Enforcing LESC Encryption

Hi, 

The LESC with Just Work, the security level will be considered Mode 1 level 2 which is equal to Legacy Pairing just work. If you are in security level 2, it would execute legacy pairing (with just works) with the devices which don't support BLE v4.2. You could change the security level or check in the AUTH_STATUS event. Here we have a similar question. If you use MITM to get to level 4 and that is when the lesc bit can be 1. Please see LE Secure Connections Multirole Example. 

-Amanda H.

Hello Amanda,

Due to power constraints I can not use MITM (Numeric Comparison) and hence will stick to this only. 

Is there a way to do what I mentioned?

Hi, 

Unfortunately, there is no such configuration in the SDK as your requirement.

-Amanda H.  

Hello Amanda,

I see that "sd_ble_gap_sec_params_reply" is called in security_dispatcher.c file. 

And in BLE_GAP_EVT_SEC_PARAMS_REQUEST event, I can read whether LESC is requested or not from the device side by reading the LESC flag. 

So what would be the right way to handle if LESC is 0? I want to disconnect from the device in such case. What should be the process?

Disconnecting the connection in BLE_GAP_EVT_SEC_PARAMS_REQUEST doesn't seem to be right to me as a sec_params_reply must be sent to the device requesting encryption. Thus, what is the right way to achieve it?

Hello Amanda,

I see that "sd_ble_gap_sec_params_reply" is called in security_dispatcher.c file. 

And in BLE_GAP_EVT_SEC_PARAMS_REQUEST event, I can read whether LESC is requested or not from the device side by reading the LESC flag. 

So what would be the right way to handle if LESC is 0? I want to disconnect from the device in such case. What should be the process?

Disconnecting the connection in BLE_GAP_EVT_SEC_PARAMS_REQUEST doesn't seem to be right to me as a sec_params_reply must be sent to the device requesting encryption. Thus, what is the right way to achieve it?

Hi, 

You can reply with BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP when you get the BLE_GAP_EVT_SEC_PARAMS_REQUEST event. Please also see Pairing aborted by the application. 

-Amanda H.

Hello Amanda,

So do you mean that in BLE_GAP_EVT_SEC_PARAMS_REQUEST event, if I see that the device is trying to use legacy instead of LESC then I should call sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP , sec_params, p_sec_keyset) as response? And if it's LESC then I should let the stack handle the response. Is that right?

Also, what should I pass for sec_params and p_sec_keyset variables?

Hi Jay, 

If you don't want to pair, you can call 

err_code = sd_ble_gap_sec_params_reply(m_conn_handle, BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP, NULL, NULL);

-Amanda H.