: Is "sufficient security properties" here referring to the MITM field in the pairing request / pairing response? Just work generated STK is not satisfied with the safety requirements of peripheral?

BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H page 2346

"value: 0x03

Name: Authentication Requirements

Description: The pairing procedure can not be performed as authentication requirements can not be met due to IO capabilities of one or both devices "

Question 2: If my understanding of Question 1 is correct, why does peripheral not send Pairing Failed with "Authentication Requirements"? Or is my understanding of Question 1 wrong?

Parents
  • 0

    My understanding is that "sufficient security properties" is defined by the application.

    When a peripheral gets a pairing request (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

    sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the central. See this MSC.

    When a central gets a pairing response (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

    sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the peripheral. See this MSC.

    At first look it doesn't seem like this is supported by the Peer Manager.

  • 0 in reply to Petter Myhre

    Thank you for your patience, thank you very much.

    According to my understanding: After the Central send pairing request, peripheral will get BLE_GAP_SEC_STATUS_SUCCESS, regardless of MITM, and will not initiate pairing failed, I guess this is what you want to let me know

    BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part C page 2071

    "If an authenticated pairing is required but only an unauthenticated pairing has occurred and the link is currently encrypted, the service request shall be rejected with the error code "Insufficient Authentication." "

    But in the case of attribute permisson restrictions, which is another idea you mentioned, is it the same? That is, if an NO MITM's encrypted connection, central access a Level 1 mode3 attribute, what happens? peripheral will also get BLE_GAP_SEC_STATUS_SUCCESS and softdevice send "Insufficient Authentication" to central? I feel so strange, it should be my understanding is not clear.

Reply
  • 0 in reply to Petter Myhre

    Thank you for your patience, thank you very much.

    According to my understanding: After the Central send pairing request, peripheral will get BLE_GAP_SEC_STATUS_SUCCESS, regardless of MITM, and will not initiate pairing failed, I guess this is what you want to let me know

    BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part C page 2071

    "If an authenticated pairing is required but only an unauthenticated pairing has occurred and the link is currently encrypted, the service request shall be rejected with the error code "Insufficient Authentication." "

    But in the case of attribute permisson restrictions, which is another idea you mentioned, is it the same? That is, if an NO MITM's encrypted connection, central access a Level 1 mode3 attribute, what happens? peripheral will also get BLE_GAP_SEC_STATUS_SUCCESS and softdevice send "Insufficient Authentication" to central? I feel so strange, it should be my understanding is not clear.

Children
No Data
Related
Terms of service