https://devzone.nordicsemi.com/f/nordic-q-a/87254/nrf52840-sdk16-sd140---pairing-and-bonding-general-questionsHi, I want to include the pairing and bonding features in my application. I want to use the LE secure connection method. For both initiator and responded the IO capabilities are no input / no output and hence it will be used the Just Works pairing modeen-USTelligent Community 13Tue, 26 Apr 2022 12:26:52 GMThttps://devzone.nordicsemi.com/thread/364948?ContentTypeID=1Tue, 26 Apr 2022 12:26:52 GMT137ad170-7792-4731-bb38-c0d22fbe4515:10e2a6ea-64d6-4b3f-b7bb-d6ff439493d8ovrebekk<p>Hi Nikos</p> [quote user="Nikosant03"]I suppose this is how most of the commercial products work, right?[/quote] <p>Correct. I believe Apple describe something similar in their guidelines, in order to make Bluetooth devices that integrate well with iOS devices.&nbsp;</p> [quote user="Nikosant03"]Is there any example in SDK16 implementing these steps with&nbsp;<strong>Just Works pairing mode?</strong>[/quote] <p>Any example using the peer_manager should support this procedure.&nbsp;</p> <p>As an example you can use the ble_app_hrs sample, which by default is set up to use LESC and not use authentication (which means you revert to just works):</p> <p><pre class="ui-code" data-mode="text">// Excerpt from the main.c file of the ble_app_hrs example: #define SEC_PARAM_BOND 1 /**&lt; Perform bonding. */ #define SEC_PARAM_MITM 0 /**&lt; Man In The Middle protection not required. */ #define SEC_PARAM_LESC 1 /**&lt; LE Secure Connections enabled. */ #define SEC_PARAM_KEYPRESS 0 /**&lt; Keypress notifications not enabled. */ #define SEC_PARAM_IO_CAPABILITIES BLE_GAP_IO_CAPS_NONE /**&lt; No I/O capabilities. */ #define SEC_PARAM_OOB 0 /**&lt; Out Of Band data not available. */ #define SEC_PARAM_MIN_KEY_SIZE 7 /**&lt; Minimum encryption key size. */ #define SEC_PARAM_MAX_KEY_SIZE 16 /**&lt; Maximum encryption key size. */</pre></p> <p>Best regards<br />Torbjørn</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/364772?ContentTypeID=1Mon, 25 Apr 2022 16:36:00 GMT137ad170-7792-4731-bb38-c0d22fbe4515:97130ebb-2dd0-45f6-a60e-bfb3c2328b71Nikosant03<p>Thank you for your detailed answer <a href="https://devzone.nordicsemi.com/members/ovrebekk">ovrebekk</a>&nbsp;</p> [quote userid="2116" url="~/f/nordic-q-a/87254/nrf52840-sdk16-sd140---pairing-and-bonding-general-questions/364704#364704"]The normal procedure for a client to access a protected characteristic is as follows[/quote] <p>I suppose this is how most of the commercial products work, right?</p> <p>Is there any example in SDK16 implementing these steps with&nbsp;<strong>Just Works pairing mode?</strong></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/364704?ContentTypeID=1Mon, 25 Apr 2022 12:04:17 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f438569a-0e85-4a75-98ae-1968f4d64d05ovrebekk<p>Hi Nikos</p> [quote user=""]A secure communication link provides data encryption through&nbsp;AES-CCM cryptography, right?[/quote] <p>That is correct.&nbsp;</p> <p>BLE encryption is based on a traditional symmetric AES-CCM encryption algorithm, with a standard key size of 128 bits.&nbsp;&nbsp;</p> <p>The AES key used for the AES-CCM cipher (also referred to as the Long Term Key) is exchanged during the pairing phase, which&nbsp;in the case of LE secure pairing is&nbsp;using an asymmetric ECDH scheme to avoid someone sniffing the pairing procedure to be able to get hold of the AES key.&nbsp;</p> [quote user=""]Does this mean that all the data exchanged after pairing through characteristics are encrypted? e.g the value of the sensors, battery level, etc?[/quote] <p>Correct, encryption in BLE is all or nothing. Once encryption is enabled all the attribute data will be encrypted, even for attributes that don&#39;t require it.&nbsp;</p> [quote user=""]<p>Also, after testing the heart rate example, I see that I&nbsp;have access to all characteristics without previously having paired the devices. This doesn&#39;t make sense to me. I mean it would make sense for the central to have access to the GATT server after the pairing process. For example, when I connect my wireless headphones with the smartphone, I have to pair the device before start hear music.</p> <p><strong>So this is something that should but doesn&#39;t be demonstrated in the hrs example or do I miss something?</strong></p>[/quote] <p>The Bluetooth specification doesn&#39;t require you to pair and enable encryption before you do service discovery, and normally the initial service discovery is done without encryption enabled.&nbsp;</p> <p>Still,&nbsp;you can configure a characteristic to require encryption enabled in order for the client to read and/or write to it, which means you will not be able to access the characteristic data before pairing is done.&nbsp;</p> <p>This is why you can see all the services and characteristics from the nRF Connect app, even if some of them might require encryption to be accessed.&nbsp;</p> <p>The normal procedure for a client to access a protected characteristic is as follows:</p> <p>1) The two devices connect.&nbsp;</p> <p>2) The client performs service discovery, and gets a list of all the services and characteristics in the server.&nbsp;</p> <p>3) The client tries to access the protected characteristic</p> <p>4) The server responds with an &#39;insufficient authentication&#39; error, letting the client know that this characteristic requires encryption in order to be accessed.&nbsp;</p> <p>5) The client start the pairing procedure.&nbsp;</p> <p>6) Once pairing is completed, the client can access the characteristic.&nbsp;</p> <p>Best regards<br />Torbjørn</p><div style="clear:both;"></div>