• State Verified Answer
  • Replies 5 replies
  • Subscribers 62 subscribers
  • Views 2047 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 234410
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM not working for write

thoric_fish

I am using the custom_bluetooth_service tutorial from https://github.com/bjornspockeli/custom_ble_service_example. However, I now want to try increasing security settings (encryption and adding passkey restrictions to characteristics). Someone from this post https://devzone.nordicsemi.com/f/nordic-q-a/28746/nrf51822-password-on-characteristic said to set "the authorization flag (rd_auth and wr_auth)". But when I try doing custom_value_char_attr_md.rd_auth or BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.wr_auth) I get the error that the members rd_auth and wr_auth do not exist. (I am using SDK v15 with NRF52840 DK PCA10056 and S140).

So to increase security I tried using BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(). When I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.read_perm), the custom characteristic no longer appears under the service after I scan and connect my NRF52840 DK . I undo any code change and now do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.write_perm), and this has no effect on the custom characteristic or reading/writing.

static uint32_t custom_value_char_add(ble_cus_t * p_cus, const ble_cus_init_t * p_cus_init)
{
    uint32_t            err_code;
    ble_gatts_char_md_t char_md;
    ble_gatts_attr_md_t cccd_md;
    ble_gatts_attr_t    attr_char_value;
    ble_uuid_t          ble_uuid;
    ble_gatts_attr_md_t attr_md;

    // Add Custom Value characteristic
    memset(&cccd_md, 0, sizeof(cccd_md));

    //  Read  operation on cccd should be possible without authentication.
    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.write_perm);

I undo any code change and now do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.read_perm). After I scan and connect to the DK, when I try to read values from the characteristics of the custom service, the nrf_connect application successfully bonds with the DK, but afterwards I still cannot read the characteristic values of the service. 

I undo any code change and delete the bonding in the nrf_connect app. Now I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.write_perm). After I scan and connect to the DK, I can read values from the characteristics of the custom service. When I try writing values to the characteristics, the nrf_connect application successfully  bond with the DK, but I cannot write values to the characteristics anymore.

static void services_init(void)
{
        ret_code_t          err_code;
        nrf_ble_qwr_init_t  qwr_init = {0};
        ble_cus_init_t      cus_init = {0};

        // Initialize Queued Write Module.
        qwr_init.error_handler = nrf_qwr_error_handler;

        err_code = nrf_ble_qwr_init(&m_qwr, &qwr_init);
        APP_ERROR_CHECK(err_code);

         // Initialize CUS Service init structure to zero.
        cus_init.evt_handler                = on_cus_evt;
    
        BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cus_init.custom_value_char_attr_md.cccd_write_perm);
        BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cus_init.custom_value_char_attr_md.read_perm);
        BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cus_init.custom_value_char_attr_md.write_perm);

My questions are: Is this behavior expected? I am confused as to why BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.write_perm) does not restrict writing to the custom characteristic.

I didn't do any passkey testing yet, but if I later add a passkey can the user enter the passkey to gain access to service/characteristic read & write if I am using BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM?

Parents
  • 0

    Hello,

    when I try to read values from the characteristics of the custom service, the nrf_connect application successfully bonds with the DK, but afterwards I still cannot read the characteristic values of the service. 

     do you mean that you can't see the characteristic, or that it gives you an error saying something about insufficient authentication?

     

    Now I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.write_perm). After I scan and connect to the DK, I can read values from the characteristics of the custom service.

     

    I am confused as to why BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.write_perm) does not restrict writing to the custom characteristic.

     These two quotes don't make much sense to me. Can you write to it or not?

    Setting BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() means that you must bond with Man In The Middle (MITM) protection, meaning a passkey, so if you haven't done this, then you shouldn't be able to use that characteristic's read or write (whichever you set). 

    If you want to test that pairing is required but not MITM, then may I suggest you try out BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() instead.

    Best regards,

    Edvin

Reply
  • 0

    Hello,

    when I try to read values from the characteristics of the custom service, the nrf_connect application successfully bonds with the DK, but afterwards I still cannot read the characteristic values of the service. 

     do you mean that you can't see the characteristic, or that it gives you an error saying something about insufficient authentication?

