This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

INVALID PARAMS when migrating to security mode 1 level 4

I am attempting to migrate my BLE project to a higher security level with bonding. Was mode 1 level 2 and am upgrading to mode 1 level 4. When I change the configuration to the following:

#define SEC_PARAM_BOND                  1                                       /**< Perform bonding. */
#define SEC_PARAM_MITM                  0                                       /**< Man In The Middle protection not required. */
#define SEC_PARAM_LESC                  1                                       /**< LE Secure Connections not enabled. */
#define SEC_PARAM_KEYPRESS              0                                       /**< Keypress notifications not enabled. */
#define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_NONE                    /**< No I/O capabilities. */
#define SEC_PARAM_OOB                   0                                       /**< Out Of Band data not available. */
#define SEC_PARAM_MIN_KEY_SIZE          7                                       /**< Minimum encryption key size. */
#define SEC_PARAM_MAX_KEY_SIZE          16                                      /**< Maximum encryption key size. */

I get [NRF ERROR INVALID PARAM] errors when adding my second service and even when trying to sd_ble_gap_device_name_set. I'm not sure where I should be looking for the problem and how to find out what which parameter is invalid.

I'm very new to this so any help would be great. Thanks

Top Replies

Parents

0 Amanda Hsieh over 4 years ago

Hi Bloq,

No, the setting is the LESC with Just Work, the security level will be considered Mode 1 level 2. See this post.

If you use MITM to get to level 4 and that is when the lesc bit can be 1. See Glucose Application.

I get [NRF ERROR INVALID PARAM] errors when adding my second service and even when trying to sd_ble_gap_device_name_set.

You have to debug and find out which function returns the error. Are you able to provide the debug log?

Which SDK and DK are you using?

-Amanda H.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Bloq over 4 years ago in reply to Amanda Hsieh

Thank you very much for your response Amanda,

I would like to clarify that I am working with the nRF52840-DK. We would like to use ECDH and bonding under security level mode 1 level 4 with "Just Works". Can you please clarify if this is possible to achieve.

Thank you for your help,

-Bloq
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Amanda Hsieh over 4 years ago in reply to Bloq

Hi Bloq,

If it's done using just work mode, the level of security is considered level 2. You should use MITM to get to level 4 and that is when the lesc bit can be 1.

Also, check out some links put in this thread:

https://devzone.nordicsemi.com/f/nordic-q-a/49674/le-secure-connections-when-there-is-no-io-capability/198279#198279

-Amanda H.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Dmitry over 4 years ago in reply to Bloq

Hi,

as Amanda has pointed out, your link is considered as SM1 level 2 - if you would like to keep these settings, you shouldn't pass a secutity mode parameter (ble_gap_conn_sec_mode_t) higher than sm=1,lv=2 to any softdevice function.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Bloq over 4 years ago in reply to Amanda Hsieh

Thank you both for the helpful responses. I have proceeded with two implementations. They are as follows, both WITH BONDING:

1: LESC With MITM Using Numeric Comparison (mode 1 level 4) : The only adjustment that I made was automatically accepting the numeric comparison on the peripheral side because of a lack of buttons or display. I know this is sort of cheating but we are still accepting the pairing on the IOS side. So only half cheating. How does this effect the level of security and allow for MITM attacks? Is this any safer than implementation 2?

2: LESC with JUST WORKS (mode 1 level 2) : This is basically what we will use if your answers to my questions above are level 2 security.

Lastly, with bonding, MITM attacks can only occur if the attacker is present during pairing. How would this attack work if we use implementation 1 with the half numeric comparison authentication.

Thanks in advanced,

Bloq
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Amanda Hsieh over 4 years ago in reply to Bloq

Hi Bloq,

Good question. It is certainly not how it should be used. I do not see how this would be better than just works. If only the iOS has input or output device, then this does not give you any benefit. There is no way to know if you have connected to the device you intend to or an attacker.

So this just gives an illusion of security, but that is all. It is better to use just works then in my opinion.

-Amanda H.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Reject Answer

Cancel

Reply

+1 Amanda Hsieh over 4 years ago in reply to Bloq

Hi Bloq,

Good question. It is certainly not how it should be used. I do not see how this would be better than just works. If only the iOS has input or output device, then this does not give you any benefit. There is no way to know if you have connected to the device you intend to or an attacker.

So this just gives an illusion of security, but that is all. It is better to use just works then in my opinion.

-Amanda H.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Reject Answer

Cancel

Children

No Data