Beware that this post is related to an SDK in maintenance mode
More Info: Consider nRF Connect SDK for new designs

Implementing BLE security for the application

Greetings to Nordic team!

I would like to provide BLE security for my application (to my BLE Peripheral device). I am planning to apply the following features such as

1. Generate a 128 bit key for my BLE Peripheral and share this via a secure channel (not important here) to central device. (As I can use here the passkey or 6 digit pin but inorder to improve the security I would suggeste to use 128 bit key)

2. Central device initiates pairing, encrypt and distribute the key.

Is it possible to implement this security type? If so how can I generate a 128 bit key key for my peripheral device? and is it possible for a central device to implement pairing by reading this 128 bit value ? I am really not good in BLE and BLE Security...looking forward to hearing from you.

Thanks and Regards,

Sreejith

Top Replies

Emil Lenngren over 2 years ago +1

Assuming you have control over both devices, it seems pairing with OOB (out-of-band) could be the perfect fit here. That is part of the BLE standard and can be used to get better security than the 6 digit…

Parents

0 Vidar Berg over 2 years ago

Hello,

Does your application already include the Peer Manager module? In that case, it should be sufficient to increase the required security level of your Bluetooth characteristics. The peer manager will handle the pairing/bonding procedure initiated by the central device.

The passkey, which is an optional security mechanism in BLE, is used to enable man-in-the-middle (MITM) protection during the bonding procedure where the 128-bit encryption key gets exchanged. It does affect how the encryption key is generated.

Best regards,

Vidar
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sreejith Sundh over 2 years ago in reply to Vidar Berg

Hi Vidar,

Thank you for your response and time. Yes my application included the Peer Manager.

Vidar Berg said:
The passkey, which is an optional security mechanism in BLE, is used to enable man-in-the-middle (MITM) protection during the bonding procedure where the 128-bit encryption key gets exchanged. It does affect how the encryption key is generated.

Ok. I have to implement the MITM protection then. I have to make a sensor product (BLE Peripheral) which has a constant 128 bit key, which can be used by the central device in order to pair with my device. Is it possible?

If possible, how can I generate the 128 bit keys for my peripheral device? I do not want to generate 6 digit pass key, instead I have to use 128 bit pass key (as TK or LTK).

BR,

Sreejith
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vidar Berg over 2 years ago in reply to Sreejith Sundh

Yes, the TK and STK keys are used for Legacy Pairing and is supported by all BLE examples that include the Peer manager module.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sreejith Sundh over 2 years ago in reply to Vidar Berg

Thanks Vidar,

Here is my main question, can I generate TK (128 bit) as constant key for my sensor peripheral device while manufacturing, and cental device can use these 128 bit key for the connection?

Is there any example in this direction?

Thank for your help!

with Regards,

Sreejith
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Emil Lenngren over 2 years ago in reply to Sreejith Sundh

Actually, if you use legacy pairing with oob, the 128-bit oob key will be used as TK. As long as the attacker can't retrieve the key, your pairings will be secure.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sreejith Sundh over 2 years ago in reply to Emil Lenngren

Hi Emil,

This is exactly I am looking for and I would like to ask you some doubts because I am completely new in BLE.

1. How can I generate 128 bit key for my peripheral device (TK)

2. Implementation of this Legacy Pairing with TK, how can implement? Is there any example to refer or any Vlogs from Nordic to implement this type of security. It helps me to refer for more information.

Thanks Emil.

with Regards,

Sreejith
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vidar Berg over 2 years ago in reply to Sreejith Sundh

Thanks for the clarification, Emil. I thought the idea was to exchange a pre-defined LTK out-of-band and my security concern was related to the key management of said key.

Sreejith, will the end user have a central device which can support this OOB input? If it doesn't, then an alternative may be to look at adding an additional layer of security in your application as discussed in this blog post: Intro to Application-level Security Using the ECB Peripheral
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Vidar Berg over 2 years ago in reply to Sreejith Sundh

Thanks for the clarification, Emil. I thought the idea was to exchange a pre-defined LTK out-of-band and my security concern was related to the key management of said key.

Sreejith, will the end user have a central device which can support this OOB input? If it doesn't, then an alternative may be to look at adding an additional layer of security in your application as discussed in this blog post: Intro to Application-level Security Using the ECB Peripheral
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Sreejith Sundh over 2 years ago in reply to Vidar Berg

Thanks Vidar,

Vidar Berg said:
Sreejith, will the end user have a central device which can support this OOB input? If it doesn't, then an alternative may be to look at adding an additional layer of security in your application as discussed in this blog post: Intro to Application-level Security Using the ECB Peripheral

We were planning to share the key in different manner and the central device get this key finally (But not yet planned) of course central device will get those key. Thanks for sharing the reference website.

I am trying to implement BLE security on the peripheral side as Emil mentioned. Is there any documentation, vlogs or any example in oredr to impment this so that I can refere it.

Thanks Vidar for the support,

with Regards,

Sreejith
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vidar Berg over 2 years ago in reply to Sreejith Sundh

Hi Sreejith,

Implementing this pairing method on the nRF side should be fairly straight forward. Emil already described the required steps for this in his other reply. The question is if you will be able to do the same on the central side. As I have indicated earlier, the Bluetooth framework in Android and iOS does expose this level of control to the app.

There are some Android phones which support OOB pairing, but that is through NFC. I do not know of any other OOB channels that are supported.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel