• State Verified Answer
  • Replies 3 replies
  • Subscribers 87 subscribers
  • Views 748 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 259938
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

gzll keycode 2 (optional host id validation stage)

astella

To the kind attention of Nordic support team,

Releted to this: https://devzone.nordicsemi.com/f/nordic-q-a/68238/gzll-keycode-optional-host-id-validation-stage

We noticed that in our case we may gzll connect two devices that can previously be connected in ble mode also. Is it possible to reuse, when in gzll mode, work that has been done from the ble code?

For example, we could avoid implementing an ecdh exchange when in gzll mode, if private and public keys generated during ble stage are easily accessible.

Do you think it is possible?

Are those ble data easily accessible?

So a more secured gzp could be in this case:

1. ble connection

2. gzp connection that is using private and public keys generated during previous ble bonding. and use public key to substitute the gzp pre-programmed production key.

In case those ecdh private/public keys are available, where? In normal bonding infos flash? We should get them asking directly to the softdevice?

Hope my meaning is very clear. And thank you for your kind attention,

Best regards

  • +1

    Hi Stella

    I think your principle is sound. If you first do a secure BLE bonding using LESC then you have a known secure link, and you can use that to establish a secret key for the GZP library. 

    It is not necessary to use the same keys as you use for the ECDH exchange for the GZP pairing. It should be enough to generate a random key on one side of the link, and send this key to the other side after you have established a secure BLE channel. Just make sure you use the random number generator in the chip to ensure a totally random key that cannot be predicted externally. 

    Out of the box GZP does not allow you to set the secret key, as this is defined by a constant in the code, but since GZP is provided with source code it should be possible to change this. 

    Essentially the secret key is defined on line 81 of nrf_gzp.c, and you would need to add some function allowing you to overwrite this key with your own:

    /**
 * Constant holding pre-defined "secret key".
 */
static const uint8_t gzp_secret_key[16] = GZP_SECRET_KEY;

    Then after you have set this key on both sides of the link you can start a GZP pairing, and establish a link over GZP/Gazell. 

    Best regards
    Torbjørn

  • 0 in reply to astella

    I am happy to help Stella Slight smile

    Unless you have more questions I will consider the case closed. 

Related
Terms of service