Note: This KBA has been marked as deprecated. A more updated KBA can be found here:
Introduction of OOB
Below is the description of Out of Band from BLUETOOTH SPECIFICATION Version 5.0 | Vol 1, Part A, 18.104.22.168
The Out of Band (OOB) association model is primarily designed for scenarios where an Out of Band mechanism is used to both discover the devices as well as to exchange or transfer cryptographic numbers used in the pairing process. In order to be effective from a security point of view, the Out of Band channel should provide different properties in terms of security compared to the Bluetooth radio channel. The Out of Band channel should be resistant to MITM attacks. If it is not, security may be compromised during authentication.
The user's experience differs a bit depending on the Out of Band mechanism. As an example, with a Near Field Communication (NFC) solution, the user(s) will initially touch the two devices together, and is given the option to pair the first device with the other device. If "yes" is entered, the pairing is successful. This is a single touch experience where the exchanged information is used in both devices. The information exchanged includes discovery information (such as the Bluetooth Device Address) as well as cryptographic information. One of the devices will use a Bluetooth Device Address to establish a connection with the other device. The rest of the exchanged information is used during authentication.
The OOB mechanism may be implemented as either read only or read/write. If one side is read only, a one-way authentication is performed. If both sides are read/write, a two-way authentication is performed.
The OOB protocol is selected only when the pairing process has been activated by previous OOB exchange of information and one (or both) of the device(s) gives OOB as the IO capabilities. The protocol uses the information which has been exchanged and simply asks the user to confirm connection.
The OOB association model supports any OOB mechanism where cryptographic information and the Bluetooth Device Address can be exchanged. The OOB association model does not support a solution where the user has activated a Bluetooth connection and would like to use OOB for authentication only.
Purpose of the example
There are 2 OOB pairing modes, one is OOB with legacy pairing and the other is OOB with secure connection pairing. This example implements both modes for user’s reference.
There are 2 projects in the example, implementing the central and peripheral rolls.
Due to the different property of these two characteristics, if the pairing and bonding procedure succeeds, the client will receive notifications and the server will receive write requests. Otherwise if pairing and bonding procedure fails, the client should not be able to write the characteristic value due to unauthenticated connection, but it should be able to receive notifications because it doesn’t require authentication.
Key points of the example
In both projects, there is a symbol definition - PAIRING_MODE, it can either be LEGACY_PAIRING or SECURE_CONNECTION_PAIRING. This symbol determines which pairing mode will be used in the connection.
#define LEGACY_PAIRING 1 #define SECURE_CONNECTION_PAIRING 2 #define PAIRING_MODE SECURE_CONNECTION_PAIRING
Test the example
As shown above, the example requires 2 devices (BRD4104a Rev A00) and serial terminal, VCOM has been enabled in the example, so the serial print information will go out from the USB cable.
Central device (#D1) – the device programmed with the project “KBA_oob_central”.
Peripheral device (#D2) - the device programmed with the project “KBA_oob_peripheral”.
Serial terminal (#S1) connected to central device.
Serial terminal (#S2) connected to peripheral device.
Figure 1. OOB with legacy pairing succeed
Figure 2. OOB with legacy pairing failed
Figure 3. OOB with Secure Connection pairing succeed
Figure 4. OOB with Secure Connection pairing failed
Hello Mr Kevin Fu,
This article is really helpful for me.
I have question about using function gecko_cmd_sm_use_sc_oob.
I want to renew oob data for each new connection, so I put gecko_cmd_sm_use_sc_oob in the gecko_evt_le_connection_closed_id event block.
gecko_cmd_sm_use_sc_oob returns success for the only first time, after that every call of gecko_cmd_sm_use_sc_oob return fail.
Is it impossbile to renew oob data/confirmdata unless I reset the device?