
nrf52832 security level and bonding

Hi there,

I am adding security to my service characteristic and I found that for security mode 1 level 4, bonding is required in order to access characteristic values. Is it the same case for level 1 to level 3? Can I separate characteristic and bonding, e.g. add different security levels to characteristic and bonding and bond two devices only when I want to? I am using nRF52832 and SDK14.00.

  • Yes, you are partially correct. Security level 4 requires the link to be encrypted (i.e. pairing must be performed) and that MITM protection was used. Bonding is an optional step after pairing, i.e. storing the encryption key agreed upon during the pairing process in internal memory so that the link can be re-encrypted at a later stage without going through the pairing phase first. I have attached a table below showing the different security levels available in BLE. Security level 2 and above require encryption, i.e. pairing.

    You can set the security level of each characteristic individually, so if you have a service with two characteristics then one can be set to security level 1 and the other to security level 4.

    We have macros in the SDK that can be used to set the security level of an attribute (i.e. characteristics and descriptors).

    Here is an example where the BLE_GAP_CONN_SEC_MODE_SET_OPEN macro is used to set the read permission on a CCCD.

    static uint32_t heart_rate_measurement_char_add(ble_hrs_t            * p_hrs,
                                                    const ble_hrs_init_t * p_hrs_init)
    {
        ble_gatts_char_md_t char_md;
        ble_gatts_attr_md_t cccd_md;
        ble_gatts_attr_t    attr_char_value;
        ble_uuid_t          ble_uuid;
        ble_gatts_attr_md_t attr_md;
        uint8_t             encoded_initial_hrm[MAX_HRM_LEN];
    
        /* Attribute metadata for the CCCD of the Heart Rate Measurement characteristic. */
        memset(&cccd_md, 0, sizeof(cccd_md));
    
        /* Read permission: security mode 1, level 1 (open, no encryption required). */
        BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
        /* Write permission is taken from the init struct, so the application decides
         * which security level a peer needs before it can enable notifications. */
        cccd_md.write_perm = p_hrs_init->hrs_hrm_attr_md.cccd_write_perm;
        /* Attribute value is stored in SoftDevice (stack) memory. */
        cccd_md.vloc       = BLE_GATTS_VLOC_STACK;
        .
        .
        .
    }

  • Thanks for your reply bjorn, I have another question: is the macro BLE_GAP_CONN_SEC_MODE_SET_XXX subject to the ble_gap_sec_params_t settings? For example, according to my experience, if I disable MITM and disable LESC, I can still use the macro BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM, which is security level 4.

  • Yes, you can still use the BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM macro to set the ble_gap_sec_params_t settings of any characteristic even though you set MITM and LESC to 0. However, the peer will never be able to access the attribute if you do so, because it will never be able to pair with MITM or LESC. 

  • Thanks bjorn, you are right, I couldn't access the characteristic without MITM and LESC being enabled.
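As an added illustration (not code from this thread, the nRF5 SDK or the SoftDevice) of the two points made above, per-attribute security levels and why a level-4 permission is never satisfied by a link paired with MITM and LESC disabled: the struct and BLE_GAP_CONN_SEC_MODE_SET_* macros below are local stand-ins assumed to match ble_gap.h so the program builds without the SDK, and link_state_t together with link_sec_level() is a hypothetical model of what pairing achieved on the link.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for ble_gap_conn_sec_mode_t and the BLE_GAP_CONN_SEC_MODE_SET_*
 * macros, assumed to match ble_gap.h (sm = security mode, lv = level), so that
 * the example builds without the nRF5 SDK. */
typedef struct { uint8_t sm; uint8_t lv; } ble_gap_conn_sec_mode_t;
#define BLE_GAP_CONN_SEC_MODE_SET_NO_ACCESS(p)          do { (p)->sm = 0; (p)->lv = 0; } while (0)
#define BLE_GAP_CONN_SEC_MODE_SET_OPEN(p)               do { (p)->sm = 1; (p)->lv = 1; } while (0)
#define BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(p)        do { (p)->sm = 1; (p)->lv = 2; } while (0)
#define BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(p)      do { (p)->sm = 1; (p)->lv = 3; } while (0)
#define BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM(p) do { (p)->sm = 1; (p)->lv = 4; } while (0)

/* Hypothetical summary of what the pairing procedure actually achieved on a link. */
typedef struct { bool encrypted; bool mitm; bool lesc; } link_state_t;

/* Security mode 1 level the link has reached: 1 = open, 2 = encrypted without
 * MITM (Just Works), 3 = authenticated legacy pairing, 4 = authenticated LESC. */
static uint8_t link_sec_level(const link_state_t *l)
{
    if (!l->encrypted) return 1;
    if (!l->mitm)      return 2;   /* LESC without MITM is still only level 2 */
    if (!l->lesc)      return 3;
    return 4;
}

/* True if the attribute permission is satisfied by the current link.
 * Mode 0 (no access) is always denied; mode 2 (signing) is not modelled here. */
static bool attr_accessible(const ble_gap_conn_sec_mode_t *perm, const link_state_t *l)
{
    return perm->sm == 1 && link_sec_level(l) >= perm->lv;
}

int main(void)
{
    ble_gap_conn_sec_mode_t cccd_read, hrm_write;
    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_read);               /* anyone may read */
    BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM(&hrm_write); /* level 4 required */

    /* Pairing with MITM = 0 and LESC = 0 in ble_gap_sec_params_t yields a Just Works link. */
    const link_state_t just_works = { true, false, false };
    const link_state_t lesc_mitm  = { true, true,  true  };

    printf("open attr / Just Works link:    %s\n", attr_accessible(&cccd_read, &just_works) ? "ok" : "denied");
    printf("level-4 attr / Just Works link: %s\n", attr_accessible(&hrm_write, &just_works) ? "ok" : "denied");
    printf("level-4 attr / LESC+MITM link:  %s\n", attr_accessible(&hrm_write, &lesc_mitm)  ? "ok" : "denied");
    return 0;
}
```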
