This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

BLE preshared PIN/key auth

Hi, i'm developing an app for Android and iOS that needs to comunicate with a devices based on nRF51422 with S110 v7 loaded.

We want to encrpyt all comunication and enstablish a bond only between the app and our devices.

The device hasn't a keyboard or a screen.

I looked that there are a lot of solutions:

whitelisting
static pin
oob mechanism

I am a little in trouble because whitelisting is bypassable using mac spoofing and it is fixed while static pin is exploitable by a brute force attack.

The oob mechanism seems the best one but there is no support from Android neither iOS. Please correct me if I'm wrong.

I'm thinking to implement a challange response algorithm reading/writing to a GATT characteristic but with SoftDevice I've no access to AES engine. So I feel in a no go issue.

Probably, I'm sure, there is a simpler solution than those I thought and I just wrote to you. Let me know your opinion.

To be clear, I need only to enstabilish a comunication between my devices and my app in an encrypted way using a key hardcoded in the device.

Thank you in advance! Emiliano

Top Replies

Sai over 10 years ago +2

Did you look at my discussion with Ulrich here? devzone.nordicsemi.com/.../ In my prototype, I used ECDH for shared key exchange and AES for encryption of heart rate data from the default heart rate…

0 Sai over 10 years ago

Did you look at my discussion with Ulrich here? devzone.nordicsemi.com/.../

In my prototype, I used ECDH for shared key exchange and AES for encryption of heart rate data from the default heart rate service. It's quite simple really, just drop in the nano-ecc and tiny-AES code into your GATT service and use it to generate shared keys and encrypt data.

Of course, your app will have to know how to generate the same shared key using ECDH. Let me know if you want to talk more. I'm not a cryptographer and my interest in this was to build a PoC but I'd happy to help as best as I can.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Emiliano Bonassi over 10 years ago

Very interesting discussion. You found a resourceful solution but I need something different.

I need a static key written in my phone's app and in the nRF51422 rom. I don't have to change it in the future it will remain the same.

Then I will use it as key to start an encrypted comunication between the device and the mobile phone.

I know it is possibile to do that using Gap Peripheral Bonding: Passkey entry but the security is limited by the length of the pin. As I told you before, it can be a 4 or 6 digit number and a bruteforce attack is very easy.

I hope I have explained my issue better.

Anyway, I am going to evaluate your security scheme, the public/private key it's a solution. I let you update on my progress.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Pål Håland over 10 years ago

With the latest softdevice www.nordicsemi.com/.../S110-SoftDevice-v7.0 you will be able to set a static passkey.

By using the API call sd_ble_opt_set() with the structure ble_gap_opt_passkey_t, then the passkey display event will come with the passkey you set.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Lucas over 10 years ago in reply to Pål Håland

enum BLE_GAP_OPTS { BLE_GAP_OPT_LOCAL_CONN_LATENCY = BLE_GAP_OPT_BASE, /< Local connection latency. */ BLE_GAP_OPT_PASSKEY, /< Set passkey to be used during pairing. This option can be used to make the SoftDevice use an application provided passkey instead of generating a random passkey.*/ BLE_GAP_OPT_PRIVACY, /**< Set or get custom IRK or custom private address cycle interval. */ };
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Pål Håland over 10 years ago

devzone.nordicsemi.com/.../a00303.html
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel