Mbed forum

Modifying the TLS library to encrypt over BLE


(Matthew Heida) #1

I am looking for resources to help adjust the sockets used in the mbedtls library to communicate over Bluetooth Low Energy. I haven’t been able to find any posts on the knowledge base addressing this topic, but there was one glimmer of hope on Stack Overflow hinting that it might be possible. Does anyone have any experience with this, or some other recommendations?

To preemptively answer the questions about “why not just do this using BLE standard protocols”: I have a use case where bonding is going to be prohibited, thus also prohibiting standard BLE encryption. I would also be open to other solutions that work with this limitation, assuming it does not require building my own crypto library.

Thanks in advance for any advice!


(Ron Eldor) #2

@mheida17 If I understand your requirement, you want to use TLS over BLE transport. Am I right?
TLS stands for Transport Layer Security, and can be used for any Transport Layer. This can be done with Mbed TLS! You only need to implement your own bio callbacks, and set them using mbedtls_ssl_set_bio().

Note that Mbed OS already has BLE enabled, and integrated, and has support for many platforms. Have you considered using Mbed OS?

I suggest you read the following articles:

There are other articles in the knowledge base that may interest you as well.
I hope this answers your question.

Regards,
Mbed TLS Team member
Ron


(Matthew Heida) #3

Hi Ron,

Thanks for the info. I still want to use the GATT as intended to write to meaningful attributes and avoid creating a “virtual serial port” over BLE.

If I am understanding the suggestion correctly, we would either need to (1) change the bio callbacks after the handshake has occurred to read/write to different attributes or (2) use an external means to modify the internal parameters of the mbedtls_ssl_send_t and mbedtls_ssl_recv_t callbacks to read/write to different attributes.

Is it recommended to call mbedtls_ssl_set_bio() after the handshake, or to modify the parameters of the mbedtls_ssl_send_t and mbedtls_ssl_recv_t callbacks with our own implementation?

Best Regards,
Matt


(Ron Eldor) #4

Hi Matt,

I am suggesting you set the bio prior to the handshake. The TLS negotiation and data transfer should be on the same transport, that is, if you wish to protect your data using TLS, and not the BLE defined cryptographic protocols.
I am not sure what you mean by “virtual serial port” over BLE. I am suggesting you write a wrapper code that will implement the callbacks, calling your BLE API and sockets.

Why do you wish to change the attributes of your callbacks after the handshake?
I may be missing something in your use case, but once you implement your callbacks using BLE, all TLS encrypted communication will be over those callbacks, using the Mbed TLS API.
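As an added illustration of the wrapper Ron describes in #2 and #4 (this is example code, not part of the thread and not Mbed OS or Mbed TLS code), here is a pair of bio callbacks with the exact `mbedtls_ssl_send_t` / `mbedtls_ssl_recv_t` signatures, backed by a constructed in-memory stand-in for a GATT link. The characteristic handles, the `gatt_write` helper and the byte FIFO are assumptions standing in for a real BLE stack; the two error constants are copied from `mbedtls/ssl.h` so the file compiles without the library. The `ctx` pointer is where the attribute handles live, which is how the callbacks can target “meaningful attributes” without changing the bio after the handshake.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from mbedtls/ssl.h, copied so this example builds without the library. */
#define MBEDTLS_ERR_SSL_WANT_READ   -0x6900
#define MBEDTLS_ERR_SSL_WANT_WRITE  -0x6880

#define BLE_ATT_PAYLOAD 20   /* default ATT MTU 23 leaves 20 bytes of value per write */
#define BLE_FIFO_SIZE   512

/* Constructed stand-in for the link: a byte FIFO (a real stack would queue ATT PDUs). */
typedef struct { uint8_t buf[BLE_FIFO_SIZE]; size_t head, tail, count; } ble_fifo_t;

/* Transport state handed to Mbed TLS as the p_bio pointer. Handles are hypothetical. */
typedef struct {
    uint16_t tx_handle;   /* characteristic we write to */
    uint16_t rx_handle;   /* characteristic that notifies us */
    ble_fifo_t *tx;       /* bytes sent toward the peer */
    ble_fifo_t *rx;       /* bytes received from the peer */
    unsigned   writes;    /* number of GATT writes issued (for the demo) */
} ble_tls_ctx_t;

static size_t fifo_push(ble_fifo_t *f, const uint8_t *p, size_t n) {
    size_t i;
    for (i = 0; i < n && f->count < BLE_FIFO_SIZE; i++) {
        f->buf[f->tail] = p[i]; f->tail = (f->tail + 1) % BLE_FIFO_SIZE; f->count++;
    }
    return i;
}

static size_t fifo_pop(ble_fifo_t *f, uint8_t *p, size_t n) {
    size_t i;
    for (i = 0; i < n && f->count > 0; i++) {
        p[i] = f->buf[f->head]; f->head = (f->head + 1) % BLE_FIFO_SIZE; f->count--;
    }
    return i;
}

/* Hypothetical "write characteristic value" call; returns bytes the stack accepted. */
static size_t gatt_write(ble_tls_ctx_t *c, const uint8_t *p, size_t n) {
    (void)c->tx_handle;            /* a real stack would address the handle here */
    c->writes++;
    return fifo_push(c->tx, p, n);
}

/* mbedtls_ssl_send_t: split the TLS record into ATT-sized writes. A short
 * count is allowed; Mbed TLS calls again for the remainder. */
int ble_tls_send(void *ctx, const unsigned char *buf, size_t len) {
    ble_tls_ctx_t *c = (ble_tls_ctx_t *)ctx;
    size_t sent = 0;
    while (sent < len) {
        size_t chunk = len - sent;
        if (chunk > BLE_ATT_PAYLOAD) chunk = BLE_ATT_PAYLOAD;
        size_t n = gatt_write(c, buf + sent, chunk);
        if (n == 0) break;         /* link congested: report what went out so far */
        sent += n;
    }
    return sent == 0 ? MBEDTLS_ERR_SSL_WANT_WRITE : (int)sent;
}

/* mbedtls_ssl_recv_t: hand over whatever has arrived. Never return 0 when the
 * link is merely idle; Mbed TLS treats 0 as end-of-connection. */
int ble_tls_recv(void *ctx, unsigned char *buf, size_t len) {
    ble_tls_ctx_t *c = (ble_tls_ctx_t *)ctx;
    size_t n = fifo_pop(c->rx, buf, len);
    return n == 0 ? MBEDTLS_ERR_SSL_WANT_READ : (int)n;
}

/* Demo: push a 50-byte buffer through a loopback link and read it back.
 * Returns the number of GATT writes it took (3 = 20+20+10), or -1 on mismatch. */
int ble_loopback_demo(void) {
    ble_fifo_t link; memset(&link, 0, sizeof link);
    ble_tls_ctx_t c = { 0x0012, 0x0015, &link, &link, 0 };   /* constructed handles */
    unsigned char msg[50], out[64];
    for (size_t i = 0; i < sizeof msg; i++) msg[i] = (unsigned char)i;
    if (ble_tls_send(&c, msg, sizeof msg) != (int)sizeof msg) return -1;
    if (ble_tls_recv(&c, out, sizeof out) != (int)sizeof msg) return -1;
    return memcmp(msg, out, sizeof msg) == 0 ? (int)c.writes : -1;
}

/* Demo: a read on an idle link must yield WANT_READ, not 0. */
int ble_empty_link_recv(void) {
    ble_fifo_t link; memset(&link, 0, sizeof link);
    ble_tls_ctx_t c = { 0x0012, 0x0015, &link, &link, 0 };
    unsigned char out[16];
    return ble_tls_recv(&c, out, sizeof out);
}

int main(void) {
    /* With the real library, before mbedtls_ssl_handshake():
     *   mbedtls_ssl_set_bio(&ssl, &ctx, ble_tls_send, ble_tls_recv, NULL); */
    printf("loopback writes: %d\n", ble_loopback_demo());
    printf("idle recv: %d (WANT_READ is %d)\n", ble_empty_link_recv(), MBEDTLS_ERR_SSL_WANT_READ);
    return 0;
}
```

Two things carry over to a real build. Because every TLS record is chunked into roughly 20-byte attribute writes, it pays to cap record size with `mbedtls_ssl_conf_max_frag_len()` so a single record does not turn into hundreds of ATT round trips. And since the use case rules out bonding, the BLE link itself is unauthenticated, so peer authentication has to come entirely from the TLS handshake (certificate verification or a PSK); the callbacks above only move bytes.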