- Email: [email protected]
On security of bluetooth wireless system
Copyright© IFAC Programmable Devices and Embedded Systems Bmo, Czech Republic, 2006
l~
1()C
C>
Publications
ON SECURITY OF BLUETOOTH WIRELESS SYSTEM Pavel Kucera, Petr Fiedler, Zdenek Bradac, Ondrej Hyncica Bmo University o/Technology Faculty 0/ Electrical Engineering and Communication Department o/ Control and Instrumentation Kolejni 4, 61200, kucera(lj2{eec, vutbr,cz
Abstract: This paper describes security features of Bluetooth PAN wireless network, Security aspects are explained step-by-step /Tom the basic items and key management to the authentication and data ellcryption. Finally, current problem with the Bluetooth security are presented. Copvright !i;;' 2005lF/ IC Keywords: System security, Wireless. PAN , Authentication, Encryption.
ensured. Every I3luetooth device has four identi fication items used for the security features at the link layer (Bluetooth , 2001):
1. BLUETOOTII TECIINOLOGY Bluetooth tcchnology is intcndcd ior wirelcss connection between human-oriented devices: PC, keyboard, mouse . headset, mobile phone. PDA. (lPS .. ., (SIG, 1998). IEEE approved Bluctooth-bascd wireles s PAN standard in 2002 as IEEE 802.15.1 BI uetooth v 1.1 specification (IEEE 802 .15. 2002). The Bluetooth technology provides peer-to-peer communication over relatively close proximity. The range for Bluetooth transmission varies fonn about 10 meters up to 100 meters for the most powerful devices (Class I), similar to a typical wi-li network. Typical application of BI uclooth is to create a temporary computer network . For example. several people in a meeting room are able to connect their laplops and PDAs to ea"h other to share liles. When you use Bluetooth to create a network, it is usuall y an ad hoc network. Computers communicate directl y "'lth each other; thcrc is not a wireless access point, which can ensure security control over the network . Thus, sccurity becomcs a major conccn! becausc important data are exposed to the other member of the network not only in the meeting room but also anywhere in the above mentioned transmi ssion range even not within your sight (Toms. 2005).
I. Rluetooth device address (RD_ADDR) - every Bluctooth transceiver has a unique 48 bits address that is derived from the IEEE802 standard. Structure of BD _ADDR is shown in Fig. 1. LAP and UAP arc significant part of the RD _ADDR and enable total address space 232. BD_ADDR of the device is publiciy known: it can be obtained either manually via test system interlace, or automatically via inquiry command al every Bluctooth device.
LB8
Fig. I. Structure of the Bluetooth device address 2. Private authentication key, whieh is always 128 bits random number used by the authentication algorithm . 3. Private encryption key is derived from the authentication key during the authentication process. The size of the key may vary between 8-128 bit s due to different requirements imposed on cryptographic algorithms III different countries and due to the increasing computing power of the attackers . The
2. SECUTIRY ITMES In order to provide protection of the wmmunication. the security at the link layer and application layer is
442
encryption key is entirely diITerent from the authentication key and each time the encryption is activated a new encryption key is generated; thus, the life time of the encryption key is different to the authentication key. 4. A random number RAND, which can be derived from a random or pseudo-random process in the Bluetooth device. The RAND is always 128 bits and it is changed frequently. For practical reasons, a software based solution witb a pseudo-random generator is oilen used. Within Bluetooth, the requirements placed on the random numbers used are that they be ' non rcpeating' and 'randomly gcncratcd '. 'Non repeating' means that the number shall not be repeated during the lifetime of the authentication key. The expression ' randomly gcncratcd ' means that it shall not bc possible to predict its value with the likehood that is greater than 1I2L, where L is a key length). Bluetooth can operate in one of three security models shown in Fig. 2.
