Tài liệu Lecture-10-bluetooth security

Bluetooth Security Dr. Nguyen Tuan Nam [email protected] Security in Bluetooth •  3 basic services: –  Authentication •  Identity verification of communicating devices •  Address the question “Do I know with whom I’m communicating?” •  Provide an abort mechanism if a device cannot authenticate properly –  Confidentiality (privacy) •  Prevent information compromise caused by eavesdropping (passive attack) •  Address the question “Are only authorized devices allowed to view my data?” –  Integrity –  Authorization •  Allow the control of resources •  Address the question “Has this device been authorized to use this service?” Nguyen Tuan Nam/WNC 2010 2 Security in Bluetooth •  3 modes: –  Non-secure mode –  Service-level enforced security mode –  Link-level enforced security modes Nguyen Tuan Nam/WNC 2010 3 Non-secure Mode •  A device will not initiate any security procedures à security functionality (authentication + encryption) is completely bypassed •  Devices are in a promiscuous mode à allows other devices to connect to it •  Provide for application where security is not required •  Ex? Nguyen Tuan Nam/WNC 2010 4 Service-level Enforced Security Mode •  Security procedure initiated after channel establishment at the L2CAP level –  L2CAP resides in the data link layer –  L2CAP provides connection-oriented and connectionless data services to upper layers •  Centralized security manager –  Control access to services and devices –  Maintain polices for access control and interfaces with other protocols –  Varying security polices and trust levels may be defined for applications with different security requirements Nguyen Tuan Nam/WNC 2010 5 Link-level Enforced Security Mode •  Security procedure is initiated before channel establishment •  Support authentication (unidirectional or mutual) and encryption •  Based on a secret link key that is shared by a pair of devices •  Link key is generated during the pairing procedure Nguyen Tuan Nam/WNC 2010 6 Security in Bluetooth Security Mode Mode 1 – No Security Mode 2 – Servicelevel Insecured Flexible / Policy based why no authorization for mode 3 Authentication + Confidentiality + Authorization Nguyen Tuan Nam/WNC 2010 Mode 3 – Link-level Fixed Authentication + Confidentiality 7 Security Levels •  Devices –  Trusted: devices that have a fixed relationship à full access to all services –  Untrusted: no permanent relationship à restricted service access •  Services –  Require Authentication and Authorization •  Automatic access is granted only to trusted devices •  Untrusted devices need manual authorization –  Require Authentication Only •  Access to application is allowed only after an authentication procedure •  Authorization is not necessary –  Open to all devices •  Authentication not required •  Access is granted automatically Nguyen Tuan Nam/WNC 2010 8 Bluetooth Identifiers •  Unique IEEE Bluetooth Device Address (BD_ADDR) –  48 bits •  Link key for authentication (usually pair-wise) –  128 bits •  Encryption key (symmetric key) –  8 to 128 bits •  Random numbers (RAND) generated as required Nguyen Tuan Nam/WNC 2010 9 Link Key Generation – Bluetooth Bonding •  Generated during an initialization phase while 2 devices are paired –  When user enters an identical PIN into both devices –  PIN code can vary between 1 and 16 bytes •  Possible to create link key using higher layer key exchange methods and then import the link key into the Bluetooth modules •  Usage –  Provide means for a secure link layer –  Challenge-response authentication with knowledge of link key –  Encryption, thus assuring privacy Nguyen Tuan Nam/WNC 2010 10 Link Key Generation from PIN Nguyen Tuan Nam/WNC 2010 11 Key Types – Link Keys •  Initialization –  Initialization Key derived from PIN –  Created if there are no other keys –  Used once during the initialization then discarded •  Semi-permanent –  Unit Key •  Generated once in unit •  Device uses unit key in all its connections with other users •  Unit key is preferred when one single device is connecting a large group of user à store 1 key instead of 1 key for each user •  Used when memory constrained –  Combination Key •  Derived from contributions from 2 devices (based on information from both devices) •  Unique per pair of connection Nguyen Tuan Nam/WNC 2010 12 Key Types – Link Keys (cont.) •  Temporary –  Master Key •  For point-to-multipoint broadcasts •  Only used temporarily to replace an original link key in a current session •  Used when a master device wants to reach more than 1 slave using the same encryption key Nguyen Tuan Nam/WNC 2010 13 Key Types – Encryption Key •  Derived from current semi-permanent of temporary key •  Renewable for every connection •  Configurable key length (8-128 bits) Nguyen Tuan Nam/WNC 2010 14 Algorithms •  Authentication and key generation (all based on SAFER+ block cipher) –  E1 – Authentication algorithm –  E21 – Unit and combination keys generation –  E22 – Initialization and master keys generation –  E3 – Encryption key generation •  Encryption –  E0 – Stream cipher algorithm Nguyen Tuan Nam/WNC 2010 15 Typical Security Procedures Device A First Startup Device B First Startup Generation of Unit Key (E21) Generation of Unit Key (E21) Device A to Device B First Handshake Generation of Initialization Key (E22) Authentication (E1) Link Key Exchange (E21) Device A to Device B Following Handshake Authentication (E1) Generation of Encryption Key (E3) Encrypted Communication (E0) Nguyen Tuan Nam/WNC 2010 16 Unit Key Generation RAND 128 E21 BD_ADDR 128 Unit Key 48 Nguyen Tuan Nam/WNC 2010 17 Initialization Key Generation RAND PIN LENPIN BD_ADDR 128 E22 128 Initialization Key 48 –  If one device has a fixed PIN, use the BD_ADDR of the other device –  If both device have fixed PINs, they can’t be paired –  If both have non-fixed PIN, use BD_ADDR of the device received the RAND Nguyen Tuan Nam/WNC 2010 18 Authentication •  Using a share secret key – link key A B Authen Encrypt using link key tication REQ e Challeng Send encryp ted te xt ccess u S m r i f Con Challe nge Generate 128 bit challenge Decrypt the answer Mutual Authentication ypted r c n e d Sen Confir m Nguyen Tuan Nam/WNC 2010 19 Authentication Verifier A Claimant B RANDA RANDA BD_ADDRB E1 E1 SRES Link key ACO RANDA SRES’ = SRES BD_ADDRB Link key SRES ACO SRES = 32 most significant bits of resulted encrypted text, Why? Nguyen Tuan Nam/WNC 2010 20