PTLS secured communication

After successful PTLS session establishment, you can start to communicate with the lock using an encrypted channel.

Send encrypted message

For sending encrypted messages to Tedee lock use API commands characteristic.

Every encrypted message should have DATA_ENCRYPTED header attached as a first byte of the message.

Encrypt the message using an encryption key and iv got in the last step of PTLS client verification stage. Before encryption of every message modify the last two bytes of iv array via XOR with a counter of send messages to lock:

iv[10] = iv_base[0] ^ (counter >> 8)
iv[11] = iv_base[1] ^ (counter & 0xFF)

Encrypt the message using the AEAD algorithm (AES GCM 128bit).

Increment counter after every encrypted message sent.

The decryption of received messages

You will receive encrypted responses on API commands and Notifications characteristic.

You can recognize encrypted message via DATA_ENCRYPTED header attached as a first byte of the message.

It is done in the same way as described in Send encrypted message using decryption key and iv got in the last step of PTLS client verification stage.

Increment received messages counter after every decrypted message.