4
Algorithms
In this chapter, the internal workings of the Bluetooth cryptographic algorithms will be described. These algorithms can be divided into two groups. On one hand we have the four algorithms E1, E21, E22, and E3, which all use the same underlying 128-bit block cipher SAFER+. On the other hand, we have the Bluetooth encryption mechanism E0, which uses a stream cipher with a 132-bit initial state. Because of SAFER+’s and E0’s central position, we will focus in this chapter on describing these two algorithms. Some implementation aspects will be discussed at the end of the chapter. We start by returning to the basic description of cryptographic algorithms from Chapter 1.
4.1 Crypto algorithm selection
4.1.1Block ciphers
In Chapter 1, block ciphers and stream ciphers were introduced as reversible transformations to encrypt plaintext information into cipher text. In Chapter 3, we saw that the key management in the Bluetooth systems involves several key derivation and generation methods. By simply looking at the way the key derivation algorithms E1, E21, E22, and E3 are defined (as mappings from inputs to an output), one can see that these are very similar to block ciphers. It is rather easy to modify a block cipher for use in these four algorithms. This is typical and block ciphers are therefore often found in key derivation mechanisms for other systems. Since keys in the Bluetooth system are 128 bits long, it is natural to use a block cipher that can transform 128-bit data with a 128-bit key, since keys can then be directly used as data input as well. Besides this interface requirement,
65
66 |
Bluetooth Security |
one wants a block cipher with a high strength level and that is cryptographically well understood. There are a number of block ciphers available that would fit into these requirements. An additional requirement is that the use of the algorithm was free, that is, not limited by patent rights or license fees. The designers of the Bluetooth system chose SAFER+. The algorithm was at the time of selection for Bluetooth one of the contenders1 for the AES. It was taken out of the competition mainly because of the results in performance measurements using reference implementations and because the 256-bit key version had a weakness that reduced the effective key size somewhat. Yet SAFER+ was available with very thorough cryptanalysis using state-of-the-art block cipher analysis techniques. The latter, in combination with the experience of its predecessor SAFER [1], convinced the Bluetooth designers to put their trust in SAFER+. As of today, no weaknesses in SAFER+ have been reported that constitute a threat to its use in Bluetooth.
4.1.2Stream ciphers
Stream ciphers are ideal in communication systems, since they very easily handle plaintexts of various length. Block ciphers can be used as well but require padding schemes. Furthermore, traditionally, stream ciphers have been designed with (low) implementation complexity in mind. There are mainly two approaches toward designing a stream cipher: direct or indirect via a block cipher. This split is not very well defined, and it may well happen that one cannot tell which design type a specific construction belongs to.
In a block cipher–based design, the block cipher is complemented with memory registers to keep a state and with a feedback mechanism to create an altogether autonomous finite state machine. The overall key to the stream cipher system is often used as the key to the block cipher but could also determine the initial state of the registers. To be attractive, this kind of design requires the block cipher to be very implementation friendly in either software or hardware or both. An example of such a design is the Universal Mobile Telecommunications System (UMTS) encryption algorithm f8 [2], which uses the KASUMI block cipher. In a direct design, one constructs the autonomous finite state machine directly, potentially offering an easier way for keeping implementation complexity down. Compared to block ciphers, it is somewhat more difficult to meaningfully define the strength requirements of a stream cipher. For our purposes it is sufficient to state that even if the attackers have access to a very long key stream, they should not be able to recover the key that was used to generate that key stream. Let us now turn to the Bluetooth system.
1.It was submitted by Cylink, Corp., Sunnyvale, CA, and designed by J. L. Massey and G. H. Khachatrian.