- •Contents
- •Preface
- •1 Introduction
- •1.1 Bluetooth system basics
- •1.1.1 Background
- •1.1.2 Trade-offs
- •1.1.3 Bluetooth protocol stack
- •1.1.4 Physical layer
- •1.1.5 Baseband
- •1.1.6 Link manager protocol
- •1.1.7 Logical link control and adaptation protocol
- •1.1.8 Host control interface
- •1.1.9 Profiles
- •1.2 Bluetooth security basics
- •1.2.1 User scenarios
- •1.2.2 Notions and terminology
- •References
- •2.1 Key types
- •2.2 Pairing and user interaction
- •2.3 Authentication
- •2.4 Link privacy
- •2.4.1 Protect the link
- •2.4.2 Encryption algorithm
- •2.4.3 Mode of operation
- •2.4.4 Unicast and broadcast
- •2.5 Communication security policies
- •2.5.1 Security modes
- •2.5.2 Security policy management
- •References
- •3 Bluetooth Pairing and Key Management
- •3.1 Pairing in Bluetooth
- •3.2 HCI protocol
- •3.3 LM protocol
- •3.4 Baseband events
- •3.4.1 Initialization key generation
- •3.4.2 Unit key generation
- •3.4.3 Combination key generation
- •3.4.4 Authentication
- •3.4.5 Master key generation
- •3.5 User interaction
- •3.6 Cipher key generation
- •3.7 Key databases
- •3.7.1 Unit keys generation requirements
- •3.7.2 Combination key generation requirements
- •3.7.3 Key databases
- •3.7.4 Semipermanent keys for temporary use
- •References
- •4 Algorithms
- •4.1 Crypto algorithm selection
- •4.1.1 Block ciphers
- •4.1.2 Stream ciphers
- •4.2 SAFER+
- •4.3 Encryption engine
- •4.4 Ciphering algorithm E0
- •4.4.1 Initialization
- •4.5 Implementation aspects
- •References
- •5 Broadcast Encryption
- •5.1 Overview
- •5.2 Preparing for broadcast encryption
- •5.3 Switching to broadcast encryption
- •References
- •6 Security Policies and Access Control
- •6.1 Objectives
- •6.1.1 Trust relations
- •6.1.2 Security levels
- •6.1.3 Flexibility
- •6.1.4 Implementation considerations
- •6.2 Security manager architecture
- •6.2.1 Overview
- •6.2.2 Device trust level
- •6.2.3 Security level for services
- •6.2.4 Connection setup
- •6.2.5 Database contents and registration procedure
- •Reference
- •7 Attacks, Strengths, and Weaknesses
- •7.1 Eavesdropping
- •7.2 Impersonation
- •7.3 Pairing
- •7.4 Improper key storage
- •7.4.1 Disclosure of keys
- •7.4.2 Tampering with keys
- •7.4.3 Denial of service
- •7.5 Unit key
- •7.6 Location tracking
- •7.6.1 Bluetooth device address and location tracking
- •7.6.2 Five different types of location tracking attacks
- •7.7 Implementation flaws
- •References
- •8 Providing Anonymity
- •8.1 Overview of the anonymity mode
- •8.2 Address usage
- •8.3 Modes of operation
- •8.4 Inquiry and paging
- •8.4.1 Connectable mode
- •8.4.2 Private connectable mode
- •8.4.3 General connectable mode
- •8.5 Alias authentication
- •8.6 Pairing
- •8.7 Anonymity mode LMP commands
- •8.8 Pairing example
- •References
- •9 Key Management Extensions
- •9.1 Improved pairing
- •9.1.1 Requirements on an improved pairing protocol
- •9.1.2 Improved pairing protocol
- •9.1.3 Implementation aspects and complexity
- •9.2 Higher layer key exchange
- •9.2.2 Higher layer key exchange with EAP TLS
- •9.3 Autonomous trust delegation
- •9.3.1 Security group extension method
- •9.3.3 Group extension method versus public key method
- •References
- •10 Security for Bluetooth Applications
- •10.1 Headset
- •10.1.1 Headset security model
- •10.1.2 Pass-key and key management
- •10.1.3 Example
- •10.2 Network access
- •10.2.1 Common access keys
- •10.2.2 Security architecture
- •10.2.3 Network service subscription
- •10.2.4 Initial connection
- •10.2.5 Subsequent access to NAcPs
- •10.3 SIM access
- •10.3.1 The SIM access profile
- •10.3.2 Securing SIM access
- •References
- •Glossary
- •List of Acronyms and Abbreviations
- •About the Authors
- •Index
Glossary
Throughout the book, several terms have been used. Some are commonly used within the field of security research, while other terms are specifically related to Bluetooth. Below we give short definitions for all of these.
