Re: Using unsecure/unauthenticated RFCOM
- Subject: Re: Using unsecure/unauthenticated RFCOM
- From: Alexander Traud <email@hidden>
- Date: Sun, 04 Mar 2012 21:32:10 +0100
- Thread-topic: Using unsecure/unauthenticated RFCOM
>>> SSP requires that all L2CAP connections be authenticated ...
> Bluetooth 4 Section 5.2.2.8 ... mandates the use of encryption when the remote
> device is v2.1+EDR for all services other than SDP.
Incorrect cite in this context. Do not confuse encryption with
authentication. One moment, I know what you think:
Alexei is looking for a way to connect two devices with minimal
user-interaction. For this, Simple-Secure Pairing offers the Just-Works
authentication scheme. Here, both devices connect only for this service like
a one-time use. Such a connection can be encrypted. And this is what the
above cite is about.
The problem: Apple's current API offers Man-in-the-Middle (MITM) secure
authentication *only*; asking for pass-key (numeric) comparison = Level 3.
We would need Level 1, see section 7.1.29 and 7.7.24: MITM Protection Not
Required - No (or General) Bonding, numeric comparison with automatic accept
allowed.
To be honest, I am not aware of any Bluetooth stack which offers all
features of SSP, yet - and far too many stacks do SSP completely wrong, too.
Therefore, turning off SSP is one way I would love to see in more stacks.
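
The difference between "MITM Protection Not Required" and the MITM-protected mode discussed above can be read from the pairing exchange itself. The following is an added example, not part of the original message or of any Bluetooth stack: it decodes the Authentication_Requirements byte from an HCI IO Capability Response event and reports whether the resulting link key would be authenticated. The function names and sample packets are constructed, the field layout and values are assumed from the Core Specification's HCI definitions, and OOB pairing is ignored.

```python
import struct

# Value tables assumed from the Bluetooth Core Specification (HCI part).
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly", 3: "NoInputNoOutput"}
BONDING = {0: "No Bonding", 1: "Dedicated Bonding", 2: "General Bonding"}
EVT_IO_CAPABILITY_RESPONSE = 0x32

def decode_io_capability_response(pkt: bytes) -> dict:
    """Parse one HCI event: code, parameter length, then 9 parameter bytes."""
    if len(pkt) != 11 or pkt[0] != EVT_IO_CAPABILITY_RESPONSE or pkt[1] != 9:
        raise ValueError("not an IO Capability Response event")
    addr, io_cap, oob, auth_req = struct.unpack("<6sBBB", pkt[2:])
    if io_cap not in IO_CAPS or auth_req > 0x05:
        raise ValueError("reserved IO_Capability or Authentication_Requirements")
    return {
        "bd_addr": ":".join(f"{b:02X}" for b in reversed(addr)),  # sent LSB first
        "io_cap": IO_CAPS[io_cap],
        "oob": bool(oob),
        "mitm_required": bool(auth_req & 0x01),  # bit 0: MITM Protection Required
        "bonding": BONDING[auth_req >> 1],       # 0x00/01, 0x02/03, 0x04/05
    }

def association_model(local: dict, remote: dict) -> tuple:
    """Return (model, authenticated_link_key) for two decoded sides."""
    caps = {local["io_cap"], remote["io_cap"]}
    if not (local["mitm_required"] or remote["mitm_required"]):
        return ("Just Works", False)  # numeric comparison, automatic accept
    if "NoInputNoOutput" in caps:
        return ("Just Works", False)  # MITM requested but not achievable
    if "KeyboardOnly" in caps:
        return ("Passkey Entry", True)
    if caps == {"DisplayYesNo"}:
        return ("Numeric Comparison", True)
    # A DisplayOnly side cannot confirm, so the key stays unauthenticated.
    return ("Numeric Comparison (one side auto-confirms)", False)

if __name__ == "__main__":
    # Constructed sample events for the placeholder address 11:22:33:44:55:66.
    relaxed = decode_io_capability_response(bytes.fromhex("32 09 665544332211 01 00 04"))
    strict = decode_io_capability_response(bytes.fromhex("32 09 665544332211 01 00 05"))
    print(relaxed)
    print("relaxed + relaxed:", association_model(relaxed, relaxed))
    print("strict  + relaxed:", association_model(strict, relaxed))
```

Run over a captured HCI log, this shows which peers negotiate an unauthenticated key even though one side asked for MITM protection.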