T-79.4501 Cryptography and Data Security Lecture 11 Bluetooth Security Outline Security threats Objectives of Bluetooth security The Bluetooth Baseband security Pairing procedure Authentication/Encryption key generation Algorithms Summary 1
Threats in communication networks Application Presentation Service and application theft; Database & document read, modify, insertion; wildlife(viruses, worms, Trojan Horses, etc.); Administrator services (Accts., privilege enhancement, etc.) Message-level encryption attack, copying of user display contents Session Password theft Transport Network Transit attacks (vs. 3rd party networks); Back/trap doors; Port scanning; Buffer overflows; NAKs Address spoofing, routing table corruption MAC Physical DoS, Bulk encryption, EDAC, RX, Location attacks, key theft Radio intercept, Eavesdropping, Jamming, Traffic Analysis, Physical damage Protection in bluetooth Application Service and application theft; Database & document read, modify, insertion; wildlife(viruses, worms, Trojan Horses, etc.); Administrator services (Accts., privilege enhancement, etc.) LAN Access LAN Access applications Existing or modified Presentation Message-level encryption attack, copying of user display contents PPP PPP protocol stack Existing PPP COM port Session Password theft SDP RFCOMM L2CAP Transport Transit attacks (vs. 3rd party networks); Back/trap doors; Port scanning; Buffer overflows; NAKs Link Mgr Bluetooth Authentication Network Address spoofing, routing table corruption Baseband RF Bluetooth Data Encryption MAC DoS, Bulk encryption, EDAC, RX, Location attacks, key theft Physical Radio intercept, Eavesdropping, Jamming, Traffic Analysis, Physical damage 2
End-to-end security vs. link Level security Bluetooth provides link level security Many applications require end-to-end security dial-up networking for corporate clients (IPSEC) e-mail (PGP,S/MIME) Browser transactions (TLS) Bluetooth SIG encourage reuse of existing network, transport, session and application layer security mechanisms Bluetooth Security Overview Basic objectives Provide means for a secure link layer: Entity authentication Authenticated connections between personal devices Hardware identification 128 bits key Link privacy Allow private exchange of data between devices Examples: File transfer, phone book/calendar/task synchronisation 8-128 bits key 3
Bluetooth Security Overview What it does not do... Message authentication Originating application is not identified Secure end-to-end links Plain text in, plain text out... Bluetooth Security Overview Basic concept Key types Link keys (128 bit) Encryption keys (8-128 bit) Pairing Establishing secret keys Encryption algorithm Stream cipher 4
Key Types (I) Link keys Encryption key Temporary Semi-permanent Master Key Unit Key Combination Key Initialisation Key Initialisation key Key Types (II) Derived from supplied number Relatively short PIN direct user interaction Super PIN key agreement protocol at application layer Used once, then discarded Combination key Combination of two contributions Unique for each pair of units 5
Unit key Key Types (III) Generated in one unit Restricted memory resources Encryption key Derived from current link key Renewed every session Configurable key length (8-128 bit) Maximal length HW restricted Pairing Procedure First time connection Generate initialisation key Generate link key Generate encryption key Exchange link key Authenticate 6
Pairing Procedure Non-first time connections Get current link key Authenticate Generate encryption key Pairing Procedure Generate Initialization Key Unit A Unit B ADDR_A RND PIN ADDR_A ADDR_A RND PIN E 22 RND E 22 7
Unit A Pairing Procedure Unit key Unit B ADDR_A RND_A E 21 + + K A K A Pairing Procedure Combination key Unit A Unit B ADDR_A RND_A E 21 + + RND_A + RND_B ADDR_B E 21 ADDR_B RND_B + + RND_B + RND_A ADDR_A E 21 E 21 K AB LK_K B LK_K A LK_K A LK_K B + + K BA 8
Key Usage Semi-permanent or temporary link keys? D K AD A K MD K MA M K MC K MB B C Point-to-point configuration Key Usage Semi-permanent or temporary link keys? D K AD A K master K master M K master K master B C Point-to-multipoint configuration 9
Encryption Key Generation (I) Authentication+K C Authentication AU_RND SRES =? SRES Claimant ADDR E 1 SUCCESS/FAIL ACO Link keys Master key? ADDR ADDR ACO COF EN_RND E 3 K C Encryption Key Generation (II) Kc is 128 bits Governmental attitudes/export issues Different key lengths needed Negotiation necessary (1-16 bytes) Generates Kc in HW of correct length Part of E 0 algorithm Initiate the LFSRs of the encryption machine 10
The Algorithms E 0 Encryption algorithm Blend K C K C LFSR 1 CLK EN_RND Form input data LFSR 2 LFSR 3 Summation Combiner Enc. stream ADDR LFSR 4 Stream cipher The Algorithms E 0 Encryption algorithm Fast and easy HW implementation Improved correlation properties Blend register feedback Initially clocked 240 times Frequent re-synchronising LFSR starting state updated for each slot Point-to-point or point-to-multipoint 11
The Algorithms E 1 Authentication algorithm Computationally secure authentication code Based on SAFER+ Runs for 17 rounds Modified to be non-invertible The Algorithms E 21, E 22 Link key generation E 21 : Input: RAND, BD_ADDR (48 bit) Output: Key (128 bit) Unit and combination keys E 22 : Input: RAND, PIN, Length(PIN) Output: Key (128 bit) Initialisation and master keys 12
Key usage summary PIN First time connections PIN E 22 E 22 LINK KEY Authentication LINK KEY E 3 EN_RAND E 3 ENCRYPTION KEY Encryption ENCRYPTION KEY E0 Algorithm summary HW implementation Subject to export regulations E1, E21, E22, E3 Based on the same block cipher Suitable for SW implementation 13
Summary There exists many security threats in communication networks The Bluetooth specification provides authentication protection and link level encryption The Bluetooth specification meets security industry level for protection 14