• State Verified Answer
  • Replies 3 replies
  • Subscribers 73 subscribers
  • Views 2849 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 218234
Options
Beware that this post is related to an SDK in maintenance mode
More Info: Consider nRF Connect SDK for new designs
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Enforcing LE Secure Simple Pairing for some services.

kuchen

Hi,
I would like to establish services with following security permissions in a Bluetooth 5 peripheral:
Currently I use the NRF52-DK and SDK 15.2

Service A: Security level 2 - Unauthenticated pairing with encryption 
This service shall be accessible (characteristics readable) after pairing with JustWorks Legacy or Secure pairing

-> e.g. for old Smartphones



Service B: Security level 2 - Unauthenticated pairing with encryption 
This service shall be accessible (characteristics readable)  only if JustWorks Secure pairing with P-256 Cryptography was used. 

->e.g. newer Smartphones without NFC; Secure Pairing shall be used to provide at least some security against eavesdropping.

I don't know how to configure Service B in order to reject requests from JustWorks legacy connections. 

To may understanding I cannot use security level 4 with Service B, as this would require authentication and the peripheral does not have the I/O capabilities for that. 
I cannot use Secure Connection Only, as non of the services has security level 4. 

Does anyone know how to achieve the described behavior?


Thanks in advance.

Parents
  • 0

    Hi Kuchen,

    If you take a look at the ble_app_gls_pca10040 example in the SDK (under the ble_peripheral folder) you can see an example of how to change/increase the security level for a service.

    You can change/increase the level of security for different characteristics inside the Glucose Service. See main.c lines 428-432.

        // Here the sec level for the Glucose Service can be changed/increased.
    gls_init.gl_meas_cccd_wr_sec = SEC_JUST_WORKS;
    gls_init.gl_feature_rd_sec   = SEC_JUST_WORKS;
    gls_init.racp_cccd_wr_sec    = SEC_JUST_WORKS;
    gls_init.racp_wr_sec         = SEC_JUST_WORKS;

    Take also a look at the init structure of the Glucose Service in ble_gls.h

    /**@brief Glucose Service init structure. This contains all options and data needed for
 *        initialization of the service. */
typedef struct
{
    ble_gls_evt_handler_t     evt_handler;                     /**< Event handler to be called for handling events in the Glucose Service. */
    ble_srv_error_handler_t   error_handler;                   /**< Function to be called in case of an error. */
    uint16_t                  feature;                         /**< Glucose Feature value indicating supported features. */
    bool                      is_context_supported;            /**< Determines if optional Glucose Measurement Context is to be supported. */
    security_req_t            gl_meas_cccd_wr_sec;             /**< Security requirement for writing glucose measurement characteristic CCCD. */
    security_req_t            gl_feature_rd_sec;               /**< Security requirement for reading glucose feature characteristic. */
    security_req_t            racp_cccd_wr_sec;                /**< Security requirement for writing RACP Characteristic CCCD. */
    security_req_t            racp_wr_sec;                     /**< Security requirement for writing RACP Characteristic. (Service specification mandates authentication) */
} ble_gls_init_t;

    and the init function ble_gls_init in ble_gls.c

    Best Regards,

    Marjeris

  • 0 in reply to Marjeris Romero

    Hi,

    Thanks for your reply.
    I see that I can that I can set the security level for different characteristics/services using the options provided in security_req_t, which are:

    1. SEC_NO_ACCESS
    2. SEC_OPEN
    3. SEC_JUST_WORKS
    4. SEC_MITM
    5. SEC_SIGNED
    6. SEC_SIGNED_MITM

    As far as I understand I can use the Just Works association model with LE Secure Connection using the P-256 elliptic curve.

    I would like to know, how I can block requests from connections, which did not use the  P-256 elliptic curve.
    I do not see how I can achieve that by the options given in security_req_t.

    Best regards

  • +1 in reply to kuchen

    Hi,

    Both service A and service B will have security level 2. The macro BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM sets the security level to level 2, mode 1. Set the read/write sec level for each characteristic in service A or B to SEC_JUST_WORKS.

    What you can do is to reject the read request for Service B in the application. You can set rd_auth to 1 in the ble_gatts_attr_md_t struct, to set read authorization on every read request.

    When the peer sends a ATT read request the softdevice will generate a BLE_GATTS_EVT_RW_AUTHORIZE_REQUEST to the application. You can then set a flag at BLE_GAP_EVT_AUTH_STATUS and find out if the connection procedure resulted in a LE secure Connection or not, check if auth_status.lesc is set or not.

    Best Regards,

    Marjeris

Reply Children
No Data
Related
Terms of service