[Interest] BLE OOB authentication

Jérôme Godbout godboutj at amotus.ca
Fri Nov 23 15:04:25 CET 2018


Thanks. Yeah, this what I did found myself, I was hoping some class was exposing the authentication methods and capability at least. 

Any way to make the display to enter pin (I want the Android device to enter the pin)? Is the pairing authenticated (QBluetoothLocalDevice::requestPairing) will make it under the hood by itself? I'm not a big fan of using unexposed API especially when it work only on some device and not on others.

Maybe I will try to use the OS pairing instead and only list the paired devices with the mobile. This would make the pin process work at least properly. Now I understand why so many BLE device give fake PIN (0000 or 1234) or no authentication at all.

Back to drawing board of the application flow...

-----Original Message-----
From: Interest <interest-bounces at lists.qt-project.org> On Behalf Of Alex Blasche
Sent: November 23, 2018 2:14 AM
To: interest at qt-project.org
Subject: Re: [Interest] BLE OOB authentication

The official Qt Bluetoothy API does not support OOB authentication. In fact, the Android APIs do not have official support for it either. There is a hidden function for it in BluetoothDevice on Android though:

https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/bluetooth/BluetoothDevice.java#1040

With reflection you should be able to access it. There are quite a few examples on the Internet.

If Qt were to implement this type of pairing, the function would have to take the additional parameters into account.

--
Alex

________________________________________
From: Interest <interest-bounces at lists.qt-project.org> on behalf of Jérôme Godbout <godboutj at amotus.ca>
Sent: Thursday, 22 November 2018 8:54:11 PM
To: interest at qt-project.org
Subject: [Interest] BLE OOB authentication

Hi,
How does one can perform an OOB authentication for secure connection with Qt under Android (and iOS if possible but not 100% required, but would be sweet if I can manage both)? I was doing anonymous connection with the QLowEnergyController:: connectToDevice() but I also seen the QBluetoothLocalDevice::requestPairing<http://doc.qt.io/qt-5/qbluetoothlocaldevice.html#requestPairing>() but I'm a little confuse with the API, should the authentication be part of the connection when the capability are exchanged. I have a device that required authenticated connection and ideally with OOB capability, but I doubt I can specify this on the Android application when connecting. The requestPairing only have 2 option paired and authorizedPaired, but this only give the paired device capability, what I'm looking for is the authentication but I cannot find anything? Is authenticated and secure BLE connection impossible with those? I known that BLE is not top secure even with those, but I would still need to implement it.

Maybe someone have an example of NFC OOB pairing under Qt Android that (s)he could share? That would give some hint. The Qt Bluetooth connection API is hard to follow when I compare to the specs and other embedded BLE stack I work with. I have create the OOB pairing with BLE 4.0 with a few embedded stack, but I cannot figure out how to do this with Qt or Android properly. My device authentication is mandatory (anonymous and unsecure connection are not allowed).

Is there a way to do the following with Bluetooth with Qt or even Android java level:

  1.  Is there any configuration to device capability for authentication?
  2.  Specify the MITM options?
  3.  Make OOB capable?
  4.  PIN entry authentication?
  5.  Establish a secure 4.0 or secured 4.2 connection?



Seem like the pairing/connection/authentication have been highly confused with each other into Qt framework and Android API, it look like a huge ugly mess.
Pairing != Authentication
Connection != Pairing
Connection != Authentication


  1.  Connection is the way to establish a link with the Bluetooth device, at that point you are on anonymous connection.
  2.  Authentication is the ability to make sure the connected device is the right one and you can accept or reject the device if it failed to authenticate.
  3.  Pairing is the act of avoiding the authentication to be needed again by keeping the previous negotiated authentication with the other device between connection.


[36E56279]
une compagnie  [cid:image014.jpg at 01D48273.39D83E70]
RAPPROCHEZ LA DISTANCE

Jérôme Godbout
Développeur Logiciel Sénior /
Senior Software Developer

p: +1 (418) 800-1073 ext.:109

amotus.ca<http://www.amotus-solutions.com/>
statum-iot.com<http://statum-iot.com/>
[cid:image015.png at 01D48273.39D83E70]<https://www.facebook.com/LesSolutionsAmotus/> [cid:image016.png at 01D48273.39D83E70] <https://www.linkedin.com/company/amotus-solutions/>  [cid:image017.png at 01D48273.39D83E70] <https://twitter.com/AmotusSolutions>  [cid:image018.jpg at 01D48273.39D83E70] <https://www.youtube.com/channel/UCoYpQgsmj1iJZyDjTQ3x8Ig>








More information about the Interest mailing list