• State
  • Locked Locked
  • Replies 3 replies
  • Subscribers 50 subscribers
  • Views 2574 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

OOB Pairing question

Matthias Mueller
Intellectual 380 points
Other Parts Discussed in Thread: CC2540

Hello everybody

We are developing a BLE remote control application on a CC2540 (stack 1.4) configured as peripheral. This application uses a serial interface to share out-of-band keys for pairing. Because the application will be used in an industrial environment, we would like to use a authenticated connection only (by using the shared OOB keys obviously).

I have some problems to implement this application and have following questions:

1: I'm not quite sure if it is possible to configure the peripheral to use be authenticated connections only. Is that possible in the stack?

2: Now I have configured the peripheral bond managers pairing mode to initiate the pairing. I set the OOB flag to true and the MITM flag to false. Therefore, according to the standard, with no input and output capabilities either an authenticated link (using OOB) or an unauthenticated link (using Just Works) will be established.
I used this application with the TI HCI dongle and the BTool (which has the OOB flag not set): I connect with the BTool to the peripheral and the peripheral sends a pairing request. Even if I do not pair, I have access to the characteristics. Is it therefore possible to check, if the device is paired and if yes, what pairing mode was used?


I really hope you guys could help me because we have spent already some time with this issue.

Thank you

Matthias

  • 0
    TI__Mastermind 34660 points

    Hello.

    1. Obviously unauthenticated connections have to be allowed so that the connection can become authenticated and bonded.  However you can set the GAPBOND_BOND_FAIL_ACTION to GAPBOND_FAIL_TERMINATE_LINK using the GAPBondMgr_SetParameter function. This will cause the connection to drop if your pairing parameters are not met. You can set the various pairing parameters such as GAPBOND_MITM_PROTECTION (authentication) using this function.

    2.  If you pass callback functions from the application to the bond manager when registering, the application will be notified of the bond manager's various state changes. An example of this in the glucosesensor project where the following callbacks are defined:

    // Bond Manager Callbacks
    static const gapBondCBs_t glucoseBondCB =
    {
      glucosePasscodeCB,
      glucosePairStateCB
    };


    The glucosePairStateCB will notify you of gap bond manager state changes.

    Another option is the linkDB_Authen() funciton which will return the following:

     * @return      SUCCESS if link is authenticated.
     *              bleNotConnected - connection handle is invalid
     *              LINKDB_ERR_INSUFFICIENT_AUTHEN - link is not encrypted
     *              LINBDB_ERR_INSUFFICIENT_KEYSIZE - key size encrypted is not large enough
     *              LINKDB_ERR_INSUFFICIENT_ENCRYPTION - link is encrypted, but not authenticated

    There is no function to check which type of authentication is used. You would have to modify the bond manager to accomplish this. Perhaps, set a global variable here:

      // Is bond manager setup for OOB data?
      if ( gapBond_OOBDataFlag )
      {
        VOID osal_memcpy( params.secReqs.oob, gapBond_OOBData, KEYLEN );
      }

  • 0 in reply to Tim C
    Intellectual 380 points

    Hi Tim

    Thank you very much for your detailed answer, I really appreciate it.

    I'll try to use GAPBOND_FAIL_TERMINATE_LINK and set only the OOB-flag (no MITM). Then the OOB-pairing should be used. Then in the bond manager callback PairStateCb I check linkDB_Authen(): if it returns LINKDB_ERR_INSUFFICIENT_ENCRYPTION, obviously Just Works was used and I terminate the link. Otherwise, OOB was sucessfully used.

    I will try this solution and will respond again if this was not working well

    Thanks again

  • 0 in reply to Matthias Mueller
    Intellectual 380 points

    Hi Tim


    I guess it works: the connection is terminated automatically after a simple pairing by the peripheral.

    But on the other hand, the OOB pairing does still not work properly: the peripheral receives a key (16 byte TK according to the standard) which is stored in the GAP-Bond-Manager as OOB_DATA:

    GAPBondMgr_SetParameter( GAPBOND_OOB_DATA, sizeof ( uint8 ), &uartTxBuffer[1] );

    Apparently, the TK is not updated by this function: during the pairing a SMP Error Confirm value failed (0x04) appear, the wrong keys are used for STK. If a OOB-Key of 16 bytes of '0' is used it works. But the connection is terminated because this is "just works". Because the key initialisation is 16 times 0 I assume the function I use does not properly update the key.

    Could you provide an idea to update the TK which I can use to store the key received by OOB, other than the function above?


    Thank you in advance

    Matthias