How Set Coordinator and Set Member Work, What CSIS Exposes, and How SIRK and RSI Enable Private Group Discovery
Quick Recap from Part 1
In Part 1 we established that CSIP solves the problem of BLE devices that need to be recognised and managed as a group. We defined the Coordinated Set (the group), the Set Coordinator (the phone that manages it), Set Members (the devices in the group), and the SIRK (the shared secret key that ties them together). If those terms are still fuzzy, revisit Part 1 before continuing.
In this part we zoom in on the two roles, examine every characteristic inside the CSIS service, and explain precisely how SIRK and RSI work together to allow private, secure discovery of group members during a BLE scan.
Keywords Covered in This Article
🧩 The Two Roles in CSIP
CSIP defines exactly two roles. Every device participating in CSIP must take on at least one of them. The roles map directly to the GATT client/server model you are already familiar with.
⇄
🎮 Set Coordinator Role — In Depth
The Set Coordinator is the device that takes the lead in any CSIP interaction. It actively scans, connects, discovers, and controls. Think of it as the team manager — it knows all the players, keeps track of who is available, and makes sure operations happen in an orderly fashion.
GATT Role
The Set Coordinator is always a GATT client. It reads and writes characteristics on the Set Members but does not host a GATT server of its own for CSIP purposes. Over LE it uses the GAP Central role; over BR/EDR it uses the GAP A-party (inquirer) role during discovery procedures.
Mandatory Capabilities
Discover all primary services or discover CSIS by UUID on a connected Set Member.
Discover all four CSIS characteristics and their descriptors (including the CCCD for notifications).
Use the obtained SIRK to resolve RSI values received in advertising data during scanning.
Support the Ordered Access procedure for coordinating access when bonding is not possible.
When Bondable mode is supported, must support Lock Request, Lock Release, and SIRK decryption.
The Lock Request and Lock Release procedures are only available when the Set Coordinator supports Bondable mode. If it does not, it must fall back to the Ordered Access procedure. This is because the SIRK decryption (needed to obtain the real SIRK from an encrypted Set Member) requires a Long Term Key (LTK) that comes from bonding.
📡 Set Member Role — In Depth
A Set Member is any device that belongs to a Coordinated Set. Its primary job is to make itself discoverable as part of that group, and to host the CSIS service so the coordinator can read its identity information and manage access.
GATT Role
The Set Member is always a GATT server. Over LE it uses the GAP Peripheral role; over BR/EDR it uses the GAP B-party (inquiry scanner) role during discovery phases.
One CSIS Instance Per Set
A Set Member must instantiate one CSIS service for every Coordinated Set it belongs to. This is an important design point: each CSIS instance carries its own SIRK, so if both instances had the same SIRK, there would be no way to tell them apart.
Each CSIS instance carries a different SIRK. The hosting service provides context for which set the instance belongs to.
RSI in Advertising
Every Set Member must include the RSI AD Type in its advertising data (or Scan Response) when using LE transport. For BR/EDR it goes in the Extended Inquiry Response (EIR). If the device belongs to multiple sets, it includes one RSI per set — derived from each respective SIRK.
📊 Inside the CSIS Service: The Four Characteristics
The CSIS service is the heart of CSIP. It contains four GATT characteristics. The Set Coordinator must discover all four of them after connecting to a Set Member. Here is what each one does:
🔑 SIRK — The Identity Secret of the Group
The Set Identity Resolving Key (SIRK) is the centrepiece of CSIP. It is a 16-byte cryptographic key that serves as the unique identity of the entire Coordinated Set. Every member holds the same SIRK value. The Set Coordinator reads it from the first member it connects to and uses it to identify all remaining members.
The SIRK Characteristic Format
The characteristic value is 17 bytes long: 1 byte for the Type field, followed by 16 bytes for the Value field. The Type field determines how the coordinator must interpret the Value field:
If any member in a Coordinated Set exposes its SIRK in encrypted form, then no other member in that same set is allowed to expose the SIRK in plaintext. The set must use one form consistently across all members. Mixing would allow an attacker to obtain the plaintext SIRK from one device and then use it against the others.
Coordinated Set Size Characteristic
This is a simple 1-byte read-only value that tells the coordinator how many members make up the complete set. It is optional — a Set Member is not required to expose it. When it is present, the value must be identical across all members that share the same SIRK. The coordinator uses this value to know when it has found all the members during the Set Members Discovery procedure.
Set Member Lock Characteristic
This characteristic has two possible values: Unlocked (0x01) and Locked (0x02). Writing “Locked” to this characteristic on a Set Member reserves exclusive access for the coordinator that wrote it — other coordinators will receive a “Lock Denied” error if they try to write it. The lock is released by writing “Unlocked” back.
Notifications are supported and are very useful: a coordinator waiting for a lock to become available can subscribe to notifications on this characteristic, then go idle until the current lock holder releases it.
Set Member Rank Characteristic
This is a 1-byte read-only value starting from 0x01. It gives each member a priority number within the set. Rank 0x01 represents the highest-priority member. The coordinator always performs lock and access operations in ascending rank order (starting from the member with the lowest rank number). The Rank value 0x01 should be assigned to the member that is most critical to the primary use case.
📡 RSI — How Members Identify Themselves During Scanning
Once the coordinator has obtained the SIRK, it needs to scan for and identify the other members of the set. The challenge: if members just advertised their group membership openly, any eavesdropper could track which devices belong together. CSIP solves this with a privacy-preserving mechanism called the Resolvable Set Identifier (RSI).
What Is the RSI?
The RSI is a compact 6-byte value that a Set Member places inside its BLE advertising data (the RSI AD Type). It is not a raw copy of the SIRK — it is a derived token computed from the SIRK using a hash function. This means that without knowing the SIRK, a scanner cannot determine that two RSI values come from the same set.
(3 bytes)
(3 bytes)
RSI and BLE Privacy
BLE devices that use resolvable private addresses (RPA) change their Bluetooth address periodically to prevent tracking. The RSI follows the same principle. A privacy-enabled Set Member generates a new RSI every time its private address changes — keeping the RSI and the address renewal in sync. This prevents a third party from correlating an address change to the same device by tracking the RSI.
Because of this design, a privacy-enabled Set Member should only use RSI values that are derived from an encrypted SIRK. Using a plaintext SIRK alongside privacy-enabled advertising would undermine the privacy guarantee.
📋 CSIP Roles and Characteristics — Quick Reference
| Item | Set Coordinator | Set Member |
|---|---|---|
| GATT Role | Client (reads/writes) | Server (hosts CSIS) |
| GAP Role (LE) | Central | Peripheral |
| CSIS Service | Discovers & reads | Instantiates (mandatory) |
| RSI | Resolves (using SIRK) | Advertises in ADV/EIR |
| Lock | Writes Locked/Unlocked | Accepts or denies lock |
| Rank | Reads, uses for ordering | Exposes its rank value |
Solid Foundation — Now See It All in Action
Part 3 walks through every CSIP procedure step-by-step with sequence diagrams: how a coordinator discovers the set identity, how it scans for other members using RSI, and how it uses locking to prevent race conditions.
→ Continue to Part 3: Procedures & Security ← Back to Part 1: Introduction