BLE security manager – pairing Phases in ble

bluetooth tutorial May 8, 2026 · 0 Comment

 

SM Part 3 — Pairing: Phases 1 & 2

Chapter 11 Part 3 of 5 — Three-Phase Overview · IO Capability · OOB · Key Size · Repeated Attempts · Phase 2 All Methods · LE SC ECDH

3Pairing phases
Table 11.1IO Capability
56–128 bitKey sizes
ExponentialBackoff
Keywords:

BLE pairing three phases BLE IO Capability table NoInputNoOutput DisplayOnly KeyboardDisplay BLE OOB authentication NFC BLE encryption key size 56-128 bits BLE repeated attempts exponential backoff BLE phase 2 TK STK generation BLE LE Secure Connections ECDH DHKey P256 BLE authentication stage 1 stage 2

11.8 — Pairing Overview

Three Phases — Two Mandatory, One Optional

Pairing establishes the cryptographic keys needed to encrypt the link. It always starts with a feature exchange to decide what each device can do, then runs an authentication procedure to generate a session key, and optionally distributes long-term keys for future reconnections.

Figure 11.4 — Three-Phase Pairing Process
Initiator (Master) Responder (Slave)
Both in Connection State

Phase 1 — Pairing Feature Exchange (MANDATORY)
IO capabilities, OOB flag, AuthReq, max key size, key distribution lists
Result: both devices know each other’s capabilities → pairing method selected

Phase 2 — Authentication & Encryption (MANDATORY)
LE legacy: TK → STK; LE Secure Connections: ECDH → LTK
Result: link encrypted with STK (legacy) or LTK (secure connections)

← Link is now encrypted with STK →

Phase 3 — Transport Specific Key Distribution (OPTIONAL)
LTK, EDIV, Rand, IRK, CSRK distributed bidirectionally over the encrypted link
Result: both devices store keys for future encrypted reconnections

Phases 1 and 2 can run on an unencrypted link. Phase 3 must run on an encrypted link — the keys being distributed in Phase 3 are sensitive, so they must already be protected before distribution begins. The STK generated in Phase 2 provides that protection.

11.8.1 — Phase 1: Pairing Feature Exchange

Everything Both Sides Need to Know Before Pairing Can Start

The Initiator (Master) always starts Phase 1 by sending a Pairing Request. The Responder (Slave) replies with a Pairing Response. After this one-round-trip exchange, both devices know exactly what the other supports and can deterministically select a pairing method for Phase 2 without further negotiation.

11.8.1.1 — IO Capability

The IO Capability field tells the peer what input and output hardware this device has. The combination of both devices’ IO capabilities determines which pairing method Phase 2 will use.

Input capabilities — three options:

No Input — No buttons or keyboard of any kind. Example: a weighing scale or a simple temperature sensor. Cannot confirm yes/no, cannot enter digits.
Yes/No — Has two buttons for yes and no but no numeric keypad. Example: a key fob with two buttons. Can confirm a match but cannot enter a passkey number.
Keyboard — Has a full numeric keypad (0–9) plus yes/no buttons. Example: a remote control or a Bluetooth keyboard. Can both confirm and enter a 6-digit passkey.

Output capabilities — two options:

No Output — Cannot display a 6-digit number to the user. Example: a remote control that has buttons but no screen.
Numeric Output — Can display a 6-digit decimal number. Example: a smartwatch or a phone screen.
Table 11.1 — IO Capability Mapping
Input Capability No Output Numeric Output
No Input NoInputNoOutput DisplayOnly
Yes / No NoInputNoOutput DisplayYesNo
Keyboard KeyboardOnly KeyboardDisplay
Example: a smartwatch (No Input, Numeric Output) → IO Capability = DisplayOnly

11.8.1.2 — OOB Authentication Data

A device sets the OOB flag if it has an out-of-band channel available for authentication data. The most common OOB mechanism is NFC — the user taps the two devices together to exchange authentication material. Because NFC only works at a few centimetres, an attacker cannot intercept this exchange without being physically present.

OOB provides stronger security than keyboard/display methods because the authentication material never travels over Bluetooth at all. The OOB flag in the Pairing Request tells the peer whether this device’s OOB data is available and should be used.

11.8.1.3 — Encryption Key Size

Both devices state their maximum supported encryption key length. Valid range: 7 octets (56 bits) minimum to 16 octets (128 bits) maximum. During Phase 1 both values are exchanged, and the lesser of the two is used for the session. This ensures compatibility — a high-end device connecting to a resource-constrained sensor will use the sensor’s supported key length.

128 bits
Maximum — full AES-128
56 bits
Minimum — 7 octets
8-bit steps
56, 64, 72, 80…128

Keys shorter than 128 bits have their high-order bytes set to zero. This keeps the implementation uniform — all functions always operate on 128-bit values, but some bits are predetermined zeros.

11.8.1.4 — Repeated Attempts Protection

If a pairing attempt fails — wrong passkey, confirm value mismatch, or deliberate abort — the responding device does not allow another immediate attempt. It starts a waiting timer whose value doubles with each consecutive failure. This exponential backoff makes brute-force attacks on the pairing process impractical.