Active wiretapper A wiretapper that is capable of injecting and modifying messages at will.
Ciphertext Data protected through the use of encipherment. The semantic context of the resulting data is not available.
Claimant The entity that claims to be a specific peer entity, that is, claiming a specific identity.
Connectable A Bluetooth device that regularly performs a page scan, and therefore can be reached by other devices knowing its device address.
Denial-of-service (DoS) attack The prevention of authorized access to resources or the delaying of time-critical operations. The resulting system degradation can, for example, be the result of the system being fully occupied by handling bogus connection requests.
Discoverable A Bluetooth device that regularly performs inquiry scanning and therefore can be detected by other devices.
Eavesdropper See passive wiretapper.
187
188 |
Bluetooth Security |
Fixed pass-key A pass-key that cannot be arbitrarily chosen at the pairing instance.
Impersonation attack An attack whereby the attacker sends data and claims that the data originates from another entity.
Key management The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
Known plaintext attack Attack on a ciphering system using knowledge of ciphertext data and the matching cleartext.
Pairable A Bluetooth device for which the security policy is to accept pairing attempts.
Passive wiretapper A person that wiretaps a link by making a copy of the data that is sent via the link. The state of the system is not changed.
Peer-entity authentication The corroboration that a peer entity in an association is the one claimed.
Plaintext Intelligible data for which the semantic context of the resulting data is available.
Security policy The set of criteria for the provision of security services.
Trusted device A remote device with which a long-lasting security relation has been established. A trusted device is given unconditional access to all services running on the local device after it has been successfully authenticated.
Untrusted device A remote device with which a temporary or a long-lasting security relation has been established. An untrusted device does not get unconditional access to services running on the local device; authentication as well as authorization is required.
Variable pass-key A pass-key that can be arbitrarily chosen at the pairing instance.
Verifier The entity that challenges another entity for its claimed identity.
List of Acronyms and Abbreviations
Here we list the acronyms and abbreviations used in the book. In cases for which it is not obvious what the meaning of the listed item is, a short explanation has also been provided.
ACL Asynchronous connection-oriented (logical transport).
ACO Authenticated ciphering offset. A parameter binding devices to a particular authentication event.
AES Advanced Encryption Standard
AG Audio gateway. A mobile phone or other outloud-playing device (connected to a headset).
BB Baseband. This is the lowest layer of the Bluetooth specification.
BD_ADDR Bluetooth device address
BER Bit error rate. Average probability that a received bit is erroneous.
BNEP Bluetooth network encapsulation protocol. Emulation of Ethernet over Bluetooth links.
CA Certificate authority. Trusted issuer of certificates.
189
190 |
Bluetooth Security |
CAC Channel access code. A code derived from the master device address in a Bluetooth connection
CAK Common access key. A common key that can be used when connecting to different access points belonging to a particular network provider.
CID Channel identifier. End points at an L2CAP channel.
COF Ciphering offset. Additional secret input to ciphering key generation procedure.
