RE: BLE pairing with NFC (LE Secure connection with OOB)

Kenneth — Wed, 09 Dec 2020 12:44:29 GMT

Just linking to the example here that show use of BLE with NFC pairing:
https://infocenter.nordicsemi.com/topic/sdk_nrf5_v17.0.2/ble_sdk_app_hid_keyboard_pairing_nfc.html

This example support pairing with NFC provided the peer support it, some Android phones should.

I believe that in the specification by BT SIG regarding HRS service and profile state the required security level for each characteristic:
https://www.bluetooth.com/specifications/gatt/

In general you may find this thread useful:
https://stackoverflow.com/questions/38963836/bluetooth-low-energy-gatt-security-levels

There are message sequence charts that describe the softdevice events and api calls, for instance see here for the peripheral security procedures:
https://infocenter.nordicsemi.com/topic/com.nordic.infocenter.s140.api.v7.2.0/group___b_l_e___g_a_p___p_e_r_i_p_h___s_e_c___m_s_c.html

If you include peer manager in your application this module will handle this for you, you just need to configure what you want to support.

You should be able on the BLE_GAP_EVT_AUTH_STATUS event to read out if bonding is successful and the security level from:
p_ble_evt->evt.gap_evt.params.auth_status;

/**@brief Event structure for @ref BLE_GAP_EVT_AUTH_STATUS. */
typedef struct
{
  uint8_t               auth_status;            /**< Authentication status, see @ref BLE_GAP_SEC_STATUS. */
  uint8_t               error_src : 2;          /**< On error, source that caused the failure, see @ref BLE_GAP_SEC_STATUS_SOURCES. */
  uint8_t               bonded : 1;             /**< Procedure resulted in a bond. */
  uint8_t               lesc : 1;               /**< Procedure resulted in a LE Secure Connection. */
  ble_gap_sec_levels_t  sm1_levels;             /**< Levels supported in Security Mode 1. */
  ble_gap_sec_levels_t  sm2_levels;             /**< Levels supported in Security Mode 2. */
  ble_gap_sec_kdist_t   kdist_own;              /**< Bitmap stating which keys were exchanged (distributed) by the local device. If bonding with LE Secure Connections, the enc bit will be always set. */
  ble_gap_sec_kdist_t   kdist_peer;             /**< Bitmap stating which keys were exchanged (distributed) by the remote device. If bonding with LE Secure Connections, the enc bit will never be set. */
} ble_gap_evt_auth_status_t;

There is no direct requirement between what security levels that is supported by the peripheral, and the security level you set to access the various characteristics. However you should not set the security level of the characteristics higher than what the peripheral can support.