[Interest] BLE OOB authentication
Jérôme Godbout
godboutj at amotus.ca
Mon Dec 3 15:41:05 CET 2018
Thanks Alex for the clarification. I will try the pairing and along the connect to device call and see what I can do with it. I'm not sure what I will be able to do, since the Bluetooth device doesn't have any support for input or display so I would need to either hardcode a pin (which would not be supported by QBluetooth from what I understand).
For the OOB, it seem like under Android you need to simulate an NFC reading and send it over the dbus. But I'm not sure it will worth the devel time to make this work.
Thanks again,
Jerome
-----Original Message-----
From: Alex Blasche <alexander.blasche at qt.io>
Sent: December 3, 2018 8:52 AM
To: Jérôme Godbout <godboutj at amotus.ca>; interest at qt-project.org
Subject: Re: BLE OOB authentication
Hi Jérôme,
Sorry for the late reply, but I had a case where I had to dig through Bluez to find a related answer.
For starters QLowEnergyController::connectToDevice() & QBluetoothLocalDevice::requestPairing talk to the same layer (which is Bluez). You can initiate the paring before you call connectToDevice() and it will work.
However QtBluetooth is not setup for BLE OOB key sharing. QtBluetooth support traditional pairing only. It internally generates random password/pin for the traditional pairing setup. OOB pairing relies on sharing the key via a second transport bearer such as NFC. There is a Bluez plug-in which registers Bluez with neard (NFC handover agent). The pairing would not need input from QtBluetooth but QtBluetooth would benefit because at the end being paired property of the device is of relevance for all Bluez users (including QtBluetooth)
For details see: https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/plugins/neard.c
--
Alex
________________________________________
From: Jérôme Godbout <godboutj at amotus.ca>
Sent: Friday, 23 November 2018 3:12:02 PM
To: Alex Blasche; interest at qt-project.org
Subject: RE: BLE OOB authentication
I have a question about the QLowEnergyController and the pairing, my current flow with some BLE device is unauthenticated and use the QLowEnergyController, but If I want to add the pairing I cannot use the QLowEnergyController::connectToDevice() but I would need to use the QBluetoothLocalDevice::requestPairing, can I just replace the connecting part and reuse the services discovery inside the QLowEnergyController after or they will not see the connected device? Is the 2 talking to the same underlayer that keep the connected devices or do I have to convert all the services and characteristics discovery to the QBluetoothLocalDevice somehow. How does the 2 are linked or can be used together?
-----Original Message-----
From: Interest <interest-bounces at lists.qt-project.org> On Behalf Of Alex Blasche
Sent: November 23, 2018 2:14 AM
To: interest at qt-project.org
Subject: Re: [Interest] BLE OOB authentication
The official Qt Bluetoothy API does not support OOB authentication. In fact, the Android APIs do not have official support for it either. There is a hidden function for it in BluetoothDevice on Android though:
https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/bluetooth/BluetoothDevice.java#1040
With reflection you should be able to access it. There are quite a few examples on the Internet.
If Qt were to implement this type of pairing, the function would have to take the additional parameters into account.
--
Alex
________________________________________
From: Interest <interest-bounces at lists.qt-project.org> on behalf of Jérôme Godbout <godboutj at amotus.ca>
Sent: Thursday, 22 November 2018 8:54:11 PM
To: interest at qt-project.org
Subject: [Interest] BLE OOB authentication
Hi,
How does one can perform an OOB authentication for secure connection with Qt under Android (and iOS if possible but not 100% required, but would be sweet if I can manage both)? I was doing anonymous connection with the QLowEnergyController:: connectToDevice() but I also seen the QBluetoothLocalDevice::requestPairing<http://doc.qt.io/qt-5/qbluetoothlocaldevice.html#requestPairing>() but I'm a little confuse with the API, should the authentication be part of the connection when the capability are exchanged. I have a device that required authenticated connection and ideally with OOB capability, but I doubt I can specify this on the Android application when connecting. The requestPairing only have 2 option paired and authorizedPaired, but this only give the paired device capability, what I'm looking for is the authentication but I cannot find anything? Is authenticated and secure BLE connection impossible with those? I known that BLE is not top secure even with those, but I would still need to implement it.
Maybe someone have an example of NFC OOB pairing under Qt Android that (s)he could share? That would give some hint. The Qt Bluetooth connection API is hard to follow when I compare to the specs and other embedded BLE stack I work with. I have create the OOB pairing with BLE 4.0 with a few embedded stack, but I cannot figure out how to do this with Qt or Android properly. My device authentication is mandatory (anonymous and unsecure connection are not allowed).
Is there a way to do the following with Bluetooth with Qt or even Android java level:
1. Is there any configuration to device capability for authentication?
2. Specify the MITM options?
3. Make OOB capable?
4. PIN entry authentication?
5. Establish a secure 4.0 or secured 4.2 connection?
Seem like the pairing/connection/authentication have been highly confused with each other into Qt framework and Android API, it look like a huge ugly mess.
Pairing != Authentication
Connection != Pairing
Connection != Authentication
1. Connection is the way to establish a link with the Bluetooth device, at that point you are on anonymous connection.
2. Authentication is the ability to make sure the connected device is the right one and you can accept or reject the device if it failed to authenticate.
3. Pairing is the act of avoiding the authentication to be needed again by keeping the previous negotiated authentication with the other device between connection.
[36E56279]
une compagnie [cid:image014.jpg at 01D48273.39D83E70]
RAPPROCHEZ LA DISTANCE
Jérôme Godbout
Développeur Logiciel Sénior /
Senior Software Developer
p: +1 (418) 800-1073 ext.:109
amotus.ca<http://www.amotus-solutions.com/>
statum-iot.com<http://statum-iot.com/>
[cid:image015.png at 01D48273.39D83E70]<https://www.facebook.com/LesSolutionsAmotus/> [cid:image016.png at 01D48273.39D83E70] <https://www.linkedin.com/company/amotus-solutions/> [cid:image017.png at 01D48273.39D83E70] <https://twitter.com/AmotusSolutions> [cid:image018.jpg at 01D48273.39D83E70] <https://www.youtube.com/channel/UCoYpQgsmj1iJZyDjTQ3x8Ig>
More information about the Interest
mailing list