Best practices to secure a BLE NRF51 to NRF51 link ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Wed, 07 Oct 2015 14:28:31 GMT

It is on the roadmap, but I can't give you a timeline. One of our Sales Manager may be able to give you more information though. If you send me a PM with your location I can give you the details of the Sales Manager in your area. What do you mean by "Can I active at least AES encryption without key pairing ?" Do you mean bonding with Just Works? I don't think the authentication method matters, it is handling the bonds that is challenging. If you mean pairing (not bonding) you should be able to do it with both central and peripherals no matter what authentication method(Just Works, Passkey Entry, OOB) you use.

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 06 Oct 2015 11:45:33 GMT

You was right sd_ble_gap_sec_params_reply() was called on both sides. I fixed it but it still not work. Is there any roadmap about that ? Can I active at least AES encryption without key pairing ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Mon, 05 Oct 2015 07:31:23 GMT

I took a look at your trace. It seems you bond and then call sd_ble_gap_sec_params_reply()? Also, sd_ble_gap_sec_params_reply() should only be called by the peripheral when it receives BLE_GAP_EVT_SEC_PARAMS_REQUEST. The central should not handle this event.

It can however handle BLE_GAP_EVT_SEC_REQUEST.

However, 0x00000007 means NRF_ERROR_INVALID_PARAM.

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Sat, 03 Oct 2015 07:52:25 GMT

Please can you look at my edit traces.txt

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Sat, 03 Oct 2015 07:48:25 GMT

I have "Security parameter reply request failed, reason 0x00000007" on central side

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Thu, 01 Oct 2015 11:13:15 GMT

Of course 5 minutes is an expression but files are very similar so an expert look can probably merge it quickly. And yes i need both because i do scatternets. Ps : thank you for your help

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Thu, 01 Oct 2015 09:02:18 GMT

I think it will require more than 5 minutes, or else we would have done it already. We are working on S130 Device Manager, but I can't give you a timeline. Do you need bonding in both the peripheral and central role on both devices?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Wed, 30 Sep 2015 13:15:15 GMT

Yes please. It should be useful for S130 users. It's probably easy for you but my knowledge is too limited to do that myself.

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Wed, 30 Sep 2015 13:13:00 GMT

How to merge device_manager_peripheral and device_manager_central?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Wed, 30 Sep 2015 13:10:05 GMT

Hello, I used winmerge to visualise the differences between the 2 files. There is just some significant changes in functions dm_security_setup_req, dm_distributed_keys_get and dm_ble_evt_handler but I'm not sur how to merge it. Could you take 5 minutes to do a quick look on it please ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Wed, 30 Sep 2015 11:06:40 GMT

Now I understand. Maybe I should have done that earlier. Anyways, I recommend getting the examples I provided to work with S110 and S120 first, then port them to S130. Let me know how it goes.

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 29 Sep 2015 15:36:33 GMT

Changing device_manager_central.c to device_manager_peripheral.c make me receive BLE_GAP_EVT_AUTH_KEY_REQUEST on one side. I will look for your last infos asap, thank you.

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Tue, 29 Sep 2015 15:18:38 GMT

Have you found BLE_GAP_EVT_SEC_PARAMS_REQUEST in the code now? If the peripheral application doesn't receive BLE_GAP_EVT_SEC_PARAMS_REQUEST most likely the central hasn't sent a pairing request. The central application triggers a pairing request by calling sd_ble_gap_authenticate(), in the attached ble_app_hrs_c this is done when the BLE_HRS_C_EVT_DISCOVERY_COMPLETE event is received, through dm_security_setup_req()->initiate_security_request()->sd_ble_gap_authenticate().

If the BLE_GAP_EVT_AUTH_KEY_REQUEST event is not received it is most likely because there is something wrong with the IO capabilites.

You can test with the nRF Sniffer.Or you can use the debugger.To test you can put a breakpoint on the BLE_GAP_EVT_SEC_PARAMS_REQUEST in device_manager_peripehral.c If BLE_GAP_EVT_SEC_PARAMS_REQUEST is not received I would check if sd_ble_gap_authenticate() is called on the central side.

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 29 Sep 2015 15:08:17 GMT

Maybe i have a clue, mu project is build with device_manager_central.c but you talk about device_manager_peripheral.c How to merge both because i am peripheral and central (S130) ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 29 Sep 2015 14:37:51 GMT

Any idea of test to do ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 29 Sep 2015 14:26:42 GMT

Done and done as in your code but you dont show how to manage BLE_GAP_EVT_SEC_PARAMS_REQUEST and BLE_GAP_EVT_AUTH_KEY_REQUEST is never fired ???

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Tue, 29 Sep 2015 14:22:27 GMT

//pemy start //#define SEC_PARAM_MITM 0 /< Man In The Middle protection not required. */ #define SEC_PARAM_MITM 1 /< Man In The Middle protection not required. */ //#define SEC_PARAM_IO_CAPABILITIES BLE_GAP_IO_CAPS_NONE /< No I/O capabilities. */ #define SEC_PARAM_IO_CAPABILITIES BLE_GAP_IO_CAPS_KEYBOARD_ONLY /< No I/O capabilities. */ //end

This tells the central that the peripheral requires man in the middle protection and that it only has keyboard as IO capability (even though it doesn't really have a keyboard)

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Tue, 29 Sep 2015 14:22:13 GMT

I took at look at your traces. BLE_GAP_EVT_SEC_PARAMS_REQUEST is handled by the device manager, device_manager_peripheral.c. If you search for BLE_GAP_EVT_SEC_PARAMS_REQUEST in all files in the project you will get three hits. Two in ble_gap.h and one in device_manager_peripheral. When this event is received the device manager will respond with sd_ble_gap_sec_params_reply() with the security parameters that is set in the start of main.c Where I have written pemy:

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 29 Sep 2015 14:04:29 GMT

Can you take a look on my edit attached traces please ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Tue, 29 Sep 2015 13:21:56 GMT

but in the documents that you proposed there is something to do with BLE_GAP_EVT_SEC_PARAMS_REQUEST and in your codes there is not BLE_GAP_EVT_SEC_PARAMS_REQUEST

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Mon, 28 Sep 2015 14:54:40 GMT

BLE_GAP_EVT_SEC_PARAMS_REQUEST is not handled by the SoftDevice, it is handled by the device manager. BLE_GAP_EVT_AUTH_KEY_REQUEST is handled in on_ble_evt() in main.c

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Mon, 28 Sep 2015 12:18:47 GMT

You don t have to manage event in your code because that is implicitly done by softdevice ? 2 times (1 for answer and 1 for response)

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Petter Myhre — Mon, 28 Sep 2015 11:25:22 GMT

They work. Device manager manages the BLE_GAP_EVT_SEC_PARAMS_REQUEST event. What do mean by the passkey should appear twice in each example?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Sat, 26 Sep 2015 14:45:26 GMT

And passkey should appear twice in each exemple but it's not the case. Are you sure that this exemples were tested ?

RE: Best practices to secure a BLE NRF51 to NRF51 link ?

Fabien Comte — Sat, 26 Sep 2015 14:28:21 GMT

I don't understand, do your exemples work ? You are not managing BLE_GAP_EVT_SEC_PARAMS_REQUEST event ???