CPU Central processing unit
CRC Cyclic redundancy check. A checksum added to the payload by the sender that the receiver can use to detect transmission errors.
DAC Device access code
DH Diffie-Hellman. The name of the first public key exchange scheme.
DoS Denial of service
DSP Digital signal processor
DT Data terminal
EAP Extensible authentication protocol. An authentication protocol standardized by the IETF organization.
EAPOL EAP encapsulation over LANs
ECDH Elliptic-curve Diffie-Hellman
eSCO Enhanced synchronous connection-oriented. A logical channel for transport of prioritized synchronous user data.
FEC Forward error correction. Another notion for an error correcting code.
FH Frequency hopping
FHS Frequency hop synchronization
List of Acronyms and Abbreviations |
191 |
|
|
GAP Generic access profile. A Bluetooth profile that determines common connection handling functions for all other Bluetooth profiles.
GSM Global Mobile System
HC Host controller
HCI Host controller interface
HS Headset
IAC Inquiry access code
ICC Integrated circuit card
ID Identifier
IEEE Institute of Electrical and Electronics Engineers. A nonprofit technical professional association for engineers in this area.
IETF Internet Engineering Task Force
IIR Infinite impulse response
IKE Internet key exchange. An IETF protocol used to authenticate IP connections and to exchange IPSEC keys.
IP Internet protocol.
IPSEC IP security protocol. An IETF security protocol used to protect IP packets.
ISM Industrial, scientific, and medical. A part of the radio spectrum reserved for these kinds of applications.
L2CAP Logical link communication and adaptation protocol.
LAN Local area network
LAP Lower address part. Bits 0 to 23 of the unique 48-bit IEEE device address.
192 |
Bluetooth Security |
LC Link controller. Entity |
that implements the baseband protocol and |
procedures. |
|
LFSR Linear feedback shift register
LM Link manager. Entity that sets up and maintains the Bluetooth link.
LMP Link manager protocol
LSB Least significant bit
LT_ADDR Logical transport address. A logical 3-bit address assigned to each slave in a piconet.
MAC Message authentication code
MANA Manual authentication
MSB Most significant bit
NAcP Network access point
NAP Nonsignificant address part. Bits 32 to 47 of the unique 48-bit IEEE device address.
OBEX Object exchange
OpCode Operation code_A code used to identify different types of PDUs.
PAN Personal area network
PCD Personal certification device
PDA Personal digital assistant
PDU Protocol data unit
PIN Personal identification number
PKI Public key infrastructure
List of Acronyms and Abbreviations |
193 |
|
|
PSM Protocol/service multiplexor. An identifier used by L2CAP during channel establishment to route the connection request to the right upper layer protocol. Several protocols can be multiplexed over L2CAP.
QoS Quality of service. Defines the specific requirements on the link (e.g., with respect to bit rate, delay, latency) needed by certain applications.
RFCOMM A serial cable emulation protocol based on ETSI TS 07.10
RS-code Reed-Solomon code.
RSA Rivest, Shamir, and Adleman. The name of a public-key cryptosystem for both encryption and authentication.
SCO Synchronous connection-oriented. A logical channel for transport of synchronous user data.
SDP Service discovery protocol. A protocol for locating services provided by or available through a Bluetooth device.
SIG Special Interest Group. The organization owning the Bluetooth trademark, also responsible for the evolution of Bluetooth wireless technology.
SIM Subscription identity module. An ICC used in the GSM mobile telephony system. The module stores subscription and user data.
TCP Transmission control protocol. An IETF protocol for reliable IP communication.
TLS Transport layer security. An IETF security protocol used to authenticate peers, exchange keys, and protect TCP traffic.
UAP Upper address part. Bits 24 to 31 of the unique 48-bit IEEE device address.
UART Universal asynchronous receiver/transmitter. An integrated circuit used for serial communication with the transmitter and receiver clocked separately.
USB Universal serial bus
WLAN Wireless local area network