- •Contents
- •Preface
- •1 Introduction
- •1.1 Bluetooth system basics
- •1.1.1 Background
- •1.1.2 Trade-offs
- •1.1.3 Bluetooth protocol stack
- •1.1.4 Physical layer
- •1.1.5 Baseband
- •1.1.6 Link manager protocol
- •1.1.7 Logical link control and adaptation protocol
- •1.1.8 Host control interface
- •1.1.9 Profiles
- •1.2 Bluetooth security basics
- •1.2.1 User scenarios
- •1.2.2 Notions and terminology
- •References
- •2.1 Key types
- •2.2 Pairing and user interaction
- •2.3 Authentication
- •2.4 Link privacy
- •2.4.1 Protect the link
- •2.4.2 Encryption algorithm
- •2.4.3 Mode of operation
- •2.4.4 Unicast and broadcast
- •2.5 Communication security policies
- •2.5.1 Security modes
- •2.5.2 Security policy management
- •References
- •3 Bluetooth Pairing and Key Management
- •3.1 Pairing in Bluetooth
- •3.2 HCI protocol
- •3.3 LM protocol
- •3.4 Baseband events
- •3.4.1 Initialization key generation
- •3.4.2 Unit key generation
- •3.4.3 Combination key generation
- •3.4.4 Authentication
- •3.4.5 Master key generation
- •3.5 User interaction
- •3.6 Cipher key generation
- •3.7 Key databases
- •3.7.1 Unit keys generation requirements
- •3.7.2 Combination key generation requirements
- •3.7.3 Key databases
- •3.7.4 Semipermanent keys for temporary use
- •References
- •4 Algorithms
- •4.1 Crypto algorithm selection
- •4.1.1 Block ciphers
- •4.1.2 Stream ciphers
- •4.2 SAFER+
- •4.3 Encryption engine
- •4.4 Ciphering algorithm E0
- •4.4.1 Initialization
- •4.5 Implementation aspects
- •References
- •5 Broadcast Encryption
- •5.1 Overview
- •5.2 Preparing for broadcast encryption
- •5.3 Switching to broadcast encryption
- •References
- •6 Security Policies and Access Control
- •6.1 Objectives
- •6.1.1 Trust relations
- •6.1.2 Security levels
- •6.1.3 Flexibility
- •6.1.4 Implementation considerations
- •6.2 Security manager architecture
- •6.2.1 Overview
- •6.2.2 Device trust level
- •6.2.3 Security level for services
- •6.2.4 Connection setup
- •6.2.5 Database contents and registration procedure
- •Reference
- •7 Attacks, Strengths, and Weaknesses
- •7.1 Eavesdropping
- •7.2 Impersonation
- •7.3 Pairing
- •7.4 Improper key storage
- •7.4.1 Disclosure of keys
- •7.4.2 Tampering with keys
- •7.4.3 Denial of service
- •7.5 Unit key
- •7.6 Location tracking
- •7.6.1 Bluetooth device address and location tracking
- •7.6.2 Five different types of location tracking attacks
- •7.7 Implementation flaws
- •References
- •8 Providing Anonymity
- •8.1 Overview of the anonymity mode
- •8.2 Address usage
- •8.3 Modes of operation
- •8.4 Inquiry and paging
- •8.4.1 Connectable mode
- •8.4.2 Private connectable mode
- •8.4.3 General connectable mode
- •8.5 Alias authentication
- •8.6 Pairing
- •8.7 Anonymity mode LMP commands
- •8.8 Pairing example
- •References
- •9 Key Management Extensions
- •9.1 Improved pairing
- •9.1.1 Requirements on an improved pairing protocol
- •9.1.2 Improved pairing protocol
- •9.1.3 Implementation aspects and complexity
- •9.2 Higher layer key exchange
- •9.2.2 Higher layer key exchange with EAP TLS
- •9.3 Autonomous trust delegation
- •9.3.1 Security group extension method
- •9.3.3 Group extension method versus public key method
- •References
- •10 Security for Bluetooth Applications
- •10.1 Headset
- •10.1.1 Headset security model
- •10.1.2 Pass-key and key management
- •10.1.3 Example
- •10.2 Network access
- •10.2.1 Common access keys
- •10.2.2 Security architecture
- •10.2.3 Network service subscription
- •10.2.4 Initial connection
- •10.2.5 Subsequent access to NAcPs
- •10.3 SIM access
- •10.3.1 The SIM access profile
- •10.3.2 Securing SIM access
- •References
- •Glossary
- •List of Acronyms and Abbreviations
- •About the Authors
- •Index
Algorithms |
79 |
|
|
4.5 Implementation aspects
When building a Bluetooth device, one has to decide how to implement the algorithms. A hardware implementation is the best alternative when speed and power consumption are important. Software implementations allow fast development and are flexible. In this section we discuss the implementation of SAFER+ and E0. Since the authentication process and KC derivation are not very time critical in most Bluetooth usage scenarios, a natural choice for SAFER+ is to implement it in software. Good software implementations can easily be found on various Web sites [14].
