Questions about GATT properties/permissions

dasmc_2125571

Hello,

I have several characteristics that I want to make readable and writable (no response) ONLY when the link is encrypted. I've searched the forum, but haven't found a definitive answer to the following questions:

1) Do the permissions logically AND with the properties? For example, if I enabled the read property and the read (authenticated) permission, does that allow reading only over an encrypted link?

2) Does the "authenticated" modifier on permissions solely indicate encryption required, or is MITM authentication being performed as well?

3) What combination of properties/permissions would result in requiring an encrypted link before the characteristic can be accessed?

4) I've seen mentions in a few other threads on the forum (late last year and earlier this year) of a security app note that was in the process of being developed. Is it available yet, and if so, where?

Thank you for any assistance,

David

1 Solution

Hello.

1). I don't know how permissions and properties are implemented at the lower level and if they are logically AND. But here is what our document says about permissions:

How to Write WICED Smart Applications, page 11:

"The permission parameter specifies whether the characteristic value can be read and/or written by the client and identifies the security level required for the read, write, notify, and indicate procedures. These are permissions set up by this application (Table 2 on page 12 lists the defined permission bits)."

So yes if you want a read property, also give read permissions. Now depending on which permission you give, it will define the security level required. The Table 2 on page 12 has the definitions of the permissions.

"If I enabled the read property and the read (authenticated) permission, does that allow reading only over an encrypted link?" Yes.

2). This depends on what kind of pairing has been established.

I think our implementation of the stack allows three types of pairing: Just Works, Passkey, Out of Band (OOB).

According to Bluetooth SIG (LE Security | Bluetooth Development Portal), "MITM protection is obtained by using the passkey entry pairing method or may be obtained using the out of band pairing method."

You can refer to hello_client for passkey and OOB implementations.

3). As an example, you can do something like this:

CHARACTERISTIC_UUID128 (HDLC_TEST_TEST, HDLC_TEST_TEST_VALUE,   /* declaration handle, value handle */
            __UUID_TEST_TEST,                                   /* 128-bit characteristic UUID */
            LEGATTDB_CHAR_PROP_READ,                            /* property: client may read */
            LEGATTDB_PERM_AUTH_READABLE,                        /* permission: read requires an authenticated link */
            1),                                                 /* value length in bytes */

You can try playing around with WICED Bluetooth Designer to create a new GATT DB.

(File->New->WICED Bluetooth Designer)

WICED Smart Video BLOG: SDK 2.1 Smart Designer Tool Walk-Thru

4). Can you give us the links to the forum threads you are referring to? I don't know which app note you mean.

Does this help? Let us know.

Thanks.

James
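To make the property/permission interaction and the encryption-versus-MITM distinction from questions 1 to 3 concrete, here is an added example, written for this page in plain C; it is not WICED code and not part of James's answer. It models the access check a GATT server performs before serving a read or write: the property and the permission are ANDed, and the permission then sets the security level the link must meet. The PROP_/PERM_ bit values, the link_after_pairing helper and the encrypted_only_characteristic builder are this example's own constructs, not the LEGATTDB_* constants from the WICED SDK; the ATT error codes are the standard values from the Bluetooth Core specification. The example also shows the point behind question 2: a Just Works pairing gives an encrypted but unauthenticated link, so a permission that demands authentication fails on it with Insufficient Authentication (0x05), while a permission that only demands encryption is satisfied.

```c
/*
 * Added example (not WICED code): a minimal model of the access check a
 * GATT server makes before serving a read or write. PROP_/PERM_ values are
 * this example's own, NOT the WICED LEGATTDB_* constants. ATT error codes
 * are the standard ones (Bluetooth Core spec, Vol 3 Part F, 3.4.1.1).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Characteristic properties, advertised to the client in the declaration. */
#define PROP_READ          0x02
#define PROP_WRITE_NO_RSP  0x04
#define PROP_WRITE         0x08

/* Server-side permissions: which access is allowed, and at what security level. */
#define PERM_READABLE             0x01  /* read allowed on any link                 */
#define PERM_WRITABLE             0x02  /* write allowed on any link                */
#define PERM_READ_ENCRYPTED       0x04  /* read only over an encrypted link         */
#define PERM_WRITE_ENCRYPTED      0x08  /* write only over an encrypted link        */
#define PERM_READ_AUTHENTICATED   0x10  /* read only after MITM-protected pairing   */
#define PERM_WRITE_AUTHENTICATED  0x20  /* write only after MITM-protected pairing  */

#define PERM_ANY_READ  (PERM_READABLE | PERM_READ_ENCRYPTED | PERM_READ_AUTHENTICATED)
#define PERM_ANY_WRITE (PERM_WRITABLE | PERM_WRITE_ENCRYPTED | PERM_WRITE_AUTHENTICATED)

/* ATT error codes from the Bluetooth Core spec. */
#define ATT_OK                               0x00
#define ATT_ERR_READ_NOT_PERMITTED           0x02
#define ATT_ERR_WRITE_NOT_PERMITTED          0x03
#define ATT_ERR_INSUFFICIENT_AUTHENTICATION  0x05
#define ATT_ERR_INSUFFICIENT_ENCRYPTION      0x0F

enum pairing { NOT_PAIRED, JUST_WORKS, PASSKEY_ENTRY, OOB_WITH_MITM };

/* Security state of the current LE link. */
struct link_state {
    bool encrypted;      /* link-layer encryption is on                          */
    bool authenticated;  /* ...and the key came from an MITM-protected pairing   */
};

/* Derive the link state from how the peer paired; encryption is assumed to
 * have been started with the resulting key. (Example assumption: the OOB
 * case is OOB data exchanged with MITM protection.) */
struct link_state link_after_pairing(enum pairing p)
{
    struct link_state l = { false, false };
    switch (p) {
    case JUST_WORKS:    l.encrypted = true; break;                         /* no MITM protection */
    case PASSKEY_ENTRY:
    case OOB_WITH_MITM: l.encrypted = true; l.authenticated = true; break;
    case NOT_PAIRED:    break;
    }
    return l;
}

struct characteristic { uint8_t props; uint8_t perms; };

enum access { ACCESS_READ, ACCESS_WRITE, ACCESS_WRITE_NO_RSP };

/* Returns ATT_OK or the ATT error code the server would send back. For a
 * Write Without Response the client gets no error PDU at all, the server just
 * drops the write, but the decision is the same. */
uint8_t check_access(const struct characteristic *c, const struct link_state *l, enum access op)
{
    bool    is_read   = (op == ACCESS_READ);
    uint8_t prop_bit  = is_read ? PROP_READ : (op == ACCESS_WRITE ? PROP_WRITE : PROP_WRITE_NO_RSP);
    uint8_t perm_any  = is_read ? PERM_ANY_READ : PERM_ANY_WRITE;
    uint8_t perm_enc  = is_read ? PERM_READ_ENCRYPTED : PERM_WRITE_ENCRYPTED;
    uint8_t perm_auth = is_read ? PERM_READ_AUTHENTICATED : PERM_WRITE_AUTHENTICATED;

    /* 1. Property AND permission: both must allow the operation at all. */
    if (!(c->props & prop_bit) || !(c->perms & perm_any))
        return is_read ? ATT_ERR_READ_NOT_PERMITTED : ATT_ERR_WRITE_NOT_PERMITTED;

    /* 2. Required security level, strictest first. A Just Works link is
     *    encrypted but NOT authenticated, so it fails the MITM requirement. */
    if ((c->perms & perm_auth) && !l->authenticated)
        return ATT_ERR_INSUFFICIENT_AUTHENTICATION;
    if ((c->perms & (perm_enc | perm_auth)) && !l->encrypted)
        return ATT_ERR_INSUFFICIENT_ENCRYPTION;

    return ATT_OK;
}

/* The configuration asked for in the question: readable and writable without
 * response, but only over an encrypted link, with no MITM requirement. */
struct characteristic encrypted_only_characteristic(void)
{
    struct characteristic c = {
        .props = PROP_READ | PROP_WRITE_NO_RSP,
        .perms = PERM_READ_ENCRYPTED | PERM_WRITE_ENCRYPTED,
    };
    return c;
}

int main(void)
{
    struct characteristic c = encrypted_only_characteristic();
    const char *names[] = { "not paired", "Just Works", "Passkey", "OOB" };
    for (int p = NOT_PAIRED; p <= OOB_WITH_MITM; p++) {
        struct link_state l = link_after_pairing((enum pairing)p);
        printf("%-11s read=0x%02X write-no-rsp=0x%02X\n", names[p],
               check_access(&c, &l, ACCESS_READ),
               check_access(&c, &l, ACCESS_WRITE_NO_RSP));
    }
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 gatt_access.c`). For the encrypted-only characteristic above, an unpaired link gets 0x0F (Insufficient Encryption) for both the read and the write-without-response, and every paired link, Just Works included, gets 0x00; a Write Request with response gets 0x03 because that property was never set. Swap PERM_READ_ENCRYPTED for PERM_READ_AUTHENTICATED and the Just Works link is refused with 0x05 while Passkey and OOB links are served, which is the practical difference between "encrypted" and "authenticated" in the permission bits.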


Thank you for the answer, jamesle1. I think it clarifies the situation somewhat for me.

The security document/app note I was asking about in #4 above was mentioned in the following posts ...

Re: BCM20737S security features

mwf_mmfae said -- "A security AppNote was originally due out this quarter, but I'm not sure if that is still the case as this may move to Q4." [2014]

Re: Update on RSA and/or app note for BCM20737?

andrew997 said -- "Any updates on the availability of an app note and/or example app demonstrating the RSA capabilities of the BCM20737?" [2015]

Thanks,

David