Security Mode 2 securrty al the service level, after the communication channel is established
Security Mode 3 securrty al the link level , after Ihe communication channel is establtshed
·ig. 2. Bluetooth security modes )ifferent security levels for Bluetooth devices and ervices are shown in Fig. 3. Bluetooth Device
~:: ~ ~ ~~~e;ed
level 1 - au1horisation and authentication IS required 31uetooth Ser....ice l.evel 2 - onl.,. authentication is required
l evel 3· open all devIces
depends on whether it is a semi-permanent or a temporary key. A semi-permanent link key is stored in non volatile memory and may be used after the current session is terminated. The session is defined as the time interval for which the unit is a member of a particular piconet. A temporary key lasts only until the current session is tenninated and it cannot be reused. Temporary keys are commonly used in pointto-multi point connections, where the same information is transmitted to several recipients. In order to accommodate for different types of applications, four types of I ink keys have been defined: • • • •
the combination key KAB thc unit kcy KA (Ko) the temporary key Km"'" the initialization key Ko"
The comhination key KAB and the unit key KA (K Il) arc functionally indistinguishable. The unit key KA (K Il ) is generated in a single unit A (13). The unit key is generated once at installation of the l3Iuetooth unit. The combination key KA13 is derived from information in both units A and n. and is therefore always dependent on two units . The master key Km",", is a temporary key, which replaces the current link kcy . lt can be used whcn thc master unit wants to transmit information to more than one recipient simultaneously using the same encryption key . The initialization key KUrit is used as link key during the initialization process when there are not yet any unit or combination keys or whcn a link key has bcen lost. The key is derived from a random number, Personal Identification Number (PIN) code. and a IlD_ADDR. This key is only to be used during initialization. The length of the PIN code used in Bluetooth devices can vary between I and 16 bytes. For the longer lengths the units exchange PIN codes not through human interaction, but rather through methods supported by software at the application layer. The PIN code of the device can be fixed. so that it needs to bc entered only to the device wishing to connect. Another possibility is that the PIN code must be entered to thc both deviccs during thc initialization.
·ig. 3. Security Levels for devices and services
4. KEY GENERATION AND INITIALIZA nON 3. KEY MANAGEMENT
The link keys have to be generated and distributed among the Illuetooth units in order to be used in the authentication procedure. The exchange of the keys takes place during an initialization phase which has to be carried out separately 10r each two units that want to implement authentication and encryption. All initialization proccdurcs consist of the following five parts:
'hc cncryption key used during communication has specific size and cannot be set by the user. The .cy' s sizc is sct by a factory and thc Bluetooth ,asehand processing does not accept an encryption :ey given from higher software layers in order to 'revent thc uscr ovcr-riding the permittcd kcy sizc. ;hanging a link key should also be done through the lefined baseband procedures. ,11 security transactions between two or more parties re handled by thc link kcy. Thc link kcy is a 128 ,its random number which is used in the uthentication routine and during the generation of he encryption key. The lifetime of a link key
• • • • •
443
generation of an initialization key, generation of link key, link key cxchangc, authentication, generating of encryption key in each unit.
Afkr the initialization procedure, the units "an proceed to communicate, or the link can be disconnected. If encryption is implemented, the EO algorithm is used with the proper eneryption key derived from the current link key.
4.1 Generation of an initialization key The initiali7.ation key is needed when two devices with no prior engagements need to communicate. During the initiali7.ation process, the PIN code is entered to both devices. The initialization key itself is gcneratcd by the E22 algorithm shown in Fig. 4, which uses the PIN code, the length of the PIN code IN RAND L and a 128 bits random number generated by the verifier device as inputs.
time. first, both of the units generate a random number. With the key generating algorithm E2l, both devices generate a key, combining the random number RAND - A and RAND- B and their DT device addresses. After that the two random numbers are exchanged securely by XORing with the current link key and each unit recalculates the other unit contribution to the combination key. This is possible since I:lIch unit knows the Dluetooth device addn:ss of the other unit.