The implementation choice for E0 is not that obvious. Since E0 is always running when transmitting encrypted data, it is advantageous to implement E0 in hardware on devices that should have very low power consumption. Because encryption takes place at the physical layer in the communication stack, a hardware implementation fits well together with an implementation where other low-layer functionality is realized in hardware. The design of E0 allows for a further simplification that reduces the number of times one has to clock the four LFSRs. The reader might have observed the special structure of the feedback polynomials. These are so-called windmill polynomials, which have the property that one can construct a linear sequential machine that, provided it is correctly initialized, for each clock cycle generates four consecutive symbols of the sequence that the normal LFSR would generate (see also [15]).
The way a windmill construction works is best shown in Figure 4.9 using the example windmill polynomial t4 + t3 + 1. Shown first is a classical LFSR construction. The output at the third register element forms the maximum length, period 15 sequence starting with the symbols 00010011 . . . . Next is shown a windmill construction that generates the same sequence, but now three symbols for each tick of the clock.
It is now easy to see that the number of required clock cycles in a windmill realization of E0 is only a quarter of that of a direct LFSR implementation.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0 |
|
|
0 |
|
|
0 |
|
|
|
|
1 |
|
|
Xt |
= 000100110... |
|
|
0 |
|
|
|
|
|
0 |
|
|
|
|
|
|
0 |
|
|
|
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0 |
|
|
|
|
0 |
|
|
|
|
0 |
|
|
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
0 |
|
|
|
|
0 |
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
1 |
|
|
|
|
0 |
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
… |
… |
… |
|
||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
X3t |
|
X3t+1 |
|
X3t+2 |
|
|||||||||||
|
|
|
|
|
(a) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
(b) |
|
|
|
|
|
Figure 4.9 A windmill construction using windmill polynomial t 4 + t 3 + 1.
80 |
Bluetooth Security |
Hence it is possible to clock a windmill variant of E0 only at one-fourth of the clock frequency of a variant with direct LFSRs. The lower clock frequency reduces power consumption in most very large scale intergration (VLSI) implementations. The windmill implementation is also feasible in software.
References
[1]van Oorschot, P. C., A. J. Menezes, and S. A. Vanstone, Handbook of Applied Cryptography, Boca Raton, FL: CRC Press, 1997.
[2]SAGE, 3GPP TS 35.201, the 3GPP Confidentiality and Integrity Algorithms; Document 1: f8 and f9 specifications, Version 5.0.0, 3rd Generation Partnership Programme, 2002.
[3]Massey, J. L., and R. A. Rueppel, “Method of, and Apparatus for, Transforming a Digital Sequence into an Encoded Form,” U.S. Patent No. 4,797,922, 1989.
[4]Rueppel, R. A., “Correlation Immunity and the Summation Combiner,” Advances in Cryptology, Crypto 85, LNCS, Berlin: Springer-Verlag, 1986, pp. 260–272.
[5]Meier, W., and O. Staffelbach, “Correlation Properties of Combiners with Memory in Stream Ciphers,” J. Cryptology, Vol. 5, No. 1, 1992, pp. 67–86.
[6]Golic, J. Dj., “Computation of Low-Weight Parity-Check Polynomials,” Electronic Letters, Vol. 32, No. 21, October 1996, pp. 1981–1982.
[7]Salmasizadeh, M., J. Dj. Golic, and E. Dawson, “Fast Correlation Attacks on the Summation Combiner,” J. Cryptology, Vol. 13, No. 2, 2000, pp. 245–262.
[8]Hermelin, M., and K. Nyberg, “Correlation Properties of the Bluetooth Summation
Combiner,” in J. Song, ed., Proc. ICISC’99, 1999 International Conf. Information Security and Cryptography, No. 1787 in LNCS, Berlin: Springer-Verlag, December 2000,
pp.17–29.
[9]Knudsen, L. R., “A Detailed Analysis of Safer k,” J. Cryptology, Vol. 13, No. 4, 2000,
pp.417–436.
[10]Kuregian, M., G. H. Khachatrian, and J. L. Massey, “Differential Cryptanalysis of Safer+,” Technical Report, Cylink Corporation, Sunnyvale, CA, 20 April, 1999.
[11]ENS Ed, “Nessie Security Report,” Technical Report Version 1.0, NESSIE Project, IST-2000-12324, 2002.
[12]Lidl, R., and H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and Its Applications, Reading, MA: Addison-Wesley, 1983.
[13]Gill, A., Linear Sequential Circuits: Analysis, Synthesis, and Applications, New York: McGraw-Hill, 1966.
[14]Safer+ Development Kit, Available at http://us.cryptosoft.de/html/safer.htm, accessed November 2003.
[15]Smeets, B., and W. G. Chambers, “On Windmill pn-Sequence Generators,” IEE Proc-E, Vol. 136, 1989, pp. 401–404.