pairing procedure "authentication requirement"

RE: pairing procedure "authentication requirement"

Stayhungry — Wed, 15 Nov 2017 17:03:26 GMT

As you said, from pm_evt_handler's p_evt parameter, I'm not even able to know who caused PM_EVT_CONN_SEC_SUCCEEDED event, perhaps caused by pairing request from client, or client access to a higher security attribute, although the latter server would send Insufficient Authentication to the client, but in pm_evt_handler of peripheral's code i can not know this, and I would not be able to do a disconnect for the latter case because I do not know what is the current case.

RE: pairing procedure "authentication requirement"

Petter Myhre — Wed, 15 Nov 2017 15:49:07 GMT

Yes.

Yes. Insufficient Authentication will be received if the client tries to access and attribute with a higher security level requirement than the connection is currently in.

RE: pairing procedure "authentication requirement"

Stayhungry — Wed, 15 Nov 2017 15:37:15 GMT

Thank you for your patience, thank you very much.

According to my understanding: After the Central send pairing request, peripheral will get BLE_GAP_SEC_STATUS_SUCCESS, regardless of MITM, and will not initiate pairing failed, I guess this is what you want to let me know

BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part C page 2071

"If an authenticated pairing is required but only an unauthenticated pairing has occurred and the link is currently encrypted, the service request shall be rejected with the error code "Insufficient Authentication." "

But in the case of attribute permisson restrictions, which is another idea you mentioned, is it the same? That is, if an NO MITM's encrypted connection, central access a Level 1 mode3 attribute, what happens? peripheral will also get BLE_GAP_SEC_STATUS_SUCCESS and softdevice send "Insufficient Authentication" to central? I feel so strange, it should be my understanding is not clear.

RE: pairing procedure "authentication requirement"

Petter Myhre — Wed, 15 Nov 2017 15:06:37 GMT

You got me wrong. You will always receive BLE_GAP_EVT_AUTH_STATUS on successful pairing. Then you can check the ble_gap_evt_auth_status_t struct that comes with this event. In it you will have sm1_levels. Which will tell you the security level achieved. The result will always be BLE_GAP_SEC_STATUS_SUCCESS if the pairing is successful, even if the pairing is Just Works.

RE: pairing procedure "authentication requirement"

Stayhungry — Wed, 15 Nov 2017 13:35:22 GMT

If I did not get it wrong, what you meant was: If I set an attribute to Level1 mode3, assuming that the connection to the attribute is Level1 mode2 (Just work), it will cause the softdevice send BLE_GAP_EVT_AUTH_STATUS event, But what is the result? BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP or BLE_GAP_SEC_STATUS_AUTH_REQ? BLE_GAP_SEC_STATUS_SUCCESS?

RE: pairing procedure "authentication requirement"

Petter Myhre — Wed, 15 Nov 2017 13:24:18 GMT

That would be in the ble_gap_evt_auth_status_t struct, in sm1_levels, available when you get the BLE_GAP_EVT_AUTH_STATUS event.

RE: pairing procedure "authentication requirement"

Stayhungry — Wed, 15 Nov 2017 11:57:18 GMT

Thank you for providing me with other ideas.

still have a question: "So if you set level 3, a pairing resulting in level 2 (Just Works) will not be sufficient, and you can disconnect it if you want to."

Where do I get the result of this decision? That is where I execute the disconnect operation in my code.

RE: pairing procedure "authentication requirement"

Petter Myhre — Wed, 15 Nov 2017 11:07:19 GMT

I'm not sure what your goal with this, but there might be other ways to solve this, not using pairing failed.

You can for example just disconnect the link if you don't like the security level the link ends up in. See this for some background information.

Again, I'm not your sure what your goal is, but you can protect your characteristic values by setting the security level required to access them. So if you set level 3, a pairing resulting in level 2 (Just Works) will not be sufficient, and you can disconnect it if you want to.

RE: pairing procedure "authentication requirement"

Petter Myhre — Wed, 15 Nov 2017 11:07:15 GMT

Give up Peer Manager? Do you mean to still use Peer Manager, but replying to the BLE_GAP_EVT_SEC_PARAMS_REQUEST directly yourself? Then you must at least be sure not to forward the BLE_GAP_EVT_SEC_PARAMS_REQUEST event to the Peer Manager, and still it might be complications, I'm not sure. Haven't tested.

RE: pairing procedure "authentication requirement"

Stayhungry — Wed, 15 Nov 2017 10:08:57 GMT

Thank you very much for your reply.

If I want to follow my BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H page 2346 to write my program.

When IO cap is found insufficient Pairing Failed, then I can only give up peer manager, using the original BLE_GAP_EVT_SEC_PARAMS_REQUEST?

Device manager to meet my needs? Or I can only write one to manage peer address, LTK, etc.?

RE: pairing procedure "authentication requirement"

Petter Myhre — Wed, 15 Nov 2017 09:59:54 GMT

My understanding is that "sufficient security properties" is defined by the application.

When a peripheral gets a pairing request (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the central. See this MSC.

When a central gets a pairing response (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the peripheral. See this MSC.

At first look it doesn't seem like this is supported by the Peer Manager.

RE: pairing procedure "authentication requirement"

Stayhungry — Mon, 13 Nov 2017 15:40:13 GMT

Sorry, I do not know what pcap file mean?Did you mean sniffer's captured image?

The reason why I am very confused because:

If I make central's MITM = 1, IO cap = BLE_GAP_IO_CAPS_KEYBOARD_DISPLAY, peripheral's MITM = 0, IO cap = BLE_GAP_IO_CAPS_NONE

central will send Pairing Failed command with the error code "Authentication Requirements." These are all the information I get from sniffer

RE: pairing procedure "authentication requirement"

David Edwin — Mon, 13 Nov 2017 15:19:00 GMT

Can you post the pcap file as an attachment ?