
Selective provisioning?

OOB can be used to assure physically that the device provisioned is the wanted one.

In my application the devices won't allow for OOB.

How can I ensure that only my own devices are provisioned and not any other device?

I could selectively turn on the provisioning but during that time any device could be provisioned.

Is there a way to identify a device and to decide if it is a device of my application or any third party device?

How in general are application keys assigned to devices? How do I manage individual subscription/publishing?

  • Hi,

    In Bluetooth mesh, device addresses and device keys are given to the device during the provisioning. At the beginning of the provisioning procedure, the device can identify itself by using its outputs, for instance blinking an LED, making sound, or vibrating. In order to protect against man-in-the-middle (MITM) attacks you do need to use out-of-band authentication.

    Subscription and publishing are generally managed through configuration of the device. Configuration is done over the Bluetooth mesh network, and uses the device key (which the provisioner has in its database.) The provisioner (or set of provisioners) is the gatekeeper for the Bluetooth mesh network.

    Regarding the protection against third-party devices: Bluetooth mesh does provide the mechanisms required for an operator to include only the nodes that they want to include in the network, but if the operator wants to provision a third-party device into the network and configure it to communicate with other devices in the network then they will be able to do so. That is, if you trust the people setting up and configuring the network, then you can rely on the Bluetooth mesh mechanisms.

    If however you want to make devices that can be added to any Bluetooth mesh network, and they should only talk to each other (and not to third-party devices on the same network), then we are entering a complex area (regardless of mesh technology used - not only Bluetooth mesh). You may be thinking of storing secrets and using those for authentication, but this is very hard to get right. If someone has physical access to a device it is usually only a matter of time and resources to extract secrets from it, and if you have some "master key" stored in all of your devices then it only has to be extracted once to get the key for communicating with all of the other devices.

    Regards,
    Terje
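To make the MITM point in the answer above concrete, here is an added example (not code from this thread, nor from the Nordic SDK or the Bluetooth SIG). It models the authentication step of mesh provisioning: both sides agree on a shared key, then each commits to a confirmation value over its own random and the AuthValue before the randoms are revealed. Assumptions made for the model: finite-field Diffie-Hellman over the 1024-bit Oakley group 2 (RFC 2409) stands in for the P-256 ECDH the spec uses, and HMAC-SHA256 stands in for the spec's AES-CMAC based key derivation and confirmation; neither is the real mesh cryptography, and the group is far too small for real use. With no OOB method the AuthValue is all zeros, so an attacker terminating the key agreement on both sides can compute valid confirmations for both; with a 16-byte static OOB value the attacker must commit to a guess it cannot verify in time.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 from RFC 2409: 1024-bit MODP prime, generator 2.
# Assumption: used as a toy stand-in for P-256 ECDH, not for real deployments.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_G = 2
NO_OOB_AUTHVALUE = bytes(16)  # with no OOB method the AuthValue is all zeros


class Party:
    """One endpoint of the provisioning handshake (provisioner or device)."""

    def __init__(self, auth_value: bytes):
        self.auth_value = auth_value                  # 16-byte OOB value, or zeros
        self._priv = secrets.randbelow(DH_P - 2) + 1  # ephemeral private key
        self.pub = pow(DH_G, self._priv, DH_P)        # public key sent in the clear
        self.random = secrets.token_bytes(16)         # per-session nonce
        self.ck = None                                # ConfirmationKey after key agreement

    def key_agreement(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self._priv, DH_P).to_bytes(128, "big")
        # HMAC-SHA256 stands in for the spec's k1/AES-CMAC derivation (assumption).
        self.ck = hmac.new(b"prck", shared, hashlib.sha256).digest()

    def confirmation(self, random: bytes = None, auth_value: bytes = None) -> bytes:
        """Confirmation = MAC(ConfirmationKey, Random || AuthValue)."""
        r = self.random if random is None else random
        a = self.auth_value if auth_value is None else auth_value
        return hmac.new(self.ck, r + a, hashlib.sha256).digest()

    def verify(self, peer_confirmation: bytes, peer_random: bytes) -> bool:
        """Recompute the peer's confirmation with our own AuthValue and compare."""
        return hmac.compare_digest(peer_confirmation, self.confirmation(peer_random))


def provision(provisioner: Party, device: Party) -> bool:
    """Direct handshake with no attacker: succeeds only if both AuthValues match."""
    provisioner.key_agreement(device.pub)
    device.key_agreement(provisioner.pub)
    c_p, c_d = provisioner.confirmation(), device.confirmation()  # exchanged first
    # Randoms are revealed only after both confirmations have been committed.
    return device.verify(c_p, provisioner.random) and provisioner.verify(c_d, device.random)


def provision_with_mitm(provisioner: Party, device: Party, attacker_guess: bytes) -> bool:
    """Attacker terminates the key agreement towards each honest side separately.

    It knows the AuthValue only if it is guessable (no OOB => all zeros).
    Returns True if both honest sides accept the attacker's confirmations.
    """
    to_prov = Party(attacker_guess)  # attacker persona facing the provisioner
    to_dev = Party(attacker_guess)   # attacker persona facing the device
    provisioner.key_agreement(to_prov.pub)
    to_prov.key_agreement(provisioner.pub)
    device.key_agreement(to_dev.pub)
    to_dev.key_agreement(device.pub)
    # The honest confirmations are received by the attacker, but it has to commit
    # its own confirmations before either honest random is revealed, so it cannot
    # brute-force the AuthValue out of them in time to adjust its guess.
    _c_p, _c_d = provisioner.confirmation(), device.confirmation()
    c_att_to_prov, c_att_to_dev = to_prov.confirmation(), to_dev.confirmation()
    prov_ok = provisioner.verify(c_att_to_prov, to_prov.random)
    dev_ok = device.verify(c_att_to_dev, to_dev.random)
    return prov_ok and dev_ok


def demo() -> dict:
    """Run the four scenarios discussed in the thread and return their outcomes."""
    results = {}
    # No OOB: AuthValue is all zeros, so the attacker knows it.
    results["no_oob_direct"] = provision(Party(NO_OOB_AUTHVALUE), Party(NO_OOB_AUTHVALUE))
    results["no_oob_mitm"] = provision_with_mitm(
        Party(NO_OOB_AUTHVALUE), Party(NO_OOB_AUTHVALUE), NO_OOB_AUTHVALUE)
    # Static OOB: 16 random bytes delivered out of band (constructed here, e.g. a label).
    oob = secrets.token_bytes(16)
    results["static_oob_direct"] = provision(Party(oob), Party(oob))
    results["static_oob_mitm"] = provision_with_mitm(Party(oob), Party(oob), NO_OOB_AUTHVALUE)
    # A device holding a different AuthValue is rejected even without an attacker.
    results["wrong_oob_direct"] = provision(Party(oob), Party(secrets.token_bytes(16)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The model only shows why the confirmation step needs an AuthValue the attacker cannot know; it says nothing about which device was provisioned, which is the separate question of identification that the answer above addresses with LED blinking and similar outputs.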

  • Thanks for the detailed info!

    I have one more question:

    Let's say I have two different kinds of devices in the Mesh Network like Lights and Switches.

    How do I differentiate between the two kinds during provisioning so that the Switch publishes and the Light subscribes to the Light Group for example.

    Do they get some sort of unique ID that identifies a node as a Switch or Light?

