LE Secure Connections and Just Works

Zaborpila

Hi,

This is my first question in the forums, but I bet it will not be the last one.

While testing the different projects available in the "100 projects in 100 days" blog at cypress.com related to bonding, authentication and BLE privacy (with CyBle-202007-01 BT 4.2 modules and PSoC Creator 4.0), I noticed that the security level configuration option available in the BLE 3.30 component related to LE Secure Connections only offers an Authenticated variant. This will prevent me from configuring both modules so that an unauthenticated Just Works pairing method is used between them. The moment I try to set No Input No Output in the I/O capabilities, in order to force Just Works, I get a warning message signaling that this option is not available.

Is there any particular reason why the Just Works unauthenticated method is not currently supported/cannot be configured in LE Secure Connections the same way it is/can be in LE Legacy Pairing?

Thank you,

Zabor

GyanC_36
Employee

Hi Zabor,

Welcome to the Forum!!

When you set the security level to 'Authenticated Pairing with Encryption' or 'Authenticated LE Secure Connection Pairing with Encryption', you are supposed to go for authentication, which means your device should have some I/O capabilities for authentication. So, if you set the I/O capabilities to 'No Input No Output', you are pushing your device back to unauthenticated pairing, which is not possible because you have already set the security level to 'Authenticated Pairing'.

Please find a screenshot of the BLE spec attached to this response. Here you can see that when you set 'Authenticated' pairing, the MITM flag will be set and it will check for I/O capabilities. Now, if you do not have I/O capabilities, your pairing should be 'Just Works', which means 'Unauthenticated'.

So basically, before setting the security level you are supposed to know your device's I/O capabilities.

Hope this will help you!!

Please let us know if you have any further queries.

Regards,

Gyan


Anonymous

@GYAN It sounds like you are saying that the order in which you choose the I/O capability and the security level makes a difference for the IDE setting up the "just works" pairing/authentication.

Thus, if we set the I/O capability first, before setting the security settings, then there will be no error(s)?

Anonymous

No, the order of configuring IO capabilities and Security level will not solve the issue. It will still throw the error.

In Vol 3, Part C of the Bluetooth spec, it is stated that the last security level, or security level 4, is "Authenticated LE Secure Connections pairing with encryption". It also says that security level 4 shall also satisfy the security requirements for security level 3. In simple words, Secure Connections always comes with "Authenticated". There is no way to have an unauthenticated secure connection (we can argue that the SMP says it's allowed but the GAP says authentication is mandatory).
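
The SMP/GAP interaction discussed in this thread, as an added example that is not part of the original posts and is not Cypress BLE component code: it selects the SMP association model from the MITM flags and I/O capabilities (Core Specification Vol 3, Part H), then reports which LE security mode 1 level (Vol 3, Part C) the resulting key satisfies. All type and function names are hypothetical; OOB pairing is assumed unused and the encryption key size is assumed to be 128 bits.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names. IO capability order follows the SMP encoding 0x00-0x04. */
typedef enum { DISPLAY_ONLY, DISPLAY_YES_NO, KEYBOARD_ONLY,
               NO_INPUT_NO_OUTPUT, KEYBOARD_DISPLAY } io_cap_t;
typedef enum { JUST_WORKS, PASSKEY_ENTRY, NUMERIC_COMPARISON } method_t;

static bool has_keyboard(io_cap_t c) { return c == KEYBOARD_ONLY || c == KEYBOARD_DISPLAY; }
static bool has_yes_no(io_cap_t c)   { return c == DISPLAY_YES_NO || c == KEYBOARD_DISPLAY; }

/* SMP side: choose the association model (OOB assumed unused).
 * sc is true only when both devices set the Secure Connections bit. */
method_t select_method(io_cap_t a, io_cap_t b, bool mitm_a, bool mitm_b, bool sc)
{
    if (!mitm_a && !mitm_b) return JUST_WORKS;        /* nobody asked for MITM protection */
    if (a == NO_INPUT_NO_OUTPUT || b == NO_INPUT_NO_OUTPUT)
        return JUST_WORKS;                            /* no way to authenticate */
    if (sc && has_yes_no(a) && has_yes_no(b)) return NUMERIC_COMPARISON;
    if (has_keyboard(a) || has_keyboard(b)) return PASSKEY_ENTRY;
    return JUST_WORKS;                                /* display-only on both sides */
}

/* GAP side: LE security mode 1 level the link reaches once encrypted
 * (128-bit key assumed, which level 4 requires). */
int achieved_level(method_t m, bool sc)
{
    if (m == JUST_WORKS) return 2;   /* unauthenticated pairing with encryption */
    return sc ? 4 : 3;               /* authenticated: LE SC -> 4, legacy -> 3 */
}

/* True when the negotiated pairing meets the configured security level. */
bool pairing_acceptable(int required, io_cap_t a, io_cap_t b,
                        bool mitm_a, bool mitm_b, bool sc)
{
    return achieved_level(select_method(a, b, mitm_a, mitm_b, sc), sc) >= required;
}

int main(void)
{
    /* Constructed case from the thread: level 4 configured, NoInputNoOutput selected. */
    bool ok = pairing_acceptable(4, NO_INPUT_NO_OUTPUT, DISPLAY_YES_NO, true, true, true);
    printf("level 4 with NoInputNoOutput: %s\n", ok ? "accepted" : "rejected");
    ok = pairing_acceptable(4, DISPLAY_YES_NO, KEYBOARD_DISPLAY, true, true, true);
    printf("level 4 with DisplayYesNo/KeyboardDisplay: %s\n", ok ? "accepted" : "rejected");
    return 0;
}
```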