• State Verified Answer
  • Replies 6 replies
  • Subscribers 73 subscribers
  • Views 3295 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 107412
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Origianl Passkey

Yuichi

Hi

I'd like to realize below function for our product.

  1. The product has static passkey in factory.
  2. A user who use the product will pair with his smartphone using the factory static passkey.
  3. Then the user update the static passkey to arbitrary passkey.
  4. In result pairing with the product will be restricted/protected.

Is that possible? And our product is No-Input and No-Output device.

Are there points to be noted?

Thanks

Parents
  • 0

    Hi,

    Yes, this is possible. You could store the initial random passkey in the UICR register of the chip during flashing, or at least somewhere non-volatile. After the first pairing, a new value could be written to a certain flash page. The application can then detect if this flash area contain valid data and use that as a static passkey during the subsequent pairing attempts.

    However, I question the motive behind this type of application. It will only help you avoid that users connect to the wrong device in a multi-device environment. Security will be lower, because the key will be static for a long time and no bond is in place - giving attackers long enough time to try every pin. The pairing/bonding procedure is also the most vulnerable period of secure communications, because an eavesdropper could listen in and sniff the keys being used.

    A more secure approach would be to simply bond with really low transmitting power the first time, using the pin code. Subsequent connections would then use the long-term keys exchanged during the bonding.

Reply
  • 0

    Hi,

    Yes, this is possible. You could store the initial random passkey in the UICR register of the chip during flashing, or at least somewhere non-volatile. After the first pairing, a new value could be written to a certain flash page. The application can then detect if this flash area contain valid data and use that as a static passkey during the subsequent pairing attempts.

    However, I question the motive behind this type of application. It will only help you avoid that users connect to the wrong device in a multi-device environment. Security will be lower, because the key will be static for a long time and no bond is in place - giving attackers long enough time to try every pin. The pairing/bonding procedure is also the most vulnerable period of secure communications, because an eavesdropper could listen in and sniff the keys being used.

    A more secure approach would be to simply bond with really low transmitting power the first time, using the pin code. Subsequent connections would then use the long-term keys exchanged during the bonding.

Children
Related
Terms of service