LE Secure Connections

What Is LE Secure Connections?

pairing." data-category="Security">LE Secure Connections (LESC) is the enhanced pairing method introduced in Bluetooth 4.2 that uses Elliptic Curve Diffie-Hellman (ECDH) key agreement on the NIST P-256 curve. It replaces the weaker key-exchange mechanism of Legacy Pairing and provides protection against passive eavesdropping attacks.

Why LESC Was Needed

Legacy Pairing generates a Temporary Key (TK) directly from the association model output -- in the case of Just Works, this TK is simply zero. An attacker who records the entire pairing exchange can brute-force the TK (at most 1 million attempts for a 6-digit passkey) and derive all subsequent keys, decrypting both the current and future sessions. LESC closes this vulnerability by basing the shared secret on ECDH, which is computationally infeasible to reverse from the public keys exchanged on the air.

ECDH Key Exchange

During LESC pairing, each device generates an ephemeral P-256 key pair (public key + private key). The public keys are exchanged over the unencrypted link. Each device then computes the shared secret (DHKey) using its own private key and the peer's public key. From this DHKey, a MacKey and LTK are derived through AES-CMAC-based key derivation functions. The private keys never leave the device, so a passive eavesdropper who captures only the public keys cannot compute the DHKey.

Association Models with LESC

LESC supports three association models:

• Just Works -- no user interaction; provides encryption but no MITM protection (the ECDH exchange alone does not prevent active man-in-the-middle attacks).
• Passkey Entry -- a 6-digit code authenticates the ECDH exchange, providing MITM protection.
• Numeric Comparison -- both devices display a 6-digit value derived from the ECDH exchange; the user confirms they match. This is the most user-friendly MITM-protected method but requires both devices to have displays.

Implementation Requirements

LESC requires hardware or software support for P-256 elliptic curve operations. Most modern BLE SoCs (Nordic nRF52+, TI CC26x2, Espressif ESP32) include hardware cryptographic accelerators that handle ECDH in under 1 second. Older chips without hardware ECC can still perform LESC using software libraries, but key generation may take 2 -- 4 seconds, which is noticeable to users.

Specification Compliance

Since Bluetooth 5.0, the Bluetooth SIG strongly recommends LESC for all new products. Qualification testing verifies LESC support through dedicated test cases. Devices that implement only Legacy Pairing cannot claim Bluetooth 5.x compliance in many profiles. When both devices support LESC, the pairing procedure automatically selects it over Legacy Pairing.