• State Not Answered
  • Replies 21 replies
  • Subscribers 77 subscribers
  • Views 4629 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 293123
Options
Beware that this post is related to an SDK in maintenance mode
More Info: Consider nRF Connect SDK for new designs

Implementing BLE security for the application

Sreejith Sundh

Greetings to Nordic team!

I would like to provide BLE security for my application (to my BLE Peripheral device). I am planning to apply the following features such as

1. Generate a 128 bit key for my BLE Peripheral and share this via a secure channel (not important here) to central device. (As I can use here the passkey or 6 digit pin but inorder to improve the security I would suggeste to use 128 bit key)

2. Central device initiates pairing, encrypt and distribute the key.

Is it possible to implement this security type? If so how can I generate a 128 bit key key for my peripheral device? and is it possible for a central device to implement pairing by reading this 128 bit value ? I am really not good in BLE and BLE Security...looking forward to hearing from you.

Thanks and Regards,

Sreejith

Parents
  • 0

    Hello,

    Does your application already include the Peer Manager module? In that case, it should be sufficient to increase the required security level of your Bluetooth characteristics. The peer manager will handle the pairing/bonding procedure initiated by the central device.

    The passkey, which is an optional security mechanism in BLE, is used to enable man-in-the-middle (MITM) protection during the bonding procedure where the 128-bit encryption key gets exchanged. It does affect how the encryption key is generated.

    Best regards,

    Vidar

  • 0 in reply to Vidar Berg

    Hi Vidar,

    Thank you for your response and time. Yes my application included the Peer Manager.

    Vidar Berg said:
    The passkey, which is an optional security mechanism in BLE, is used to enable man-in-the-middle (MITM) protection during the bonding procedure where the 128-bit encryption key gets exchanged. It does affect how the encryption key is generated.

    Ok. I have to implement the MITM protection then. I have to make a sensor product (BLE Peripheral) which has a constant 128 bit key, which can be used by the central device in order to pair with my device. Is it possible? 

    If possible, how can I generate the 128 bit keys for my peripheral device? I do not want to generate 6 digit pass key, instead I have to use 128 bit pass key (as TK or LTK).

    BR,

    Sreejith

  • 0 in reply to Sreejith Sundh

    Hi Sreejith,

    There is no connection between the passkey and LTK. The passkey is only to provide MITM protection and generated randomly by the Bluetooth stack. You may try the Glucose Application to see how pairing with MITM protection works in practice (note: your device must have some kind of display capabilities to show the passkey to the user).

  • 0 in reply to Vidar Berg

    Thanks Vidar for the response. 

    So my attempt is to make 128 Bit key which is constant for a BLE Peripheral device and this can be used by the Central device (sharing the key to the central device through a secured document) in order to connect with the peripheral device (MITM protection). Is this attempt is possible?  If so how can I make a fixed constant 128 bit key for my peripheral device and how to implemenmt this type of security...

    Thanks and Regards,

    Sreejith

  • 0 in reply to Sreejith Sundh

    It's technically possible if you control the implementation on both sides, but there is no standard way to exchange a fixed LTK between the devices, and not really something I would recommend. Can  you say something the motivation for having of having a constant key in this case? It doesn't sound very secure..

  • 0 in reply to Vidar Berg

    I would like to develop a peripheral BLE sensor, so once the product ready I would like to give it to the client with a 128 bit key as security so the client can connect (MITM) with my device using this key. A kind of secret shared key. From this key the client can connect to my device. Is this meaningful?

    Thanks

Reply Children
Related
Terms of service