- •Contents
- •Preface
- •1 Introduction
- •1.1 Bluetooth system basics
- •1.1.1 Background
- •1.1.2 Trade-offs
- •1.1.3 Bluetooth protocol stack
- •1.1.4 Physical layer
- •1.1.5 Baseband
- •1.1.6 Link manager protocol
- •1.1.7 Logical link control and adaptation protocol
- •1.1.8 Host control interface
- •1.1.9 Profiles
- •1.2 Bluetooth security basics
- •1.2.1 User scenarios
- •1.2.2 Notions and terminology
- •References
- •2.1 Key types
- •2.2 Pairing and user interaction
- •2.3 Authentication
- •2.4 Link privacy
- •2.4.1 Protect the link
- •2.4.2 Encryption algorithm
- •2.4.3 Mode of operation
- •2.4.4 Unicast and broadcast
- •2.5 Communication security policies
- •2.5.1 Security modes
- •2.5.2 Security policy management
- •References
- •3 Bluetooth Pairing and Key Management
- •3.1 Pairing in Bluetooth
- •3.2 HCI protocol
- •3.3 LM protocol
- •3.4 Baseband events
- •3.4.1 Initialization key generation
- •3.4.2 Unit key generation
- •3.4.3 Combination key generation
- •3.4.4 Authentication
- •3.4.5 Master key generation
- •3.5 User interaction
- •3.6 Cipher key generation
- •3.7 Key databases
- •3.7.1 Unit keys generation requirements
- •3.7.2 Combination key generation requirements
- •3.7.3 Key databases
- •3.7.4 Semipermanent keys for temporary use
- •References
- •4 Algorithms
- •4.1 Crypto algorithm selection
- •4.1.1 Block ciphers
- •4.1.2 Stream ciphers
- •4.2 SAFER+
- •4.3 Encryption engine
- •4.4 Ciphering algorithm E0
- •4.4.1 Initialization
- •4.5 Implementation aspects
- •References
- •5 Broadcast Encryption
- •5.1 Overview
- •5.2 Preparing for broadcast encryption
- •5.3 Switching to broadcast encryption
- •References
- •6 Security Policies and Access Control
- •6.1 Objectives
- •6.1.1 Trust relations
- •6.1.2 Security levels
- •6.1.3 Flexibility
- •6.1.4 Implementation considerations
- •6.2 Security manager architecture
- •6.2.1 Overview
- •6.2.2 Device trust level
- •6.2.3 Security level for services
- •6.2.4 Connection setup
- •6.2.5 Database contents and registration procedure
- •Reference
- •7 Attacks, Strengths, and Weaknesses
- •7.1 Eavesdropping
- •7.2 Impersonation
- •7.3 Pairing
- •7.4 Improper key storage
- •7.4.1 Disclosure of keys
- •7.4.2 Tampering with keys
- •7.4.3 Denial of service
- •7.5 Unit key
- •7.6 Location tracking
- •7.6.1 Bluetooth device address and location tracking
- •7.6.2 Five different types of location tracking attacks
- •7.7 Implementation flaws
- •References
- •8 Providing Anonymity
- •8.1 Overview of the anonymity mode
- •8.2 Address usage
- •8.3 Modes of operation
- •8.4 Inquiry and paging
- •8.4.1 Connectable mode
- •8.4.2 Private connectable mode
- •8.4.3 General connectable mode
- •8.5 Alias authentication
- •8.6 Pairing
- •8.7 Anonymity mode LMP commands
- •8.8 Pairing example
- •References
- •9 Key Management Extensions
- •9.1 Improved pairing
- •9.1.1 Requirements on an improved pairing protocol
- •9.1.2 Improved pairing protocol
- •9.1.3 Implementation aspects and complexity
- •9.2 Higher layer key exchange
- •9.2.2 Higher layer key exchange with EAP TLS
- •9.3 Autonomous trust delegation
- •9.3.1 Security group extension method
- •9.3.3 Group extension method versus public key method
- •References
- •10 Security for Bluetooth Applications
- •10.1 Headset
- •10.1.1 Headset security model
- •10.1.2 Pass-key and key management
- •10.1.3 Example
- •10.2 Network access
- •10.2.1 Common access keys
- •10.2.2 Security architecture
- •10.2.3 Network service subscription
- •10.2.4 Initial connection
- •10.2.5 Subsequent access to NAcPs
- •10.3 SIM access
- •10.3.1 The SIM access profile
- •10.3.2 Securing SIM access
- •References
- •Glossary
- •List of Acronyms and Abbreviations
- •About the Authors
- •Index
Key Management Extensions |
147 |
|
|
Table 9.1
RS-Code MAC Construction Examples with Probability for Successful Man-in-the-Middle Attack
Size of |
Pass-Key Size |
Pass-Key |
Probability of |
Message Hash |
(Decimal Digits) |
Size (Bytes) |
Successful Attack |
|
|
|
|
128 |
5 |
2 |
< 2−4 |
128 |
8 |
3 |
< 2−8 |
128 |
10 |
4 |
< 2−13 |
256 |
10 |
4 |
< 2−12 |
128 |
12 |
5 |
< 2−17 |
256 |
12 |
5 |
< 2−16 |
rapidly decreases with increased pass-key size for the chosen MAC. For small pass-key sizes like 2 bytes (5 decimal digits), the probability of a successful man-in-the-middle attack is less than 1/16. For most applications, a pass-key size of 4 bytes (10 decimal digits) provides a reasonable security level.
9.1.3Implementation aspects and complexity
In order to support the improved pairing procedure, there must be a transport protocol for transferring the key exchange messages. Currently, the Bluetooth specification does not contain any built-in support for the DH key exchange. Hence, no standard compliant implementation of a DH-based protocol can be implemented at the LMP level. There are several different higher layer candidates, though. When we look into the existing Bluetooth profiles, the most attractive candidates are the OBEX [15] or the PAN profile [16]. When using the PAN profile, several different possibilities exist. TCP is one rather natural choice. Another nice possible option in the PAN case would be to have it defined as the Internet Engineering Task Force (IETF) extensible authentication protocol (EAP) [17] mechanism and use the IEEE 802.1x port-based network access control framework [18]. We will discuss IEEE 802.1x in detail in Section 9.2, and we restrict the description here to the OBEX and TCP alternatives. Figure 9.2 illustrates the placement of the improved pairing protocol for the OBEX variant and Figure 9.3 shows the same thing for the PAN/TCP option.
From a protocol and usability point of view, there is no major difference between the two options, and other variants are possible as well. Independent of the chosen protocol solution, in order to be combined with the ordinary link security mechanisms, the agreed-on link key must be stored in the key database of the device. One can use the DH key as a long pass-key input to the “ordinary”
148 |
Bluetooth Security |
Improved pairing protocol
OBEX
RFCOMM SDP
LMP L2CAP
Baseband
Improved pairing protocol
OBEX
RFCOMM SDP
LMP L2CAP
Baseband
Figure 9.2 The protocol stack and the placement of the improved pairing protocol using the OBEX option.
Improved pairing protocol |
|
|
|
Improved pairing protocol |
||||
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
TCP |
|
|
|
|
TCP |
||
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IP |
|
|
|
|
IP |
||
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
BNEP |
|
SDP |
|
|
|
BNEP |
|
SDP |
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
LMP L2CAP
Baseband
LMP L2CAP
Baseband
Figure 9.3 The protocol stack and the placement of the improved pairing protocol using the PAN/TCP option.