Bluetooth Authentication Mechanism

By Sarosh Petkar – 

INTRODUCTION

Bluetooth has become ubiquitous in modern day devices such as mobile phones, laptops, speakers and even cars.

What is Bluetooth?

Bluetooth is a popular standard for close-range wireless communication. It provides the ability to pair two devices together and thereby exchange information with each other.

The aim of the experiment is to analyze the authentication mechanism utilized by Bluetooth devices. The tools used in the procedure are: MAC OSX Yosemite, Bluetooth speakers and an Iphone.

OVERVIEW

The pairing process, also known as the standard pairing, requires the two devices establish an initial symmetric key in order to communicate securely.

In this case there are two devices 1 and 2. The two parties at first handle two keys, share a PIN and know each other’s 48-bit Bluetooth device address (BD_Addr). The first is the symmetric initialization key (Kinit) to mutually authenticate each other and the second is a link key. The link key is generated during the pairing session with the help of the initialization key.

par2.png

Figure 1: Bluetooth traffic

KEYS INVOLVED

The ‘Unit key’ is generated when the device is first operated with the help of the key generation algorithm.

The ‘Initialization key’ is needed when two devices need to communicate with each other. It is used for exchanging link keys and for encryption as well as decryption of information during the link key generation protocol.

The ‘Link key’ can be used in two different methods. The devices’ unit key can be sent with encryption of the initialization key and this would constitute a link key or the device can generate a random number and then send it under the encryption of the initialization key and thereby generate a link key.

The ‘Combination key’ is generated during the Initialization process at the same time and is only valid for the session only. This key is exchanged when the two devices compute their link keys. It comprises of a 128 bit random number and the Bluetooth device address.

The ‘Encryption key’ is generated from the current link key during the authentication process. It is based on the COF (96 bit Ciphering Offset Number).

The ‘Master key’ is generally used as the link key if the master needs to transmit to multiple slaves. It is generated using the key generation algorithm by virtue of the 128 bit random number. The resultant link key is then sent to the slave, bitwise xored with overlay. With this, slave can compute master key.

par2-1.png

Figure 2: Mac-book Pro as the master

par2-2

Figure 3: I-phone as the slave

PAIRING MECHANISM

From the figure, initially both the devices share a low-entropy human-readable secret PIN. Typically the PIN comprises of a 4-digit code, which can be up to 128 bits

When device 1 initiates the connection it is referred to as the initiating device and it does so by generating a random nonce (number used once) n1, and then sending it to device 2. Both devices then compute a shared initialization key Kinit using the E22 algorithm. The key Kinit is a function of n1, BD_Addr1, and PIN.

par1

Figure 4: Authentication process (here device 1 is denoted as A and device 2 as B)

AUTHENTICATION

After the shared key generation, the two devices authenticate each other before generating the encryption key. It is based on the challenge response scheme. The verifier (device 2) sends a plain-text random value AV_RAND2, the receiver (device 1) then computes a response SRES = E1 (Kinit, BD_Addr1, AV_RAND2) where E1 is the algorithm. The verifier performs the same calculation and compares the response to the verifier. After the verification, a match is required for the mutual authentication process to be successful.

ENCRYPTION

The Bluetooth mechanism involves the use of block cipher algorithm for encryption and Link Key generation. Further, the encryption of packets is performed using a stream cipher and 4 linear feedback shift registers.

Process:

After authentication, a cipher key K3 is generated. The key length is 128 bits to ensure high level of security.

After the key is generated, the data payload is encrypted using the cipher stream engine E0 and takes as inputs the encryption key, BD_Addr, 128 bit random number and the 26 LSB of the master’s clock.

The input values are shifted into four linear feedback shift registers and then combined in the summation combiner FSM to produce the cipher. This generates a new cipher every time.

ATTACK ANALYSIS

One well-known weakness within this mechanism lays in its pairing mechanism, which leads to an attacker guessing the PIN number thereby leading to the guessing of the Initialization, Link and Encryption keys.

par3

Figure 5: Exchange of information during connection (here device 1 is denoted as A and device 2 as B)

An attacker can eavesdrop on the pairing session by first guessing the value for the PIN say ‘1234’. Then the attacker tries to compute the ‘Msg 3’ (when device 1 tries to authenticate itself to device 2) using this PIN. The value of n1 and AV_RAND2 are learned by the attacker from the first two messages while the value of BD_Addr1 is public. Thus, to verify whether the guess was correct or not, the attacker uses these values to compute the reply and compares the result to the third message.

The attacker can obtain the following parameters: random value n1, Bluetooth device address (BD_Addr1 & BD_Addr2), encrypted random values Kinit xor RAND1, Kinit xor RAND2, clear text values AV_RAND and SRES. This information is obtained by observing the authentication message exchange after the link key exchange. Hence the only unknown parameter in the calculation of Kinit is the PIN.

In order to impersonate a device it is sufficient to know Kinit and the public address of the device. The big conundrum arises when the attacker knows the shared PIN value, thus both the secrecy and authentication will be violated.

POSSIBLE SOLUTION

According to a few authors, one way to improve the key generation process and inhibit the chances of the mechanism being cracked is the introduction of another shared secret parameter referred to as the AU_ID. It is used in the generation of the initialization key and is exchanged via the Diffie Hellman key exchange method. This could potentially increase security, as this key is not easily guessed. One big reason for that is, the key is incremented as per the number of interactions between the two devices during the present session.

CONCLUSION

The discussion presents a basic idea of what happens when two devices perform a handshake via Bluetooth. It describes the steps and the keys involved during this authentication mechanism. It finally introduces a possible solution to remedy the popular security vulnerability of PIN guessing.

REFERENCES

Tarun Kumar, “Improving Pairing Mechanism in Bluetooth Security”, Dept. of Computer Science and Information Technology, Radha Govind Engineering College, Meerut (U.P.), India.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s