Good evening. I am writing a project on nrf51822 in which there are a number of services with a set of characteristics (write and read). I need to limit access to some characteristics with a password. Is it possible?
You are right, there exist two levels on the (G)ATT layer: Authorization to Read/Write and Authentication to Read/Write. It seems that authorization is what you are looking for (that depends on App proprietary state and explicit permission to execute, while the other should just relate to Link state, i.e. whether it uses encryption or not). See GATT Server message sequence charts here. I've totally forgotten about these, and the reason probably is that I've never seen this in use. Passwords typically add almost no security at all, so if you are not able to utilize BLE security inside the stack (e.g. because it doesn't scale to a fleet of many devices) then you should design a proper secure channel protocol on the APP layer.
Just to complete: if you are not using an encrypted link then using passwords is useless, because anyone with 40$ equipment will hear it in a 20-100m diameter. If you are using a properly secured link then why would you protect one part of the client from another when it must come from the same device? And if you don't trust each other then fine, deploy a proper secure channel based on symmetric or asymmetric keys and not passwords, which should have died in the 80s...
I have a problem with the following character. I have two services. One device (administrator) must have access to one service, the other device (user) must have access to the other. Neither the user nor the administrator has access to someone else's service. Is there a possibility to implement it on the stack, or will you have to implement it in the app?
It should work with Read/Write with authorization as per the message sequence chart. "Password and then you can do anything" isn't really secure but yes, it's slightly better than nothing. If this is enough for you it should work, sorry for pushing you to something more complex...
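An added example, not code from any of the posts above or from the SoftDevice: a plain-C model of the decision the application makes for each read/write authorization request in the administrator/user setup described. The handles, role names, table and function names are hypothetical, stack calls are omitted, and how a peer proves its role is left to the application.

```c
#include <stdint.h>
#include <stdbool.h>

/* ATT error codes from the Bluetooth Core Specification. */
#define ATT_SUCCESS                  0x00
#define ATT_ERR_INSUFFICIENT_AUTHOR  0x08
#define ATT_ERR_INSUFFICIENT_ENC     0x0F

typedef enum { ROLE_NONE = 0, ROLE_USER, ROLE_ADMIN } role_t;

/* Hypothetical attribute table: value handle -> the only role allowed. */
typedef struct { uint16_t handle; role_t owner; } acl_entry_t;
static const acl_entry_t acl[] = {
    { 0x0010, ROLE_ADMIN },  /* constructed: admin service characteristic */
    { 0x0012, ROLE_ADMIN },
    { 0x0020, ROLE_USER  },  /* constructed: user service characteristic */
};

#define MAX_CONN 4
typedef struct { bool encrypted; role_t role; } conn_state_t;
static conn_state_t conns[MAX_CONN];

/* Call on connect and on disconnect: a reused connection handle must
 * never inherit the previous peer's role or link state. */
void conn_reset(uint16_t conn) {
    if (conn < MAX_CONN) conns[conn] = (conn_state_t){ false, ROLE_NONE };
}

void conn_set_encrypted(uint16_t conn) {
    if (conn < MAX_CONN) conns[conn].encrypted = true;
}

/* Call once the application has authenticated the peer. The role is
 * recorded only on an encrypted link; returns false if refused. */
bool conn_set_role(uint16_t conn, role_t role) {
    if (conn >= MAX_CONN || !conns[conn].encrypted) return false;
    conns[conn].role = role;
    return true;
}

/* Decision for one authorization request; the default is deny. */
uint8_t authorize(uint16_t conn, uint16_t handle) {
    if (conn >= MAX_CONN) return ATT_ERR_INSUFFICIENT_AUTHOR;
    if (!conns[conn].encrypted) return ATT_ERR_INSUFFICIENT_ENC;
    for (unsigned i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (acl[i].handle == handle)
            return conns[conn].role == acl[i].owner
                       ? ATT_SUCCESS : ATT_ERR_INSUFFICIENT_AUTHOR;
    return ATT_ERR_INSUFFICIENT_AUTHOR;  /* unknown handle: deny */
}
```

In firmware the returned code would be passed back to the stack as the reply to the authorization request for that attribute.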
How specifically does authentication work? By what principle does it allow / disallow devices?