Communicating Securely with a Passkey
Connecting, pairing, and bonding in BLE
The main purpose of the Bluetooth Security Manager is to set up tools and procedures to allow secure connections and protect communication from passive eavesdropping, man-in-the-middle attacks and privacy/identity tracking. BLE provides for connecting, pairing and bonding between devices.
Connecting is the act of establishing a communication link. Neither pairing nor bonding is required to communicate over BLE at this stage. Once two devices are connected, they will perform a pairing process in which they will exchange the necessary information to establish an encrypted connection.
Pairing is the act of exchanging keys after connection, usually to set up and maintain an encrypted connection. A procedure authenticates two devices and creates a common link key (passkey) that can be used as a basis for a secure connection.
Pairing entails three phases:
- This phase starts when the initiating device sends a pairing request to the other device. The two devices then exchange I/O capabilities, authentication requirements and bonding requirements. They exchange their capabilities and determine how they will set up a secure connection. (Note that all data being transferred during this phase is unencrypted.)
- Once phase 1 is complete, the devices generate and/or exchange the TK (Temporary Key) using a pairing mechanism (passkey). They exchange Confirm and Random values to verify that they both are using the same TK. Once that has been determined, they use the TK along with the Random values to create the STK (Short Term Key). The STK is then used to encrypt the connection.
- This is an optional phase which is used if bonding requirements were exchanged in phase 1. Here, several transport-specific keys are exchanged.
In this method, the TK is a 6-digit number that will pass between two devices. The way of transferring this number may vary. For example, one of the devices may generate a random, 6-digit number and display it on an LCD display, or it may display a pre-defined, 6-digit number already known to the user. The user would then enter the number into the other device using a keypad, as shown in the image below:
Pairing dialog in the Home Automation Android Application
The pairing dialog can be invoked as follows:
Method mBond = device.getClass().getMethod("createBond", (Class) null); mBond.invoke(device, (Object) null);
The devices may also bond, or store, the information from the pairing process, so that they do not need to pair every time they reconnect. Bonding is the act of storing the exchanged keys after pairing, mainly to re-establish an encrypted connection without needing to exchange keys again.