
Secure connections with no keyboard and no display

Hello,

Our peripheral device has no keyboard and no display.

Yet we would still like to have the most secured way of communication.

For our application, we don't like a static passkey as anybody with the same mobile app installed could pair.

We are thinking about scanning a unique QR code on every device. Could the information be used to set up a secured link? Like with the "out of bounds" method?

kind regards

  • I suggest looking into LE Secure Connections; this pairing procedure uses Elliptic Curve Diffie-Hellman cryptography and provides the highest security mode.

  • Hi, is there any example or info in the SDK about LE Secure Connections? Thanks.

  • The easiest is to search all main.c files for '#define SEC_PARAM_LESC', and then all that is defined as '1' support LESC. Here is the result for nRF5 SDKv16:

    \ble_central\ble_app_gatts\main.c(89) : #define SEC_PARAM_LESC            0                                /**< LE Secure Connections not enabled. */
    \ble_central\ble_app_hrs_c\main.c(88) : #define SEC_PARAM_LESC              1                                   /**< LE Secure Connections enabled. */
    \ble_central\ble_app_ias\main.c(97) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_central\ble_app_rscs_c\main.c(88) : #define SEC_PARAM_LESC              0                                   /**< LE Secure Connections not enabled. */
    \ble_central\experimental\ble_app_ots_c\main.c(88) : #define SEC_PARAM_LESC            0                                       /**< LE Secure Connections not enabled. */
    \ble_central_and_peripheral\experimental\ble_app_hrs_rscs_relay\main.c(127) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_alert_notification\main.c(112) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_ancs_c\main.c(122) : #define SEC_PARAM_LESC                 0                                      /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_bms\main.c(99) : #define SEC_PARAM_LESC                  0                                       //!< LE Secure Connections not enabled.
    \ble_peripheral\ble_app_bps\main.c(137) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_buttonless_dfu\main.c(109) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_cscs\main.c(130) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_cts_c\main.c(111) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_gls\main.c(117) : #define SEC_PARAM_LESC                  1                                           /**< LE Secure Connections enabled. */
    \ble_peripheral\ble_app_hids_keyboard\main.c(129) : #define SEC_PARAM_LESC                      0                                          /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_hids_mouse\main.c(119) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_hrs\main.c(124) : #define SEC_PARAM_LESC                      1                                       /**< LE Secure Connections enabled. */
    \ble_peripheral\ble_app_hrs_freertos\main.c(125) : #define SEC_PARAM_LESC                      0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_hts\main.c(121) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_ias_c\main.c(105) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_proximity\main.c(118) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_rscs\main.c(125) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_template\main.c(105) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\ble_app_tile\main.c(101) : #define SEC_PARAM_LESC                  0                                  /**< LE Secure Connections not enabled. */
    \ble_peripheral\experimental\ble_app_cgms\main.c(117) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\experimental\ble_app_cli\main.c(116) : #define SEC_PARAM_LESC                  0                                           /**< LE Secure Connections not enabled. */
    \ble_peripheral\experimental\ble_app_lls\main.c(102) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\experimental\ble_app_lns\main.c(115) : #define SEC_PARAM_LESC                  0                                       /**< LE Secure Connections not enabled. */
    \ble_peripheral\experimental\ble_app_queued_writes\main.c(105) : #define SEC_PARAM_LESC                   0                                          /**< LE Secure Connections not enabled. */
    \ble_peripheral\experimental\bluetoothds_template\main.c(104) : #define SEC_PARAM_LESC                   0                                          /**< LE Secure Connections not enabled. */

    However, those projects that support NFC can also potentially support LESC (by defining NFC_PAIRING_MODE_LESC_JUST_WORKS in main.c or sdk_config.h), so you also need to search for all main.c files that have '#define NFC_PAIRING_MODE'. Here is the result for nRF5 SDKv16:

    \ble_peripheral\experimental\ble_app_hids_keyboard_pairing_nfc\main.c(153) :     #define NFC_PAIRING_MODE NFC_PAIRING_MODE_JUST_WORKS
    \ble_peripheral\experimental\ble_app_hrs_nfc_pairing\main.c(115) :     #define NFC_PAIRING_MODE NFC_PAIRING_MODE_JUST_WORKS
    \ble_peripheral\experimental\ble_nfc_pairing_reference\main.c(63) :     #define NFC_PAIRING_MODE NFC_PAIRING_MODE_JUST_WORKS

    Lastly it also seems the nRF5 SDK examples sometimes use '#define SEC_PARAMS_LESC' (instead of '#define SEC_PARAM_LESC'). So you need to search main.c files also for those, and check if any is defined as '1':

    \ble_central_and_peripheral\experimental\ble_app_multirole_lesc\main.c(113) : #define SEC_PARAMS_LESC                 1                                               /**< LE Secure Connections pairing required. */

    To find more information about a specific BLE example you can check out:
    https://infocenter.nordicsemi.com/topic/sdk_nrf5_v16.0.0/examples_ble.html?cp=6_1_4_2 

    A good start may be to use the below two examples, since those two will work out of the box with each other:
    \ble_central\ble_app_hrs_c\
    \ble_peripheral\ble_app_hrs\
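
The search described in the reply above, as a script; this is an added example, not part of the original post or of Nordic's SDK. The function names and the sample tree are constructed for illustration, and the script also reads sdk_config.h because the reply notes the NFC pairing mode can be set there.

```shell
#!/bin/sh
# Added example, not Nordic code: report which example sources enable LESC.

# Prints "path:line: MACRO=value" for each define that turns LESC on.
# Assumption: only plain "#define NAME VALUE" lines are read; #if logic is ignored.
find_lesc_examples() {
    (
        cd "$1" || exit 1
        find . -type f \( -name main.c -o -name sdk_config.h \) -exec awk '
            $1 != "#define" { next }    # skips commented-out defines too
            ($2 == "SEC_PARAM_LESC" || $2 == "SEC_PARAMS_LESC") && $3 == "1" {
                print FILENAME ":" FNR ": " $2 "=" $3
            }
            $2 == "NFC_PAIRING_MODE" && index($3, "NFC_PAIRING_MODE_LESC") == 1 {
                print FILENAME ":" FNR ": " $2 "=" $3
            }
        ' {} + | LC_ALL=C sort
    )
}

# Constructed sample tree standing in for the SDK examples folder (runs offline).
make_sample_tree() {
    p="$1/ble_peripheral"
    m="$1/ble_central_and_peripheral/experimental/ble_app_multirole_lesc"
    mkdir -p "$p/ble_app_hrs" "$p/ble_app_template" \
             "$p/experimental/ble_app_hrs_nfc_pairing" "$m"
    printf '%s\n' '#include "peer_manager.h"' \
        '#define SEC_PARAM_LESC                      1    /**< enabled */' \
        > "$p/ble_app_hrs/main.c"
    printf '%s\n' '#define SEC_PARAM_LESC                  0' \
        '// #define SEC_PARAM_LESC 1' > "$p/ble_app_template/main.c"
    printf '%s\n' '    #define NFC_PAIRING_MODE NFC_PAIRING_MODE_JUST_WORKS' \
        > "$p/experimental/ble_app_hrs_nfc_pairing/main.c"
    printf '%s\n' '#define NFC_PAIRING_MODE NFC_PAIRING_MODE_LESC_JUST_WORKS' \
        > "$p/experimental/ble_app_hrs_nfc_pairing/sdk_config.h"
    printf '%s\n' '#define SEC_PARAMS_LESC                 1' > "$m/main.c"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
find_lesc_examples "$demo"
rm -rf "$demo"
```

To run it against a real SDK, call `find_lesc_examples` with the path to the SDK's examples folder instead of the sample tree.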
