Minimum required bonding information

Hello,

I read through the Bluetooth core specification in order to get a better understanding of the information that has to be stored at a minimum if using bonding. But I'm still not sure if I found all keys and values in the core specification that have to be stored if only bonding and Just Works Pairing with diffie hellman key exchange is used.  No other features or optional functions are used.

In the core specification I found the following sections:

  • Vol 3, Part G, Section 3.3.3.3, in the Bluetooth Core Specification 5.0:
    • "The Client Characteristic Configuration descriptor value shall be persistent across connections for bonded devices."
  • Vol 3, Part C, Section 9.4, in the Bluetooth Core Specification 5.0:
    • "The security and identity information as defined in [Vol 3] Part H, Section 2.4.1 is also known as the bonding information."
  • Vol 3, Part H, Section 2.4.1, in the Bluetooth Core Specification 5.0:
    • "LE security uses the following keys and values for encryption, signing, and random addressing:
      • Identity Resolving Key (IRK) is a 128-bit key used to generate and resolve random addresses.
      • Connection Signature Resolving Key (CSRK) is a 128-bit key used to sign data and verify signatures on the receiving device.
      • Long Term Key (LTK) is a 128-bit key used to generate the contributory session key for an encrypted connection. Link Layer encryption is described in [Vol 6] Part B, Section 5.1.3.
      • Encrypted Diversifier (EDIV) is a 16-bit stored value used to identify the LTK distributed during LE legacy pairing. A new EDIV is generated each time a unique LTK is distributed.
      • Random Number (Rand) is a 64-bit stored valued used to identify the LTK distributed during LE legacy pairing. A new Rand is generated each time a unique LTK is distributed."

Is this everything that has to be taken into account? What does this mean for the example above if these are the only keys and values that have to be stored?

In my opinion only the LTK has to stored regarding the example above. Because the Client Characteristic Configuration descriptor value does only have to be stored if GATT notfication or indication can be enabled. The IRK is used for privacy mechanism only, CSRK is necessary if data signing is used and EDIV and Rand are only necessary  if LE legacy pairing is supported.

Is my assumption right or did I miss something?

Thanks.

Best regards,

Christian