LE Secure Connection Info and crypto

Hi,

I am trying to just find what is this LE Secure Connection but can't seem to find anything basic.

LE Secure Connection use a Diffie–Hellman key exchange method to obtain a shared secret (encryption key) used to encrypt the link in a way that is safe even though there are eavesdroppers. In legacy pairing the encryption key is transmitted in clear text on air so that any eavesdropper could obtain the key.

and if you want MITM prevention turn that param bit on also.

This is not the same as MITM protection, so LE Secure connections also supports MITM protection. This includes numeric comparison which is only sensible for LESC, since it would be useless in legacy pairing where an attacker could anyway eavesdrop on the communication and display the correct number.

Is that all there is to it to make a secure  connection?

 In short: yes.

I dont need ot make a private and public key or anything? or what is a good example which shows public private key useage for LE secure conenction i can look at

 No. the key pair is generated automatically by the peer manager library for every bonding, so you do not need to think of it as long as you have enabled LESC when you configured the Peer manager.

I am looking also in the aes-ctr cryptoi library to encrypt and decrypt on either side of the BLE conneciton as a possibility and just send encrypted data over unsecure BLE if need be

 I do not see any need for adding another layer of encryption on the link if you use LESC. It is usually better to go with the standardized way of doing things, unless you have a very good reason not to.

If i am not using peer manager as a means to handle connections, maybe i should, would the LESC bit turned on work same way.

Hi,

I did not understand this question. Can you elaborate?

However, I would like to stay that I strongly recommend using the peer manager library to handle pairing/bonding. This is quite complex, so making a good implementation from scratch will be very time consuming and probably error-prone.

What is a good example of peer management? right now this is what i do. I am new to both nRF and BLE. 

Advertiser only accepts connections from a MAC address it knows stored flash memory. If the MAC address is not stored it just disconnects.

In order to add a MAC to the storage you have to put the advertiser into add MAC mode which modifies the manufacturer data to advertise that it is in MAC storing mode. Then if it doesnt recognize the connected MAC, it will add it to its list of accepted MAC devices.

The scanner before connecting looks for a specific UUID and then if it finds that UUID it checks its list of accepted MAC addresses. If the MAC address is stored, it will establish a connection with the advertiser. If it doesnt recognize the MAC address, it will check the manufacturer data to see if the devices is in MAC storing mode. if it is, it will go ahead and remember the MAC of the advertiser and establish a connection.

Is this considered bonding? pairing? or what function of peer manager would give me the same results?

All the examples of peer manager i have looked at it doesnt have a function to put the system into pair/bonding mode. nor does it have an add_peer function call of sorts in the code. so not sure right now how to implement peer manager. Only thing i know how to do is delete peers.

Hi,

dmleone said:

What is a good example of peer management? right now this is what i do. I am new to both nRF and BLE. 

The SDK contains a number of BLE peripheral examples that implements bonding, all using the peer manager. Which example you should refer to depend on your requirements. For instance, do you need MITM? Do you need LESC?

dmleone said:

Advertiser only accepts connections from a MAC address it knows stored flash memory. If the MAC address is not stored it just disconnects.

In this case you can use whitelisting. That way the SoftDevice will only allow connections from that specific MAC. Please note though that this approach will not work if the peer device is a modern device (phone, tablet etc.), as these use a random resolvable MAC address based on the identity resolving key (IRK). This can only be obtained by pairing with the device, which exchanges some data, including the IRK and long term key (LTK).

(Generally I advice against using custom "smart" methods, as it is usually better to stick with standard BLE procedures. There are well tested, properly implemented in the SDK.)

dmleone said:

The scanner before connecting looks for a specific UUID and then if it finds that UUID it checks its list of accepted MAC addresses. If the MAC address is stored, it will establish a connection with the advertiser. If it doesnt recognize the MAC address, it will check the manufacturer data to see if the devices is in MAC storing mode. if it is, it will go ahead and remember the MAC of the advertiser and establish a connection.

 This is easy to implement. I recommend you take a look at some of the BLE central examples in the SDK, and look at how you can use filters.

dmleone said:

Is this considered bonding? pairing? or what function of peer manager would give me the same results?

 Pairing means that the peer devices establish a encrypted link. This can be done in several ways defined by the Bluetooth specification (LESC, MITM etc.). Bonding means that the encryption keys etc. are stored (in flash) and used the next time the same two devices connect. It is possible for two peer devices to connect and communicate without pairing if there is no need for an encrypted link.

dmleone said:

ll the examples of peer manager i have looked at it doesnt have a function to put the system into pair/bonding mode.

There is no pairing/bonding mode per se. The peripheral can advertise in a connectable way, and then the peer can connect. Once in a connection either the central or peripheral can initiate pairing. Typically the nRF peripheral will just support pairing, and accept it when it is initiated by the central. On the central side you can for instance refer to <SDK>\examples\ble_central\ble_app_hrs_c\main.c, where you can see that pairing is initiated by a call to pm_conn_secure().