4.4 Generation of a master key The master key is a temporary key of the link keys. It is generated by the master device by using the key generati ng algorithm E22 with two 12R-bit random numbers and L - 16. The rcason to use the kcy generating algorithm E22 in the first place is just to make sure the resulting random number is random enough. A third rao~om number is then transmitted to the slave and with the key generating algorithm and the current link key an overlay is computed by both the master and the slave. The master key is then sent to the slave, bitwise XORed with the overlay and slave can calculate the master key. This proccdure is thcn rcpcated for cach slavc who shall receive the new link key.
Fig. 4. Generation of an initiali7.ation key When the initialization key is generated, the PIN is augmen!t:d with the DD ADDR. If one unit has a fixed PIN the BD ADDR of the other unit is used . If both units have a variable PIN the DD ADDR of the device that rccci vcd IN RAND is used. If both units have a fixed PIN they cannot be paired.
4.5 Generation of the encryption key The encryption key KC is derived by E3 algorithm (Fig. 6) from the current link key, a % bits Ciphering Offset number (COF), and a 128 bits random numbcr. Thc COF is dctcnnincd in onc of two ways. If the current link key is a master key, then COF is derived from the master BD ADDR. Othemisc the valuc of COF is sct to thc value of Authenticatcd Ciphering Ollset (ACO), which is generated during the authentication procedure. The encryption key is automatically changed every time the Bluetooth device enters the eneryption mode.
4. 2 Generation of a unit key
The unit key KA (K R ) is generated with the key generating algorithm E21 (Fig. 5) when the Dluetooth device is in operation for the first time: i.e. not during each initialization. Once created, the unit key is stored in non-volatile memory and is rarely changed. Another device can use the other device's unit key as a link key between these devices. During the initialization process, the application decides which party should provide its unit key as the link key.
fig. 6. Generation of the encryption key
5. ENCRYFTION Fig. 5. Generation of a unit key and a combination key
The Bluctooth eneryption system enerypts thc pay loads of the packets: the access code and the packct hcadcr arc nevcr cncryptcd. Encryption is done with a stream cipher EO, which IS re-synchronized for every new payload, which disrupt so-called correlation attacks. At each iteration, EO generates a bit using four shift registers of differing lengths and two internal states, each 2 bits long. At each clock tick, the registers are shifted
4.3 Generation of a comhination key The combination key is generated during the initialization process if the devices have decided to use one. It is generated by both devices at the same
444
and the two states are updated with the current state, the previous state and the values in the shift registers. Four bits are then extracted from the shift registers and added together. The algorithm XORs that sum ",ith the value in the 2-bit register. The first bit of the result is output for the encoding. The EO stream cipher system consists of the payload key generator, the key stream generntor and the encryptionldecryption part - Fig. 7.
the random number, the claimants Bluetooth Device Address BD_ADDRB and the current link key to get a response . The claimant sends the response SRES to the verifier, who then makes sure the responses match. Authentication scheme is shown in Fig. 8. When the authentication attempt fails, a certain waiting interval must pass before the verifier will initiate a new authentication attempt to the same claimant, or before it will respond to an authentication attempt initiated by a unit claiming the same identity as the suspicious unit. For each suhsequent authentication failure with the same Bluetooth address, the waiting interval shall be increased exponentially.
