
Sniffing BLE Diffie-Hellman Key Exchange

Hello,
I'm currently trying to sniff the DH Key Exchange as specified in Spec 5.1 p.2446. I'm using the nRF51 Dongle as sniffer, the nRF52 DK as slave and the nRF52840 DK as master for connection and pairing establishment. I've started by using the Interactive App of the SDK16.0.0 and couldn't see the public keys being exchanged between the devices. I don't use the micro-ecc backend, instead I'm working with the default backend, according to
infocenter.nordicsemi.com/index.jsp -> CC310 for the nRF52840 DK and Oberon for nRF52 DK.
After I played around for some time I encountered a somewhat strange behaviour when it comes to sniffing the public keys of the key exchange. I will list the different setups I used for sniffing the pairing of 2 devices.

Some additional info about my setup: I always used the nRF52 DK as slave and the nRF52840 as master, except for the RN4871 chip (from Microchip), which was used as slave in those cases with the nRF52840 DK as master. Also, when I used the nRF Connect Mobile App, the nRF52 DK was used as slave and a Samsung tablet as master. For checking the sniffed data I was using Wireshark with the 2.0.0 sniffer plugin. If I was using the nRF Connect Program on PC I will refer to it as Connect, and the mobile version as Mobile.

First Device is using  -->  Second Device is using  :  Successfully sniffing public keys?
Interactive App --> Interactive App  :  No
Interactive App --> Mobile  :  Rcvd Pairing Public Key only
Interactive App --> Connect  :  No
Connect --> Interactive App  :  No
Connect --> Mobile  :  Yes
Connect --> Connect  :  Yes
Mobile --> Interactive App  :  Yes
Mobile --> Connect  :  Yes
Interactive App --> RN4871  :  No
Mobile --> RN4871  :  Yes
It depends on my setup whether I'm able to see the public keys getting exchanged. I have attached 2 pcap files: one of them shows a complete exchange of the DH keys; in the other file there are only L2CAP fragments which don't seem to hold key data. Could there be any reason why the sniffer doesn't capture public keys in certain setups? I noticed that in some cases the capturing is a little bit unstable; sometimes I was only able to see one public key. But I have already tried several times to check whether or not I can sniff the key using only the Interactive App on both devices.
I would really appreciate some feedback about this issue and hope my sniffer does work as intended.
Best regards,
Tobias
  • Hi Tobias

    Can you try this out using an nRF52DK (Bluetooth 5 supported device) as your sniffer? The first thing that comes to mind is that the nRF51 is not able to detect the packets in a secure Bluetooth 5 connection, as the connections between Bluetooth 5 devices seem to be the ones you can't obtain the public key on, while you seem to be able to sniff the public keys of (I assume the tablet is not BLE 5 compatible) devices communicating using BLE 4.2. Please try sniffing the connections using a 52 DK and get back to me with the results.

    Best regards,

    Simon

  • Hello Simon,

    apparently my tablet does support Bluetooth 5.0 but I've tried the nRF52 DK as a sniffer now and was successfully sniffing the public key exchange for the setups:

    Interactive App --> Interactive App  :  Yes
    Interactive App --> Mobile  :  Yes
    Interactive App --> Connect  :  Yes
    Connect --> Interactive App  :  Yes

    Notes:

    Interactive App --> Interactive App  :  Cannot be checked with my current setup

    Interactive App --> RN4871  :  Cannot be checked right now, but hopefully I'll be able to confirm success as well in a few days

    As I'm still quite new to the BLE subject, does the nRF51 Dongle have issues sniffing packets with length extension (251 byte) and therefore wasn't able to get the keys?

    So if the LL_LENGTH_RSP max octets (RX/TX) are set to 251 instead of 27 it will not work. Is this correct?

    Thanks for your help.

    Best regards,

    Tobias
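
The L2CAP fragments seen in the capture and the 251-byte DLE question both come down to how the 65-byte SMP Pairing Public Key PDU is carried over the link layer: without data length extension it spans three 27-byte LL packets, with DLE it fits in one. Below is an added example, not code from this thread or from Nordic's sniffer tools, that reassembles LL fragments into L2CAP PDUs and picks out the public key; it assumes the sniffer output has already been turned into (LLID, payload) pairs and uses the P-256 generator point as a stand-in key.

```python
# Added example, not from the DevZone thread: reassemble L2CAP PDUs from BLE
# link-layer fragments (LLID 0b10 = start, 0b01 = continuation), pick out SMP
# Pairing Public Key PDUs and check the key lies on P-256. Samples are constructed.

SMP_CID = 0x0006               # fixed L2CAP channel id for SMP
SMP_PAIRING_PUBLIC_KEY = 0x0C  # SMP opcode of the Pairing Public Key PDU
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def reassemble_l2cap(fragments):
    """Return [(cid, payload)] for every complete L2CAP PDU in the LL stream."""
    pdus, buf = [], b""
    for llid, payload in fragments:
        if llid == 0b10:       # start of an L2CAP PDU (or a whole one, with DLE)
            buf = payload
        elif llid == 0b01:     # continuation fragment (an LL empty PDU is harmless)
            buf += payload
        else:
            continue           # LLID 0b11 is an LL control PDU, carries no L2CAP
        if len(buf) >= 4:
            length, cid = int.from_bytes(buf[0:2], "little"), int.from_bytes(buf[2:4], "little")
            if len(buf) >= 4 + length:
                pdus.append((cid, buf[4:4 + length]))
                buf = b""
    return pdus

def on_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b (mod p) on P-256."""
    return (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0

def extract_public_keys(fragments):
    """Return [(x, y, on_curve)] for each SMP Pairing Public Key PDU found."""
    keys = []
    for cid, pdu in reassemble_l2cap(fragments):
        if cid == SMP_CID and len(pdu) == 65 and pdu[0] == SMP_PAIRING_PUBLIC_KEY:
            x = int.from_bytes(pdu[1:33], "little")   # SMP: X then Y, little-endian
            y = int.from_bytes(pdu[33:65], "little")
            keys.append((x, y, on_p256(x, y)))
    return keys

def fragment_l2cap(smp_pdu, max_payload):
    """Constructed helper: wrap an SMP PDU in L2CAP and cut it into LL fragments."""
    l2cap = len(smp_pdu).to_bytes(2, "little") + SMP_CID.to_bytes(2, "little") + smp_pdu
    chunks = [l2cap[i:i + max_payload] for i in range(0, len(l2cap), max_payload)]
    return [(0b10 if i == 0 else 0b01, c) for i, c in enumerate(chunks)]

PUBKEY_PDU = bytes([SMP_PAIRING_PUBLIC_KEY]) + GX.to_bytes(32, "little") + GY.to_bytes(32, "little")
SAMPLE_NO_DLE = fragment_l2cap(PUBKEY_PDU, 27) + [(0b01, b"")]   # 27-byte LL payloads: 3 fragments
SAMPLE_DLE = [(0b11, bytes(9))] + fragment_l2cap(PUBKEY_PDU, 251)  # one LL control PDU, then one packet
```

A capture that only contains the first one or two 27-byte fragments (or that dropped the single 251-byte packet) yields no key, which is what the "L2CAP fragments only" pcap looks like; the on-curve check is the validation a Secure Connections peer is expected to perform on a received public key.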
