Implementing BLE security for the application

Hello,

Does your application already include the Peer Manager module? In that case, it should be sufficient to increase the required security level of your Bluetooth characteristics. The peer manager will handle the pairing/bonding procedure initiated by the central device.

The passkey, which is an optional security mechanism in BLE, is used to enable man-in-the-middle (MITM) protection during the bonding procedure where the 128-bit encryption key gets exchanged. It does affect how the encryption key is generated.

Best regards,

Vidar

Hi Vidar,

Thank you for your response and time. Yes my application included the Peer Manager.

Vidar Berg said:

The passkey, which is an optional security mechanism in BLE, is used to enable man-in-the-middle (MITM) protection during the bonding procedure where the 128-bit encryption key gets exchanged. It does affect how the encryption key is generated.

Ok. I have to implement the MITM protection then. I have to make a sensor product (BLE Peripheral) which has a constant 128 bit key, which can be used by the central device in order to pair with my device. Is it possible? 

If possible, how can I generate the 128 bit keys for my peripheral device? I do not want to generate 6 digit pass key, instead I have to use 128 bit pass key (as TK or LTK).

BR,

Sreejith

The key exchange you outline here is not supported by the pairing procedures defined by the Bluetooth specification, so this could only work if you were developing an accompanying BLE central that would allow the user to inject this pre-shared key. An app running on Android or iOS will not be able to do this.

Hi Vidar, 

Thanks for the response. Is there any example/ SDK Example for any type of security implementation (Not with 6 digit passkey, Glucose example) with TK, STK ?

Thanks and Regards,

Sreejith

Yes, the TK and STK keys are used for Legacy Pairing and is supported by all BLE examples that include the Peer manager module.

Thanks Vidar,

Here is my main question, can I generate TK (128 bit) as constant key for my sensor peripheral device while manufacturing, and cental device can  use these 128 bit key for the connection?

Is there any example in this direction?

Thank for your help!

with Regards,

Sreejith

Actually, if you use legacy pairing with oob, the 128-bit oob key will be used as TK. As long as the attacker can't retrieve the key, your pairings will be secure.

Actually, if you use legacy pairing with oob, the 128-bit oob key will be used as TK. As long as the attacker can't retrieve the key, your pairings will be secure.

Hi Emil,

This is exactly I am looking for and I would like to ask you some doubts because I am completely new in BLE.

1. How can I generate 128 bit key for my peripheral device (TK)

2. Implementation of this Legacy Pairing with TK, how can implement? Is there any example to refer or any Vlogs from Nordic to implement this type of security. It helps me to refer for more information.

Thanks Emil.

with Regards,

Sreejith

Thanks for the clarification, Emil. I thought the idea was to exchange a pre-defined LTK out-of-band and my security concern was related to the key management of said key.

Sreejith, will the end user have a central device which can support this OOB input? If it doesn't, then an alternative may be to look at adding an additional layer of security in your application as discussed in this blog post:  Intro to Application-level Security Using the ECB Peripheral

Thanks Vidar,

Vidar Berg said:

Sreejith, will the end user have a central device which can support this OOB input? If it doesn't, then an alternative may be to look at adding an additional layer of security in your application as discussed in this blog post:  Intro to Application-level Security Using the ECB Peripheral

We were planning to share the key in different manner and the central device get this key finally (But not yet planned) of course central device will get those key. Thanks for sharing the reference website.

I am trying to implement BLE security on the peripheral side as Emil mentioned. Is there any documentation, vlogs or any example in oredr to impment this so that I can refere it.

Thanks Vidar for the support,

with Regards,

Sreejith

Hi Sreejith,

Implementing this pairing method on the nRF side should be fairly straight forward. Emil already described the required steps for this in his other reply. The question is if you will be able to do the same on the central side. As I have indicated earlier, the Bluetooth framework in Android and iOS does expose this level of control to the app.

There are some Android phones which support OOB pairing, but that is through NFC. I do not know of any other OOB channels that are supported.