BLE secure authentication

Hi,
I have a BLE server on an ESP32 with Arduino. When connecting with nRF Connect, I get a pop-up window to enter a passkey for pairing/authentication. How can I get this pop-up to show in my MIT App Inventor app?
I use the BluetoothLE extension.
Thank you
Regards
Ludo

You simply make your own, Ludo. Pop up a Notification Block that the User has to enter a pass key to. The Arduino doesn't need to know about it, just the App.

Hi John,

Thanks for your quick feedback.

But it needs to take the Arduino passkey request to reply to... Doesn't it?

I understood from ChatGPT that the Android stack normally takes care of that, but since it works with nRF Connect, and not with the MIT app, I would assume something should be done in the MIT app... But what? Any help is welcome.

Regards

Ludo

Well, how would the Arduino retain a passkey? You could implement a key in the Sketch, but that would then require a connection first. Better then to use my suggestion - have the pass key in the App. If the User fails to enter the correct key, the App can be closed.

Chris,
I really need to implement a secure link according to the BLE security specification.
I have a passkey on my server that immediately changes after first use, and that is transmitted in an encrypted way, so I am trying to find a solution.
Regards
Ludo

Does anyone know how to initiate bonding with the Arduino app? It looks as if ESP_GAP_BLE_PASSKEY_REQ_EVT in GAPeventhandler must be triggered to start the bonding. With nRF Connect it works; with the MIT app, I am not sure how to initiate it. Does anyone know where to find specifications for the BluetoothLE extension, so I can check if it may be in there?

BLE is secure by design, without pass keys.

Where did you find: "ESP_GAP_BLE_PASSKEY_REQ_EVT" - that looks like it is from a script?

There is a BLE Security study guide:

... and here is someone trying to do what you want to do:

Chris,
Thank you for your reply.
You mentioned: BLE is secure by design, without pass keys... yes, but first you must authenticate with a passkey, which is done when using nRF Connect, but I cannot find how to do this with the MIT app.
Thank you for the attached guides, but I am looking for the manual/guide on the BluetoothLE extension used in MIT App Inventor, to see if there is a way to initiate pairing/bonding.
ESP_GAP_BLE_PASSKEY_REQ_EVT is in esp_gap_ble_api.h from Espressif for the Arduino. Gapeventhandler is used in the Arduino ESP32 program.

I have passed your Topic to the developer of the MIT BLE extension, Evan.

I think that is only because your Sketch/Script includes that method of authentication?

Hi Chris,
You can delete this request, I finally got it to work by Arduino code. I am still trying to figure out which lines did it, as I just added several lines of param settings at once, and just tried... It then asked if I accepted pairing and I could enter the passkey in the Android pop-up...
Amazing that a pop-up can make you happy :smiley::notes:. Thank you for helping out.
Note: I still do not understand why Android pops up when using nRF Connect with fewer Arduino parameters set up, and needs more parameters with the MIT app... I still assume they invoke it... So, if the MIT people find out why, I am still interested to understand... :smiley:
Regards
Ludo

We would love to see what worked for you.

Could you post the working code and blocks?

// Security parameters:
I had the following 2 lines:

```cpp
////esp_ble_auth_req_t auth_req = ESP_LE_AUTH_REQ_SC_MITM_BOND; // Secure Connections, MITM, Bonding
////esp_ble_io_cap_t iocap = ESP_IO_CAP_KBDISP; // Passkey entry (display on device)
```

and changed to:

```cpp
esp_ble_auth_req_t auth_req = ESP_LE_AUTH_REQ_SC_MITM_BOND;
esp_ble_io_cap_t iocap = ESP_IO_CAP_OUT;
uint8_t key_size = 16;
uint8_t init_key = ESP_BLE_ENC_KEY_MASK | ESP_BLE_ID_KEY_MASK;
uint8_t rsp_key = ESP_BLE_ENC_KEY_MASK | ESP_BLE_ID_KEY_MASK;
uint32_t passkey = fixedPasskey;
uint8_t auth_option = ESP_BLE_ONLY_ACCEPT_SPECIFIED_AUTH_DISABLE;
```

and in setup, from the //// lines to the next:

```cpp
////esp_ble_gap_set_security_param(ESP_BLE_SM_AUTHEN_REQ_MODE, &auth_req, sizeof(auth_req)); // SC + MITM + BOND
////esp_ble_gap_set_security_param(ESP_BLE_SM_IOCAP_MODE, &iocap, sizeof(iocap)); // IO capabilities
////esp_ble_gap_set_security_param(ESP_BLE_SM_SET_STATIC_PASSKEY, &fixedPasskey, sizeof(fixedPasskey)); // Fixed passkey
esp_ble_gap_set_security_param(ESP_BLE_SM_SET_STATIC_PASSKEY, &passkey, sizeof(uint32_t));
esp_ble_gap_set_security_param(ESP_BLE_SM_AUTHEN_REQ_MODE, &auth_req, sizeof(uint8_t));
esp_ble_gap_set_security_param(ESP_BLE_SM_IOCAP_MODE, &iocap, sizeof(uint8_t));
esp_ble_gap_set_security_param(ESP_BLE_SM_MAX_KEY_SIZE, &key_size, sizeof(uint8_t));
esp_ble_gap_set_security_param(ESP_BLE_SM_ONLY_ACCEPT_SPECIFIED_SEC_AUTH, &auth_option, sizeof(uint8_t));
esp_ble_gap_set_security_param(ESP_BLE_SM_SET_INIT_KEY, &init_key, sizeof(uint8_t));
esp_ble_gap_set_security_param(ESP_BLE_SM_SET_RSP_KEY, &rsp_key, sizeof(uint8_t));
```

I assume, but could not check further in detail, that SET_INIT_KEY and SET_RSP_KEY were missing from my previous settings... and it is not the MIT app code/blocks that execute, but it is the Android stack that takes care of the authentication procedure.
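
How the IO capabilities and MITM flags of the two sides select the pairing method, as an added example that is not code from this thread or from ESP-IDF: it encodes the IO-capability mapping table of the Bluetooth Core Specification (Vol 3, Part H). The enum names and `pairing_method` are hypothetical, OOB data is assumed absent, and a phone advertising KeyboardDisplay is an assumption.

```c
#include <stdio.h>

/* SMP IO capability codes; the ESP_IO_CAP_* constants share these values. */
enum io_cap {
    IO_DISPLAY_ONLY = 0,     /* ESP_IO_CAP_OUT */
    IO_DISPLAY_YESNO = 1,    /* ESP_IO_CAP_IO */
    IO_KEYBOARD_ONLY = 2,    /* ESP_IO_CAP_IN */
    IO_NONE = 3,             /* ESP_IO_CAP_NONE */
    IO_KEYBOARD_DISPLAY = 4  /* ESP_IO_CAP_KBDISP */
};

enum method {
    JUST_WORKS,            /* unauthenticated, no passkey prompt */
    PASSKEY_RSP_DISPLAYS,  /* responder shows passkey, initiator types it */
    PASSKEY_INIT_DISPLAYS, /* initiator shows passkey, responder types it */
    PASSKEY_BOTH_INPUT,    /* user types the same passkey on both sides */
    NUMERIC_COMPARISON     /* Secure Connections only: confirm 6 digits */
};

#define JW JUST_WORKS
#define RD PASSKEY_RSP_DISPLAYS
#define ID PASSKEY_INIT_DISPLAYS
#define BI PASSKEY_BOTH_INPUT
/* LE legacy pairing mapping, indexed [responder][initiator]. */
static const enum method legacy_map[5][5] = {
    /* rsp DisplayOnly     */ { JW, JW, RD, JW, RD },
    /* rsp DisplayYesNo    */ { JW, JW, RD, JW, RD },
    /* rsp KeyboardOnly    */ { ID, ID, BI, JW, ID },
    /* rsp NoInputNoOutput */ { JW, JW, JW, JW, JW },
    /* rsp KeyboardDisplay */ { ID, ID, RD, JW, ID },
};

/* Devices that can show six digits and take a yes/no answer. */
static int can_confirm(enum io_cap c) { return c == IO_DISPLAY_YESNO || c == IO_KEYBOARD_DISPLAY; }

/* sc = both sides set the Secure Connections flag; OOB data assumed absent. */
enum method pairing_method(enum io_cap init, enum io_cap rsp,
                           int init_mitm, int rsp_mitm, int sc)
{
    if (!init_mitm && !rsp_mitm) return JUST_WORKS; /* IO caps are ignored */
    if (sc && can_confirm(init) && can_confirm(rsp)) return NUMERIC_COMPARISON;
    return legacy_map[rsp][init];
}

int main(void)
{
    /* Constructed case: phone (initiator) KeyboardDisplay, ESP32 ESP_IO_CAP_OUT. */
    printf("method = %d\n", pairing_method(IO_KEYBOARD_DISPLAY, IO_DISPLAY_ONLY, 1, 1, 1));
    return 0;
}
```

If neither side sets the MITM flag, or either side reports NoInputNoOutput, the result is Just Works, which gives no protection against an active man-in-the-middle during pairing.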