~---~i~-te~--t
'--I
K. address
payload key genera1Dr
ckx:k
RANOL-__,/L-____-Y
7. PROBLEMS IN TIlE SECURITY
cipher text :
__ .f!aJ~~~__ J encrypbon/
The encryption scheme of Bluetooth has some serious weaknesses. The most important is a fact that EO algorithm has flaw in the resynchronization mechanism and there were some investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of EO (Lu, 2005) The best attack finds the original encryption key for two-level EO using the first 24 bits of 2 23 .8 frames and with 2 38 computations. The generation of the initialization key is also a problem. The strength of the initialization key is based on the used PIN code. The E22 initialization key generation algorithm derives the key from the PIN code, the length of the PIN code and a random number, which is transmitted over the air. When using 4 digit PIN codes there are only 10.000 different possibilities; in fact most of the PINs are like "1111". Thus. the security of the initialization key is quite low. The unique Bluetooth Device Address introduces another problem. Whcn a connection is made that a certain Bluetooth device belongs to a certain person, it is easy to track and monitor the behaviour of this person. For instance , with the appropriate equipment (casy accessible) it is possible to track Bluctooth devices from more than mile away (Toms. 2005). The initial key exchange takes place over an unencrypted link. so it is especially vulnerable becausc thcrc is no such thing as a secure location anvmore. Finally the well known Denial of Service (DoS) Attack. Ibis nuisance is vcry simply; a constant request for response from a hacker's Rluetooth enabled computer to another Bluetooth enabled dC\'ice such that it causes some temporar" battery degrddation in the receiving device, While Occup\'ing the Bluetooth link with invalid communication requests. the hacker can temporarily disable the product' s Bluetooth sen·ices.
decf)'pbon part
Fig. 7. Stream ciphering with EO Depending on whether a device u~es a semi-permanent link key (i.e. a combination key or a unit key), or a master key, there are severnl encryption modes available. If a unit key or a combination key is used , broadcast traffic is not encrypted. Individually addressed traffic can be either encrypted or not. If a master key is used , there are thn:e possible modes: mode I , nothing is encrypted, mode 2, broadcast traffic is not encrypted , but the individually addressed traffic is encrypted with the master key mode 3. all traffic is encrypted with the master key .
• •
•
G. AVTIlENTICATION The Bluetooth authentication sc heme uses a challenge response scheme in which a claimant's knowledge of a secret key is checked through a 2-move protocol using symmetric secret keys: a succcssful authentication is based on the fact that both participants share the same key . As a side product. the ACO is computed and stored in both devices and is used for cipher key generation later on. Verifier (Urlll A )
AU_RA.ND' { ) I I. BD ADDR,i
-
.
E.
'I
I
ClaIma nt (Un it B)
~~ ~ !
I
Link Key j
~ SRt:S
e
SRES'
! E.
I
I
i
ffl
a:
AU_RAND. 80 ADDR,
-
.
Link Key
~
8 4(
LOO _' ____________~
8, CONCLUSION
Fig. 8. Authentication scheme in Bluetooth
Security aspects are very important for \\ireless technologit:s due to easy access of the attackt:rs to the communication medium, Anyone with the appropriate HW can scan radio communication. log it
First. the verifier sends the claimant a random number AV RANDA to be authenticated . Then. both participants use the authcntication function El with
445
and use today ' s powerful computer performance to obtain sensitive information. Bluetooth has serious vulnerability due to EO cryptographic algorithm. IIowever even more secure algorithms, like AES-128 which seems to bee secure at present time , have side channels due to poor implementation of the algorithm in 32 bits processor (Bernstein, 200S). PAN technnlogy is primary designed for devices based on 8 bits microcontrollers where the correct implementation without side channels will be even more challenging,
ACKNOWLEDGEMENT This work was supported by the Centre of Applied Cybernetics and Brno University of Technology under the Project IMOS67, Ministry of Trade and Industry of the Czech Republic (FT- TA2/095), Grant agency of the Czech Republic (GA 102103/ \097, GA 102/0S/0663 and (TA 102:05/04(7).
REFERENCES SIG
(1998). Official home page: http://v.''Ww.bluetooth.com. IEEE 802 .IS (2002). Official home page: hllp:/iwv.w.iccc802 .org!lS/. Toms Networking (2005). How to build a m~~~~
fu~.
