separate attribute. This is done so that clients that have not yet paired or bonded with
a server can at least perform basic service and characteristic discovery, without having
to resort to performing security procedures. The attribute layout and data hierarchy of
a server is not considered to be sensitive information and is therefore freely available
to all clients.
When accessing a characteristic value or a descriptor declaration (also called service
request), however, a client can receive an error response ATT packet (see “ATT operations”
on page 26), indicating that the connection's current security level is not high
enough for the request to be executed. The following two error codes are commonly
used for this purpose and placed in the error response packet:
Insufficient Authentication
Denotes that the link is not encrypted and that the server does not have a long-term
key (LTK, first introduced in “Security Keys” on page 31) available to encrypt the
link, or that the link is indeed encrypted, but the LTK used to perform the encryption
procedure is not authenticated (generated with man-in-the-middle protection;
see “Authentication” on page 45) while the permissions required authenticated
encryption.
Insufficient Encryption
Denotes that the link is not encrypted but a suitable LTK is available.
GAP and GATT roles are not linked in any way and can be mixed and matched freely,
but security procedures are always initiated by the GAP central (see “Security Manager
(SM)” on page 28 ). Therefore, depending on which peer is acting as a central and which
as a peripheral, it can be up to either the GATT client or the GATT server to initiate the
pairing, bonding, or encryption procedure in order to raise the security level of the
connection. Once the security level matches the one required by the attribute's permissions,
the client can send the request again to be executed on the server.
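The decision a client makes on receiving one of these two errors can be sketched as follows. This is an added example, not code from the book: the function names and returned strings are hypothetical, the sample packets are constructed, and the Error Response layout (opcode 0x01, request opcode, 16-bit little-endian handle, error code) and the error code values 0x05 and 0x0F are taken from the Bluetooth Core Specification rather than from this page.

```python
import struct

ATT_OP_ERROR_RSP = 0x01                  # ATT Error Response opcode
ERR_INSUFFICIENT_AUTHENTICATION = 0x05
ERR_INSUFFICIENT_ENCRYPTION = 0x0F


def parse_error_response(pdu: bytes):
    """Return (request_opcode, handle, error_code), or None if the PDU
    is not a well-formed 5-byte ATT Error Response."""
    if len(pdu) != 5 or pdu[0] != ATT_OP_ERROR_RSP:
        return None
    _, req_opcode, handle, error = struct.unpack("<BBHB", pdu)
    return req_opcode, handle, error


def next_step(pdu: bytes, local_is_central: bool, link_encrypted: bool) -> str:
    """Map a security-related error to the procedure that raises the
    link's security level, and say which side has to start it."""
    parsed = parse_error_response(pdu)
    if parsed is None:
        return "not-an-error-response"
    _, _, error = parsed
    if error == ERR_INSUFFICIENT_ENCRYPTION:
        # Link is unencrypted, but a suitable LTK already exists.
        procedure = "encrypt-with-existing-ltk"
    elif error == ERR_INSUFFICIENT_AUTHENTICATION and link_encrypted:
        # Encrypted, but with an LTK generated without MITM protection.
        procedure = "pair-with-mitm-protection"
    elif error == ERR_INSUFFICIENT_AUTHENTICATION:
        # Unencrypted, and the server has no LTK for this client.
        procedure = "pair-to-create-ltk"
    else:
        return "no-security-upgrade"     # retrying would fail again
    # Security procedures are always initiated by the GAP central,
    # whichever GATT role the local device holds.
    who = "initiate" if local_is_central else "wait-for-central"
    return f"{who}:{procedure}:then-retry-request"


# Constructed samples: Read Request (0x0A) on handle 0x0025 rejected.
SAMPLE_ENC = bytes([0x01, 0x0A, 0x25, 0x00, 0x0F])
SAMPLE_AUTH = bytes([0x01, 0x0A, 0x25, 0x00, 0x05])

if __name__ == "__main__":
    print(next_step(SAMPLE_ENC, local_is_central=True, link_encrypted=False))
    print(next_step(SAMPLE_AUTH, local_is_central=False, link_encrypted=True))
```

Any other error code returns "no-security-upgrade", so the request is not resent unless the security level has actually changed.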
GATT Service
Just as GAP has its own SIG-specified service that is mandatory for all devices (described
extensively in “GAP Service” on page 50), GATT also has its own service (containing
up to one characteristic) that must be included in all GATT servers. The optional Service
Changed characteristic (introduced briefly in “Attribute Caching” on page 66) cannot
be read or written, and its value is communicated to the client only through characteristic
value indications.
As shown in Table 4-8, the value consists only of a handle range, which delimits a
particular area of attributes in the server. This is the area that has been affected by
structural changes and needs to be rediscovered by the client. The client will have to
perform service and characteristic discovery in that area, because the attributes it may
have cached might no longer be valid.