
BLE pairing with NFC (LE Secure connection with OOB)

Hi,

Our plan is to develop a BLE device (GATT peripheral) and to have all the data coming from this device being encrypted. We want to use OOB pairing with NFC.

I read a bit about pairing and bonding, and I'm playing a bit with the various examples in the SDK, but I have some difficulty understanding the concepts first. Here are a few questions I have:

1. It seems that we can set a security level for the NFC tag. How is it used/applied?
2. How is the security level decided for a given connection? By the peripheral?
3. Is it possible to use different security levels (or pairing mode) with the Android App nRF Connect? If yes, how? If no, how can I test the SDK examples with NFC pairing and be sure I eventually have an encrypted link?
4. Using nRF Connect for Android and the example "Heart Rate Application with BLE Pairing Using NFC", I cannot make the Heart Rate notifications work. If I want to see them I have to switch from SEC_MITM to SEC_OPEN for hrs_init.hrm_cccd_wr_sec. What could be wrong? I did the NFC pairing and I'm bonded.
5. Using the example "Heart Rate Application with BLE Pairing Using NFC" I can still connect with the peripheral and get information unencrypted. Why? How can I forbid that?

Sorry if these are newbie questions... And thank you for any help!

  • Just linking to the example here that shows the use of BLE with NFC pairing:
    https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.0.2/ble_sdk_app_hid_keyboard_pairing_nfc.html

    This example supports pairing with NFC provided the peer supports it; some Android phones should.

    I believe the specification by BT SIG regarding the HRS service and profile states the required security level for each characteristic:
    https://www.bluetooth.com/specifications/gatt/

    In general you may find this thread useful:
    https://stackoverflow.com/questions/38963836/bluetooth-low-energy-gatt-security-levels

    There are message sequence charts that describe the SoftDevice events and API calls; for instance, see here for the peripheral security procedures:
    https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.s140.api.v7.2.0/group___b_l_e___g_a_p___p_e_r_i_p_h___s_e_c___m_s_c.html

    If you include the Peer Manager in your application, this module will handle this for you; you just need to configure what you want to support.

    On the BLE_GAP_EVT_AUTH_STATUS event you should be able to read out whether bonding is successful and the security level from:
    p_ble_evt->evt.gap_evt.params.auth_status;

    /**@brief Event structure for @ref BLE_GAP_EVT_AUTH_STATUS. */
    typedef struct
    {
      uint8_t               auth_status;            /**< Authentication status, see @ref BLE_GAP_SEC_STATUS. */
      uint8_t               error_src : 2;          /**< On error, source that caused the failure, see @ref BLE_GAP_SEC_STATUS_SOURCES. */
      uint8_t               bonded : 1;             /**< Procedure resulted in a bond. */
      uint8_t               lesc : 1;               /**< Procedure resulted in a LE Secure Connection. */
      ble_gap_sec_levels_t  sm1_levels;             /**< Levels supported in Security Mode 1. */
      ble_gap_sec_levels_t  sm2_levels;             /**< Levels supported in Security Mode 2. */
      ble_gap_sec_kdist_t   kdist_own;              /**< Bitmap stating which keys were exchanged (distributed) by the local device. If bonding with LE Secure Connections, the enc bit will be always set. */
      ble_gap_sec_kdist_t   kdist_peer;             /**< Bitmap stating which keys were exchanged (distributed) by the remote device. If bonding with LE Secure Connections, the enc bit will never be set. */
    } ble_gap_evt_auth_status_t;

    There is no direct requirement between which security levels are supported by the peripheral and the security level you set to access the various characteristics. However, you should not set the security level of the characteristics higher than what the peripheral can support.
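
The check described in the answer above, as an added example (not code from the thread or from the nRF5 SDK): it inspects the fields of the BLE_GAP_EVT_AUTH_STATUS structure and decides whether the pairing result is good enough for an OOB LE Secure Connections policy. The types are stand-ins that mirror the listing above, `check_oob_lesc_link` and the verdict enum are hypothetical names, and it is assumed that `sm1_levels.lv4` is set when the result satisfies Security Mode 1 Level 4.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in types so this compiles without the nRF5 SDK; field names follow
 * the ble_gap_evt_auth_status_t listing above (kdist fields omitted).
 * In firmware, include ble_gap.h and use the SDK types instead. */
typedef struct { uint8_t lv1 : 1, lv2 : 1, lv3 : 1, lv4 : 1; } sec_levels_t;
typedef struct {
    uint8_t      auth_status;   /* 0x00 means success */
    uint8_t      error_src : 2;
    uint8_t      bonded : 1;
    uint8_t      lesc : 1;
    sec_levels_t sm1_levels;
    sec_levels_t sm2_levels;
} auth_status_t;

typedef enum {
    LINK_OK, LINK_PAIRING_FAILED, LINK_NOT_LESC,
    LINK_NOT_AUTHENTICATED, LINK_NOT_BONDED
} link_verdict_t;

/* Hypothetical policy check: accept only a link that reached Security
 * Mode 1 Level 4 (authenticated LE Secure Connections), optionally bonded.
 * Assumes sm1_levels.lv4 is set when the pairing result satisfies level 4. */
link_verdict_t check_oob_lesc_link(const auth_status_t *s, bool require_bond)
{
    if (s->auth_status != 0x00)     return LINK_PAIRING_FAILED;
    if (!s->lesc)                   return LINK_NOT_LESC;
    if (!s->sm1_levels.lv4)         return LINK_NOT_AUTHENTICATED;
    if (require_bond && !s->bonded) return LINK_NOT_BONDED;
    return LINK_OK;
}

int main(void)
{
    /* Constructed sample events, not captured from a device. */
    auth_status_t oob_lesc = { .auth_status = 0x00, .bonded = 1, .lesc = 1,
                               .sm1_levels = { 1, 1, 1, 1 } };
    auth_status_t just_works = { .auth_status = 0x00, .bonded = 1, .lesc = 1,
                                 .sm1_levels = { 1, 1, 0, 0 } };
    printf("OOB LESC:   %d\n", check_oob_lesc_link(&oob_lesc, true));
    printf("Just Works: %d\n", check_oob_lesc_link(&just_works, true));
    return 0;
}
```

In a SoftDevice event handler the same checks would run on `p_ble_evt->evt.gap_evt.params.auth_status`, and any verdict other than `LINK_OK` is a reason to drop the connection (for example with `sd_ble_gap_disconnect`) rather than serve data.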
