Using alternative GAP security profiles for different GATT services

GeIo_1586191

I am assuming this is an issue linked to the core Bluetooth LE specification but thought to test my assumption.

I was seeking to combine two GATT services inside one application but have come unstuck. So looking to learn from this exercise.

My aim was to combine the CTS service (which can only be used with an iOS device) to get the correct time for RTC and an Immediate Alert Service which would primarily be used by other embedded devices or Android smartphone device.

Now, using the CTS example I found that for this to work with an iOS service it requires a GAP settings security configuration of "Unauthenticated pairing with encryption". However, when using this setting the Immediate Alert Service stops working.

Then using the Immediate Alert example, I see that the GAP settings security configuration is set at "No Security (No authentication, no encryption)". However, with this setting, the iOS device won't pair to exchange time information.

The CTS service is ignored by Android devices.

So was wondering if there is a way around this to combine the two.

Thanks

MeenakshiR_71

Hello GerrikoIoT,

It appears that the permission expectations of the two services are different. You can have different permissions for different characteristics. Since for CTS, you implement a client, you do not have much control on the permissions imposed by iOS's CTS server. Hence your overall device security configuration should at least match the minimum requirement imposed by the CTS server in iOS, which needs encryption (this translates to a minimum setting for security - Unauthenticated pairing with encryption). However for immediate alert server/client, there is no minimum requirement - hence most devices choose to implement "No authentication or encryption".

Now in order to have different permissions for different characteristics (say for Immediate Alert service's Alert level char), in the BLE component customizer, under the GATT settings where you configure your services, click on the "Alert Level". On the right side pane, you should see a section for "Permissions". Expand it and make sure that both read/write permissions have all the permissions set to "No encryption, authentication or authorization". Also make sure you uncheck "Update after GAP security level change", otherwise these permissions will get updated every time you change the security configuration.

I am not at my desk and do not have a board to test the above. But if my understanding is correct, I would expect it to work. Again, I do not understand why Immediate alert service will have to fail, as unauthenticated pairing with encryption is above the min req. Maybe by fail you mean the Android App not able to control it? If yes, then that might be because the app might implement "No security" and does not satisfy the minimum requirement imposed by the Immediate alert server implemented in PSoC.

Let me know if this helps.

Regards,

Meenakshi Sundaram R
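
Added example, not part of the original thread and not Cypress/PSoC API code: a simplified C model of the server-side check the answer above relies on, showing why an Alert Level characteristic that follows the GAP level rejects an unpaired peer while one pinned to "no security" accepts it. The type and function names (`link_t`, `attr_perm_t`, `att_check`) are hypothetical; the error values are the ATT codes for Insufficient Authentication and Insufficient Encryption.

```c
#include <stdbool.h>
#include <stdint.h>

/* ATT error codes from the Bluetooth Core Specification. */
#define ATT_OK                 0x00
#define ATT_ERR_INSUFF_AUTHEN  0x05
#define ATT_ERR_INSUFF_ENCRYPT 0x0F

/* Levels of LE security mode 1, in increasing strength. */
typedef enum { SEC_NONE = 1, SEC_UNAUTH_ENC = 2, SEC_AUTH_ENC = 3 } sec_level_t;

/* Hypothetical link state as seen by the GATT server. */
typedef struct {
    bool has_ltk;        /* peer has paired and a key is stored      */
    bool encrypted;      /* encryption is currently enabled          */
    bool authenticated;  /* key came from MITM-protected pairing     */
} link_t;

/* Hypothetical attribute entry: its own requirement plus the state of the
 * customizer's "Update after GAP security level change" checkbox. */
typedef struct {
    sec_level_t required;
    bool follow_gap;
} attr_perm_t;

/* Requirement actually enforced: with follow_gap set, the attribute
 * inherits the device-wide GAP level instead of its own setting. */
sec_level_t effective_level(const attr_perm_t *a, sec_level_t gap_level)
{
    return a->follow_gap ? gap_level : a->required;
}

/* Check applied before a read or write on the attribute is accepted. */
uint8_t att_check(const attr_perm_t *a, sec_level_t gap_level, const link_t *l)
{
    sec_level_t need = effective_level(a, gap_level);
    if (need == SEC_NONE)
        return ATT_OK;
    if (!l->encrypted)   /* no key: peer must pair; key: peer must encrypt */
        return l->has_ltk ? ATT_ERR_INSUFF_ENCRYPT : ATT_ERR_INSUFF_AUTHEN;
    if (need == SEC_AUTH_ENC && !l->authenticated)
        return ATT_ERR_INSUFF_AUTHEN;
    return ATT_OK;
}
```

A central that never pairs sees the error on its first write; capturing that ATT error response with a sniffer or the stack's event log is a quick way to confirm which side's requirement is blocking access.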
