• State Verified Answer
  • Replies 9 replies
  • Subscribers 72 subscribers
  • Views 2466 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 241352
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Ensuring 16 Byte of entropy in Security Mode 1v4

TobiasM

Hello,

I'm currently trying to implement a setup of BLE devices (nRF52 DK and nRF52840 DK) which is potentially secure against the KNOB attack (and also other attacks) and uses the full 16 bytes of entropy for the encryption. I've found this thread https://devzone.nordicsemi.com/f/nordic-q-a/54566/knob-attack-for-ble-nrf52840 which mentions that the attack is not applicable due to the min key length of 7 bytes (I guess this is also the same for the nRF52832) but that's still too low for my setup. Of course, I could set the min key length to 16 bytes for both devices, but I just want to use the full key length for specific services. According to

https://bluetooth.service-now.com/ess/knowledge.do?sysparm_document_key=kb_knowledge,3995cd29db7b3f007d6c808768961931

I could use Legacy Pairing which doesn't seem to be the best choice if it comes to different attacks such as passive eavesdropping. Therefore, I want to use the LE Security Mode 1v4 to ensure a 128-bit strength encryption key (Spec 5.1 p. 2186) which apparently is satisfied if I use a pairing procedure using either Numeric Comparison or Passkey Entry with Secure Connection. In the paper eprint.iacr.org/.../933.pdf on page 11 it is specifically mentioned that "even if a device using security mode 1 with level 4, the LTK's entropy can still be downgraded to 7 bytes". Am I missing something or this a bug of the tested devices? Is it possible to downgrade the nRF52840 or nRF52832 to use 7 bytes of entropy in Security Mode 1v4?

Best regards,

Tobias

  • 0

    HI Tobias, 

    I could set the min key length to 16 bytes for both devices, but I just want to use the full key length for specific services.

    it is possible to set the security requirement for individual attributes in the GATT table, i.e. a characterisistic can only be read or written to if the Security level is high enough, e.g.  Security Mode 1 level 4

    In the paper eprint.iacr.org/.../933.pdf on page 11 it is specifically mentioned that "even if a device using security mode 1 with level 4, the LTK's entropy can still be downgraded to 7 bytes". Am I missing something or this a bug of the tested devices? Is it possible to downgrade the nRF52840 or nRF52832 to use 7 bytes of entropy in Security Mode 1v4?

    Our SoftDevices for the nRF52 series will reject the pairing request if the key size is below the minimum set in the application, see GAP Failed Pairing: Keysize too small

     Best regards

    Bjørn

     

  • 0 in reply to bjorn-spockeli

    Hi Bjørn,

    bjorn-spockeli said:
    Our SoftDevices for the nRF52 series will reject the pairing request if the key size is below the minimum set in the application, see GAP Failed Pairing: Keysize too small

    if I understand correctly, in case of trying to read a characteristic with Security Mode 1 level 4 in the setup of two paired devices which have been paired let's say by Numeric Comparison, I would get a "Keysize too small" error if the entropy for the encryption key is lower than 16 bytes. Is this correct?

    Best regards,

    Tobias

  • 0 in reply to TobiasM

    My understanding is that the vulnerability is for the key negotiation process, i.e. pairing process. For Bluetooth Low Energy device and then both the central and peripheral device will store the negotiated key in internal memory and then use this key for all subsequent communication. So the "Keysize too small" error will be generated if the central device or an attacker tries to use a lower key size than SEC_PARAM_MIN_KEY_SIZE during the pairing process. 

    So if you attempt to read or write to a characteristic that has a its security level requirement set to  Security Mode 1 level 4, but the link securit level is not high enough, then you will get an error message stating Insufficient Authorization, see BLUETOOTH CORE SPECIFICATION Version 5.1 | Vol 3, Part F page 2335.

    Best regards

    Bjørn

  • 0 in reply to bjorn-spockeli

    Thank you for the clarification. Unfortunately after testing my setup I ran into problems.

    In case of pairing both devices with lower encryption key size than 16 byte I shouldn't be in security mode 1 level 4. After testing my nRF52840 DK and nRF52 DK with interactive app running on both devices I could confirm this behaviour by intentionally reducing the max encryption key size. After trying the same thing using nRF Connect on one device and the interactive app on the other, I encountered that nRF Connect assumes I have security mode 1 level 4 even if the key size was reduced. The interactive app shows security mode 1 level 3 in this case, which seems to be more reasonable to me.

    Therefore I was able to read characteristics from nRF Connect which should be only readable for security mode 1 level 4. Is this a bug? I was using nRF Connect v3.3.0 with BLE App v2.3.2 and the interactive app from the SDK16.0.0. I've used Numeric Comparison as pairing method.

    Best regards,

    Tobias

  • 0 in reply to TobiasM

    Hi Tobias,

    Just wanted to let you know that Bjørn is out on vacation until the 2nd week of January. He will come back to you then.

    Best regards,

    Marjeris

Related
Terms of service