http://wv.w.tomsnetworking.comlSectionsarticle lOo-page l.php. BI uctooth specification (200 I). Version 1.1 , February 22 200 I. Lu, Y. , W. Mcicr and S. Vaudcnay (2005). The Conditional Correlation Attack. A Practical Allack on Bluelooth Encryplioll. Crypto'05, Santa Barbara, Aug 05,14-18. Bernslein DJ. Cache-timing attacks on AES. (2005) http ://cr.yp.loianliforgervicHchetiming20050414.pdl'
446
l~
1()C
C>
Publications
ON SECURITY OF BLUETOOTH WIRELESS SYSTEM Pavel Kucera, Petr Fiedler, Zdenek Bradac, Ondrej Hyncica Bmo University o/Technology Faculty 0/ Electrical Engineering and Communication Department o/ Control and Instrumentation Kolejni 4, 61200, kucera(lj2{eec, vutbr,cz
Abstract: This paper describes security features of Bluetooth PAN wireless network, Security aspects are explained step-by-step /Tom the basic items and key management to the authentication and data ellcryption. Finally, current problem with the Bluetooth security are presented. Copvright !i;;' 2005lF/ IC Keywords: System security, Wireless. PAN , Authentication, Encryption.
ensured. Every I3luetooth device has four identi fication items used for the security features at the link layer (Bluetooth , 2001):
1. BLUETOOTII TECIINOLOGY Bluetooth tcchnology is intcndcd ior wirelcss connection between human-oriented devices: PC, keyboard, mouse . headset, mobile phone. PDA. (lPS .. ., (SIG, 1998). IEEE approved Bluctooth-bascd wireles s PAN standard in 2002 as IEEE 802.15.1 BI uetooth v 1.1 specification (IEEE 802 .15. 2002). The Bluetooth technology provides peer-to-peer communication over relatively close proximity. The range for Bluetooth transmission varies fonn about 10 meters up to 100 meters for the most powerful devices (Class I), similar to a typical wi-li network. Typical application of BI uclooth is to create a temporary computer network . For example. several people in a meeting room are able to connect their laplops and PDAs to ea"h other to share liles. When you use Bluetooth to create a network, it is usuall y an ad hoc network. Computers communicate directl y "'lth each other; thcrc is not a wireless access point, which can ensure security control over the network . Thus, sccurity becomcs a major conccn! becausc important data are exposed to the other member of the network not only in the meeting room but also anywhere in the above mentioned transmi ssion range even not within your sight (Toms. 2005).
I. Rluetooth device address (RD_ADDR) - every Bluctooth transceiver has a unique 48 bits address that is derived from the IEEE802 standard. Structure of BD _ADDR is shown in Fig. 1. LAP and UAP arc significant part of the RD _ADDR and enable total address space 232. BD_ADDR of the device is publiciy known: it can be obtained either manually via test system interlace, or automatically via inquiry command al every Bluctooth device.
LB8
Fig. I. Structure of the Bluetooth device address 2. Private authentication key, whieh is always 128 bits random number used by the authentication algorithm . 3. Private encryption key is derived from the authentication key during the authentication process. The size of the key may vary between 8-128 bit s due to different requirements imposed on cryptographic algorithms III different countries and due to the increasing computing power of the attackers . The
2. SECUTIRY ITMES In order to provide protection of the wmmunication. the security at the link layer and application layer is
442
encryption key is entirely diITerent from the authentication key and each time the encryption is activated a new encryption key is generated; thus, the life time of the encryption key is different to the authentication key. 4. A random number RAND, which can be derived from a random or pseudo-random process in the Bluetooth device. The RAND is always 128 bits and it is changed frequently. For practical reasons, a software based solution witb a pseudo-random generator is oilen used. Within Bluetooth, the requirements placed on the random numbers used are that they be ' non rcpeating' and 'randomly gcncratcd '. 'Non repeating' means that the number shall not be repeated during the lifetime of the authentication key. The expression ' randomly gcncratcd ' means that it shall not bc possible to predict its value with the likehood that is greater than 1I2L, where L is a key length). Bluetooth can operate in one of three security models shown in Fig. 2.