     

    Now I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.write_perm). After I scan and connect to the DK, I can read values from the characteristics of the custom service.

     

    I am confused as to why BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.write_perm) does not restrict writing to the custom characteristic.

     These two quotes don't make much sense to me. Can you write to it or not?

    Setting BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() means that you must bond with Man In The Middle (MITM) protection, meaning a passkey, so if you haven't done this, then you shouldn't be able to use that characteristic's read or write (whichever you set). 

    If you want to test that pairing is required but not MITM, then may I suggest you try out BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() instead.

    Best regards,

    Edvin

Children
  • 0 in reply to Edvin
    Edvin said:
    service

    When I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.read_perm), I can see the characteristic, but when I try pressing the down arrow (read request) on the characteristic it is unsuccessful and no read values show up. The nrf_connect log gives an error that authorization failed.

    To clarify on the other quotes: when I only do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.write_perm), I can see and read the characteristics value. But after I press the up arrow (write request) on the characteristic and try writing a new value, the value does not change. The nrf_connect log again gives an error that authorization failed.

    When I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.write_perm), I can write new values to the characteristic without any issue. 

  • 0 in reply to thoric_fish

    An update: before I implement static passkey and do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM I get Error 137(0x89): GATT AUTH FAIL. After I implement static passkey and reflash to DK, I try reading or writing to custom characteristic from nrf_connect app and then the Android system's Bluetooth prompts pairing & passkey entry with DK. The read and write is now successful.

    But when I do BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM with static passkey, Android system's Bluetooth prompts pairing & passkey entry before I can connect to the DK. Even after I correctly enter passkey and successfully connect & bond with DK, when I try to do read or write to custom characteristic I have this new error:Error 5(0x5) GATT INSUF AUTHENTICATION. I am pretty sure this error is because I use LESC without implementing micro-ECC library yet. 

  • +1 in reply to thoric_fish

    Your first answer:

    thoric_fish said:

    When I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.read_perm), I can see the characteristic, but when I try pressing the down arrow (read request) on the characteristic it is unsuccessful and no read values show up. The nrf_connect log gives an error that authorization failed.

    To clarify on the other quotes: when I only do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cus_init.custom_value_char_attr_md.write_perm), I can see and read the characteristics value. But after I press the up arrow (write request) on the characteristic and try writing a new value, the value does not change. The nrf_connect log again gives an error that authorization failed.

    When I do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM(&cccd_md.write_perm), I can write new values to the characteristic without any issue. 

     This is because you don't have a passkey.

    Whichever characteristic that you protect with this BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM() doesn't succeed. You protect the write, it doesn't write, and you protect the read, it doesn't read. Right?

    Did you try BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM()? Please note the _NO_ in BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM.

    Then to your last post:

     

    thoric_fish said:

    An update: before I implement static passkey and do BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM I get Error 137(0x89): GATT AUTH FAIL. After I implement static passkey and reflash to DK, I try reading or writing to custom characteristic from nrf_connect app and then the Android system's Bluetooth prompts pairing & passkey entry with DK. The read and write is now successful.

    But when I do BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM with static passkey, Android system's Bluetooth prompts pairing & passkey entry before I can connect to the DK. Even after I correctly enter passkey and successfully connect & bond with DK, when I try to do read or write to custom characteristic I have this new error:Error 5(0x5) GATT INSUF AUTHENTICATION. I am pretty sure this error is because I use LESC without implementing micro-ECC library yet. 

     Yes. That looks reasonable. Does this mean that BLE_GAP_CONN_SEC_MODE_SET_ENC_WITH_MITM works when you implemented the passkey?

     

    thoric_fish said:
    But when I do BLE_GAP_CONN_SEC_MODE_SET_LESC_ENC_WITH_MITM with static passkey

     .. 

    thoric_fish said:
    I am pretty sure this error is because I use LESC without implementing micro-ECC library yet. 

    Yes. If the link is not encrypted using LESC, then you will have insufficient encryption.

    Best regards,

    Edvin 

Related