2.0:security [2015/09/14 00:10] (current)
====== Security ======

===== BLE Security Overview =====

TruConnect supports Security Mode 1 (encryption) with its first three levels:
  * Level 1 : No encryption - default
  * Level 2 : Unauthenticated/"Just works" encryption with no passkey
  * Level 3 : Authenticated encryption with a passkey

TruConnect encryption is managed with two encryption variables:

  * [[variables#bl_e_e|bl e e]] - Encryption enabled
  * [[variables#bl_e_k|bl e k]] - Encryption key

TruConnect supports encryption using three of the possible key types: "Just Works" (keyless), keyed with a 6 digit pin code, or keyed with a 128 bit hex string.

The table below provides details of the available systems.

References are to //Specification of the Bluetooth System//, core package version 4.0. See https://www.bluetooth.org.

^ Enabled \\ [[variables#bl_e_e|bl e e]] ^ Key \\ [[variables#bl_e_k|bl e k]] ^ Advantages ^ Disadvantages ^ Use Case ^ BLE pairing procedure ^ BLE security mode ^
| no | N/A | No security or encryption involved; should work with any device | Data is sent in clear text | When eavesdropping is not an issue | none | Mode 1 Level 1 |
| yes | none | Simplest to use; just works with a range of devices | Does not protect against a "Man in the Middle" attack | When the other device has no IO capabilities to enter a pin code, or when the user is not concerned about a "Man in the Middle" attack | Just Works Procedure (Vol 3, Part H, 2.3.5.2) | Mode 1 Level 2 |
| yes | 6 digit pin code | Gives better protection; works best with smart phones | A 6 digit key is vulnerable to a brute force attack. \\ If an attacker manages to capture the pairing procedure, the security keys can be obtained (also known as a "Passive Eavesdropper" attack) | When the other device has pin code input capabilities, such as a smart phone | Passkey Entry Procedure (Vol 3, Part H, 2.3.5.3) | Mode 1 Level 3 |
| yes | 128 bit hex string | Gives the best protection | Not possible to pair with smart phones | When the other device is also an ACKme BLE module, or the other device has OOB (out of band) capabilities | OOB Procedure (Vol 3, Part H, 2.3.5.4) | Mode 1 Level 3 |
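As an added example (not TruConnect's own code), the Python below maps a (bl e e, bl e k) setting to the table row it selects, validates the key format, and puts a number on the brute-force caveat for the 6 digit pin. The function names, and the assumption that the pin is six decimal digits and the 128 bit key is given as 32 hex characters, are mine.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Assumed key encodings: a 6-digit decimal pin, or a 128-bit key as 32 hex characters.
PIN_RE = re.compile(r"[0-9]{6}")
HEX128_RE = re.compile(r"[0-9A-Fa-f]{32}")


@dataclass(frozen=True)
class SecurityProfile:
    mode_level: str       # BLE security mode/level from the overview table
    pairing: str          # pairing procedure the configuration implies
    keyspace_bits: float  # log2 of the number of keys an attacker would have to guess
    caveat: str           # the table's main disadvantage for this row


def classify(bl_e_e: bool, bl_e_k: Optional[str]) -> SecurityProfile:
    """Hypothetical helper: pick the table row selected by the two TruConnect variables."""
    if not bl_e_e:
        return SecurityProfile("Mode 1 Level 1", "none", 0.0,
                               "data is sent in clear text")
    if not bl_e_k:
        return SecurityProfile("Mode 1 Level 2", "Just Works", 0.0,
                               "no protection against a Man in the Middle attack")
    if PIN_RE.fullmatch(bl_e_k):
        # Only 10**6 possible passkeys (~20 bits), which is why the table warns about brute force.
        return SecurityProfile("Mode 1 Level 3", "Passkey Entry", math.log2(10 ** 6),
                               "6-digit pin is brute-forceable; keys exposed if pairing is captured")
    if HEX128_RE.fullmatch(bl_e_k):
        return SecurityProfile("Mode 1 Level 3", "OOB", 128.0,
                               "cannot pair with smart phones")
    raise ValueError("bl e k must be empty, a 6-digit pin, or 32 hex characters")


def keyspace_gap_bits(weaker: SecurityProfile, stronger: SecurityProfile) -> float:
    """Extra bits of guessing work the stronger configuration demands over the weaker one."""
    return stronger.keyspace_bits - weaker.keyspace_bits


if __name__ == "__main__":
    # Constructed sample settings, one per table row.
    for enabled, key in [(False, None), (True, ""), (True, "123456"), (True, "0f" * 16)]:
        p = classify(enabled, key)
        print(f"bl e e={int(enabled)} bl e k={key!r:36} -> {p.mode_level}, "
              f"{p.pairing}, {p.keyspace_bits:.1f} bits: {p.caveat}")
```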