LE Security Manager Question
28 views
Skip to first unread message
Sven Krauss
Oct 29, 2024, 11:17:51 AM10/29/24
to btstack-dev
Hi Matthias,
I have two questions about the LE security manager.
1. There is an event called SM_EVENT_AUTHORIZATION_REQUEST. I havn't seen this event in the documentation. What is the intention of this event?
2. The LE central device running the btstack has a button which can be pressed by the user. Voice output is also available. I want to realize the following workflow: The user starts a pairing procedure with a smartphone. The LE device shall output a voice message, something like "To accept the pairing request, please press the button." If the user presses the button the pairing will be accepted. After a timeout the pairing failed automatically if the button wasn't pressed.
What is the right configuration for this scenario (IO_CAPABILITY_NO_INPUT_NO_OUTPUT)
If an event occurs like SM_EVENT_JUST_WORKS_REQUEST, is it possible that the answer can be postponed to an later time. sm_just_works_confirm() is called later if the user pressed the button, sm_bonding_decline() is called on timeout. Does this work this way?
Kind regards
Sven
Matthias Ringwald
Nov 14, 2024, 4:15:12 AM11/14/24
to btsta...@googlegroups.com
Hi Sven
Sorry for the delay.
The Bluetooth Core Specification basically defines the following security levels: non encrypted, encrypted, authenticated, and authorized. Authorized is a bit vague in my view. Authentication already means that the devices have bonded with man-in-the-middle protection.
Authorization then means that a human has agreed that something happens. We've implemented something along this lines. If you declare a Characteristic as "Requires Authorization", BTstack will send the SM_EVENT_AUTHORIZATION_REQUEST event, which then need to be approved by the application. This happens on each new re-connect even though a secure pairing has happened before. That's the theory, I'm not aware of anybody using this in BTstack or have seen this in other customer devices.
As for your pairing procedure. As your setup does not provide any MITM protection, I would suggest to use IO_CAPABILITY_NO_INPUT_NO_OUTPUT which will result in Just Works pairing. You can then call sm_just_works_confirm if the user presses the button (as you've suggested).
Cheers
Matthias
> --
> You received this message because you are subscribed to the Google Groups "btstack-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to btstack-dev...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/btstack-dev/eba4b8e7-3cdb-427e-a759-44aa7e2242dbn%40googlegroups.com.
Sorry for the delay.
The Bluetooth Core Specification basically defines the following security levels: non encrypted, encrypted, authenticated, and authorized. Authorized is a bit vague in my view. Authentication already means that the devices have bonded with man-in-the-middle protection.
Authorization then means that a human has agreed that something happens. We've implemented something along this lines. If you declare a Characteristic as "Requires Authorization", BTstack will send the SM_EVENT_AUTHORIZATION_REQUEST event, which then need to be approved by the application. This happens on each new re-connect even though a secure pairing has happened before. That's the theory, I'm not aware of anybody using this in BTstack or have seen this in other customer devices.
As for your pairing procedure. As your setup does not provide any MITM protection, I would suggest to use IO_CAPABILITY_NO_INPUT_NO_OUTPUT which will result in Just Works pairing. You can then call sm_just_works_confirm if the user presses the button (as you've suggested).
Cheers
Matthias
> You received this message because you are subscribed to the Google Groups "btstack-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to btstack-dev...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/btstack-dev/eba4b8e7-3cdb-427e-a759-44aa7e2242dbn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages