BLE encryption

Hi,

If you just want to encrypt the data transmitted over BLE without any very specific needs, then I suggest you stick with standard BLE security. If you use pairing or bonding, the BLE link is encrypted with 128 bit AES-CCM. The nRF5 devices have HW support for this, and the SDK has a number of examples that use pairing or bonding (most BLE examples do).

You should be aware that there are two fundamentally different pairing procedures. LE legacy pairing, which has the weakness that an attacker that listens in on the pairing procedure can obtain the key. However, LE Secure Connections, which is also supported by the SDK, use a Diffie–Hellman key exchange to securely generate a shared key. You may also want to look into MITM protection, if relevant.

This site has a good introduction to BLE security.

Hi,

If you just want to encrypt the data transmitted over BLE without any very specific needs, then I suggest you stick with standard BLE security. If you use pairing or bonding, the BLE link is encrypted with 128 bit AES-CCM. The nRF5 devices have HW support for this, and the SDK has a number of examples that use pairing or bonding (most BLE examples do).

You should be aware that there are two fundamentally different pairing procedures. LE legacy pairing, which has the weakness that an attacker that listens in on the pairing procedure can obtain the key. However, LE Secure Connections, which is also supported by the SDK, use a Diffie–Hellman key exchange to securely generate a shared key. You may also want to look into MITM protection, if relevant.

This site has a good introduction to BLE security.

Hi,

Thank you for you reply.

I found in the some examples a peer_manager_init() function.

is that the function that responsible for the pairing ?

if it's implemented in both sides there is no need to handle the BLE_GAP_EVT_SEC_PARAMS_REQUEST event in the ble_evt_handler. is that right ?

In some examples that doesnot have the peer_manager_init function implements the handle the BLE_GAP_EVT_SEC_PARAMS_REQUEST, but in other example that implements the peer_manager_init there is no handling for BLE_GAP_EVT_SEC_PARAMS_REQUEST.

I am not sure that I am understanding what should be.

I just want to perform secure pairing between my peripheral device and the central device so  the data can be encrypted.

please help

BR

JK

Hi,

The peer manager handles the BLE_GAP_EVT_SEC_PARAMS_REQUEST and all other pairing related events. So generally example where you see this event handled do not use bonding. In fact, if you see an SDK example that does not initialize the peer manger (no call to pm_init()), it does not support pairing or bonding, and thus does not encrypt the link.

Just to pick an example you can, for instance, refer to the Heart Rate Application (<SDK>\examples\ble_peripheral\ble_app_hrs\main.c) to see how this is done. I also recommend you read up on the peer manager documentation, and you should look into pairing in Bluetooth context in general, as this is a core concept of Bluetooth, and it is important to understand the basics.

Hi,

I added the relevant code from the HRS example o my peripheral and central projects.

but the NUS service isn't working any more.

Hi,

I see. Please elaborate on what you have done and in what way it is not working.

Hi,

Thank you for your help.

after I added all the relevant c files and h files to the project for the ble pairing

what I should change in the SDK file ?

I started from the usb_ble_example.

BR

JK