Security Mode 2 securrty al the service level, after the communication channel is established
Security Mode 3 securrty al the link level , after Ihe communication channel is establtshed
·ig. 2. Bluetooth security modes )ifferent security levels for Bluetooth devices and ervices are shown in Fig. 3. Bluetooth Device
~:: ~ ~ ~~~e;ed
level 1 - au1horisation and authentication IS required 31uetooth Ser....ice l.evel 2 - onl.,. authentication is required
l evel 3· open all devIces
depends on whether it is a semi-permanent or a temporary key. A semi-permanent link key is stored in non volatile memory and may be used after the current session is terminated. The session is defined as the time interval for which the unit is a member of a particular piconet. A temporary key lasts only until the current session is tenninated and it cannot be reused. Temporary keys are commonly used in pointto-multi point connections, where the same information is transmitted to several recipients. In order to accommodate for different types of applications, four types of I ink keys have been defined: • • • •
the combination key KAB thc unit kcy KA (Ko) the temporary key Km"'" the initialization key Ko"
The comhination key KAB and the unit key KA (K Il) arc functionally indistinguishable. The unit key KA (K Il ) is generated in a single unit A (13). The unit key is generated once at installation of the l3Iuetooth unit. The combination key KA13 is derived from information in both units A and n. and is therefore always dependent on two units . The master key Km",", is a temporary key, which replaces the current link kcy . lt can be used whcn thc master unit wants to transmit information to more than one recipient simultaneously using the same encryption key . The initialization key KUrit is used as link key during the initialization process when there are not yet any unit or combination keys or whcn a link key has bcen lost. The key is derived from a random number, Personal Identification Number (PIN) code. and a IlD_ADDR. This key is only to be used during initialization. The length of the PIN code used in Bluetooth devices can vary between I and 16 bytes. For the longer lengths the units exchange PIN codes not through human interaction, but rather through methods supported by software at the application layer. The PIN code of the device can be fixed. so that it needs to bc entered only to the device wishing to connect. Another possibility is that the PIN code must be entered to thc both deviccs during thc initialization.
·ig. 3. Security Levels for devices and services
4. KEY GENERATION AND INITIALIZA nON 3. KEY MANAGEMENT
The link keys have to be generated and distributed among the Illuetooth units in order to be used in the authentication procedure. The exchange of the keys takes place during an initialization phase which has to be carried out separately 10r each two units that want to implement authentication and encryption. All initialization proccdurcs consist of the following five parts:
'hc cncryption key used during communication has specific size and cannot be set by the user. The .cy' s sizc is sct by a factory and thc Bluetooth ,asehand processing does not accept an encryption :ey given from higher software layers in order to 'revent thc uscr ovcr-riding the permittcd kcy sizc. ;hanging a link key should also be done through the lefined baseband procedures. ,11 security transactions between two or more parties re handled by thc link kcy. Thc link kcy is a 128 ,its random number which is used in the uthentication routine and during the generation of he encryption key. The lifetime of a link key
• • • • •
443
generation of an initialization key, generation of link key, link key cxchangc, authentication, generating of encryption key in each unit.
Afkr the initialization procedure, the units "an proceed to communicate, or the link can be disconnected. If encryption is implemented, the EO algorithm is used with the proper eneryption key derived from the current link key.
4.1 Generation of an initialization key The initiali7.ation key is needed when two devices with no prior engagements need to communicate. During the initiali7.ation process, the PIN code is entered to both devices. The initialization key itself is gcneratcd by the E22 algorithm shown in Fig. 4, which uses the PIN code, the length of the PIN code IN RAND L and a 128 bits random number generated by the verifier device as inputs.
time. first, both of the units generate a random number. With the key generating algorithm E2l, both devices generate a key, combining the random number RAND - A and RAND- B and their DT device addresses. After that the two random numbers are exchanged securely by XORing with the current link key and each unit recalculates the other unit contribution to the combination key. This is possible since I:lIch unit knows the Dluetooth device addn:ss of the other unit.
