Bluetooth mesh provisioning

A device joins a mesh through provisioning. Provisioning is a secure process that takes an unprovisioned, untrusted device and turns it into a node of the mesh. Every node holds at least one network key (NetKey), and a device obtains its first NetKey during provisioning. Devices are added to the mesh by a provisioner, which distributes the NetKey and a unique unicast address to the unprovisioned device. The provisioning protocol uses an elliptic-curve Diffie-Hellman (ECDH) key exchange to derive a temporary session key, which encrypts the provisioning data, including the NetKey, while it is in transit. ECDH on its own only gives confidentiality against a passive eavesdropper; protection against a man-in-the-middle who substitutes public keys comes from the authentication step, in which both sides prove knowledge of an out-of-band (OOB) authentication value, for example a number displayed by the device and typed into the provisioner. If no OOB method is available, the authentication value is all zeros and the exchange offers no protection against an active attacker. A per-node device key (DevKey) is also derived from the ECDH shared secret; it is used after provisioning to protect configuration messages exchanged between the provisioner and that node.

The provisioning process is as follows:

  1. An unprovisioned device broadcasts an unprovisioned device beacon, advertising that it is available for provisioning.
  2. The provisioner sends a provisioning invite to the device. The unprovisioned device responds with a provisioning capabilities PDU, which lists, among other things, the out-of-band authentication methods it supports.
  3. The provisioner selects the authentication method to use, and the two sides exchange ECDH public keys.
  4. Authentication takes place using the selected method: the unprovisioned device outputs a value (for example a number) that the user enters into the provisioner, the user enters a value into the device, or a static value known to both is used. Each side sends a confirmation computed over the authentication value and a fresh random number, and only then reveals its random number, so that each can verify that the other knows the authentication value.
  5. Each side derives a session key from its own private key and the peer's public key. The session key secures the data needed to complete the provisioning process, including the NetKey.
  6. The device changes state from an unprovisioned device to a node and is now in possession of the NetKey, a unicast address and a mesh security parameter called the IV index.
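The following simulation, added here as an illustration and not taken from the Bluetooth specification or any mesh stack, walks through the key agreement and authentication steps above with both parties' messages modelled in code. The P-256 ECDH is real, so the public-key exchange and shared-secret derivation behave as in the protocol; everything else is a labelled stand-in chosen so the example runs with the Python standard library alone: HMAC-SHA256 replaces the specification's AES-CMAC-based k1 and confirmation functions, the confirmation salt is dropped, and the AES-CCM encryption of the provisioning data is not modelled. The labels `prck` and `prsk`, the 16-byte zero AuthValue for No OOB and the big-endian encoding of a displayed number are taken from the specification, but the function bodies are assumptions. The example also covers a case the text only states: a man-in-the-middle that swaps both public keys is undetected when No OOB is used and is caught when the device displays a number the attacker cannot see.

```python
"""Simulation of Bluetooth Mesh provisioning key agreement and authentication.
Added example, not code from the specification. Real: P-256 ECDH. Stand-ins
(assumptions): HMAC-SHA256 for the spec's AES-CMAC-based k1()/confirmation,
no confirmation salt, and no AES-CCM encryption of the provisioning data."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (standard values).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def keypair():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)

def ecdh(priv, peer_pub):
    """ECDHSecret = x-coordinate of priv * peer_pub. Off-curve points are
    rejected: a receiver must validate the public key it is handed."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not on P-256")
    return _mul(priv, peer_pub)[0].to_bytes(32, "big")

def k1(secret, label):
    # Stand-in for the spec's k1(): HMAC-SHA256 instead of AES-CMAC.
    return hmac.new(secret, label, hashlib.sha256).digest()

def confirmation(conf_key, rand, auth_value):
    # Stand-in for AES-CMAC_ConfirmationKey(Random || AuthValue).
    return hmac.new(conf_key, rand + auth_value, hashlib.sha256).digest()

def auth_phase(secret_p, auth_p, secret_d, auth_d):
    """Confirmation exchange between a provisioner-role party (secret_p, auth_p)
    and a device-role party (secret_d, auth_d). Returns (prov_ok, dev_ok)."""
    rand_p, rand_d = secrets.token_bytes(16), secrets.token_bytes(16)
    key_p, key_d = k1(secret_p, b"prck"), k1(secret_d, b"prck")
    # Both sides commit to a confirmation before either reveals its random.
    conf_p = confirmation(key_p, rand_p, auth_p)
    conf_d = confirmation(key_d, rand_d, auth_d)
    # Randoms are then exchanged and each side recomputes the peer's value.
    prov_ok = hmac.compare_digest(conf_d, confirmation(key_p, rand_d, auth_p))
    dev_ok = hmac.compare_digest(conf_p, confirmation(key_d, rand_p, auth_d))
    return prov_ok, dev_ok

def honest_run(auth_value):
    """Direct provisioner<->device run: both accept and derive one session key."""
    d_priv, d_pub = keypair()
    p_priv, p_pub = keypair()
    s_d, s_p = ecdh(d_priv, p_pub), ecdh(p_priv, d_pub)
    prov_ok, dev_ok = auth_phase(s_p, auth_value, s_d, auth_value)
    return prov_ok and dev_ok and k1(s_p, b"prsk") == k1(s_d, b"prsk")

def mitm_run(auth_value, attacker_guess):
    """Attacker swaps both public keys for its own, holding one ECDH secret with
    each victim. It passes authentication only if it knows the AuthValue."""
    d_priv, d_pub = keypair()
    p_priv, p_pub = keypair()
    a_priv, a_pub = keypair()
    s_d, s_ad = ecdh(d_priv, a_pub), ecdh(a_priv, d_pub)  # device <-> attacker
    s_p, s_ap = ecdh(p_priv, a_pub), ecdh(a_priv, p_pub)  # attacker <-> provisioner
    _, dev_ok = auth_phase(s_ad, attacker_guess, s_d, auth_value)
    prov_ok, _ = auth_phase(s_p, auth_value, s_ap, attacker_guess)
    return prov_ok and dev_ok

NO_OOB = bytes(16)                         # No OOB: AuthValue is all zeros
OUTPUT_OOB = (19655).to_bytes(16, "big")   # device displayed 019655 to the user

if __name__ == "__main__":
    print(honest_run(OUTPUT_OOB), mitm_run(NO_OOB, NO_OOB), mitm_run(OUTPUT_OOB, NO_OOB))
```

Running the script prints `True True False`: the honest run succeeds, the attacker who guesses the all-zero No OOB AuthValue is not detected by either side, and the same attacker fails against an Output OOB value it never saw. The `on_curve` check in `ecdh` is the part a reviewer of a real stack should look for, since accepting an unvalidated public key lets an attacker steer the shared secret onto a weak curve.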