Bluetooth LE connection mode
According to Bluetooth Core V5.3, Vol. 3, Part C, Section 10, titled “SECURITY ASPECTS - LE PHYSICAL TRANSPORT”, the modes and procedures are defined in the same manner for both asynchronous ACL and synchronous CIS connections. This section aims to establish how BLE devices will be paired in terms of security. It’s important to note that each mode and procedure comes with specific requirements that are not elaborated here, and it will be essential to consult the mentioned section of the standard for detailed information.
In Bluetooth LE, there are five connection modes that are subdivided into levels:
LE Security Mode 1:
- Level 1: No Security (no security or encryption)
- Level 1: Unauthenticated pairing with encryption
- Level 1: Authenticated pairing with encryption
- Level 1: Authenticated pairing with LE Secure Connection pairing using a secure 128-bit key
LE Security Mode 2:
- Level 1: Unauthenticated pairing with data signing
- Level 1: Authenticated pairing with data signing
Mixed security Mode:
- These are security configurations based on each type of security mode and configuration supported on each device.
Secure Connections Only Mode:
- Only secure and authenticated connections are allowed
LE Security Mode 3:
- Level 1: No Security
- Level 2: Use of an unauthenticated broadcast code
- Level 3: Use of an authenticated broadcast code
The procedures are not exclusive to any specific mode but are necessary to access a security mode in Bluetooth LE.
- The authentication procedure covers LE Security Mode 1 and is only performed after the connection has been established.
- Authenticationo in LE Security Mode 1 is achieved by enabling encryption.
- Data signing is used to transfer authenticated data between two devices in an unencrypted communication.
- When _LE Security Mode 2_is requested, the connection data must be signed.
- A service may require authorization before granting access, which is user confirmation to proceed with the procedure.
- Authentication does not necessarily provide authorization. Authorization may be granted through user confirmation after successful authentication.
- Central device encrypts the connection using Encryption Session Setup to provide integrity and confidentiality.
- Peripheral device could encrypt the connection with the Security Request command.