4.4 Generation of a master key The master key is a temporary key of the link keys. It is generated by the master device by using the key generati ng algorithm E22 with two 12R-bit random numbers and L - 16. The rcason to use the kcy generating algorithm E22 in the first place is just to make sure the resulting random number is random enough. A third rao~om number is then transmitted to the slave and with the key generating algorithm and the current link key an overlay is computed by both the master and the slave. The master key is then sent to the slave, bitwise XORed with the overlay and slave can calculate the master key. This proccdure is thcn rcpcated for cach slavc who shall receive the new link key.
Fig. 4. Generation of an initiali7.ation key When the initialization key is generated, the PIN is augmen!t:d with the DD ADDR. If one unit has a fixed PIN the BD ADDR of the other unit is used . If both units have a variable PIN the DD ADDR of the device that rccci vcd IN RAND is used. If both units have a fixed PIN they cannot be paired.
4.5 Generation of the encryption key The encryption key KC is derived by E3 algorithm (Fig. 6) from the current link key, a % bits Ciphering Offset number (COF), and a 128 bits random numbcr. Thc COF is dctcnnincd in onc of two ways. If the current link key is a master key, then COF is derived from the master BD ADDR. Othemisc the valuc of COF is sct to thc value of Authenticatcd Ciphering Ollset (ACO), which is generated during the authentication procedure. The encryption key is automatically changed every time the Bluetooth device enters the eneryption mode.
4. 2 Generation of a unit key
The unit key KA (K R ) is generated with the key generating algorithm E21 (Fig. 5) when the Dluetooth device is in operation for the first time: i.e. not during each initialization. Once created, the unit key is stored in non-volatile memory and is rarely changed. Another device can use the other device's unit key as a link key between these devices. During the initialization process, the application decides which party should provide its unit key as the link key.
fig. 6. Generation of the encryption key
5. ENCRYFTION Fig. 5. Generation of a unit key and a combination key
The Bluctooth eneryption system enerypts thc pay loads of the packets: the access code and the packct hcadcr arc nevcr cncryptcd. Encryption is done with a stream cipher EO, which IS re-synchronized for every new payload, which disrupt so-called correlation attacks. At each iteration, EO generates a bit using four shift registers of differing lengths and two internal states, each 2 bits long. At each clock tick, the registers are shifted
4.3 Generation of a comhination key The combination key is generated during the initialization process if the devices have decided to use one. It is generated by both devices at the same
444
and the two states are updated with the current state, the previous state and the values in the shift registers. Four bits are then extracted from the shift registers and added together. The algorithm XORs that sum ",ith the value in the 2-bit register. The first bit of the result is output for the encoding. The EO stream cipher system consists of the payload key generator, the key stream generntor and the encryptionldecryption part - Fig. 7.
the random number, the claimants Bluetooth Device Address BD_ADDRB and the current link key to get a response . The claimant sends the response SRES to the verifier, who then makes sure the responses match. Authentication scheme is shown in Fig. 8. When the authentication attempt fails, a certain waiting interval must pass before the verifier will initiate a new authentication attempt to the same claimant, or before it will respond to an authentication attempt initiated by a unit claiming the same identity as the suspicious unit. For each suhsequent authentication failure with the same Bluetooth address, the waiting interval shall be increased exponentially.
~---~i~-te~--t
'--I
K. address
payload key genera1Dr
ckx:k
RANOL-__,/L-____-Y
7. PROBLEMS IN TIlE SECURITY
cipher text :
__ .f!aJ~~~__ J encrypbon/
The encryption scheme of Bluetooth has some serious weaknesses. The most important is a fact that EO algorithm has flaw in the resynchronization mechanism and there were some investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of EO (Lu, 2005) The best attack finds the original encryption key for two-level EO using the first 24 bits of 2 23 .8 frames and with 2 38 computations. The generation of the initialization key is also a problem. The strength of the initialization key is based on the used PIN code. The E22 initialization key generation algorithm derives the key from the PIN code, the length of the PIN code and a random number, which is transmitted over the air. When using 4 digit PIN codes there are only 10.000 different possibilities; in fact most of the PINs are like "1111". Thus. the security of the initialization key is quite low. The unique Bluetooth Device Address introduces another problem. Whcn a connection is made that a certain Bluetooth device belongs to a certain person, it is easy to track and monitor the behaviour of this person. For instance , with the appropriate equipment (casy accessible) it is possible to track Bluctooth devices from more than mile away (Toms. 2005). The initial key exchange takes place over an unencrypted link. so it is especially vulnerable becausc thcrc is no such thing as a secure location anvmore. Finally the well known Denial of Service (DoS) Attack. Ibis nuisance is vcry simply; a constant request for response from a hacker's Rluetooth enabled computer to another Bluetooth enabled dC\'ice such that it causes some temporar" battery degrddation in the receiving device, While Occup\'ing the Bluetooth link with invalid communication requests. the hacker can temporarily disable the product' s Bluetooth sen·ices.
