<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Out Of Band Methods</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/87375/out-of-band-methods</link><description>Hi, 
 I would like to secure my application using security mode 1 level 3. LE Legacy pairing with OOB key sharing. (both master and slave device does not have I/O Capabilities). what are the possible OOB methods which I can follow here? Is only NFC can</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Mon, 01 Aug 2022 07:16:37 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/87375/out-of-band-methods" /><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/379442?ContentTypeID=1</link><pubDate>Mon, 01 Aug 2022 07:16:37 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:13015ee1-683e-49d9-99e7-2b6406a5a392</guid><dc:creator>Edvin</dc:creator><description>&lt;p&gt;Hello Sreejith,&lt;/p&gt;
&lt;p&gt;1: Looking at the rest of this discussion. How do you plan to exchange the keys? Did you consider any of the things we discussed in the my previous replies? If you plan to pre-program these 128 bit keys, you can generate the 128 bit key however you want (on a computer).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;2: If you plan to create and store bonding information before programming the devices (and not to let them pair and bond over the air directly after programming), then you need to look at how the devices typically do this. As I said before, look at the ble_app_hrs and ble_app_hrs_c examples.&amp;nbsp;They need to know the pre-shared LTK (128-bit key) that they will both use, and they need to know the BLE address of the other device.&lt;/p&gt;
&lt;p&gt;BR,&lt;/p&gt;
&lt;p&gt;Edvin&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/379295?ContentTypeID=1</link><pubDate>Fri, 29 Jul 2022 11:20:01 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:bde7957a-ed15-4f29-9cfb-3a281c06f546</guid><dc:creator>Sreejith Sundh</dc:creator><description>&lt;p&gt;Hi Edvin,&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Thanks for your response, I would like to secure my app.&lt;/p&gt;
&lt;p&gt;1. How can I create 128 bit key for my peripheral device ?&lt;/p&gt;
&lt;p&gt;2. How a central device possible to connect with my peripheral device if central device knows this generated 128 bit key? What method or example should I follow here for the better reference?&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Thanks for your valuable time and suggestion.&lt;/p&gt;
&lt;p&gt;with Regards,&lt;/p&gt;
&lt;p&gt;Sreejith&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/373645?ContentTypeID=1</link><pubDate>Wed, 22 Jun 2022 11:26:01 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:dee435bc-52dc-4334-a8cb-f6c408bf2aef</guid><dc:creator>Edvin</dc:creator><description>&lt;p&gt;Hello Sreejith,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Just be aware that this pre-bonding during production falls a bit outside the typical guides and theories.&lt;/p&gt;
[quote user="Sreejith Sundh"]It would be great if you share any useful sources to learn more about BLE security and their code implementation (would be plus if it is from Nordic).[/quote]
&lt;p&gt;From the top of my head, I can&amp;#39;t think of anything in particular, but you can check out this &amp;quot;&lt;a href="https://www.bluetooth.com/bluetooth-resources/le-security-study-guide/"&gt;Bluetooth LE Security Study guide&lt;/a&gt;&amp;quot; from Bluetooth.com.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;What I meant to point out is that once two devices are bonded, it doesn&amp;#39;t really matter how they were bonded. The result of a bonding information is to exchange a common key between two devices. Whether this key is sent over the air (BLE), sent over the air via a temporary encrypted link using either a 6 digit passkey or using LESC (Diffie Hellman), doesn&amp;#39;t matter. The end result is always that the two devices will have a LTK (Long Term Key) and an LTK if any of the devices uses address resolution (not relevant in your case, I think).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Best regards,&lt;/p&gt;
