Out Of Band Methods

Hi,

I would like to secure my application using security mode 1 level 3, LE Legacy pairing with OOB key sharing (both the master and slave devices do not have I/O capabilities). What are the possible OOB methods which I can follow here? Can only NFC be used here? What are the OOB methods other than NFC? I have heard about hardcoded data; what is meant by hardcoded data from the factory? Is there any example or reference to learn more about this?

I am really looking forward to your recommendation on what I can follow here to secure my application.

Thanks and Regards,

Sreejith

  • If you want to use method 1, then the device needs to know the preshared LTK, which needs to be the same on both devices. This is fine, as you can generate one key for every pair. You also need to know the BLE address of the device you want to bond to. There are two ways of achieving this. Either you can generate addresses that you use for your devices. This way you can generate the LTK and two addresses. Or you can use the preprogrammed address, but in that case, you need to read out the address from flash, and then store it on the other device. That is not difficult, but you need to consider this process for a potential production line.

    Hi Edvin,

    Do you know of any article or vlogs related to BLE security in detail and how it can be implemented, especially on Nordic? I could not understand the concept of security in BLE, and some parameters such as Link Key, 128 bit Secret code etc. are confusing.

    It would be great if you could share any useful sources to learn more about BLE security and their code implementation (it would be a plus if it is from Nordic).

    Thanks and Regards,

    Sreejith

  • Hello Sreejith, 

    Just be aware that this pre-bonding during production falls a bit outside the typical guides and theories.

    Sreejith Sundh said:
    It would be great if you could share any useful sources to learn more about BLE security and their code implementation (it would be a plus if it is from Nordic).

    Off the top of my head, I can't think of anything in particular, but you can check out this "Bluetooth LE Security Study guide" from Bluetooth.com.

    What I meant to point out is that once two devices are bonded, it doesn't really matter how they were bonded. The result of bonding is to exchange a common key between two devices. Whether this key is sent over the air (BLE), sent over the air via a temporary encrypted link using either a 6 digit passkey or using LESC (Diffie Hellman), doesn't matter. The end result is always that the two devices will have an LTK (Long Term Key) and an LTK if any of the devices uses address resolution (not relevant in your case, I think).

    Best regards,

    Edvin

  • Hi Edvin,

    Thanks for your response, I would like to secure my app.

    1. How can I create a 128 bit key for my peripheral device?

    2. How is it possible for a central device to connect with my peripheral device if the central device knows this generated 128 bit key? What method or example should I follow here for better reference?

    Thanks for your valuable time and suggestion.

    with Regards,

    Sreejith

  • Hello Sreejith,

    1: Looking at the rest of this discussion, how do you plan to exchange the keys? Did you consider any of the things we discussed in my previous replies? If you plan to pre-program these 128 bit keys, you can generate the 128 bit key however you want (on a computer).

    2: If you plan to create and store bonding information before programming the devices (and not to let them pair and bond over the air directly after programming), then you need to look at how the devices typically do this. As I said before, look at the ble_app_hrs and ble_app_hrs_c examples. They need to know the pre-shared LTK (128-bit key) that they will both use, and they need to know the BLE address of the other device.

    BR,

    Edvin
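
The pre-programmed provisioning described in the replies above (one LTK per pair, plus the address of the other device), as an added example that is not part of the original thread and not Nordic SDK code: a host-side script that generates the values with a CSPRNG. All function and field names are hypothetical, and it assumes the generated addresses are BLE static random addresses; writing the values into each device's bond storage is not shown.

```python
import secrets

RANDOM_MASK = (1 << 46) - 1  # low 46 bits of a static random address

def is_static_random(addr: bytes) -> bool:
    """Check the static random address rules (address given MSB first)."""
    if len(addr) != 6 or addr[0] & 0xC0 != 0xC0:  # top two bits must be 0b11
        return False
    part = int.from_bytes(addr, "big") & RANDOM_MASK
    return part not in (0, RANDOM_MASK)  # random part not all 0s or all 1s

def static_random_address() -> bytes:
    """Draw a valid static random address from the OS CSPRNG."""
    while True:
        raw = bytearray(secrets.token_bytes(6))
        raw[0] |= 0xC0
        if is_static_random(bytes(raw)):
            return bytes(raw)

def make_pair(used: set) -> dict:
    """One record per central/peripheral pair: shared LTK and two addresses."""
    addrs = []
    while len(addrs) < 2:
        a = static_random_address()
        if a not in used:  # never hand out the same address twice in a batch
            used.add(a)
            addrs.append(a)
    # 128-bit LTK from the CSPRNG, never derived from serial numbers or time
    return {"ltk": secrets.token_bytes(16), "central": addrs[0], "peripheral": addrs[1]}

def device_images(pair: dict) -> dict:
    """What each device must hold: its own address, the peer's, and the LTK."""
    c, p, k = pair["central"], pair["peripheral"], pair["ltk"]
    return {
        "central": {"own_addr": c, "peer_addr": p, "ltk": k},
        "peripheral": {"own_addr": p, "peer_addr": c, "ltk": k},
    }

def make_batch(n: int) -> list:
    used = set()
    return [make_pair(used) for _ in range(n)]

def fmt(addr: bytes) -> str:
    return ":".join(f"{b:02X}" for b in addr)

if __name__ == "__main__":
    for pair in make_batch(2):  # values are freshly generated on every run
        img = device_images(pair)
        print(fmt(img["central"]["own_addr"]), "<->", fmt(img["peripheral"]["own_addr"]),
              "LTK", pair["ltk"].hex())
```

The output holds every pair's LTK in the clear, so the production-line file needs the same protection as the keys themselves.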
