
Peripheral LESC Pairing: Just Works with Bond

Hello 

Pairing: Just Works with Bonding: Passkey Entry, Peripheral Displays works for bonding.

I want to make LESC Pairing: Just Works with Bonding. Is it possible? According to the documentation from Nordic, it is not possible for LESC pairing with Just Works to have a secure bonded device.

If this is possible, please let me know how I can do it. I want to bond and pair the device with LESC "Just Works" with a button press.

  • Hi,

    Yes, you can perform bonding using LESC Just Works (LE security mode 1 level 2). Keep in mind that LESC Just Works will not have MITM protection, which you get using the Passkey entry method.

    Best regards,

    Marjeris

  • Hello,

    Thanks for the reply. I am aware that MITM protection won't be available. My peer_manager security configuration is stated below:

    /*secure connection*/
    #define LESC_MITM_NC 0 /**< Use MITM (Numeric Comparison). */
    
    #define LESC_DEBUG_MODE 0 /**< Set to 1 to use the LESC debug keys. The debug mode allows you to use a sniffer to inspect traffic. */
    #define SEC_PARAM_BOND 1  /**< Perform bonding. */
    #if LESC_MITM_NC
    #define SEC_PARAMS_MITM 1                                        /**< Man In The Middle protection required. */
    #define SEC_PARAMS_IO_CAPABILITIES BLE_GAP_IO_CAPS_DISPLAY_YESNO /**< Display Yes/No to force Numeric Comparison. */
    #else
    #define SEC_PARAMS_MITM 0                               /**< Man In The Middle protection not required. */
    #define SEC_PARAMS_IO_CAPABILITIES BLE_GAP_IO_CAPS_NONE /**< No I/O caps. */
    #endif
    #define SEC_PARAMS_LESC 1          /**< LE Secure Connections pairing required. */
    #define SEC_PARAMS_KEYPRESS 0      /**< Keypress notifications not required. */
    #define SEC_PARAMS_OOB 0           /**< Out Of Band data not available. */
    #define SEC_PARAMS_MIN_KEY_SIZE 7  /**< Minimum encryption key size in octets. */
    #define SEC_PARAMS_MAX_KEY_SIZE 16 /**< Maximum encryption key size in octets. */

    I am initializing LESC in peer_manager_init() and also generating the keys there. Is that correct?

    void peer_manager_init(void) {
      ble_gap_sec_params_t sec_param;
      ret_code_t err_code;
    
      err_code = pm_init();
      APP_ERROR_CHECK(err_code);
    
      memset(&sec_param, 0, sizeof(ble_gap_sec_params_t));
    
      // Security parameters to be used for all security procedures.
      sec_param.bond = SEC_PARAM_BOND;
      sec_param.mitm = SEC_PARAMS_MITM;
      sec_param.lesc = SEC_PARAMS_LESC;
      sec_param.keypress = SEC_PARAMS_KEYPRESS;
      sec_param.io_caps = SEC_PARAMS_IO_CAPABILITIES;
      sec_param.oob = SEC_PARAMS_OOB;
      sec_param.min_key_size = SEC_PARAMS_MIN_KEY_SIZE;
      sec_param.max_key_size = SEC_PARAMS_MAX_KEY_SIZE;
      sec_param.kdist_own.enc = 1;
      sec_param.kdist_own.id = 1;
      sec_param.kdist_peer.enc = 1;
      sec_param.kdist_peer.id = 1;
    
    
      err_code = nrf_ble_lesc_init();
      APP_ERROR_CHECK(err_code);
    
      err_code = pm_sec_params_set(&sec_param);
      APP_ERROR_CHECK(err_code);
    
      err_code = pm_register(pm_evt_handler);
      APP_ERROR_CHECK(err_code);
    
      err_code = nrf_ble_lesc_keypair_generate();
      APP_ERROR_CHECK(err_code);
    }

    This is my log:

     <info> app: PERIPHERAL: BLE_GAP_EVT_AUTH_STATUS: status=0x0 bond=0x1 lv2: 1 kdist_own:0x3 kdist_peer:0x2

    The AUTH_STATUS shows the security level to be correct. 

  • Hi,

    It looks good.  I used the same parameters as you when testing:

    #define SEC_PARAM_BOND                  1                                           /**< Perform bonding. */
    #define SEC_PARAM_MITM                  0                                           /**< Man In The Middle protection required (applicable when display module is detected). */
    #define SEC_PARAM_LESC                  1                                           /**< LE Secure Connections enabled. */
    #define SEC_PARAM_KEYPRESS              0                                           /**< Keypress notifications not enabled. */
    #define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_NONE                        /**< Display I/O capabilities. */
    #define SEC_PARAM_OOB                   0                                           /**< Out Of Band data not available. */
    #define SEC_PARAM_MIN_KEY_SIZE          7                                           /**< Minimum encryption key size. */
    #define SEC_PARAM_MAX_KEY_SIZE          16                                          /**< Maximum encryption key size. */
    

    Just one comment, you don't need to call nrf_ble_lesc_init() or nrf_ble_lesc_keypair_generate() inside the peer_manager_init. All LESC functionality is handled inside the peer_manager when PM_LESC_ENABLED is set to 1 in sdk_config.h.

    Keep in mind that when PM_LESC_ENABLED is true, you also need to call nrf_ble_lesc_request_handler function in the main context of the application.

    You can take a look at the ble_app_gls example under examples/ble_peripheral in the SDK to see an example of how the peer manager is used. This example has PM_LESC_ENABLED by default in sdk_config.h.

    You can change the security parameters of the example to the ones above if you want to test LE security mode 1 level 2. If you want to test bonding you need to comment out the code under PM_EVT_CONN_SEC_SUCCEEDED so you drop checking if the link is MITM protected or not (in the example the application will disconnect in case that the peer does not use MITM).

    You can then test bonding with the right security level using nRF Connect app for Desktop, for example.

    For more information take a look at the Peer Manager usage and Peer Manager architecture.

    Best regards,

    Marjeris
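
Why the security parameters in this thread end at LE security mode 1 level 2, as an added example (not code from the thread or from the nRF5 SDK): a self-contained model of how the Security Manager picks the pairing method from both sides' flags and IO capabilities, and which level results. `pairing_feat_t`, `pairing_method` and `sm1_level` are hypothetical names, the peers in `main` are constructed, and OOB pairing is left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* SMP IO capability codes; same numeric values as the BLE_GAP_IO_CAPS_* constants. */
enum { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY, IO_NONE, IO_KEYBOARD_DISPLAY };
typedef enum { JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON } method_t;
/* Hypothetical struct: the pairing request/response fields that matter here.
 * io_caps must be a valid code (0..4). */
typedef struct { uint8_t io_caps; bool mitm; bool lesc; uint8_t max_key_size; } pairing_feat_t;

/* IO capability mapping without OOB. Rows: responder, columns: initiator.
 * J = Just Works, P = Passkey Entry, N = Numeric Comparison (LESC only). */
static const char io_map[5][6] = {
    "JJPJP", /* responder DisplayOnly     */
    "JNPJN", /* responder DisplayYesNo    */
    "PPPJP", /* responder KeyboardOnly    */
    "JJJJJ", /* responder NoInputNoOutput */
    "PNPJN", /* responder KeyboardDisplay */
};

method_t pairing_method(pairing_feat_t init, pairing_feat_t resp)
{
    /* IO capabilities are consulted only if at least one side requests MITM. */
    if (!init.mitm && !resp.mitm) return JUST_WORKS;
    char m = io_map[resp.io_caps][init.io_caps];
    if (m == 'N' && !(init.lesc && resp.lesc)) /* legacy pairing has no Numeric Comparison */
        m = (init.io_caps == IO_DISPLAY_YESNO && resp.io_caps == IO_DISPLAY_YESNO) ? 'J' : 'P';
    return m == 'J' ? JUST_WORKS : m == 'P' ? PASSKEY_ENTRY : NUMERIC_COMPARISON;
}

/* LE security mode 1 level of the link once pairing succeeds and encryption starts. */
int sm1_level(pairing_feat_t init, pairing_feat_t resp)
{
    uint8_t key = init.max_key_size < resp.max_key_size ? init.max_key_size : resp.max_key_size;
    if (pairing_method(init, resp) == JUST_WORKS) return 2; /* encrypted, unauthenticated */
    return (init.lesc && resp.lesc && key == 16) ? 4 : 3;   /* level 4 needs a 128-bit key */
}

int main(void)
{
    /* Constructed peers: a central with keyboard and display, and two peripheral configs. */
    pairing_feat_t central    = { IO_KEYBOARD_DISPLAY, true,  true, 16 };
    pairing_feat_t thread_cfg = { IO_NONE,             false, true, 16 }; /* LESC_MITM_NC 0 */
    pairing_feat_t nc_cfg     = { IO_DISPLAY_YESNO,    true,  true, 16 }; /* LESC_MITM_NC 1 */
    printf("thread config: method %d, level %d\n",
           pairing_method(central, thread_cfg), sm1_level(central, thread_cfg));
    printf("numeric comparison config: method %d, level %d\n",
           pairing_method(central, nc_cfg), sm1_level(central, nc_cfg));
    return 0;
}
```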