&lt;p&gt;Edvin&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/373593?ContentTypeID=1</link><pubDate>Wed, 22 Jun 2022 07:52:55 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:794a835c-80a7-4f25-9e1f-d8073680851c</guid><dc:creator>Sreejith Sundh</dc:creator><description>[quote userid="26071" url="~/f/nordic-q-a/87375/out-of-band-methods/365303"]If you want to use method 1, then the device needs to know the preshared LTK, which needs to be the same on both devices. This is fine, as you can generate one key for every pair. You also need to know the BLE address of the device you want to bond to. There are two ways of achieving this. Either you can generate addresses that you use for your devices. This way you can generate the LTK and two addresses. Or you can use the preprogrammed address, but in that case, you need to read out the address from flash, and then store it on the other device. That is not difficult, but you need to consider this process for a potential production line.[/quote]
&lt;p&gt;Hi Edvin,&lt;/p&gt;
&lt;p&gt;Do you know any of atricle or any vlogs related to BLE security in detail and how can they implemented especially Nordic? Because I could not understand the concept of security in BLE, also it makes confusing some parameters such as Link Key, 128 bit Secret code etc...&lt;/p&gt;
&lt;p&gt;It would be great if you share any useful sources to learn more about BLE security and their code implementation (would be plus if it is from Nordic).&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Thanks and Regards,&lt;/p&gt;
&lt;p&gt;Sreejith&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/365612?ContentTypeID=1</link><pubDate>Fri, 29 Apr 2022 13:43:52 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:69270414-bf2d-445a-ab38-c73e27949ba6</guid><dc:creator>Edvin</dc:creator><description>[quote user=""]I would like to secure my application using security mode 1 level 3. LE Legacy pairing with OOB key sharing[/quote]
&lt;p&gt;And&lt;/p&gt;
[quote user="Sreejith Sundh"]SEC_PARAM_OOB set to 0 [/quote]
&lt;p&gt;That is true, but these modes and levels only apply to the procedure of generating keys and distributing them. The way that the devices generate a shared secret. If the shared secret is already pre-programmed, then this doesn&amp;#39;t apply.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/365339?ContentTypeID=1</link><pubDate>Thu, 28 Apr 2022 08:42:06 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:53142c62-11a3-48bf-a303-364960820c6f</guid><dc:creator>Sreejith Sundh</dc:creator><description>[quote userid="26071" url="~/f/nordic-q-a/87375/out-of-band-methods/365326#365326"]No, there are no samples doing this. What SDK do you plan to use? The &lt;a href="https://www.nordicsemi.com/Products/Development-software/nRF5-SDK"&gt;nRF5 SDK&lt;/a&gt; or the &lt;a href="https://www.nordicsemi.com/Products/Development-software/nRF-Connect-SDK"&gt;nRF Connect SDK&lt;/a&gt;?[/quote]
&lt;p&gt;I am using nRF5 SDK.&lt;/p&gt;
&lt;p&gt;but in example ble_app_hrs (peripheral), the SEC_PARAM_OOB set to 0 (that means it is not using OOB method). I got your point to monitor the procedure.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Please suggest me some reference documentation if you find regarding the security and implementation (Nordic family)&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Thanks and Regards,&lt;/p&gt;
&lt;p&gt;Sreejith&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/365326?ContentTypeID=1</link><pubDate>Thu, 28 Apr 2022 08:17:24 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:1426e07d-25f2-4b3e-8007-deb767338ed7</guid><dc:creator>Edvin</dc:creator><description>&lt;p&gt;Hello,&lt;/p&gt;
&lt;p&gt;No, there are no samples doing this. What SDK do you plan to use? The &lt;a href="https://www.nordicsemi.com/Products/Development-software/nRF5-SDK"&gt;nRF5 SDK&lt;/a&gt; or the &lt;a href="https://www.nordicsemi.com/Products/Development-software/nRF-Connect-SDK"&gt;nRF Connect SDK&lt;/a&gt;?&lt;/p&gt;
&lt;p&gt;If you use the nRF5 SDK I would suggest that you have a look at the example pair found in:&lt;/p&gt;
&lt;p&gt;nRF5 SDK\examples\ble_peripheral\ble_app_hrs&lt;/p&gt;
&lt;p&gt;nRF5 SDK\examples\ble_central\ble_app_hrs_c&lt;/p&gt;
&lt;p&gt;and monitor what they do when they connect for the first time. How they store the bonding data, and then try to intersect this and store the bonding data without connecting first.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Best regards,&lt;/p&gt;
&lt;p&gt;Edvin&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/365309?ContentTypeID=1</link><pubDate>Thu, 28 Apr 2022 07:32:46 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:0e9d86b3-7c60-4db1-ab8d-8b431e611b04</guid><dc:creator>Sreejith Sundh</dc:creator><description>&lt;p&gt;Hi Edvin,&lt;/p&gt;
