
Bluetooth LESC question

Hi, I want to secure the connection between our device (nRF52840 or nRF51822) and a smartphone.

I found that LESC uses ECDH, which is more secure than RSA at the same key length.

I want to apply LESC to our device, but I am confused about a few things.

LESC should have I/O capabilities or OOB.

1) Why should LESC have I/O capabilities or OOB?

> I guess a scenario for a secure connection:
(1) each device generates an ECDH key pair
(2) the public keys are exchanged
(3) the shared secret is calculated
(4) finally, the secure connection channel is created

--> I think a human interface or another channel is not necessary in this scenario.
> Why should a human interface (I/O capabilities) be necessary?
> Why should another channel (OOB) be necessary?

2) This is basic, but is the term "Bluetooth connection" equivalent to "Bluetooth pairing"?

3) What are the differences between Bluetooth pairing and bonding?

  • Hi,

    1) Why should LESC have I/O capabilities or OOB?

    There are three ways to protect a link against a man-in-the-middle attack:

    - an OOB channel that cannot be eavesdropped

    - a human interface (the user can ensure that the keys are the same on both sides)

    - a device key signed with ECDSA (ensuring strong readout protection of the private key, achievable only using an external Secure Element chip).

    In LESC, the first two methods are used. Of course, you can set up LESC in "just works" mode, but the security level will be the same as with legacy pairing.

    2) This is basic, but is the term "Bluetooth connection" equivalent to "Bluetooth pairing"?
    3) What are the differences between Bluetooth pairing and bonding?

    See this answer.
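
Added example (not part of the original thread and not nRF5 SDK code) illustrating the answer's point: the ECDH exchange by itself does not tell either side whose public key it received, and that is what the numeric comparison over a human interface checks. It uses pure-Python P-256, HMAC-SHA256 in place of the spec's AES-CMAC, and constructed keys and nonces; `pair`, `check_value` and `relay_sk` are hypothetical names.

```python
import hashlib, hmac

# NIST P-256, the curve LESC uses for ECDH (field prime and base point).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the identity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def check_value(pk_a, pk_b, na, nb):
    """Six-digit value bound to both public keys and both nonces. The spec's
    g2 uses AES-CMAC; HMAC-SHA256 stands in here (assumption)."""
    msg = pk_a[0].to_bytes(32, "big") + pk_b[0].to_bytes(32, "big") + nb
    tag = hmac.new(na, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[-4:], "big") % 10**6

def pair(relay_sk=None):
    """One exchange between constructed devices A and B. If relay_sk is set,
    both public keys are replaced in transit by that key's public key."""
    sk_a, sk_b = 0xA11CE, 0xB0B            # constructed private keys
    na, nb = b"A" * 16, b"B" * 16          # constructed nonces
    pk_a, pk_b = mul(sk_a, G), mul(sk_b, G)
    seen_by_a = mul(relay_sk, G) if relay_sk else pk_b
    seen_by_b = mul(relay_sk, G) if relay_sk else pk_a
    return {"a_shows": check_value(pk_a, seen_by_a, na, nb),
            "b_shows": check_value(seen_by_b, pk_b, na, nb),
            "same_secret": mul(sk_a, seen_by_a) == mul(sk_b, seen_by_b)}
```

With `pair()` both devices show the same six digits and hold the same secret; with `pair(relay_sk=...)` each device still derives a valid secret, but the displayed digits differ, which is the mismatch the user is asked to catch. The real protocol also commits to the nonces before revealing them, which this sketch leaves out.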
