
CC2642R: Send link encryption request from peripheral

Part Number: CC2642R
Other Parts Discussed in Thread: SIMPLELINK-CC13X2-26X2-SDK

Details
Chip: CC2642R1
SDK: SIMPLELINK-CC13X2-26X2-SDK_4.40.04.04 (latest)
Security manager: GapBondManager

Summary

I would like to send an encryption request from the peripheral to the central in a later stage after the connection has been established

Extensive

We are working on a paired product that needs its encryption to be handled at a later stage during the connection. The connection flow looks as follows:

  • Central connects to peripheral without encryption
  • Central and peripheral will do some negotiation / communication
  • 5 minutes pass by
  • Central wants to read out a characteristic which requires authentication
  • Peripheral responds by sending an encryption request

The central itself in this flow is an iPhone, which means we can not change anything on the central side.

What we have tried on the point where the characteristic is being read is the following:

  • GapBondMgr_Pair
  • gapBondMgrBondReq
  • MAP_GAP_Bond
  • MAP_SM_StartEncryption

What is the typical way to start an encryption request from the peripheral side on a TI BLE5 stack?

  • Hi,

    In theory, the pairing request will be sent only when the characteristic requiring authentication is accessed. You may want to verify this with our out-of-the-box simple_peripheral example. Considering the devices are not bonded / paired from a previous test, no pairing will occur before you try to access the characteristic 5 from the phone.

    (Note: you can use LightBlue or any other mobile app to run this test).

    Let us know if it helps,

    Regards,

  • Hi Clement

    In theory, the pairing request will be sent only when the characteristic requiring authentication is accessed. You may want to verify this with our out-of-the-box simple_peripheral example. Considering the devices are not bonded / paired from a previous test, no pairing will occur before you try to access the characteristic 5 from the phone.

    I'm talking about an encryption request, not a pairing request. Also - pairing is also performed in an earlier stage as explained.

    Regards,

    Daan

  • Hi Daan,

    Based on the summary of your problem "I would like to send an encryption request from the peripheral to the central in a later stage after the connection has been established" it looks like you want to pair the devices only after the 5 minutes have passed by. If you do not want the device to be automatically paired at connection establishment, you may not want to use bonding.

    If you want to allow access of some GATT profiles without pairing/encryption required, you may want to modify the implementation of your GATT table (see here for details).

    Once again, I would recommend you to see if the behavior of our simple_peripheral example is what you are looking for. Based on your observations on this example, you may want to tell us what behavior modification you would expect.

    To finish, I am not fully understanding the use case you are addressing here. If needed, don't hesitate to shed more light on it.

    Best regards,

  • Hi Clementine, Evan knows more about what we would like to achieve.

    Based on the summary of your problem "I would like to send an encryption request from the peripheral to the central in a later stage after the connection has been established" it looks like you want to pair the devices only after the 5 minutes have passed by. If you want not the device to be automatically paired at connection establishment, you may not want to use bonding.

    First of all, please keep in mind that pairing has already been done, including bonding.

    As a reply on your question:

    No, the thing is that the encryption can only be established by one of the apps connecting with our product.
    If the first app connects, we don't want LTK encryption.
    If the second app connects while the first app is still connected:

    Since iOS will re-use the same connection for both apps, it means that we should have a trigger point (which we have) for the second app, because no connection event will occur (the iPhone is already connected).

    At that trigger-point, we want to force the phone to start using encryption, so we want to send out an encryption request to the phone.

    I know about the simple peripheral and everything but that example does not take care of this either.
    Could you please tell me how to force a central to start encryption by sending an encryption request to it from the peripheral?

    Regards,

    Daan

  • Hi Daan,

    I have aligned with Evan offline. We are still wondering why it would be a problem to have all the traffic encrypted (instead of only a subset of it).

    Generally speaking, the BLE stack will handle encryption for you. It means the BLE stack is going to turn on encryption when needed.
    If you have a BLE analyzer, you may want to run the following experiment.

    0- Flash a device with our out-of-the-box simple_peripheral example
    1- Turn on the BLE analyzer and connect the simple_peripheral using the iphone
    2- Access Char 4 or 5 to get the devices to pair
    3- (Verify if the data is encrypted on the BLE analyzer log)
    4- Disconnect the iphone
    5- Reconnect the iphone and verify if the link is encrypted even if you do not access Char 4 and 5

    Daan Schilder1 said:
    Could you please tell me how to force a central to start encryption by sending an encryption request to it from the peripheral?

    Let me remind you of Apple's Accessory Design Guidelines (see section 36.10). This is why we recommend "When pairing with smartphone Central devices, it is recommended to use GAPBOND_PAIRING_MODE_WAIT_FOR_REQ as undefined behavior may occur when a Slave Security Request is sent by the Peripheral. Both iOS and Android will initiate pairing when the peripheral responds with an Insufficient Authentication error response when a GATT secure characteristic is accessed".
    In other words, the CC26xx device does not send any pairing request but returns "ATT_ERR_INSUFFICIENT_AUTHEN" when the iphone tries accessing a GATT attribute with permission GATT_PERMIT_ENCRYPT_READ or GATT_PERMIT_ENCRYPT_WRITE. The iphone will then start the pairing procedure. Please see our documentation for more details.

    A second option might be to use authorization.

    Best regards,
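
The access check described in this reply (and the "second app" trigger from the earlier post) as a stand-alone C model. This is an added example, not code from the TI SDK or from the thread participants: it reproduces the decision a GATT server makes when a central reads an attribute with GATT_PERMIT_ENCRYPT_READ, GATT_PERMIT_AUTHEN_READ or GATT_PERMIT_AUTHOR_READ permissions while the bond manager is in GAPBOND_PAIRING_MODE_WAIT_FOR_REQ, i.e. the peripheral never sends a Slave Security Request and instead returns an ATT error that makes the iPhone pair or re-encrypt on its own. The ATT error values are the Bluetooth Core Specification ones; the permission bit values, the MIN_ENC_KEY_SIZE constant, the LinkSecState struct, the checkReadAccess/checkRead/secondAppAuthorize functions and the g_secondAppActive flag are assumptions of this model, and whether the real pfnAuthorizeAttrCB return value is forwarded verbatim to the ATT layer is not confirmed by the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ATT error codes (Bluetooth Core Spec Vol 3, Part F, 3.4.1.1). The macro
 * names follow the TI SDK's att.h naming; only ATT_ERR_INSUFFICIENT_AUTHEN
 * appears in the thread, the other names are assumed. */
#define SUCCESS                        0x00
#define ATT_ERR_READ_NOT_PERMITTED     0x02
#define ATT_ERR_INSUFFICIENT_AUTHEN    0x05
#define ATT_ERR_INSUFFICIENT_AUTHOR    0x08
#define ATT_ERR_INSUFFICIENT_KEY_SIZE  0x0C
#define ATT_ERR_INSUFFICIENT_ENCRYPT   0x0F

/* Read-permission bits. Names mirror TI's gatt.h; bit values are this
 * model's own assumption, not copied from the SDK. */
#define GATT_PERMIT_READ          0x01
#define GATT_PERMIT_AUTHEN_READ   0x04
#define GATT_PERMIT_AUTHOR_READ   0x10
#define GATT_PERMIT_ENCRYPT_READ  0x40

/* Smallest LTK the product accepts. 7 bytes is the spec minimum; demanding
 * the full 16 bytes blocks key-size downgrade. Assumed value. */
#define MIN_ENC_KEY_SIZE 16

/* Security state of one link as the GAP/SM layer would report it. */
typedef struct {
    bool    encrypted;     /* link is encrypted with the LTK right now          */
    bool    authenticated; /* the LTK for this peer came from MITM-protected pairing */
    bool    bonded;        /* an LTK for this peer is stored in NV              */
    uint8_t encKeySize;    /* negotiated LTK size in bytes (7..16)              */
} LinkSecState;

/* Per-attribute authorization hook, the analogue of pfnAuthorizeAttrCB. */
typedef uint8_t (*AuthorizeReadCB)(uint16_t connHandle,
                                   const LinkSecState *link,
                                   uint16_t attrHandle);

/* Decide whether a Read Request may proceed. INSUFFICIENT_AUTHEN tells the
 * central to pair (iOS/Android do this automatically); INSUFFICIENT_ENCRYPT
 * tells a bonded central to re-enable encryption with its stored LTK. */
uint8_t checkReadAccess(uint16_t connHandle, const LinkSecState *link,
                        uint8_t perms, uint16_t attrHandle,
                        AuthorizeReadCB authorize)
{
    const uint8_t readBits = GATT_PERMIT_READ | GATT_PERMIT_AUTHEN_READ |
                             GATT_PERMIT_AUTHOR_READ | GATT_PERMIT_ENCRYPT_READ;
    if ((perms & readBits) == 0)
        return ATT_ERR_READ_NOT_PERMITTED;

    if (perms & GATT_PERMIT_AUTHEN_READ) {
        if (!link->authenticated)   /* no MITM-protected LTK: central must pair */
            return ATT_ERR_INSUFFICIENT_AUTHEN;
        if (!link->encrypted)       /* good LTK exists, it just has to be turned on */
            return ATT_ERR_INSUFFICIENT_ENCRYPT;
    }
    if ((perms & GATT_PERMIT_ENCRYPT_READ) && !link->encrypted)
        return link->bonded ? ATT_ERR_INSUFFICIENT_ENCRYPT
                            : ATT_ERR_INSUFFICIENT_AUTHEN;

    /* Link is encrypted at this point for AUTHEN/ENCRYPT reads: refuse a
     * short key before releasing data. */
    if ((perms & (GATT_PERMIT_AUTHEN_READ | GATT_PERMIT_ENCRYPT_READ)) &&
        link->encKeySize < MIN_ENC_KEY_SIZE)
        return ATT_ERR_INSUFFICIENT_KEY_SIZE;

    /* Application-level authorization runs last. */
    if (perms & GATT_PERMIT_AUTHOR_READ)
        return authorize ? authorize(connHandle, link, attrHandle)
                         : ATT_ERR_INSUFFICIENT_AUTHOR;
    return SUCCESS;
}

/* Hypothetical product state: set by the product's own trigger once the
 * second iOS app starts using the already-open connection. */
static bool g_secondAppActive = false;
void setSecondAppActive(bool on) { g_secondAppActive = on; }

/* Authorization hook for the thread's use case: the characteristic carries
 * only GATT_PERMIT_AUTHOR_READ, so the first app reads it unencrypted. Once
 * the second app is active, an unencrypted link gets the error that makes
 * the iPhone pair (or re-encrypt), with no Security Request from our side. */
uint8_t secondAppAuthorize(uint16_t connHandle, const LinkSecState *link,
                           uint16_t attrHandle)
{
    (void)connHandle; (void)attrHandle;
    if (g_secondAppActive && !link->encrypted)
        return link->bonded ? ATT_ERR_INSUFFICIENT_ENCRYPT
                            : ATT_ERR_INSUFFICIENT_AUTHEN;
    return SUCCESS;
}

/* Convenience wrapper: build a link state inline and run the check. */
uint8_t checkRead(bool enc, bool auth, bool bonded, uint8_t keySize,
                  uint8_t perms, AuthorizeReadCB authorize)
{
    LinkSecState link = { enc, auth, bonded, keySize };
    return checkReadAccess(0x0000, &link, perms, 0x0023, authorize);
}

int main(void)
{
    printf("never paired, ENCRYPT_READ  -> 0x%02X\n",
           checkRead(false, false, false, 0, GATT_PERMIT_ENCRYPT_READ, NULL));
    printf("bonded, not yet encrypted  -> 0x%02X\n",
           checkRead(false, false, true, 16, GATT_PERMIT_ENCRYPT_READ, NULL));
    setSecondAppActive(true);
    printf("2nd app, AUTHOR_READ plain -> 0x%02X\n",
           checkRead(false, false, false, 0, GATT_PERMIT_AUTHOR_READ, secondAppAuthorize));
    return 0;
}
```

In the SDK the pairing-mode side of this is a single bond-manager parameter (GAPBOND_PAIRING_MODE set to GAPBOND_PAIRING_MODE_WAIT_FOR_REQ via GAPBondMgr_SetParameter); the per-attribute permissions live in the service's gattAttribute_t table, and the authorization hook is the service's pfnAuthorizeAttrCB. The point of the model is the last branch: a characteristic that the first app may read in the clear but that starts demanding encryption once the product's own trigger fires, without the peripheral ever issuing a Security Request.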

  • Hi Clement,

    One of your colleagues just picked this one up internally with us. Thanks for helping me out :)