Selective provisioning?

Hi,

In Bluetooth mesh, device addresses and device keys are given to the device during the provisioning. At the beginning of the provisioning procedure, the device can identify itself through using its outputs, for instance blinking an LED, making sound, or vibrating. In order to protect against man-in-the-middle (MITM) attacks you do need to use out-of-band authentication.

Subscription and publishing are generally managed through configuration of the device. Configuration is done over the Bluetooth mesh network, and uses the device key (which the provisioner has in its database.) The provisioner (or set of provisioners) is the gatekeeper for the Bluetooth mesh network.

Regarding the protection against third-party devices: Bluetooth mesh do provide the mechanisms required for an operator to include only the nodes that they want to include in the network, but if the operator wants to provision a third-party device into the network and configure it to communicate with other devices in the network then they will be able to do so. That is, if you trust the people setting up and configuring the network, then you can rely on the Bluetooth mesh mechanisms.

If however you want to make devices that can be added to any Bluetooth mesh network, and they should only talk to each other (and not to third-party devices on the same network), then we are entering a complex area (regardless of mesh technology used - not only Bluetooth mesh). You may be thinking of storing secrets and use those for authentication, but this is very hard to get right. If someone has physical access to a device it is usually only a matter of time and resources for extracting secrets from it, and if you have some "master key" stored in all of your devices then it only has to be extracted once for getting the key to communicating with all of the other devices.

Regards,
Terje

Hi,

In Bluetooth mesh, device addresses and device keys are given to the device during the provisioning. At the beginning of the provisioning procedure, the device can identify itself through using its outputs, for instance blinking an LED, making sound, or vibrating. In order to protect against man-in-the-middle (MITM) attacks you do need to use out-of-band authentication.

Subscription and publishing are generally managed through configuration of the device. Configuration is done over the Bluetooth mesh network, and uses the device key (which the provisioner has in its database.) The provisioner (or set of provisioners) is the gatekeeper for the Bluetooth mesh network.

Regarding the protection against third-party devices: Bluetooth mesh do provide the mechanisms required for an operator to include only the nodes that they want to include in the network, but if the operator wants to provision a third-party device into the network and configure it to communicate with other devices in the network then they will be able to do so. That is, if you trust the people setting up and configuring the network, then you can rely on the Bluetooth mesh mechanisms.

If however you want to make devices that can be added to any Bluetooth mesh network, and they should only talk to each other (and not to third-party devices on the same network), then we are entering a complex area (regardless of mesh technology used - not only Bluetooth mesh). You may be thinking of storing secrets and use those for authentication, but this is very hard to get right. If someone has physical access to a device it is usually only a matter of time and resources for extracting secrets from it, and if you have some "master key" stored in all of your devices then it only has to be extracted once for getting the key to communicating with all of the other devices.

Regards,
Terje

Thanks for the detailed info!

I have one more question:

Let's say I have two different kinds of devices in the Mesh Network like Lights and Switches.

How do I differentiate between the two kinds during provisioning so that the Switch publishes and the Light subscribes to the Light Group for example.

Do they get some sort uf unique ID that identifies a node as a Switch or Light?

Hi,

All of the examples in the nRF5 SDK for Mesh includes a unique Uniform Resource Identifier (URI) in the beacon (that the node sends when not yet provisioned.) To see how this works, have a look at the Provisioner example.

Another way to differentiate nodes is to look at what models are present. (E.g. Generic OnOff Client on the switch, and Generic OnOff Server on the light.)

Regards,
Terje