Proper use of Cy_BLE_GAP_GenerateSetLocalP256Keys for BLE security


Morty
Level 1

I'm trying to create a secure BLE application. I see the following comment in the docs for Cy_BLE_GAP_GenerateSetLocalP256Keys: "If this function is not called before pairing process starts, the BLE Stack will use a debug public-private key pair defined in Bluetooth Core specification."

Having a well known private key does seem like a security problem.

I don't see any sample code that calls this function. I can imagine the following implementation might be correct, but with security code like this it's hard to know whether it is secure, not just whether it works. I'd much prefer a known good sample.

// Application BLE event callback, registered with Cy_BLE_RegisterEventCallback()
static bool delayAdvertStart = false;

void AppCallback(uint32_t event, void *eventParam)
{
    switch (event)
    {
        case CY_BLE_EVT_STACK_ON:
            // Replace the spec's debug key pair before any pairing can start
            Cy_BLE_GAP_GenerateSetLocalP256Keys();
            delayAdvertStart = true;
            // don't StartAdvertisement until keys set
            break;

        case CY_BLE_EVT_GAP_GEN_SET_LOCAL_P256_KEYS_COMPLETE:
            // eventParam points to the generated public-private key pair
            Cy_BLE_GAP_SetLocalP256Keys((cy_stc_ble_gap_smp_local_p256_keys_t *)eventParam);
            if (delayAdvertStart)
            {
                Cy_BLE_GAPP_StartAdvertisement(CY_BLE_ADVERTISING_FAST, 0u);
            }
            delayAdvertStart = false;
            break;

        case CY_BLE_EVT_GAP_DEVICE_CONNECTED:
            // For robust security Cypress recommends every pairing (successful or failed) attempt to update public-private key pair
            Cy_BLE_GAP_GenerateSetLocalP256Keys();
            /* ... */
            break;

        case CY_BLE_EVT_GAP_DEVICE_DISCONNECTED:
            // For robust security Cypress recommends every pairing (successful or failed) attempt to update public-private key pair
            Cy_BLE_GAP_GenerateSetLocalP256Keys();
            /* ... */
            break;

        default:
            break;
    }
}

1 Solution
Yugandhar
Moderator

Hello,

The function Cy_BLE_GAP_GenerateSetLocalP256Keys() has to be called before the pairing process starts, so you can call this function in the CY_BLE_EVT_GAP_DEVICE_CONNECTED event. Successful completion of this API is informed by the CY_BLE_EVT_GAP_GEN_SET_LOCAL_P256_KEYS_COMPLETE event. The event parameter cy_stc_ble_gap_smp_local_p256_keys_t will contain the keys that are generated and set for the LE Secure Connections pairing procedure.

Thanks,
P Yugandhar.
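As a defensive sanity check for the CY_BLE_EVT_GAP_GEN_SET_LOCAL_P256_KEYS_COMPLETE handler, here is an added example (not from this thread and not Cypress PDL code) that compares the public key the event reports against the public half of the debug key pair published in the Bluetooth Core Specification (Vol 3, Part H, 2.3.5.6.1); a match means the stack is still on the well-known pair and the application should not let pairing proceed. It assumes the key is handed over as a 64-byte X||Y buffer and accepts either byte order per coordinate, since the layout of cy_stc_ble_gap_smp_local_p256_keys_t is not stated in the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Debug P-256 public key from Bluetooth Core Spec Vol 3, Part H, 2.3.5.6.1,
 * written as the spec prints it: big-endian X, then big-endian Y. */
static const uint8_t kDebugPubKeyBE[64] = {
    /* X */
    0x20,0xb0,0x03,0xd2, 0xf2,0x97,0xbe,0x2c, 0x5e,0x2c,0x83,0xa7, 0xe9,0xf9,0xa5,0xb9,
    0xef,0xf4,0x91,0x11, 0xac,0xf4,0xfd,0xdb, 0xcc,0x03,0x01,0x48, 0x0e,0x35,0x9d,0xe6,
    /* Y */
    0xdc,0x80,0x9c,0x49, 0x65,0x2a,0xeb,0x6d, 0x63,0x32,0x9a,0xbf, 0x5a,0x52,0xa5,0xd5,
    0x86,0xb9,0xb6,0xba, 0xec,0x8b,0x5a,0x25, 0xc5,0x9a,0x1f,0x0e, 0x73,0xf3,0x0c,0xb6,
};

/* Reverse one 32-byte coordinate so both byte orders can be compared. */
static void reverse32(uint8_t *dst, const uint8_t *src)
{
    for (int i = 0; i < 32; i++) dst[i] = src[31 - i];
}

/* Returns true if key (X||Y, 64 bytes) is the well-known debug public key,
 * with each coordinate either big-endian (as printed in the spec) or
 * little-endian (as carried in the SMP Pairing Public Key PDU). */
bool p256_pubkey_is_debug(const uint8_t key[64])
{
    uint8_t le[64];
    reverse32(le, kDebugPubKeyBE);           /* X, little-endian */
    reverse32(le + 32, kDebugPubKeyBE + 32); /* Y, little-endian */
    return memcmp(key, kDebugPubKeyBE, 64) == 0 || memcmp(key, le, 64) == 0;
}

/* Returns 1 when the check behaves as expected on constructed inputs:
 * both byte orders of the debug key are flagged, a one-bit variant is not. */
int p256_debug_key_selftest(void)
{
    uint8_t le[64], other[64];
    reverse32(le, kDebugPubKeyBE);
    reverse32(le + 32, kDebugPubKeyBE + 32);
    memcpy(other, kDebugPubKeyBE, 64);
    other[5] ^= 0x01;                        /* constructed: differs in one bit */
    return p256_pubkey_is_debug(kDebugPubKeyBE) && p256_pubkey_is_debug(le)
           && !p256_pubkey_is_debug(other);
}
```

In the COMPLETE handler, run the check on the reported public key and keep advertising and pairing disabled (and log the condition) if it returns true.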

3 Replies
DheerajPK_41
Moderator

Hi,

May I know the software version which you are using for your app development? Also please share the BT chip/module name.

Thanks,

-Dheeraj.P.K


PSoC Creator 4.4

PDL 3.1.4

CYBLE-416045-02
