50 |
|
Bluetooth Security |
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
Device A |
|
Device B |
|
||||
|
|
|
|
|
|
|
|
|
|
|
LK_RANDA |
|
BD_ADDRA |
LK_RANDB |
|||||
|
|
|
|
|
|
||||
|
|
|
|
BD_ADDRB |
|||||
KA = E21 (LK_RANDA, BD_ADDRA) |
|
KB = E21 (LK_RANDB, BD_ADDRB) |
|||||||
|
|
CA |
|
|
|||||
CA = LK_RANDA K |
|
|
CA K= LK_RANDA |
||||||
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
||
CB K= |
LK_RANDB |
|
|
CB |
CB = LK_RANDB K |
||||
|
|
|
|
|
|
|
|||
KB = E21 (LK_RANDB, BD_ADDRB) |
|
|
|
|
|
KA = E21 (LK_RANDA, BD_ADDRA) |
|||
|
KAB = KA KB |
|
|
|
|
|
KAB = KB KA |
||
|
Erase K |
|
|
|
|
|
Erase K |
||
Figure 3.3 Process of generating the combination key KAB between units A and B using the current link key K. The current link key K is erased after the successful establishment of KAB.
3.4.4Authentication
In the authentication process, a device will take either the role of claimant or verifier. In case of a mutual authentication, the roles will be interchanged in the process. Prior to the authentication, the host or user determines which device is the claimant and which device is the verifier. Which role to take depends on the security policy and security mode for each device. A more thorough discussion on security policies and security modes can be found in Section 2.5 and in Chapter 6.
Suppose device A is the verifier and device B is the claimant. Then A challenges device B by sending the random 128-bit value AU_RAND and expects from B the response
SRES = E 1 (K , AU _ RAND, BD _ ADDR B ) |
(3.11) |
where K is the exchanged link key and E1 is the Bluetooth authentication function. E1 is described in Section 4.2.1. The claimant B receives the challenge
AU_RAND and sends A the response SRES = E1(K, AU_RAND, BD_ADDRB ). The verifier A receives SRES’ and compares its value with that of the expected SRES. If the values are equal, A declares that it has successfully authenticated device B. If the values differ, the authentication has failed. When A has successfully authenticated B, the LM may want to conduct a mutual authentication, in
Bluetooth Pairing and Key Management |
51 |
|
|
which case the above procedure is repeated with the roles of A and B interchanged. The random value used in the challenge of device A this time is a completely new random value.
It is important to note that it is not necessarily the master that starts as verifier. It is the application via the LM that determines the order in which authentication is performed and if one-way or mutual authentication is required. Figure 3.4 shows a mutual authentication.
Besides the peer authentication, the Bluetooth authentication procedure also results in the creation of the authenticated ciphering offset (ACO). The ACO is used when computing the ciphering key. In the case of mutual authentication, the ACO of the last authentication is retained. The ACO is produced by the mechanism E1 at the same time SRES is computed. For details on the computation of SRES and ACO, see Section 4.2.1.
Finally, the Bluetooth authentication uses a simple method to reduce the impact of repeated erroneous authentications. This could, for example, be a component in a denial-of-service (DoS) attack. If authentication fails, a certain amount of time must elapse before the verifier will initiate a new attempt to the same claimant and before the claimant sends a response to an authentication attempt by a unit using the same identity as the unit that notified an authentication failure. For each additional authentication failure, the waiting interval should be exponentially increased until a certain maximum value is obtained. The Bluetooth specification speaks about a doubling of the waiting interval time. When no authentications take place, the waiting interval is exponentially reduced until a certain lowest value is reached. Moreover, if a successful authentication event takes place, the waiting interval may immediately be reset to the minimum value, To obtain some protection against a DoS attack, a Bluetooth
Link key K |
|
|
|
Link key K |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Device A |
|
Challenge A |
Device B |
|||
as claimant: |
|
as verifier: |
||||
|
|
|
||||
|
Response A |
|||||
|
|
|
|
|
||
as verifier |
|
Challenge B |
|
as claimant |
||
|
Response B |
|||||
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ACO |
|
|
|
ACO |
||
Figure 3.4 The mutual authentication process between devices A and B and the generation of the ACO.
52 |
Bluetooth Security |
device should keep a list containing, for each unit it has connected with, the corresponding waiting interval.
3.4.5Master key generation
The master key is a temporary key that is used to protect data sent in broadcast messages where a master is communicating the same data to several slaves. See Chapter 5. The master key will replace the link key until the broadcast situation
is terminated. The key Kmaster is computed by using the algorithm E22 and from two locally generated (secret) 128-bit random values LK_RAND1 and
LK_RAND2:
K master = E 22 (LK _ RAND1, LK _ RAND 2, 16) |
(3.12) |
The value of Kmaster is sent to slave B. However, Kmaster is not sent by itself; instead, A sends first a third (but now public) 128-bit random value RAND3 followed by
K AB = K master K ovl |
(3.13) |
where Kovl is an overlay key computed as |
|
K ovl = E 22 (K , RAND3, 16) |
(3.14) |
using the current link key K. Hence, the master key is encrypted by using the overlay key. See Figure 3.5. Since the slave B also knows the link key K and receives LK_RAND3, the recovery of the master key is simply performed by B through the computation
K AB E 22 (K , RAND3, 16) = K AB |
K ovl |
= K master |
K ovl K ovl |
= K master |
|
The above procedure is carried out between the master and all the slaves involved in the broadcast. For each slave, a mutual authentication with the master will be performed using the master key as link key. The ACO values of these authentications should not replace the existing ACO values of the links between the master and slaves. These original ACO values are needed to recompute the original ciphering keys when the master terminates the broadcast and wants to