Using QN908x controller would like to limit the usage of BLE Application with a Central device whose BLE version is 4.2 or higher. As I read the BLE connection starts with the Security Mode 1 and Level 1, all the BLE stacks are backward compatible so would like to others input on this.
Hello.
I'm trying to setup the application for the peripheral device to use a mode 1 level 2 LE secure connection.
As a central device, I'm using the Nordic dongle and nRF Connect.
I can connect, pair, and bond (nRF Connect says: Security updated, mode:1, level:2 and Storing bond info for device xx:xx:xx:xx:xx:xx).
Then I send a command to disconnect.
After disconnect occurs I'm trying to connect again, but can't.
After deleting the bonding data in the central device, central can connect.
If I'm not mistaken when LE secure is used the BLE stack responsible for storing the SMP keys.
But it is not clear to me, how and where (at which event) these keys should be used.
A screenshot of the nRF Connect log is attached.
Sorry am not fully following here, kindly bare with me.
Can you please tell me what pairing options I need to select in order to support pairing for only BLE stacke version 4.2 and above. This is purely with respect to QN908x controller -
as per my understanding it is :
gSecurityMode_1_Level_4_c
.leSecureConnectionSupported = TRUE,
Does QN908x controller support unauthenticated pairing in gSecurityMode_1_Level_4_c ?
Regards,
kishan
Hi Kishan,
Please enable the define in the app_preinclude.h
/*! Enable/disable use of bonding capability */
#define gAppUseBonding_d 1
/*! Enable/disable use of pairing procedure */
#define gAppUsePairing_d 1
Does the QN908x controller support unauthenticated pairing in gSecurityMode_1_Level_4_c?
The unauthenticated is not supported if you have the IO Capabilities as just works.
.localIoCapabilities = gIoNone_c
It depends on the capabilities that the device has.
Regards,
Mario
Thanks for the update Mario.
As you said in the above thread Unauthenticated pairing is not supported if you have the IO Capabilities as the Just works, so in this configuration can we have the LE Secure Connection ?
Regards,
kishan
Hi Kishan,
As you said in the above thread Unauthenticated pairing is not supported if you have the IO Capabilities as the Just works, so in this configuration can we have the LE Secure Connection?
Yes, you will have the LE Secure Connections without the protection to the MITM.
Regards,
Mario
Thanks a lot Mario.
Just to be clear on the SMP Data configuration :
/* SMP Data */
gapPairingParameters_t gPairingParameters = {
.withBonding = (bool_t)gAppUseBonding_d,
.securityModeAndLevel = gSecurityMode_1_Level_2_c,
.maxEncryptionKeySize = mcEncryptionKeySize_c,
.localIoCapabilities = gIoNone_c, //gIoDisplayOnly_c,
.oobAvailable = FALSE,
.centralKeys = gIrk_c,
.peripheralKeys = (gapSmpKeyFlags_t) (gLtk_c|gIrk_c),
.leSecureConnectionSupported = TRUE, //FALSE,
.useKeypressNotifications = FALSE,
};
Here configuring the
.leSecureConnectionSupported = TRUE
to TRUE means only LE Secure connection is allowed or does it support modes - which is legacy and LE Secure connection ?
Hi Kishan,
That is the set up that you have to do. Also, you have to enable the paining and bonding feature.
Remember that the security services must be
gSecurityMode_1_Level_2_c
The Secure connection is the feature for the BLE 4.2, but if the other device should have to support this feature, otherwise the process will be with the security that supports the other device.
Regards,
Mario
Hi Mario,
If we configure our peripheral device with
gSecurityMode_1_Level_2_c
.leSecureConnectionSupported = TRUE,
will it limit the pairing to BLE 4.2 and higher BLE stack version?
Hi Kishan
There are no limitations with the pairing limitation, but the connection won't have any protection with the MITM, because you can not authenticate without capabilities. For the high versions will be the same.
Please look at the BLE Specification
C.2.2.2.1 Successful Numeric Comparison (or Just Works)
Regards,
Mario
Thank you Mario.
To summarize my understanding : We can limit pairing to devices with BLE 4.2 or above by checking the authentication method used by the Central Devices. If the Authentication does not take place using LE Secure then the device can reject the pairing process. QN908x supports LE Secure connection only in "gSecurityMode_1_Level_4_c" where pairing needs to be authenticated which means the device needs to have IO Capability.
Hi Kishan,
The limitation will depend on the IO Capabilities from both devices.
If the Authentication doesn't take place the connection could be established but you won't be protected to the MITM.
QN908x supports LE Secure connection only in "gSecurityMode_1_Level_4_c" where pairing needs to be authenticated which means the device needs to have IO Capability.
No, the QN9080 supports secure connections,
.leSecureConnectionSupported = TRUE,
The device doesn't need to have IO capabilities, the pairing process could be executed without the MITM Security.
Regards,
Mario
Hi Kishan,
I am not sure if I am following your question.
As I read the BLE connection starts with the Security Mode 1 and Level 1
This will depend on how you are setting the security in your device.
Remember if one of the BLE devices supports a previous version, the security will be related to the old version. In other words, if you connect 1 device with 4.0 with a device with 4.2, the device will adapt to the features of the 4.0.
Regards,
Mario
Hello Mario,
we have a peripheral device designed using QN908x, this device does not has any IO capabilities. Is it possible to restrict this device to get connected (paired and bonded) only with central device supports BLE 4.2 or above.
Regards ,
kishan
Hi Kishan,
It is possible, the QN9080 supports the 5 and it could pair and bond with the devices with the limitations fo this release.
Please look at the https://community.nxp.com/thread/332191 for better information for the Security on BLE.
Regards,
Mario
Thank you Mario, this link provides clear view on the security configuration.
And as per this document we wont be able to have BLE secure connection feature (security mode 4). Encryption with LE Secure Connections pairing is the only version supported in QN908x, since our product does not have any IO capability we will not be able to config our product to support only 4.2 or above.
Hi Kishan,
It is possible. but the connections won't have MITM protection, it is unauthenticated
When IO capabilities is set to gIoNone_c, the key generation method is Just Works Unauthenticated. Please see below describe in spec.
The gSecurityMode_1_Level_4_c means Authenticated LE Secure Connections pairing with encryption, Authentication provides against MITM attacks.
Therefore, to have LE Secure Connections pairing in Just Works, you need to set securityModeAndLevel = gSecurityMode_1_Level_2_c to have unauthenticated pairing with encryption and set leSecureConnectionSupported = TRUE.
Please let me know if you have any further questions.
For example, it should be like this.
/* SMP Data */
gapPairingParameters_t gPairingParameters = {
.withBonding = (bool_t)gAppUseBonding_d,
.securityModeAndLevel = gSecurityMode_1_Level_2_c,
.maxEncryptionKeySize = mcEncryptionKeySize_c,
.localIoCapabilities = gIoNone_c, //gIoDisplayOnly_c,
.oobAvailable = FALSE,
.centralKeys = gIrk_c,
.peripheralKeys = (gapSmpKeyFlags_t) (gLtk_c|gIrk_c),
.leSecureConnectionSupported = TRUE, //FALSE,
.useKeypressNotifications = FALSE,
};
static const gapServiceSecurityRequirements_t serviceSecurity[] = {
{
.requirements = {
.securityModeLevel = gSecurityMode_1_Level_2_c,
.authorization = FALSE,
.minimumEncryptionKeySize = gDefaultEncryptionKeySize_d
},
.
.
.
.
.
Regards,
Mario