equal to zero), the clock bits, and output bits.3 We are not aware of any attacks that exploit this, nor do we have complexity estimates for such an attack.

We conclude that currently there is no attack known that breaks the complete encryption procedure with reasonable effort. However, the security margin is insufficient to feel comfortable about the years to come. Therefore, a stronger encryption alternative in Bluetooth would be welcome as a backup solution in case future attacks succeed to reduce the cryptanalytic workload to a practical level. Such future attacks may well exploit the fact that the output bits can be expressed approximately (probabilistically) with an algebraic relation in terms of the initial state bits with a lower degree than the exact (deterministic) relation. This is a continuation of the work of Armknecht and Courtois that we discussed.

7.2 Impersonation

In the previous section, the main concern was the confidentiality of the data that two units exchange. Another concern is that receivers want to be sure that they indeed receive data from the original sending party identified through the Bluetooth authentication procedure. An attacker has mainly two options:

1.Impersonate the original sending (or receiving) unit;

2.Insert/replace data (payloads) that is sent.

The first option requires the attacker to provide the correct response on the authentication challenge by the receiving unit. Currently, no attack on the SAFER+-based E1 is known that achieves this within any realistic computational effort. Hence, the only realistic way to send wrong data to the receiver is by inserting/replacing data that is sent from the sending unit to the receiving unit. When no encryption is activated, this can easily be achieved by correctly setting the CRC check data in the payload after the data in the payload has been modified. This is indeed an easy task because the attacker knows the data bits that have been set/modified by the attacker and knows how to perform the CRC computation for the payload. When ciphering is activated, the same attack applies because the ciphering consists of adding (modulo 2) the bits of the key stream to the data. This is a linear operation, and since the CRC calculation is a linear operation too, the attacker can compute how to modify the CRC to make it agree with modifications in the encrypted data bits. Thus, the CRC mechanism combined with activated encryption is capable of detecting a modification

3.We use the fact that we can write the affine equation St (C ) = (S0) + H(C ) for fixed C, where H is a linear transformation and C the vector of 26 clock bits.

Concluding, we see that the payload data in the Bluetooth 1.1 system is easily tampered with. Yet, in a practical system were encryption is activated, it is not at all easy to make something useful of this attack beyond the point of just disrupting the communication.4 The attacker must somehow know the context of the payload data to conduct changes that are meaningful or effective. This is because some payload data is most likely intended for service operation in the higher layers of the communication stack, and other data is actual enduser/application data. Without knowing what data is sent, it is unlikely that the attacker achieves a particular desired change in the end-user data. Here Bluetooth benefits from the fact that encryption is performed at a very low level in the communication stack.

7.3 Pairing

The Bluetooth 1.1 specification is sensitive to passive and active attacks on the pairing procedure. The attacks only work if the attacker is present at the pairing occasion, which typically only occurs once between one pair of devices. Anyway, if pairing is performed in public places during a connection to an access point, point-of-sale machine, or printer, this can indeed be a dangerous threat. In this section we describe how a passive or active attack against the pairing works. In order to simplify the description, we only describe the combination key case. However, the attack can easily be generalized to the unit key pairing case. On the other hand, unit keys have other specific security issues. These issues will be discussed in Section 7.5.

The Bluetooth combination key is calculated as shown in Figure 3.3. In the figure, K denotes the current link key. In the pairing procedure, the current link is the initialization key KINIT, which is derived as the output of the algorithm E22. E22 takes as input the address of one of the Bluetooth units, BD_ADDR_A, a random value, IN_RAND, and the secret pass-key, that is,

K INIT = E 22 (BD _ ADDR _ A,IN _ RAND,PKEY )

The random value, IN_RAND, is sent in cleartext from unit B to unit A over the Bluetooth radio channel.

As shown in Figure 3.3, the initialization key is then used to encrypt random values, LK_RANDA, and LK_RANDB, which are used to derive the combination key KAB (a similar procedure is used to exchange a unit key, as was shown in Chapter 3). A third part, or a “man in the middle,” who observes all the

4.If disrupting the communication is a goal of the attacker, there are simpler ways to set up an attack.

communication between A and B during the pairing procedure obtains all parameters exchanged over the air interface. The parameters needed for an attack are the device address of A, BD_ADDR_A; the device address of B, BD_ADDR_B; the random value, IN_RAND; and the encrypted random values, KINIT LK_RANDA and KINIT LK_RANDA . Hence, as is shown in Figure 3.3, the only unknown parameter used in the calculations of KAB, is the pass-key. Given that attackers observe all these values, they might then try to guess which pass-key value that was used during the pairing. Each pass-key value then corresponds to a unique link key value. However, in order to check if the guess is correct, the attackers must have some additional information. This information is obtained if they also observe the authentication message exchange that always follows the link key calculation exchanges. At the authenticating procedure, the verifier sends a random value, AU_RAND, to the claimant unit. The claimant then sends a response, SRES = E2(BD_ADDR_claimant, AU_RAND, KAB), where E2 is the Bluetooth authentication algorithm. In summary, the attacker can observe the following parameters during the pairing procedure:

A1 = IN_RAND

A2 = KINIT LK_RAND_A

A3 = KINIT LK_RAND_B

A4 = AU_RAND

A5 = SRES

Using these observations, the attacker can guess the pass-key value PKEY ′ and calculates the corresponding link key, K ′AB , as is shown in Figure 7.2. Given the observed values A1, A2, . . ., A4 and a guess of the pass-key value, the corresponding SRES ′ value can then be calculated. If the calculated value equals the observed value SRES, the attackers can check whether they have made a correct guess or not. If the size of the pass-key is smaller than the size of the SRES value, they can be almost sure of whether or not the guess was correct. Furthermore, if the size of the pass-key value is small, they can check all possible values and see where they get a match between SRES ′ and SRES. If further confidence is needed, the second authentication exchange can be used (mutual authentication is always performed at the pairing). Hence, short pass-key values do not protect the users from a passive eavesdropper or man in the middle present at the pairing occasion.

The security problems with short pass-key values have been reported in several papers and official reports. The Bluetooth specification also recommends the use of longer pass-keys for sensitive applications [18]. Jakobsson and Wetzel [19] indicated that it would be possible to obtain the link key at the initialization through passive eavesdropping or a man-in-the-middle attack. In a recent