decf)'pbon part
Fig. 7. Stream ciphering with EO Depending on whether a device u~es a semi-permanent link key (i.e. a combination key or a unit key), or a master key, there are severnl encryption modes available. If a unit key or a combination key is used , broadcast traffic is not encrypted. Individually addressed traffic can be either encrypted or not. If a master key is used , there are thn:e possible modes: mode I , nothing is encrypted, mode 2, broadcast traffic is not encrypted , but the individually addressed traffic is encrypted with the master key mode 3. all traffic is encrypted with the master key .
• •
•
G. AVTIlENTICATION The Bluetooth authentication sc heme uses a challenge response scheme in which a claimant's knowledge of a secret key is checked through a 2-move protocol using symmetric secret keys: a succcssful authentication is based on the fact that both participants share the same key . As a side product. the ACO is computed and stored in both devices and is used for cipher key generation later on. Verifier (Urlll A )
AU_RA.ND' { ) I I. BD ADDR,i
-
.
E.
'I
I
ClaIma nt (Un it B)
~~ ~ !
I
Link Key j
~ SRt:S
e
SRES'
! E.
I
I
i
ffl
a:
AU_RAND. 80 ADDR,
-
.
Link Key
~
8 4(
LOO _' ____________~
8, CONCLUSION
Fig. 8. Authentication scheme in Bluetooth
Security aspects are very important for \\ireless technologit:s due to easy access of the attackt:rs to the communication medium, Anyone with the appropriate HW can scan radio communication. log it
First. the verifier sends the claimant a random number AV RANDA to be authenticated . Then. both participants use the authcntication function El with
445
and use today ' s powerful computer performance to obtain sensitive information. Bluetooth has serious vulnerability due to EO cryptographic algorithm. IIowever even more secure algorithms, like AES-128 which seems to bee secure at present time , have side channels due to poor implementation of the algorithm in 32 bits processor (Bernstein, 200S). PAN technnlogy is primary designed for devices based on 8 bits microcontrollers where the correct implementation without side channels will be even more challenging,
ACKNOWLEDGEMENT This work was supported by the Centre of Applied Cybernetics and Brno University of Technology under the Project IMOS67, Ministry of Trade and Industry of the Czech Republic (FT- TA2/095), Grant agency of the Czech Republic (GA 102103/ \097, GA 102/0S/0663 and (TA 102:05/04(7).
REFERENCES SIG
(1998). Official home page: http://v.''Ww.bluetooth.com. IEEE 802 .IS (2002). Official home page: hllp:/iwv.w.iccc802 .org!lS/. Toms Networking (2005). How to build a m~~~~
fu~.
http://wv.w.tomsnetworking.comlSectionsarticle lOo-page l.php. BI uctooth specification (200 I). Version 1.1 , February 22 200 I. Lu, Y. , W. Mcicr and S. Vaudcnay (2005). The Conditional Correlation Attack. A Practical Allack on Bluelooth Encryplioll. Crypto'05, Santa Barbara, Aug 05,14-18. Bernslein DJ. Cache-timing attacks on AES. (2005) http ://cr.yp.loianliforgervicHchetiming20050414.pdl'
446