This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Enforcing LESC Encryption

Additional Information:

1. SDK: v15.3

2. Softdevice: v6.1.1

3. IDE: IAR v7.80.1

Problem Statement:

Is there a way I could enforce Secure connections just works? I want to use LESC for encrypting the link. But as I see, it also gets connected with legacy pairing with devices which doesn't support BLE v4.2.

Is it possible to configure the stack in such a way that it always declines a connection when tried to encrypt anything other than LESC? Could the device just disconnect if legacy pairing is triggered by host?
I know I can do that in the application by checking in the AUTH_STATUS event, but I wanted to know if I can do it by configuring the stack in some way?

Parents

0 Amanda Hsieh over 5 years ago

Hi,

The LESC with Just Work, the security level will be considered Mode 1 level 2 which is equal to Legacy Pairing just work. If you are in security level 2, it would execute legacy pairing (with just works) with the devices which don't support BLE v4.2. You could change the security level or check in the AUTH_STATUS event. Here we have a similar question. If you use MITM to get to level 4 and that is when the lesc bit can be 1. Please see LE Secure Connections Multirole Example.

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jay_Shah over 5 years ago in reply to Amanda Hsieh

Hello Amanda,

Due to power constraints I can not use MITM (Numeric Comparison) and hence will stick to this only.

Is there a way to do what I mentioned?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 5 years ago in reply to Jay_Shah

Hi,

Unfortunately, there is no such configuration in the SDK as your requirement.

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jay_Shah over 5 years ago in reply to Amanda Hsieh

Hello Amanda,

I see that "sd_ble_gap_sec_params_reply" is called in security_dispatcher.c file.

And in BLE_GAP_EVT_SEC_PARAMS_REQUEST event, I can read whether LESC is requested or not from the device side by reading the LESC flag.

So what would be the right way to handle if LESC is 0? I want to disconnect from the device in such case. What should be the process?

Disconnecting the connection in BLE_GAP_EVT_SEC_PARAMS_REQUEST doesn't seem to be right to me as a sec_params_reply must be sent to the device requesting encryption. Thus, what is the right way to achieve it?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 5 years ago in reply to Jay_Shah

Hi,

You can reply with BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP when you get the BLE_GAP_EVT_SEC_PARAMS_REQUEST event. Please also see Pairing aborted by the application.

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Jay_Shah over 5 years ago in reply to Amanda Hsieh

Hello Amanda,

So do you mean that in BLE_GAP_EVT_SEC_PARAMS_REQUEST event, if I see that the device is trying to use legacy instead of LESC then I should call sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP , sec_params, p_sec_keyset) as response? And if it's LESC then I should let the stack handle the response. Is that right?

Also, what should I pass for sec_params and p_sec_keyset variables?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 5 years ago in reply to Jay_Shah
Hi Jay,

If you don't want to pair, you can call

err_code = sd_ble_gap_sec_params_reply(m_conn_handle, BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP, NULL, NULL);

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Amanda Hsieh over 5 years ago in reply to Jay_Shah
Hi Jay,

If you don't want to pair, you can call

err_code = sd_ble_gap_sec_params_reply(m_conn_handle, BLE_GAP_SEC_STATUS_PAIRING_NOT_SUPP, NULL, NULL);

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data