Hi,
I'm working on a legacy program (Peripheral) using nRF52833 and nRF5 SDK using SoftDevice S113.
Looking at the Peer Manager module, it seems peer_manager_handler.c is requesting the link to be encrypted immediately on connection (or after a delay, tunable with PM_HANDLER_SEC_DELAY_MS) when connected to a previously-bonded Host (bonding data is present in FDS).
It does so by calling conn_secure() on both:
- Connection establishment events:
pm_handler_secure_on_connection()andpm_handler_on_pm_evt() - Any GATT/ATT error due to insufficient auth level:
pm_handler_secure_on_error()
The SDK doesn't seem to have a way to disable this behavior and keep the link unencrypted for as long as the Central desires.
I have a couple of questions below:
- What's driving the requirement of needing to secure the link upon connection (either immediately or after a delay)? Is it specified in the BT Core Spec? If so, what's the max delay after connection, that can be configured before requiring encryption?
- What's the need for requesting encryption unconditionally on connection? My understanding is that if any GATT access requiring higher security is performed, then at that point the security/encryption would be triggered by SoftDevice automatically (for example if Central reads/write Characteristics with level higher than
SEC_OPEN)
- What's the need for requesting encryption unconditionally on connection? My understanding is that if any GATT access requiring higher security is performed, then at that point the security/encryption would be triggered by SoftDevice automatically (for example if Central reads/write Characteristics with level higher than
- What are the security implications and your recommendation about potentially removing the calls to
conn_secure()Connection establishment events (to leave control of when to start encryption to the Central), but keeping it (without any delay) in the ATT auth error handler ? This way if an operation requiring Auth is performed, encryption will still be triggered immediately.
The reason I'm asking is because this behavior interferes with our bonding procedure (which involves some back/forth on non-secured Characteristics with encryption done at the App layer, before triggering BLE bonding/auth).
This only applies to the case where the Peripheral is "Forgotten" in the Central Host's Bluetooth Settings UI, but not on the Peripheral side; so Peripheral thinks the Central is already bonded, while Host does not consider Peripheral a bonded device.
Thanks,
Marco
