By Sarosh Petkar –
Bluetooth has become ubiquitous in modern day devices such as mobile phones, laptops, speakers and even cars.
What is Bluetooth?
Bluetooth is a popular standard for close-range wireless communication. It provides the ability to pair two devices together and thereby exchange information with each other.
The aim of the experiment is to analyze the authentication mechanism utilized by Bluetooth devices. The tools used in the procedure are: MAC OSX Yosemite, Bluetooth speakers and an Iphone.
The pairing process, also known as the standard pairing, requires the two devices establish an initial symmetric key in order to communicate securely.
In this case there are two devices 1 and 2. The two parties at first handle two keys, share a PIN and know each other’s 48-bit Bluetooth device address (BD_Addr). The first is the symmetric initialization key (Kinit) to mutually authenticate each other and the second is a link key. The link key is generated during the pairing session with the help of the initialization key.
Figure 1: Bluetooth traffic
The ‘Unit key’ is generated when the device is first operated with the help of the key generation algorithm.
The ‘Initialization key’ is needed when two devices need to communicate with each other. It is used for exchanging link keys and for encryption as well as decryption of information during the link key generation protocol.
The ‘Link key’ can be used in two different methods. The devices’ unit key can be sent with encryption of the initialization key and this would constitute a link key or the device can generate a random number and then send it under the encryption of the initialization key and thereby generate a link key.
The ‘Combination key’ is generated during the Initialization process at the same time and is only valid for the session only. This key is exchanged when the two devices compute their link keys. It comprises of a 128 bit random number and the Bluetooth device address.
The ‘Encryption key’ is generated from the current link key during the authentication process. It is based on the COF (96 bit Ciphering Offset Number).
The ‘Master key’ is generally used as the link key if the master needs to transmit to multiple slaves. It is generated using the key generation algorithm by virtue of the 128 bit random number. The resultant link key is then sent to the slave, bitwise xored with overlay. With this, slave can compute master key.
Figure 2: Mac-book Pro as the master
Figure 3: I-phone as the slave
From the figure, initially both the devices share a low-entropy human-readable secret PIN. Typically the PIN comprises of a 4-digit code, which can be up to 128 bits
When device 1 initiates the connection it is referred to as the initiating device and it does so by generating a random nonce (number used once) n1, and then sending it to device 2. Both devices then compute a shared initialization key Kinit using the E22 algorithm. The key Kinit is a function of n1, BD_Addr1, and PIN.
Figure 4: Authentication process (here device 1 is denoted as A and device 2 as B)
After the shared key generation, the two devices authenticate each other before generating the encryption key. It is based on the challenge response scheme. The verifier (device 2) sends a plain-text random value AV_RAND2, the receiver (device 1) then computes a response SRES = E1 (Kinit, BD_Addr1, AV_RAND2) where E1 is the algorithm. The verifier performs the same calculation and compares the response to the verifier. After the verification, a match is required for the mutual authentication process to be successful.
The Bluetooth mechanism involves the use of block cipher algorithm for encryption and Link Key generation. Further, the encryption of packets is performed using a stream cipher and 4 linear feedback shift registers.
After authentication, a cipher key K3 is generated. The key length is 128 bits to ensure high level of security.
After the key is generated, the data payload is encrypted using the cipher stream engine E0 and takes as inputs the encryption key, BD_Addr, 128 bit random number and the 26 LSB of the master’s clock.
The input values are shifted into four linear feedback shift registers and then combined in the summation combiner FSM to produce the cipher. This generates a new cipher every time.
One well-known weakness within this mechanism lays in its pairing mechanism, which leads to an attacker guessing the PIN number thereby leading to the guessing of the Initialization, Link and Encryption keys.
Figure 5: Exchange of information during connection (here device 1 is denoted as A and device 2 as B)
An attacker can eavesdrop on the pairing session by first guessing the value for the PIN say ‘1234’. Then the attacker tries to compute the ‘Msg 3’ (when device 1 tries to authenticate itself to device 2) using this PIN. The value of n1 and AV_RAND2 are learned by the attacker from the first two messages while the value of BD_Addr1 is public. Thus, to verify whether the guess was correct or not, the attacker uses these values to compute the reply and compares the result to the third message.
The attacker can obtain the following parameters: random value n1, Bluetooth device address (BD_Addr1 & BD_Addr2), encrypted random values Kinit xor RAND1, Kinit xor RAND2, clear text values AV_RAND and SRES. This information is obtained by observing the authentication message exchange after the link key exchange. Hence the only unknown parameter in the calculation of Kinit is the PIN.
In order to impersonate a device it is sufficient to know Kinit and the public address of the device. The big conundrum arises when the attacker knows the shared PIN value, thus both the secrecy and authentication will be violated.
According to a few authors, one way to improve the key generation process and inhibit the chances of the mechanism being cracked is the introduction of another shared secret parameter referred to as the AU_ID. It is used in the generation of the initialization key and is exchanged via the Diffie Hellman key exchange method. This could potentially increase security, as this key is not easily guessed. One big reason for that is, the key is incremented as per the number of interactions between the two devices during the present session.
The discussion presents a basic idea of what happens when two devices perform a handshake via Bluetooth. It describes the steps and the keys involved during this authentication mechanism. It finally introduces a possible solution to remedy the popular security vulnerability of PIN guessing.
Tarun Kumar, “Improving Pairing Mechanism in Bluetooth Security”, Dept. of Computer Science and Information Technology, Radha Govind Engineering College, Meerut (U.P.), India.