android - Bluetooth Low Energy encryption and data safety


I need to send sensitive data over a Bluetooth Low Energy (BLE) data connection between a smartphone (iOS & Android) and an embedded device (CC2540 chip).

Since I don't consider the app code on the phones to be safe from hacking, I need to rely on the BLE safety for an encrypted package that is delivered from the server to the device once, and only once (I must assume that a second attempt to deliver the package must be from an attacker).

I have been browsing the net for a few days now, to find out if my data is safe, and under what conditions. Unfortunately I haven't been able to come up with a simple answer to my questions.

  1. Is my data safe if I pair the phone with the device? - I suppose so, though I understand the pairing process is flawed, so it is theoretically possible for a man-in-the-middle (MITM) to sniff the encryption keys during the pairing process and compromise the connection.

  2. I need each device to be paired with several phones (but only communicating with one at a time). What's the maximum number of pairings per device? - Unfortunately I need to pair a rather large number of phones with the device(s).

  3. Can I perhaps get the pairing data (long term keys etc.) from the device and store it on external memory, to increase this limit?

  4. Can I make a safe data connection to the device without pairing, or maybe by re-pairing when I need to do so? - How safe is this procedure with regards to MITM attacks?

I can't seem to find any documents that answer these questions unambiguously. Any ideas or pointers are welcome.

Here's my 2 cents:

  1. AFAIK, the BLE pairing/encryption process is not flawed. There are 3 levels of MITM protection available with the encryption:

    • None, which uses a known key == 0, so if the eavesdropper catches the packets in the pairing process, he can follow the encrypted connection.
    • Low MITM protection, when you use a user-input passkey for pairing, with the key < 1.000.000. Here the eavesdropper needs to try a million keys.
    • High MITM protection, using an out-of-band key. This would give you full 128-bit strength encryption, and an eavesdropper would need to know the key to follow the conversation if catching the whole pairing process. Since there is no key-exchange method in BLE (yet, at least), the weakest point here would be the key distribution, but that is the same problem as when having an additional layer of encryption at the application level.
  2. This is implementation dependent. The device doesn't have to bond, i.e. establish a permanent relationship with the host. If the devices don't bond, there is no state telling about earlier connections (other than the exchanged data, which is the application domain, not the BLE stack). If the devices are not bonded, they will have to pair again the next time they connect to exchange protected data. If the devices are bonded, the encrypted connection can be continued without app/user interaction, with the same security level as earlier. For one-time-connect devices, bonding doesn't make sense, so you can have a stateless implementation with no restrictions on the number of connected devices. For multiple-times-connect, you can also have a stateless implementation, depending on how you distribute/store the key(s), which is independent of BLE. The availability of the different options here depends on the device/BLE stack implementation you are using, though, but the spec allows for this.

  3. If you bond and exchange long term keys etc., these can, dependent on the BLE implementation you're building on, be stored wherever you like.

  4. As said under 2., you can establish a secure (encrypted) connection without bonding. The devices will then need to pair again the next time they want to establish a secure connection. If you don't want to/aren't able to pair for some reason, then you can have plaintext communication.
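
A device-side sketch that combines the answer's three protection levels with the question's once-only delivery rule, added here as an example and not code from the original post or from any BLE stack. The `link_state_t` fields, the verdict names and the policy of demanding an out-of-band key with a 16-byte encryption key are assumptions; a real application would read these values from its BLE stack and keep the `delivered` flag in non-volatile memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pairing methods matching the answer's three levels (LE legacy pairing). */
typedef enum { PAIR_NONE, PAIR_JUST_WORKS, PAIR_PASSKEY, PAIR_OOB } pair_method_t;

/* Hypothetical view of the link; a real app would fill this from its BLE stack. */
typedef struct {
    bool          encrypted; /* link-layer encryption currently active */
    pair_method_t method;    /* method that created the keys (kept with a bond) */
    uint8_t       key_size;  /* negotiated key size in bytes (spec allows 7..16) */
} link_state_t;

typedef enum { ACCEPT, REJECT_PLAINTEXT, REJECT_WEAK_PAIRING,
               REJECT_SHORT_KEY, REJECT_REPLAY } verdict_t;

/* Secret bits left to someone who recorded the whole pairing exchange. */
unsigned tk_secret_bits(pair_method_t m)
{
    switch (m) {
    case PAIR_JUST_WORKS: return 0;    /* known key == 0 */
    case PAIR_PASSKEY:    return 20;   /* key < 1,000,000, just under 2^20 */
    case PAIR_OOB:        return 128;  /* full-strength out-of-band key */
    default:              return 0;    /* never paired */
    }
}

/* Decide whether the one-time package may be accepted on this link. */
verdict_t accept_package(const link_state_t *l, bool *delivered)
{
    if (!l->encrypted)                   return REJECT_PLAINTEXT;
    if (tk_secret_bits(l->method) < 128) return REJECT_WEAK_PAIRING;
    if (l->key_size < 16)                return REJECT_SHORT_KEY;
    if (*delivered)                      return REJECT_REPLAY; /* second attempt */
    *delivered = true;
    return ACCEPT;
}

int main(void)
{
    bool delivered = false;
    link_state_t oob = { true, PAIR_OOB, 16 };  /* constructed sample link */
    verdict_t first  = accept_package(&oob, &delivered);
    verdict_t second = accept_package(&oob, &delivered);
    printf("first=%d second=%d\n", first, second);
    return 0;
}
```

Because a bonded reconnection keeps the security level of the pairing that created the bond, the gate checks the stored pairing method and does not care whether the keys are fresh or restored.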

