20732 support for "out of band" pairing

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
Anonymous
Not applicable

1.I have requirement where we want to use the Out of Band pairing mechanism. Assuming that we have the encryption keys on both sides , which API should be used to provide these keys for all subsequent BLE exchanges.

2.Additionally does the hardware(20732) have support for doing Elliptic Curve Cryptography? For this a good source of entropy would be essential. Specifically access to something like a hardware generated random number would be key. Is this exposed to application code on the 20732?

3. Is there a provision to store these keys between reboots?

4. Once keys have been provided, is there a way to revoke these keys ? Which API?

Thanks

0 Likes
1 Solution

Unfortunately that would be a clear violation of the Bluetooth spec.  We cannot do that.  The spec defines how to use out of band data if it is available.  If out of band data is available it is used to generate keys.  But it cannot be used to replace keys.

View solution in original post

0 Likes
4 Replies
VictorZ_46
Employee
Employee
5 comments on blog 25 sign-ins 250 likes received

The NFC although it is short range is not secure.  There were studies showing that you can eaves drop NFC connection from meters or more.  You cannot send encryption keys in open.  Actually you shall not send encryption keys at all. 

For BLE the version of the Bluetooth Secure Simple Pairing Using NFC whitepaper is not ready yet (NFC forum is working with Bluetooth SIG), but it will be pretty close to the current version which supports BR/EDR. 

There are 2 types of NFC tags passive (10-20cents) and active ($5+).  The difference is that active NFC Tags you can write over the wire.  I am guessing your query is about the passive tag.  You will need to have NFC Tag connected to 20732 and you will program the tag with BDADDR/Appearance/Name.  A GPIO will be running from the NFC Tag to 20732 so that 20732 knows that there was a "touch".  The application on 20732 will need to get out of sleep or power on and start High Scan allowing anybody to connect.  The application on the peer side will need to listen for advertisements from BDADDR/Appearance/Name and establish connection.  After that you will need to perform standard pairing using Just Works or Passkey methods.  Generated keys will be stored in the NVRAM. 

If by any chance you are allowed $5+ to use active tags, you will be able to program the NFC tag from 20732.  In this case OOB information on the tag can have an addition TK value which is used during SMP exchange and pairing can be made more secure than Just Works.  But I do not think anybody will use it, so I will not go into the details.

Anonymous
Not applicable

Thanks for your response. The more important question that I had was the following

Assuming that I had a set of encryption keys(obtained out of band or elsewhere) , could I direct the BLE stack to use these instead of the default keys that it provides. In other words I would want the BLE security mechanism to use my keys instead of its keys.

It will be great if someone can point me to the API's that provide this functionality.

Thanks

0 Likes

Unfortunately that would be a clear violation of the Bluetooth spec.  We cannot do that.  The spec defines how to use out of band data if it is available.  If out of band data is available it is used to generate keys.  But it cannot be used to replace keys.

0 Likes
Anonymous
Not applicable

Could you point me to API  that will enable supplying of encryption keys.

Thanks

0 Likes