1st connection is bonded authenticated encrypted link, but 2nd connection becomes not bonded unencrypted link

Hi,

That is odd. I tested now with the ANCS example form SDK 17.0.2 and nRF Connect for desktop BLE, and after bonding the link is automatically encrypted upon reconnection (as expected). Which SDK version are you using, and do you see this with the ANCS example, or only your custom firmware? If only your custom firmware, can you explain the changes you have made? Also, can you explain in detailed steps how you reproduce this?

I am using nRF5 SDK v16.0.0. I am testing my custom firmware. Which example can I reference for bonding the link is automatically encrypted upon reconnection?

snowuyl said:

Do you mean this example?

nRF5_SDK_16\examples\ble_peripheral\ble_app_ancs_c

Yes (though any BLE peripheral example that use bonding should do).

snowuyl said:

Beside I can't see disconnect button on nRF Connect, which method do you suggest to disconnect from nRF Connect?

Click on the gears icon on the device, and then select disconnect:

I test ble_app_ancs_c example. But nRF Connect shows "Not bonded, Unencrypted link". But what I need to do is  encrypted link.

ble_app_ancs_c.rar

It does not bond automatically with nRF Connect by default. First connect, like you did and then:

1. Click the gears icon on the device
2. Click "Pair..."
3. Check the "Bonding" checkbox
4. Click the "Pair" button

Now the devices are bonded.

If you now disconnect and reconnect again the link will be automatically encrypted as the devices was bonded from before.

(You can also change the nRF Connect configuration by clicking the gears icon on the device close to the right, which is the one used for connectivity. There select "Security parameters..." and check the "Perform bonding" box. This is used by default if the peripheral request security, which is the case here, and then bonding will be automatic".)

Both of the above procedures works with any Bluetooth LE device that supports bonding, like for instance the ANCS example in the SDK. However, if you look at the log from nRF while pairing/bonding you get a timeout, and that is because of your main loop where you wait for RTT etc, so your idle state handler with the here important app_sched_execute() does not run. So I fixed it simply by removing everything in your main loop except for the call to idle_state_handle().

In a nutshell, the root cause of the issue you are seeing is that you block in your main loop, preventing the app scheduler from running.

It does not bond automatically with nRF Connect by default. First connect, like you did and then:

1. Click the gears icon on the device
2. Click "Pair..."
3. Check the "Bonding" checkbox
4. Click the "Pair" button

Now the devices are bonded.

If you now disconnect and reconnect again the link will be automatically encrypted as the devices was bonded from before.

(You can also change the nRF Connect configuration by clicking the gears icon on the device close to the right, which is the one used for connectivity. There select "Security parameters..." and check the "Perform bonding" box. This is used by default if the peripheral request security, which is the case here, and then bonding will be automatic".)

Both of the above procedures works with any Bluetooth LE device that supports bonding, like for instance the ANCS example in the SDK. However, if you look at the log from nRF while pairing/bonding you get a timeout, and that is because of your main loop where you wait for RTT etc, so your idle state handler with the here important app_sched_execute() does not run. So I fixed it simply by removing everything in your main loop except for the call to idle_state_handle().

In a nutshell, the root cause of the issue you are seeing is that you block in your main loop, preventing the app scheduler from running.

Thanks for your reply! I have another question that is how can I modify nRF52832 firmware to reject unencrypted link connecting?

Hi,

It depends a bit on what you mean. Do you want to only allow already bonded peers to connect? If so, advertising with whitelisting is what you want, and in that case you add the bonded peer(s) to the whitelist, an ignore connections from any non-whitelisted device. This is commonly done, and you can see an example of this in the ANCS example that you are using (search for "whitelist").

If you on the other hand want to allow any device to connect, but disconnect if the link is not encrypted there is no standard way to do this. You could achieve it by for instance starting a timer when you get the BLE_GAP_EVT_CONNECTED event, and stop the timer if you get the PM_EVT_CONN_SEC_SUCCEEDED event. If not, and the timer runs out, disconnect.

In any case though, you can configure security restrictions on each characteristic to prevent a peer from accessing them without having the right level of security (for instance minimum just works legacy pairing, or minimum LESC with authentication), etc.

I am using nRF Connect v3.0.1. And I check "Enable LE Secure Connection" and "Performing bonding". And then I click But when I click "Pair ...". But nRF Connect doesn't show window for me to enter paskey and still shows "Not bonded, Unencrypted link". Do I need to check other options? 

The following is log messages of nRF52832 device with ble_app_ancs_c example.

00> BLE_ADV_EVT_WHITELIST_REQUEST
00> BLE_ADV_EVT_FAST
00> Hello World!..

Did you initiate pairing here? I do not see that from the log? And did you do the fixes to your firmware that I described in my previous post, ensuring that your main loop is not blocked? With that this should work and does on my end.