What are some keywords on Bluetooth?
- 2.4 GHz ISM Band
- Form “Pico net” in close proximity
- Same frequency used for one network, using TDM
- Up to 50 Mbit/s
- Master - Slave concept
What are Bluetooth profiles? What are some examples?
- Profiles = Bluetooth applications
-Generic Access Profile: e.g. defines service discovery protocol
-Service Discovery Application Profile
-Headset Profile
-Human Interface Device Profile:
What are the security modes in classical Bluetooth?
- Security Mode 1: No encryption/ authentication
- Security Mode 2: Security configurable per service
- Security Mode 3: Link-level security enforced
- Security Mode 4: Service-level security enforced. Service defines which SSP option is allowed (Default for version >2.1)
What are the security levels in Bluetooth?
- Mode 4 only
Level 0: No security (for discovery only)
Level 1: No security
Level 2: Unauthenticated link key
Level 3: Authenticated link key establishment using secure simple pairing
Level 4: Authenticated link key establishment using secure simple pairing with stronger EC
What are the security procedures in Bluetooth?
- Pairing: First time establish long-term key
- Authentication and session key agreement: when devices meet again
- Link layer protection: Use session key for encryption and integrity protection on link layer
What are the modes of operation in Bluetooth?
- Discoverable Mode: Monitors inquiry scan channel and responds
- Non-discoverable Mode: Not scanning
- Connectable: Monitors specific page scan channel and responds
- Non-connectable: Do not connect to devices
How is pairing done in < BT 2.1?
Pin-based:
- PIN 1-16 Byte: Fixed or user-selected
- K_init derived from PIN and RAND
- K_A unit key - once generated with address and RAND
- K_AB combination key derived during pairing
- LK derived from either K_A or K_AB. Used for further auth and key-agreement:
LK = K_A xor K_init OR
LK = K_A xor K_B
How is authentication done in Bluetooth < 2.1?
- Challenge / response scheme using RAND, Address and LK
- Done in both directions
How is encryption done in Bluetooth < 2.1?
- Unicast encryption key Kc generated by LK, RAND and Authenticated Ciphering Offset (ACO)
- Key generator generates fresh key for encryption function E0
How is broadcast realized in Bluetooth < 2.1?
- Master devices generates K_master with two RANDs
- Sends K_master encrypted with LK to slave
- Slave generates Kc based of K_master
- Slave acknowledges with new Kc
What are the service levels in Bluetooth?
Service level 1: Requires authentication and authorization. Automatic access to trusted devices only
Service level 2: Requires authentication only.
Service level 3: Open to all devices
What are the known attacks against Bluetooth < 2.1?
- Unit keys as link key: any device ever connected can eavesdrop and impersonate the device
- Fixed pins: any device ever connected know the pin and can eavesdrop. Also short key and default 0
- PIN cracking: Record handshake and guess PIN. Then derive keys and check if RES* = RES in authentication. Attacker gains LK
- PIN cracking for fixed-PIN device: Attacker send RAND and makes a guess for the PIN. Then sends RAND_auth and checks if RES*=RES. Attacker gains fiixed PIN and K_A
What is Secure Simple Pairing in Bluetooth?
- Collection of new pairing methods based on elliptic curve DH:
Authenticated: - Numeric comparison: Compare numbers derived from DH
- Passkey entry: User enters number from one device on the other device
- Out of band: e.g. NFC, SMS
Unauthenticated: - Just works: Only DH. No Man-in-the-middle protection
How does numeric comparison work in SSP?
- First DH-key exchange
- B sends A commitment (hash of Nonce and PKs)
- A sends B Na
- B sends A Nb
- A verifies commitment
- A and B display V, which is hash of Na, Nb, PKa, PKb
How does passkey entry work in SSP?
- First DH-key exchange
- A and B each insert passkey
For each bit in passkey and each device: - Choose nonce
- Send commitment hash with bit and nonce
- Receive commitment
- Send nonce
- Receive nonce
- Verify other devices commitment is correct
What is the stage 2 in all SSP options?
- Compute hash over DH-key, nonces, passkey, capabilities and addresses
- Send and compare with received hash
- Compute LK with hash over DH-key, nonces, addresses
How is a device authenticated on an established LK in Bluetooth > 2.1?
Same as before: Send challenge RAND and compare RES with expected result
How are devices authenticated on an LK in BT version > 4.1?
- Both devices send challenge
- Calculate HMAC with challenges, addresses and LK
- Compare received results
How is an man-in-the-middle attack against passkey protected device done?
- Attacker listens on communication and cracks passcode bit per bit
- After last message, attacker jams the signal and causes a connection reset
- If user uses same passkey, attacker can be man in the middle
What are the BLE security modes and levels?
LE security mode 1:
- Level 1: No security
- Level 2: Unauthenticated pairing and (AEAD) encryption
- Level 3: Authenticated pairing and (AEAD) encryption
- Level 4: Authenticated LE Secure Connections pairing with 128 bit (AEAD) encryption
LE security mode 2:
- Level 1: Unauthenticated pairing with ”data signing” (AES-CMAC, not a digital signature)
- Level 2: Authenticated pairing with “data signing” (AES-CMAC, not a digital signature)
LE security mode 3:
- Level 1: No security
- Level 2: unauthenticated broadcast
- Level 3: authenticated broadcast
What are the phases in BLE pairing?
Phase 1: Select method of pairing and authentication
Phase 2: Short term key generation
LE Legacy Pairing (v4.0, v4.1), no DH: Passkey, OOB, Just works
Secure connections pairing (v4.2), DH: Passkey, OOB, Just works, Numberic comparison
Phase 3: Longterm key generation: LTK, CRSK, IRK
What is the problem with legacy BLE pairing?
- No DH, so when handshake is observed, key can be cracked offline
-
Chapter 1- Introduction3
-
Chapter 2 - GSM19
-
Chapter 3 - UMTS18
-
Chapter 4 - LTE16
-
Chapter 5 - 5G9
-
Chapter 6 - WLAN29
-
Chapter 7 - EAP7
-
Chapter 8 - Bluetooth22
-
Chapter 9 - Example for an Algebraic Attack on a Symmetric Stream Cipher2
-
Chapter 10 - CBC Mode padding oracle4
-
Chapter 11 - Bleichenbacher and Return of the Bleichenbacher Oracle Threat1
-
Chapter 12 - Practical Problems with DH3
-
Chapter 13 - Routing Security3