Exponential Backoff — Each Failed Attempt Doubles the Wait
Attempt 1 fails
Wait interval = i
Attempt 2 fails
Wait interval = 2 × i
Attempt 3 fails
Wait interval = 4 × i
Attempt N fails
Wait interval = 2^(N-1) × i (up to implementation max)
Device ignores Pairing Request and Security Request from the attacker during the wait interval

11.8.2 — Phase 2: Authentication and Encryption

Method Selection Rules

After Phase 1, both devices pick the pairing method for Phase 2 using a deterministic set of rules. The same rules are applied independently by both sides — they must reach the same conclusion:

1
In LE legacy pairing: if both devices have OOB data, use OOB.
2
In LE secure connections: if one or both devices have OOB data, use OOB.
3
If neither device set the MITM bit in AuthReq → use Just Works regardless of IO capability.
4
Otherwise, use IO capabilities (Table 11.1 from Phase 1) to determine the method.

Key types generated: LE legacy pairing generates two keys — a Temporary Key (TK) and a Short Term Key (STK). The STK encrypts the link at the end of Phase 2. LE secure connections skips the temporary key entirely and directly generates the Long Term Key (LTK) via ECDH.

11.8.2.1 — Just Works

The TK is set to zero by both sides. This is the “no user interaction” path — pairing completes without showing or entering any value. After Phase 2 completes, the link is encrypted, so data is protected from passive listeners. MITM protection does not exist — an attacker present during pairing could intercept the exchange since TK=0 is trivially known.

11.8.2.2 — Numeric Comparison (LE Secure Connections Only)

Both devices independently compute a 6-digit value using the g2 function (covered in Part 2). Both display their result. The user reads both displays and confirms they match by pressing “yes” on both devices. Pairing aborts if they do not match or if the user declines.

Device A displays: 147 392
Device B displays: 147 392
User confirms match → pairing continues ✓
If attacker M is in middle → M’s values would differ → user rejects ✓

11.8.2.3 — Passkey Entry

One device has a display, the other has a keyboard. The TK is the displayed 6-digit number (0–999999). The passkey is shown on the display device and the user types it on the keyboard device. Both devices compute the STK using this TK. MITM protection comes from the fact that the user’s physical typing action cannot be intercepted remotely.

Example 1: PC (DisplayOnly) + Bluetooth keyboard (KeyboardOnly) → PC shows “Enter PIN: 386421”, user types it on keyboard
Example 2: TV (DisplayOnly) + Remote (KeyboardOnly) → TV shows 6-digit number, user enters on remote

11.8.2.4 — Out of Band (OOB)

Both devices must have the OOB Authentication Data flag set. Security level depends entirely on the security of the OOB mechanism. NFC provides strong protection due to physical proximity requirements. If the OOB mechanism provides MITM protection, then MITM protection is achieved for the pairing.

11.8.2.5 — LE Secure Connections Phase 2 — Full ECDH Flow

LE Secure Connections Phase 2 is significantly more complex than legacy Phase 2 but provides much stronger security guarantees. Figure 11.5 in the textbook shows the full sequence:

Figure 11.5 — LE Secure Connections Pairing Phase 2 (Detailed Steps)
Initiator Responder

Step 1: Each device generates its P-256 ECDH key pair (PK_local, SK_local) independently

Step 2
Pairing Public Key (PKa — Initiator’s public key)
Pairing Public Key (PKb — Responder’s public key)

Step 3: Each computes DHKey = P256(SK_local, PK_remote) — same value on both sides

Step 4: Authentication Stage 1 (method-dependent)
Just Works/Numeric: exchange random nonces, verify using f4 confirm values
Passkey: 20-round bit-by-bit exchange of passkey bits using f4
OOB: exchange OOB data through alternate channel, verify with f4

Step 5: Authentication Stage 2 — Confirm the exchange completed correctly
Both compute LTK + MacKey using f5(DHKey, NonceM, NonceS, BDADDRm, BDADDRs)
Pairing DHKey Check (Initiator’s check value via f6)
Pairing DHKey Check (Responder’s check value via f6)
Both check values verified → LTK established → link encrypted with LTK
/* BlueZ SM layer handles LE Secure Connections automatically */
/* To check if both sides support SC before pairing:          */

/* Read LE local features — bit 6 = LL Privacy, not SC       */
/* SC support is indicated by the SC bit in SMP Pairing Req   */
/* (AuthReq byte, bit 3 = SC flag, introduced in BLE 4.2)    */

/* With bluetoothctl — SC is negotiated automatically:        */
/* [bluetooth]# pair AA:BB:CC:DD:EE:FF                        */
/* If both support SC, you may see Numeric Comparison prompt: */
/* Confirm passkey 384291 (yes/no): yes                       */

/* With btmon, SC pairing shows:                              */
/* SMP: Pairing Request (0x01)                                */
/*   IO capability: DisplayYesNo                              */
/*   Authentication requirement: Bonding, MITM, SC, Keypress */
/*                                                       ^^   */
/*                                    SC bit set = 4.2 mode   */

Chapter 11 Security Manager — 5-Part Series

Part 1
Intro, Breaches, Methods Part 2
Security Props, Crypto

Part 3 ✅
Pairing Phases 1 & 2

Part 4
Phase 3 Keys, SMP Protocol Part 5
Practical Examples

Next — Phase 3 Key Distribution & SMP Protocol Commands

Part 4 covers Phase 3 key distribution (LTK, EDIV, IRK, CSRK) with each key’s purpose and bit width, the SMP command format (Figure 11.6), the full Table 11.2 of command codes, and the Phase 1/2/3 signaling commands with Figure 11.7–11.10.

Next: Part 4 — Phase 3 & SMP Commands → ← Part 2

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2026 embeddedpathashala.com - WordPress Video Theme by WPEnjoy