• State Verified Answer
  • Replies 6 replies
  • Subscribers 61 subscribers
  • Views 6613 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 121604
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Add security to service Characteristic

Renix

In the BLE Characteristics, a beginner's tutorial

Martin mentions: Since this is a beginners tutorial we will keep it simple and leave the doors wide open. No security, encryption, or passkey needed.

Is there an example to add security? I have a server, no IO, so it has to be Just Works bonding. I tried using BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() as suggested, but then the advertising stops

I use SDK13, so perhaps there is something else I need to do.

Any help appreciated

  • 0

    Can you debug the application and see if you end up in the app_error_handler? If so, take a look at the call stack and see which function that caused the error and which error code it returned.

  • 0

    Bjørn

    code execution does not reach app_error_handler.

    With both char_md.char_props.read = 1; and char_md.char_props.write = 1;

    // OUR_JOB: Step 3.A, Configuring Client Characteristic Configuration Descriptor metadata and add to char_md structure ble_gatts_attr_md_t cccd_md; memset(&cccd_md, 0, sizeof(cccd_md)); //GvR BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.read_perm); BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.write_perm);

    //BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
//BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.write_perm);
cccd_md.vloc                = BLE_GATTS_VLOC_STACK;    
char_md.p_cccd_md           = &cccd_md;
char_md.char_props.notify   = 1;

    I see the following on the UART output:

    :ERROR:Fatal
SDH:WARNING:RAM start should be adjusted to 0x20001ff0.
SDH:WARNING:RAM size should be adjusted to 0xe010.

    In IAR I have

    define symbol __ICFEDIT_intvec_start__ = 0x1f000;
/*-Memory Regions-*/
define symbol __ICFEDIT_region_ROM_start__ = 0x1f000;
define symbol __ICFEDIT_region_ROM_end__   = 0x7ffff;
define symbol __ICFEDIT_region_RAM_start__ = 0x20002fff;
define symbol __ICFEDIT_region_RAM_end__   = 0x2000ffff;
export symbol __ICFEDIT_region_RAM_start__;
export symbol __ICFEDIT_region_RAM_end__;
/*-Sizes-*/
define symbol __ICFEDIT_size_cstack__ = 0x800;
define symbol __ICFEDIT_size_heap__   = 0x200;
/**** End of ICF editor section. ###ICF###*/

    I guess there is no point in trying to use BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() if I am not using //char_md.char_props.read = 1; or //char_md.char_props.write = 1;

    Since it is the CCCD Notify property being displayed, I assume the MITH bonding is only for the read and write.

  • 0

    Could you post your IROM and IRAM settings for the application in Keil?

    No, if the characteristic does not have the read or write properties then setting BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM() will not have any effect as this will never be enforced since there is nothing to write to or read from.

  • 0

    Bjørn I believe I actually have the security working for the read / write property of the Characteristic, but still have trouble with the Notification side. Perhaps I do not understand it, or something else is wrong.

    Note: I added read/write properties back to the characteristics.

    I set the security level for the read / write:

    BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&attr_md.read_perm);
BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&attr_md.write_perm);

    Test: I cannot read or write to the Characteristic using iPhone. In MCP [10:23:42.3] Received Error Response: INSUFFICIENT_AUTHENTICATION, handle: 0x0020

    Once the iPhone is paired, I can read and write to the Characteristic. In MCP, If I hit Bond, I can also read / write. All seems GOOD then.

    What was confusing is if I tell iPhone to Forget the device, it does not ask to pair again. MCP still works as expected, just need to hit Delete bond info

    Question 1)

    Can the Notify property also have this security setting?

    1. This is how the Notify security is set? (I have it commented out for now)

      ble_gatts_attr_md_t cccd_md; memset(&cccd_md, 0, sizeof(cccd_md)); //GvR //BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.read_perm); //BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.write_perm);

      BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm); BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.write_perm); cccd_md.vloc = BLE_GATTS_VLOC_STACK;
      char_md.p_cccd_md = &cccd_md; char_md.char_props.notify = 1;

    As soon as I change to ENC_NO_MITM I get the ERROR Fatal output from the UART, and advertising stops.

    Any help appreciated.

  • 0

    **Q1:**Yes, you should be able configure the CCCD so that you must have an encrypted link, i.e. be paired or bonded in order to write to the CCCD to enable notifications.

    **Q2:**I did some testing with the ble_app_hrs example and I found that if I set the CCCD read permission to open and the write permissions to encrypted with no MITM protection, i.e.

    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&cccd_md.read_perm);
BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM(&cccd_md.write_perm);

    then it should work fine. So it looks like you cannot set the security level of the read permission of a CCCD, which I assume it stted in the BLE spec.

Related