BLE Security Overview
ZentriOS BLE supports Security Mode 1 (encryption) with its first three levels:
- Level 1 : No encryption - default
- Level 2 : Unauthenticated/"Just works" encryption with no passkey
- Level 3 : Authenticated encryption with a passkey
ZentriOS BLE encryption is managed with two encryption variables:
ZentriOS BLE supports encryption using three of the possible key types: "Just Works" (keyless), keyed with a 6 digit pin code, or keyed with a 128 bit hex string.
The table below provides details of the available systems.
References are to Specification of the Bluetooth System, core package version 4.0. See https://www.bluetooth.org.
bl e e
bl e k
|Advantages||Disadvantages||Use Case||BLE pairing procedure||BLE security mode|
|no||N/A||no security or encryption involved, should work with any device||data is sent in clear text||When eavesdropping is not an issue||none||Mode 1 Level 1|
|yes||none||Simplest to use, just works with a range of devices||Does not protect against "Man in the Middle" attack||When the other device has no IO capabilities to enter a pin code or when the user is not concerned about "Man in the Middle" attack||Just Works Procedure (Vol 3, Part H, 220.127.116.11)||Mode 1 Level 2|
|yes||6 digit pin code||Gives better protection, works best with smart phones||A 6 digit key is vulnerable to a brute force attack.|
If an attacker manages to capture the pairing procedure security keys can be obtained (also known as a "Passive Eavesdropper" attack)
|When the other device has pin code input capabilities, such as a smart phone||Pass key entry Procedure (Vol 3, Part H, 18.104.22.168)||Mode 1 Level 3|
|yes||128 bit hex string||Gives the best protection||Not possible to pair with smart phones||When the other device is also a Zentri BLE module, or the other device has OOB (out of band) capabilities||OOB Procedure (Vol 3, Part H, 22.214.171.124)||Mode 1 Level 3|