• State Not Answered
  • +1 person also asked this people also asked this
  • Replies 34 replies
  • Subscribers 71 subscribers
  • Views 20192 views
  • Users 0 members are here
Attachments (6) Download All
Nordic Case Info
  • Case ID: 226323
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

encryption and decryption of advertising data

Naralasetty Praneeth

Hii nordic;

I need to encrypt and decrypt my advertising data i.e;UUID,Major,Minor,etc.;  of my nrf52832

So it cannot be seen by third parties

my sdk version is 15.2 and softdevice is 132

  • 0 in reply to Naralasetty Praneeth

    You need to send the nounce used by the advertiser to the central in order to decrypt the message on the central side. 

    Since you are basing this on advertisement data, then you would have to place the nounce in the advertisement packet or the scan response packet for the central to decrypt the advertisment data. In addition you would have to make sure that the counters are in sync as well. In addition the advertisment data is the beacon UUID, major, minor etc, which is fixed and will not be changed during the lifetime of the device, so you will in reality only encrypt this once with counter values 0x00 and 0x01. 

    Hence,  I am beginning to doubt that this is the correct way of encrypting advertisment data. I think it might be much easier to just use an XOR cipher instead, i.e. just XOR the advertisement data with the m_ecb_key. That way you would not need to send any nounce nor keep any counters in sync. 

    It would be helpful if you could share a bit more on what the use case for the code is.

    Best regards

    Bjørn

  • 0 in reply to bjorn-spockeli

    bjorn-spockeli

    We are working on an application based on Id cards which broadcasts its information and gateway reads the information it and sends to a server. Now the problem is that the ID card's information should not be cloned by any third party.

  • 0 in reply to Naralasetty Praneeth

    Understand. 

    As I stated in my previous reply, exchanging the nounce and keeping counters in sync is complicated when only doing advertisement. The added complexity cannot really be justified when you're only encrypting two 16 byte buffers on boot and then keeping the advertisment data static. 

    My suggestion would be to create a unique key for each device and then simply use sd_ecb_block_encrypt to encrypt the advertisment data. The central would then hold a copy of each unique key and then use the same function sd_ecb_block_encrypt to decrypt the data. 

    Best regards

    Bjørn

  • 0

     I have been thinking some more on the solution I proposed in my previous reply and from a security perspective I think it would be better to include the nounce in the advertisement packet and then keep the counter values static, i.e. 0x0000 and 0x0001. 

    I am afraid that we do not have any example code that does this in our SDK out-of-the-box. You should be able to modify the existing code I have provided for the peripheral side, you would just have to modify it to place the nounce in the scan response packet as manufacturing specifc data. 

    On the central side you will have to add the handling of  the NRF_BLE_SCAN_EVT_SCAN_REQ_REPORT case in the scan_evt_handler() function that is set as the scan event handler function in scan_init() in main.c. There you will have to extract the nounce and then store both the nounce and the address of the sender. You will need this to determine which nounce that should be used to decrypt which advertisment message. 

    Best regards

    Bjørn

Related