BLE Pairing and security stack implementation

I am developing a product using the nRF51822 BLE. I was able to interface all my peripherals and set up the SoftDevice stack accordingly.

Now I am looking to add a pairing and security layer on the same to start the provisioning process and make the same secure.

1. The BLE device at factory reset will be active to pair and send/receive data via the services. These services are currently open and I used the nRF Connect app to communicate. Can I make them hidden so that no one else can see them? How?

2. At the time when the device is not bonded with any central, what should the architecture be to enable pairing? Note that the device is headless and does not have any HMI. Is there any application note or literature that I can follow to do the same?

3. Once the pairing is complete, I want the communication to be encrypted. I guess Nordic supports AES encryption; is there any example or literature I can follow?

4. Also, should the authorisation process involve a digital certificate method to make sure the pairing is safe and avoids any MITM?

What I want exactly is to use my device over a mobile application, and the pairing and communication should be secure. Any application note or literature link is highly appreciated.

Thanks and regards

  • Hi,

    1. The BLE device at factory reset will be active to pair and send/receive data via the services. These services are currently open and I used the nRF Connect app to communicate. Can I make them hidden so that no one else can see them? How?

    No, there is no way to "hide" services. Once a device connects it can discover all services. There is no need to include the service(s) in advertising packets or scan response packets, though.

    2. At the time when the device is not bonded with any central, what should the architecture be to enable pairing? Note that the device is headless and does not have any HMI. Is there any application note or literature that I can follow to do the same?

    That is entirely application specific, and up to you. What fits your product? Is it possible to power cycle or reset it to put it in pairing mode, for instance?

    3. Once the pairing is complete, I want the communication to be encrypted. I guess Nordic supports AES encryption; is there any example or literature I can follow?

    The nRF SDKs support standard Bluetooth pairing, both legacy pairing and LE Secure Connections. Regardless of how you pair, a secured link is always encrypted with 128-bit AES-CCM (according to the Bluetooth specification). I suggest you check out the peer manager library in nRF5 SDK 12.3.

    4. Also, should the authorisation process involve a digital certificate method to make sure the pairing is safe and avoids any MITM?

    There is no use of certificates in the Bluetooth specification. However, there are MITM protection features supported as defined in the Bluetooth specification, but all of those depend on having an HMI of some sort. Without it, Bluetooth does not provide any way to guarantee MITM protection.
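As an added illustration of the point above that MITM protection depends on the IO capabilities both sides advertise (this is example code, not the poster's firmware or Nordic SDK code): the pairing-method selection rules from the Bluetooth Core Specification (Vol 3, Part H, 2.3.5.1), written as a stand-alone C function so it builds without SoftDevice headers. The enum and struct names are this example's own, not the SoftDevice's.

```c
#include <stdbool.h>
#include <stdio.h>

/* IO capabilities in the order the SMP IO Capability field uses. Defined locally
 * (hypothetical names) so the example compiles without the nRF5 SDK headers. */
typedef enum { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY,
               IO_NO_INPUT_NO_OUTPUT, IO_KEYBOARD_DISPLAY } io_cap_t;

typedef enum { JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON, OOB } pairing_method_t;

typedef struct {
    io_cap_t io;
    bool mitm;   /* MITM flag in the AuthReq field */
    bool oob;    /* OOB data available on this side (needs a second channel, e.g. NFC) */
    bool lesc;   /* Secure Connections flag in AuthReq */
} pairing_caps_t;

static bool has_display(io_cap_t io)  { return io == IO_DISPLAY_ONLY || io == IO_DISPLAY_YESNO || io == IO_KEYBOARD_DISPLAY; }
static bool has_keyboard(io_cap_t io) { return io == IO_KEYBOARD_ONLY || io == IO_KEYBOARD_DISPLAY; }
static bool has_yesno(io_cap_t io)    { return io == IO_DISPLAY_YESNO || io == IO_KEYBOARD_DISPLAY; }

/* Returns the association model the two peers end up with; *authenticated reports
 * whether that model gives MITM protection. Order of checks follows the spec. */
pairing_method_t select_pairing_method(pairing_caps_t a, pairing_caps_t b, bool *authenticated)
{
    bool lesc = a.lesc && b.lesc;                 /* LESC only if both support it */
    /* OOB is checked first: legacy needs OOB data on both sides, LESC on at least one. */
    if (lesc ? (a.oob || b.oob) : (a.oob && b.oob)) { *authenticated = true; return OOB; }
    /* If neither side asks for MITM protection, IO capabilities are ignored. */
    if (!a.mitm && !b.mitm) { *authenticated = false; return JUST_WORKS; }
    /* A NoInputNoOutput peer (a headless device) always ends up with Just Works. */
    if (a.io == IO_NO_INPUT_NO_OUTPUT || b.io == IO_NO_INPUT_NO_OUTPUT) { *authenticated = false; return JUST_WORKS; }
    /* LESC: both sides can show a number and confirm it -> Numeric Comparison. */
    if (lesc && has_yesno(a.io) && has_yesno(b.io)) { *authenticated = true; return NUMERIC_COMPARISON; }
    /* Passkey Entry: a keyboard on one side, a display or keyboard on the other. */
    if ((has_keyboard(a.io) && (has_display(b.io) || has_keyboard(b.io))) ||
        (has_keyboard(b.io) && (has_display(a.io) || has_keyboard(a.io)))) { *authenticated = true; return PASSKEY_ENTRY; }
    *authenticated = false;
    return JUST_WORKS;
}

int main(void)
{
    /* Constructed sample: a phone (keyboard + display, LESC) pairing with a headless device. */
    pairing_caps_t phone = { IO_KEYBOARD_DISPLAY, true, false, true };
    pairing_caps_t headless = { IO_NO_INPUT_NO_OUTPUT, true, false, true };
    bool auth;
    pairing_method_t m = select_pairing_method(phone, headless, &auth);
    printf("method=%d authenticated=%s\n", (int)m, auth ? "yes" : "no");  /* method=0 authenticated=no */
    return 0;
}
```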
