Secure BLE connections in nrf52833

Hi Viswa, 

As you already find out, the example only allow SC pairing at security level 4. This mean your device should have at least display or keyboard capability. 

However, error 8 means  "BT_SECURITY_ERR_KEY_REJECTED" this mean your device may have paired with the phone earlier but one of the device has erased this bond information. Please try to erase the device's flash (erase all, chip erase) and remove any bond on the phone. 

Note that you don't need secure connection to pair and encrypt the link. You can do normal legacy pairing, or doing Secure Connection with justwork. Of course when doing that you will not at security level 4. Please try remove 

Hi Hung Bui

Hung Bui said:

You can do normal legacy pairing, or doing Secure Connection with justwork

May I know config/security levels to acheive that?

Regards

Visweswara Sarma.

Hi Sarma, 

Most of our sample support pairing. For example \zephyr\samples\bluetooth\peripheral_hr  sample or \nrf\samples\bluetooth\peripheral_hids_mouse sample. 
They don't require the peer device to bond but they can support if the peer device (the phone) request to bond/pair. 

If you want to request the peer device to bond you would need to configure the characteristic so that it require encryption. You can do that by configuring the permission of the characteristic, for example change from BT_GATT_PERM_READ to BT_GATT_PERM_READ_AUTHEN. 
You can read about that here.

In addition to support storing bond information, in addition to CONFIG_BT_SMP=y the following configuration needed: 

CONFIG_BT_SETTINGS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y

Hung Bui said:

This mean your device should have at least display or keyboard capability.

Our device has no dedicated Keyboard / Display. 

I have commented "CONFIG_BT_SMP_SC_ONLY=y"

/* Callback I've selected for secure connections */ 

static struct bt_conn_auth_cb auth_cb_display = {
	.passkey_display = auth_passkey_display,
	.passkey_entry = NULL,
	.cancel = auth_cancel,
	.pairing_complete = pairing_complete,
	.pairing_failed = pairing_failed,
}; 

/* Inside Connection callback */
if (bt_conn_set_security(conn, BT_SECURITY_L2)) {
		printf("Failed to set security\n");
	}

for above code I got below response, what shall I add in configuration to get legacy pairing.

W: opcode 0x200a status 0x09

Connected: 00:00:00:00:00:00 (public)
E: SMP Timeout

Security failed: 63:67:23:18:43:74 (random) level 1 err 9
Pairing Failed (9). Disconnecting.
{Disconnected (reason: 22)}

Hung Bui said:

This mean your device should have at least display or keyboard capability.

Our device has no dedicated Keyboard / Display. 

I have commented "CONFIG_BT_SMP_SC_ONLY=y"

/* Callback I've selected for secure connections */ 

static struct bt_conn_auth_cb auth_cb_display = {
	.passkey_display = auth_passkey_display,
	.passkey_entry = NULL,
	.cancel = auth_cancel,
	.pairing_complete = pairing_complete,
	.pairing_failed = pairing_failed,
}; 

/* Inside Connection callback */
if (bt_conn_set_security(conn, BT_SECURITY_L2)) {
		printf("Failed to set security\n");
	}

for above code I got below response, what shall I add in configuration to get legacy pairing.

W: opcode 0x200a status 0x09

Connected: 00:00:00:00:00:00 (public)
E: SMP Timeout

Security failed: 63:67:23:18:43:74 (random) level 1 err 9
Pairing Failed (9). Disconnecting.
{Disconnected (reason: 22)}

Hi Viswa, 
I don't think calling bt_conn_set_security() from the peripheral is a good idea. The better way is as mentioned, change the permission of the characteristic. But i need to correct my self, you should use BT_GATT_PERM_READ_ENCRYPT instead of BT_GATT_PERM_READ_AUTHEN. 
BT_GATT_PERM_READ_AUTHEN is used when you have keyboard, display.

I attached here an example that I modified the peripheral_ht so that when you enable indication on the characteristic it will require the central to bond. 

6443.peripheral_ht_smp.zip

Please notice how the hts.c file is modified: 

Hi Hung Bui

I have tried to add 

Hung Bui said:

use BT_GATT_PERM_READ_ENCRYPT

and removed the below code from callback.

if (bt_conn_set_security(conn, BT_SECURITY_L2)) {
		printf("Failed to set security\n");
	}

Then, it will connect directly without pairing and when I try read ccc characteristic then mobile app starts bonding process, still I get the same timeout response as I got earlier.

Hi, 

Have you tested with the example I provided ? 
Please make sure you erase the chip and remove bond on the phone. 

Hi Hung

I haven't tried you example as it is...but added those parts you mentioned into my code. I will try to build the example you shared and check it.

When mobile tries to connect, there should be some api to respond to that request, what is this api?

I've come across this pairing_accept() from Zephyr Documention, which I see no where used in peripheral_sc_only sample and example you provided.

This function returns following structure.

struct bt_conn_pairing_feat *const feat

Does this have anything to do pairing success?