&lt;p&gt;Thanks for your response.&lt;/p&gt;
[quote userid="26071" url="~/f/nordic-q-a/87375/out-of-band-methods/365303#365303"]Either, you can hard code bonding information directly into the devices on the factory. That would mean that you have two devices talking Bluetooth LE (BLE) with each other, without ever needing to connect to anything else (e.g. if you loose one of them, you would have to buy a new pair).[/quote]
&lt;p&gt;My application is a peripheral device and required to connect with only one client device. I think this can be one of the good option for me. is there any example to know further about the implementation of this method?&lt;/p&gt;
&lt;p&gt;Where can I find some references for this method. such as implementation, theoretical knowledge....&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Thanks for your time and effort.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;With Regards,&lt;/p&gt;
&lt;p&gt;Sreejith&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Out Of Band Methods</title><link>https://devzone.nordicsemi.com/thread/365303?ContentTypeID=1</link><pubDate>Thu, 28 Apr 2022 07:03:43 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:d65f77ea-cad1-4206-9ab7-75440f0961cc</guid><dc:creator>Edvin</dc:creator><description>&lt;p&gt;Hello,&lt;/p&gt;
&lt;p&gt;By hardcoded data there may be at least two different meanings.&lt;/p&gt;
&lt;p&gt;1) Either, you can hard code bonding information directly into the devices on the factory. That would mean that you have two devices talking Bluetooth LE (BLE) with each other, without ever needing to connect to anything else (e.g. if you loose one of them, you would have to buy a new pair).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;2) The other option is to &amp;quot;pretend&amp;quot; that the devices have IO capabilities, and in the case that the users usually would be asked to enter/read a 6-digit passkey, these are already stored in flash. The first time they are turned on, they will find eachother, connect using the prestored 6 digit key, and then store bonding data (meaning that after this they will no longer use the 6-digit passkey, and they will behave like in 1).&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Note to 1): You wouldn&amp;#39;t typically store the actual bonding data in the application&amp;#39;s .hex file, but you would turn on, see that the module that handles bonding information (peer manager in the nRF5 SDK) doesn&amp;#39;t have any bonding data stored, and then read out the address and long term keys (LTK, the key used in bonding) from somewhere in flash (NRF_UICR-&amp;gt;CUSTOMER[] registers, perhaps), and use the peer manager API (nRF5 SDK, called something else in nRF Connect SDK) and store bonding data that way.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Both of the options are viable. I would say that the first one is more secure* but the last one is probably easier to do.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;* The reason that the first one is more secure is that you are storing the bonding keys and address of the other device directly, so there is basically no way for any 3rd party device to interfere with this. If you use the 6 digit key, it is far easier to set up, but if someone was to try to bruteforce the 6-digit key when the devices turn on for the first time, there is a chance that they will be able to intersect the connection. Also, if they are actually able to crack the key, and you have no way of factory resetting the devices then it will store the wrong bonding data, and they will not be able to connect to the correct device.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;If you want to use method 1, then the device needs to know the preshared LTK, which needs to be the same on both devices. This is fine, as you can generate one key for every pair. You also need to know the BLE address of the device you want to bond to. There are two ways of achieving this. Either you can generate addresses that you use for your devices. This way you can generate the LTK and two addresses. Or you can use the preprogrammed address, but in that case, you need to read out the address from flash, and then store it on the other device. That is not difficult, but you need to consider this process for a potential production line.&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;
&lt;p&gt;Best regards,&lt;/p&gt;
&lt;p&gt;Edvin&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>