Is it possible to support pairing and bonding only with v4.2 or higher

kishansaralaya
Contributor III

Using the QN908x controller, I would like to limit the usage of the BLE application with a Central device whose BLE version is 4.2 or higher. As I read, the BLE connection starts with Security Mode 1 and Level 1, and all the BLE stacks are backward compatible, so I would like others' input on this.

16 Replies

_Roman_
Contributor II

Hello.
I'm trying to set up the application for the peripheral device to use a mode 1 level 2 LE secure connection.
As a central device, I'm using the Nordic dongle and nRF Connect.
I can connect, pair, and bond (nRF Connect says: Security updated, mode:1, level:2 and Storing bond info for device xx:xx:xx:xx:xx:xx).
Then I send a command to disconnect.
After the disconnect occurs I'm trying to connect again, but can't.
After deleting the bonding data in the central device, the central can connect.
If I'm not mistaken, when LE secure is used the BLE stack is responsible for storing the SMP keys.
But it is not clear to me how and where (at which event) these keys should be used.
A screenshot of the nRF Connect log is attached.

kishansaralaya
Contributor III

Sorry, I am not fully following here; kindly bear with me.
Can you please tell me what pairing options I need to select in order to support pairing for only BLE stack version 4.2 and above? This is purely with respect to the QN908x controller.

As per my understanding it is:
   gSecurityMode_1_Level_4_c
 .leSecureConnectionSupported = TRUE,

Does QN908x controller support unauthenticated pairing in gSecurityMode_1_Level_4_c ?

Regards,

 kishan
  

mario_castaneda
NXP TechSupport

Hi Kishan,

Please enable the define in the app_preinclude.h 

/*! Enable/disable use of bonding capability */
#define gAppUseBonding_d   1

/*! Enable/disable use of pairing procedure */
#define gAppUsePairing_d   1

Does the QN908x controller support unauthenticated pairing in gSecurityMode_1_Level_4_c?

The unauthenticated is not supported if you have the IO Capabilities as just works.

.localIoCapabilities = gIoNone_c

It depends on the capabilities that the device has.

Regards,

Mario

kishansaralaya
Contributor III

Thanks for the update Mario.

As you said in the above thread, unauthenticated pairing is not supported if you have the IO Capabilities as Just Works, so in this configuration can we have the LE Secure Connection?

Regards,

kishan

mario_castaneda
NXP TechSupport

Hi Kishan,

As you said in the above thread Unauthenticated pairing is not supported if you have the IO Capabilities as the Just works, so in this configuration can we have the LE Secure Connection?

Yes, you will have LE Secure Connections without protection against MITM.

Regards,

Mario

kishansaralaya
Contributor III

Thanks a lot Mario. 

Just to be clear on the SMP Data configuration : 

/* SMP Data */
gapPairingParameters_t gPairingParameters = {
    .withBonding = (bool_t)gAppUseBonding_d,
    .securityModeAndLevel = gSecurityMode_1_Level_2_c,
    .maxEncryptionKeySize = mcEncryptionKeySize_c,
    .localIoCapabilities = gIoNone_c, //gIoDisplayOnly_c,
    .oobAvailable = FALSE,
    .centralKeys = gIrk_c,
    .peripheralKeys = (gapSmpKeyFlags_t) (gLtk_c|gIrk_c),
    .leSecureConnectionSupported = TRUE, //FALSE,
    .useKeypressNotifications = FALSE,
};

 

Here configuring the 

.leSecureConnectionSupported = TRUE

to TRUE means only LE Secure connection is allowed, or does it support both modes, legacy and LE Secure connection?

mario_castaneda
NXP TechSupport

Hi Kishan,

That is the setup that you have to do. Also, you have to enable the pairing and bonding feature.

Remember that the security services must be 

gSecurityMode_1_Level_2_c

Secure Connections is a feature of BLE 4.2, but the other device has to support this feature as well; otherwise the process will use the security that the other device supports.

Regards,

Mario

kishansaralaya
Contributor III

Hi Mario,

If we configure our peripheral device with 

gSecurityMode_1_Level_2_c
.leSecureConnectionSupported = TRUE,

will it limit the pairing to BLE 4.2 and higher BLE stack version? 

mario_castaneda
NXP TechSupport

Hi Kishan

There are no limitations on the pairing, but the connection won't have any protection against MITM, because you cannot authenticate without capabilities. For the higher versions it will be the same.

Please look at the BLE Specification 

C.2.2.2.1 Successful Numeric Comparison (or Just Works)

Regards,

Mario

kishansaralaya
Contributor III

Thank you Mario. 
To summarize my understanding: we can limit pairing to devices with BLE 4.2 or above by checking the authentication method used by the Central devices. If the authentication does not take place using LE Secure, then the device can reject the pairing process. QN908x supports LE Secure connection only in "gSecurityMode_1_Level_4_c", where pairing needs to be authenticated, which means the device needs to have IO Capability.

mario_castaneda
NXP TechSupport

Hi Kishan,

The limitation will depend on the IO Capabilities from both devices. 

If the authentication doesn't take place, the connection could be established but you won't be protected against MITM.

QN908x supports LE Secure connection only in "gSecurityMode_1_Level_4_c" where pairing needs to be authenticated which means the device needs to have IO Capability.   

No, the QN9080 supports secure connections, 

.leSecureConnectionSupported = TRUE,

The device doesn't need to have IO capabilities, the pairing process could be executed without the MITM Security.

Regards,

Mario

mario_castaneda
NXP TechSupport

Hi Kishan,

I am not sure if I am following your question.

As I read the BLE connection starts with the Security Mode 1 and Level 1

This will depend on how you are setting the security in your device.

Remember if one of the BLE devices supports a previous version, the security will be related to the old version. In other words, if you connect 1 device with 4.0 with a device with 4.2, the device will adapt to the features of the 4.0. 

Regards,

Mario

kishansaralaya
Contributor III

Hello Mario,

We have a peripheral device designed using QN908x; this device does not have any IO capabilities. Is it possible to restrict this device to get connected (paired and bonded) only with a central device that supports BLE 4.2 or above?

Regards ,

 kishan

mario_castaneda
NXP TechSupport

Hi Kishan,

It is possible, the QN9080 supports the 5 and it could pair and bond with the devices with the limitations of this release.

Please look at the https://community.nxp.com/thread/332191 for better information for the Security on BLE.

Regards,

Mario

kishansaralaya
Contributor III

Thank you Mario, this link provides a clear view of the security configuration.

And as per this document we won't be able to have the BLE secure connection feature (security mode 4). Encryption with LE Secure Connections pairing is the only version supported in QN908x; since our product does not have any IO capability, we will not be able to configure our product to support only 4.2 or above.

mario_castaneda
NXP TechSupport

Hi Kishan,

It is possible, but the connections won't have MITM protection; it is unauthenticated.

When IO capabilities is set to gIoNone_c, the key generation method is Just Works Unauthenticated. Please see the description in the spec below.

IO-Key generation method.png

IO-Key generation method2.png

The gSecurityMode_1_Level_4_c means Authenticated LE Secure Connections pairing with encryption. Authentication provides protection against MITM attacks.

Therefore, to have LE Secure Connections pairing in Just Works, you need to set securityModeAndLevel = gSecurityMode_1_Level_2_c to have unauthenticated pairing with encryption and set leSecureConnectionSupported = TRUE.

Please let me know if you have any further questions.

For example, it should be like this.

/* SMP Data */
gapPairingParameters_t gPairingParameters = {
    .withBonding = (bool_t)gAppUseBonding_d,
    .securityModeAndLevel = gSecurityMode_1_Level_2_c,
    .maxEncryptionKeySize = mcEncryptionKeySize_c,
    .localIoCapabilities = gIoNone_c, //gIoDisplayOnly_c,
    .oobAvailable = FALSE,
    .centralKeys = gIrk_c,
    .peripheralKeys = (gapSmpKeyFlags_t) (gLtk_c|gIrk_c),
    .leSecureConnectionSupported = TRUE, //FALSE,
    .useKeypressNotifications = FALSE,
};


static const gapServiceSecurityRequirements_t serviceSecurity[] = {
  {
    .requirements = {
        .securityModeLevel = gSecurityMode_1_Level_2_c,
        .authorization = FALSE,
        .minimumEncryptionKeySize = gDefaultEncryptionKeySize_d
    },
.
.
.
.
.

Regards,

Mario
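
The outcome the thread converges on can be worked through at the SMP level. The following is an added example, not part of any post above and not NXP SDK code: it reads the Pairing Request and Pairing Response feature bytes, decides whether the pairing is LE Secure Connections or legacy, whether the association model gives MITM protection, and which Security Mode 1 level results. All names (`evaluate_pairing`, `accept_sc_only`, the sample PDUs) are hypothetical, and OOB pairing is assumed to be unused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* SMP Pairing Request (0x01) / Response (0x02), 7 bytes each:
 * code, IO capability, OOB flag, AuthReq, max key size, init keys, resp keys */
enum { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY, IO_NONE, IO_KEYBOARD_DISPLAY };
#define AUTHREQ_MITM 0x04u
#define AUTHREQ_SC   0x08u

typedef struct {
    bool    valid;         /* both PDUs well-formed */
    bool    secure_conn;   /* LE Secure Connections: SC bit set by both sides */
    bool    authenticated; /* association model gives MITM protection */
    uint8_t key_size;      /* negotiated encryption key size */
    int     level;         /* resulting Security Mode 1 level (2, 3 or 4) */
} pairing_outcome_t;

/* Constructed sample PDUs (hypothetical, not captured traffic). */
const uint8_t REQ_SC_CENTRAL[7]     = {0x01, IO_KEYBOARD_DISPLAY, 0, 0x0D, 16, 0x02, 0x03};
const uint8_t REQ_LEGACY_CENTRAL[7] = {0x01, IO_KEYBOARD_DISPLAY, 0, 0x05, 16, 0x02, 0x03};
const uint8_t RSP_NO_IO[7]          = {0x02, IO_NONE,             0, 0x09, 16, 0x02, 0x03};
const uint8_t RSP_YESNO[7]          = {0x02, IO_DISPLAY_YESNO,    0, 0x0D, 16, 0x02, 0x03};

static bool pdu_ok(const uint8_t *p, size_t len, uint8_t code)
{
    return len == 7 && p[0] == code && p[1] <= IO_KEYBOARD_DISPLAY && p[4] >= 7 && p[4] <= 16;
}

/* Assumption: OOB data is not used by either side, so the OOB flag is ignored. */
pairing_outcome_t evaluate_pairing(const uint8_t *req, size_t req_len,
                                   const uint8_t *rsp, size_t rsp_len)
{
    pairing_outcome_t o = {0};
    if (!pdu_ok(req, req_len, 0x01) || !pdu_ok(rsp, rsp_len, 0x02)) return o;
    uint8_t a = req[1], b = rsp[1];
    bool mitm = ((req[3] | rsp[3]) & AUTHREQ_MITM) != 0;
    o.valid = true;
    o.secure_conn = (req[3] & rsp[3] & AUTHREQ_SC) != 0;
    o.key_size = req[4] < rsp[4] ? req[4] : rsp[4];
    /* Just Works: nobody asked for MITM, one side has no IO, or both only display
     * (two DisplayYesNo devices get Numeric Comparison under Secure Connections). */
    bool both_yesno = a == IO_DISPLAY_YESNO && b == IO_DISPLAY_YESNO;
    bool just_works = !mitm || a == IO_NONE || b == IO_NONE ||
        (a <= IO_DISPLAY_YESNO && b <= IO_DISPLAY_YESNO && !(o.secure_conn && both_yesno));
    o.authenticated = !just_works;
    o.level = !o.authenticated ? 2 : (o.secure_conn && o.key_size == 16) ? 4 : 3;
    return o;
}

/* Policy for a peripheral that only wants 4.2+ style pairing: refuse legacy. */
bool accept_sc_only(const pairing_outcome_t *o) { return o->valid && o->secure_conn; }
```

With the no-IO peripheral, a Secure Connections central still ends at Level 2 (encrypted, unauthenticated), while a central that does not set the SC bit falls back to legacy pairing, which `accept_sc_only` refuses.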