© Sil Janssens - Vrije Universiteit Brussel - Katholieke Universiteit Leuven
Last update Date: 2005/08/18 23:34:23, Revision: 1.39

Abstract

Bluetooth is a wireless technology standard specification developed and maintained by the Bluetooth Special Interest Group (SIG). This thesis focuses on the low-level security aspects of the Bluetooth specification. Most of the security features are covered in this thesis, but the E0 encryption system is discussed in more detail. Both strong and weak points of the Bluetooth specification are identified, thus covering the architecture but also many of the recently discovered security attacks.

The E0 Bluetooth encryption algorithm is based on a stream cipher with four linear feedback shift registers (LFSRs) in combination with a memory and a linear and nonlinear combiner function. Stream ciphers and the different types of attacks on stream ciphers will be covered in detail in this thesis. A simulation of the E0 system and some theoretical attacks on the E0 algorithm are implemented as a way to get a better understanding of how they work. But since these attacks have a high time complexity, between approximately O(2^80) and O(2^60), and require more keystream bits than are available in a real Bluetooth system, the implementation has no practical purpose.

Besides the stream ciphers, we also briefly introduce block ciphers, as these are used in the pairing and authentication systems of the Bluetooth architecture that we explore.

For completeness, we cover some attacks which have been found to work on some types of Bluetooth devices. Only a short overview is given for these attacks, as most of them are not based on a failing of the Bluetooth protocol but on the malfunction of specific implementations.


Acknowledgements

This dissertation could not have been written without Dr. Philippe Cara, who not only served as my supervisor but also encouraged and challenged me throughout my academic program. He and the faculty members of the Katholieke Universiteit Leuven from the COSIC Department, Robert Maier and Dave Singelee, guided me through the dissertation process, never accepting less than my best efforts. I thank them all.


CONTENTS

Abstract
Acknowledgements
List of Figures

Chapter 1. Introduction

Chapter 2. Bluetooth System Architecture
  2.1. Connection specifications
  2.2. The Bluetooth name
  2.3. Baseband modes
    2.3.1. Active mode
    2.3.2. Sniff mode
    2.3.3. Hold mode
    2.3.4. Parked mode
    2.3.5. Adaptive transmission power
  2.4. Network Topology
  2.5. Protocol Architecture

Chapter 3. Security Model
  3.1. Security
  3.2. Wireless Security
  3.3. Shannon’s Model
  3.4. Theorems
    3.4.1. Perfect Secrecy
    3.4.2. Kerckhoffs’ principle
    3.4.3. Order notation
    3.4.4. Functions and Correlations
    3.4.5. Berlekamp-Massey Algorithm
  3.5. Hypothesis Testing

Chapter 4. Stream Ciphers
  4.1. Introduction
  4.2. One-time pads
  4.3. Stream Ciphers
    4.3.1. Classification
  4.4. Pseudo-random generator
  4.5. Linear Feedback Shift Register

Chapter 5. Stream Cipher Attacks
  5.1. Stream Ciphers Weaknesses
  5.2. Evaluation criteria
  5.3. Attacks
    5.3.1. Brute-force attack
    5.3.2. Trade-off attacks
    5.3.3. Guess-and-determine attacks
    5.3.4. Correlation attacks or Siegenthaler’s attack
    5.3.5. Fast Correlation attack
    5.3.6. Divide and Conquer attack
    5.3.7. Algebraic attacks or Linearisation attack
    5.3.8. Fast Algebraic attacks
    5.3.9. Side Channel attacks

Chapter 6. Block Ciphers
  6.1. Introduction
  6.2. History
  6.3. Mode of Operation
    6.3.1. Iterative Block Cipher
    6.3.2. Electronic Code Block Cipher (ECB)
    6.3.3. Cipher Block Chaining (CBC)
    6.3.4. Cipher Feedback (CFB)
    6.3.5. Output Feedback (OFB)
    6.3.6. Counter mode (CTR)
  6.4. Advantages

Chapter 7. Bluetooth Security overview
  7.1. Security mode 1: non-secure mode
  7.2. Security mode 2: Service-level enforced security mode
  7.3. Security mode 3: Link-level enforced security mode
  7.4. Link-level security
    7.4.1. Pairing
    7.4.2. Authentication
    7.4.3. Encryption Process
  7.5. Problems with the Bluetooth Standard Security [Karygiannis02a] [Muller99]
  7.6. Bluetooth security attacks
    7.6.1. Bluejacking
    7.6.2. Bluetooth Wardriving
    7.6.3. Impersonation attack by inserting/replacing data
    7.6.4. Nokia 6310i Bluetooth OBEX Message DoS
    7.6.5. Brute-Force attack
    7.6.6. Denial-of-Service attack
    7.6.7. Disclosure of keys
    7.6.8. Backdoor attack
    7.6.9. BlueStumbling or BlueSnarfing
    7.6.10. BlueBug attack
    7.6.11. Pairing attack, Offline PIN recovery
    7.6.12. On-line PIN recovery
    7.6.13. Impersonate original sending/receiving unit
    7.6.14. Attack on the Bluetooth Key Stream Generator
    7.6.15. Replay attacks
    7.6.16. Man-in-the-middle attack

Chapter 8. Bluetooth Stream Cipher E0
  8.1. Introduction
  8.2. Encryption process
  8.3. Bluetooth Stream Cipher E0 Attacks
    8.3.1. Divide-and-conquer, Correlation attack, Hermelin and Nyberg
    8.3.2. Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson
    8.3.3. Faster correlation attack, Y. Lu and S. Vaudenay
    8.3.4. Guess-and-determine attack, M. O. Saarinen
    8.3.5. Guess-and-determine attack, S.R. Fluhrer and S. Lucks
    8.3.6. Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel
    8.3.7. FBDD-attack, M. Krause
    8.3.8. Algebraic attack, F. Armknecht
    8.3.9. Fast Algebraic attack, N. Courtois and F. Armknecht

Chapter 9. Bluetooth Pairing and Authentication process
  9.1. Introduction
  9.2. SAFER+
  9.3. Bluetooth Pairing process
  9.4. Bluetooth Authentication process
  9.5. PIN recovery

Chapter 10. Conclusion

References

Appendix A. Abbreviations


List of Figures

2.1 The official Bluetooth logo
2.2 A scatternet with piconets, masters and slaves [Miller01]
2.3 The Bluetooth stack
3.1 Shannon’s model: process of encryption, transmission and decryption
4.1 Stream cipher classifications [Kiviharju04]
4.2 Synchronous stream cipher structure
4.3 Asynchronous stream cipher structure
4.4 Linear Feedback Shift Register [Wikipedia05]
5.1 Meier and Staffelbach’s fast correlation attack model
7.1 Bluetooth Key Generation from PIN [Karygiannis02a]
7.2 Bluetooth Encryption Process [Karygiannis02a]
8.1 Bluetooth encryption process
8.2 The E0 keystream generator
8.3 Model of attack [Ekdahl03]
9.1 SAFER+ key scheduling [SIG03]
9.2 Initialization key KINIT generation with the E22 algorithm [Shaked05]
9.3 Link key KAB generation with the E21 algorithm [Shaked05]
9.4 Bluetooth Authentication [Karygiannis02a]
9.5 Flowchart of the PIN recovery attack [Shaked05]
10.1 Complexities of the E0 attacks [Kiviharju04]


CHAPTER 1

Introduction

Bluetooth wireless technology is a short-range radio technology that is designed to fulfill the particular needs of wireless interconnections between different personal devices. The development of Bluetooth started in 1994, when a team of researchers at Ericsson Mobile Communications, led by Dr. Jaap Haartsen and Dr. Sven Mattisson, required a way to connect a keyboard to a computer without a cable. They initiated a feasibility study of universal short-range, low-power wireless connectivity as a way of eliminating cables between mobile phones and computers, headsets and other devices. The wireless link turned out to be useful for many other things and it was developed into a very generic tool for connecting devices. A synchronous mode for voice traffic and support for up to seven slaves was introduced. In order to gain momentum for the technology and to promote acceptance, the Bluetooth Special Interest Group (SIG) was founded in May 1998. The group consists of almost all the biggest companies from various fields, like Ericsson, Nokia, Intel, IBM, Toshiba, Microsoft, Apple, 3Com, Motorola, Toyota, Lexus, BMW, etc. The number of participating companies is now over 3,000. By joining forces, the SIG members have evolved the radio link to what is now known as Bluetooth wireless technology. A variety of products is available on the market today, including printers, laptops, keyboards, cars and mobile phones.¹ Every week, more than 5 million Bluetooth-enabled products ship; according to IDC² there will be more than 922 million Bluetooth-enabled devices worldwide by 2008.

The Bluetooth specification [SIG03] introduces a fast, short-range and low-cost technology. The specification is public: all parties that have adopted it have access to it. The companies within the SIG are responsible for the development and marketing of Bluetooth.

¹ Mobile phones are the most popular type of Bluetooth-enabled devices, with 60% of the Bluetooth market.
² IDC is the premier global market intelligence and advisory firm in the information technology and telecommunications industries, http://www.idc.com


Bluetooth is equipped with encryption, quality of service (QoS) and an authentication mechanism. A stream cipher is used to enable the secure exchange of information. The Bluetooth stream cipher is defined as the E0 algorithm, a nonlinear combination generator. This combination generator produces key sequences that are used to encipher the Bluetooth data.

A combination generator, as in the Bluetooth E0 algorithm, uses Linear Feedback Shift Registers (LFSRs). These registers produce pseudo-random sequences. The system is extended with a memory and a nonlinear combination function. This is needed to introduce sufficient nonlinearity (less correlation between the input and output) to make it difficult to recompute the initial state by observing key stream data. The Bluetooth stream cipher E0 uses a four-bit memory. Combined with the fact that the E0 system is frequently re-initialized and only generates rather short key streams (max 2,745 bits ≈ 2^11 bits), the cryptographic properties are quite adequate for the intended usage. The best theoretical attack known today works in 2^39 time given 2^39 consecutive bits after O(2^37) precomputations; clearly this is not usable in practice.
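The following Python toy, added here and not code from the thesis, illustrates why a combination generator needs the nonlinear combiner described above: the Berlekamp-Massey algorithm (covered in Section 3.4.5) recovers a purely linear generator from 2L keystream bits, while a nonlinear combination of four registers pushes the linear complexity L, and with it the number of bits an observer must see, far up. The four feedback polynomials, the seeds and the combining function f are constructed for illustration (they are not E0's registers or combiner), and E0's four-bit memory is left out.

```python
"""Toy combination generator versus Berlekamp-Massey (added example).

The registers, seeds and combiner below are constructed for illustration;
they are NOT the E0 registers or the E0 combiner, and the E0 memory is
omitted.  The point is the trade-off the text describes: a linear
generator is pinned down by 2L observed bits, a nonlinear one needs many more.
"""
from typing import Dict, List, Sequence, Tuple


def lfsr_stream(length: int, taps: Sequence[int], seed: Sequence[int],
                n: int) -> List[int]:
    """Fibonacci LFSR over GF(2) with feedback polynomial
    x^length + sum(x^t for t in taps):  s[k+length] = XOR of s[k+t]."""
    assert len(seed) == length and any(seed), "seed must be nonzero"
    reg = list(seed)                      # reg[i] holds s[k+i]
    out = []
    for _ in range(n):
        out.append(reg[0])
        new = 0
        for t in taps:
            new ^= reg[t]
        reg = reg[1:] + [new]
    return out


def berlekamp_massey(s: Sequence[int]) -> Tuple[int, List[int]]:
    """Linear complexity L of s over GF(2) and its connection polynomial
    C = [c_0=1, c_1, ..., c_L] with s[i] = XOR(c_j & s[i-j], 1<=j<=L)."""
    n = len(s)
    c = [1] + [0] * n
    b = [1] + [0] * n
    L, m = 0, -1                          # m: index of the last length change
    for i in range(n):
        d = s[i]                          # discrepancy against the current C
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]      # C(x) += x^shift * B(x)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(c: Sequence[int], L: int, prefix: Sequence[int], n: int) -> List[int]:
    """Run the recovered recurrence forward from the first L observed bits."""
    s = list(prefix[:L])
    while len(s) < n:
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & s[-j]
        s.append(nxt)
    return s


# Four maximum-length LFSRs of pairwise distinct lengths (constructed choice):
# x^5+x^2+1, x^7+x+1, x^9+x^4+1 and x^11+x^2+1 are primitive over GF(2).
REGISTERS = [
    (5, (0, 2), [1, 0, 1, 1, 0]),
    (7, (0, 1), [0, 1, 1, 0, 1, 0, 1]),
    (9, (0, 4), [1, 1, 0, 0, 1, 0, 1, 1, 0]),
    (11, (0, 2), [1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1]),
]


def register_outputs(n: int) -> List[List[int]]:
    return [lfsr_stream(L, taps, seed, n) for L, taps, seed in REGISTERS]


def linear_keystream(n: int) -> List[int]:
    """Linear combiner: plain XOR of the four registers (L = 5+7+9+11 = 32)."""
    return [x1 ^ x2 ^ x3 ^ x4 for x1, x2, x3, x4 in zip(*register_outputs(n))]


def keystream(n: int) -> List[int]:
    """Nonlinear combiner f(x1..x4) = x1*x2 + x3*x4 + x1 + x4 over GF(2).
    For maximum-length LFSRs of distinct lengths the linear complexity is
    f evaluated over the integers: 5*7 + 9*11 + 5 + 11 = 150."""
    return [(x1 & x2) ^ (x3 & x4) ^ x1 ^ x4
            for x1, x2, x3, x4 in zip(*register_outputs(n))]


def observer_budget(n: int = 1000) -> Dict[str, int]:
    """Keystream bits (2L) an observer needs to pin down each generator."""
    single = lfsr_stream(*REGISTERS[0], n)
    return {name: 2 * berlekamp_massey(bits)[0]
            for name, bits in [("single LFSR", single),
                               ("linear XOR of four", linear_keystream(n)),
                               ("nonlinear combiner", keystream(n))]}


if __name__ == "__main__":
    print(observer_budget())
    ks = keystream(1000)
    L, c = berlekamp_massey(ks[:400])     # 400 > 2 * 150 observed bits
    print("recovered recurrence of length", L,
          "reproduces the rest of the keystream:", predict(c, L, ks, 1000) == ks)
```

In E0 the memory makes the combiner stateful, so this memoryless linear-complexity bound does not carry over directly; the attacks in Chapter 8 are correlation and algebraic attacks rather than a plain Berlekamp-Massey run.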

This thesis is organized as follows: first we describe the details of the Bluetooth system specifications in Chapter 2. Then we explore some general topics and theorems concerning security in Chapter 3. Chapters 4 and 5 cover specific details of stream ciphers and the attacks on stream ciphers, while Chapter 6 discusses block ciphers in general. Finally, Chapters 7, 8 and 9 describe all details of, and attacks on, the specific Bluetooth encryption, pairing and authentication. We end this thesis with an overview and the conclusion of the research in Chapter 10.

Since a lot of abbreviations appear within the topic of this thesis, Appendix A is included with a short explanation of all abbreviations used.

The objective of this thesis is not only to explore the Bluetooth system and the security (weaknesses) of the Bluetooth system, but also to become familiar with theoretical and practical research in cryptography. We try to cover the security research of wireless networks as widely as possible, but we also explore Bluetooth-specific security research. As the topic of research was completely new to me, it was not possible to examine each term or algorithm completely. In order to avoid going too deeply into coding theory, certain terms are introduced only briefly, yet every introduction holds references to more elaborate research.


CHAPTER 2

Bluetooth System Architecture

From the beginning, the Bluetooth specification has been written with use cases for handheld personal devices in mind. It is designed for devices with particular needs and constraints, the main points being low cost and low power consumption. Consequently, the trade-off between cost and power consumption on one side and performance on the other was made during the development. It is now possible to implement rather cheap one-chip radios. But the lack of external components on the chip (such as filters) decreases the sensitivity of the chips and thus shortens the range. On the other hand, special attention was paid to handling interference at frequencies near the intended signal (through adjacent channel rejection). This helps to keep up the desired throughput when many links are running simultaneously. The Bluetooth system is designed to function in noisy environments, where interference rather than range is expected to be the limiting factor of the perceived performance.

With the target devices in mind, there was no need to have an infrastructure (base stations) in place. Therefore, a flexible master-slave concept was introduced to fit well in a dynamically changing environment of devices that communicate with each other.

The designers of the Bluetooth implementation added support for a wide range of requirements on the traffic types of different applications; Bluetooth can handle various data transport channels: asynchronous (e.g. data), isochronous (e.g. streaming audio/video) and synchronous (e.g. real-time audio/video). They made it possible to mix asynchronous and synchronous traffic at the same time. This is one of the reasons that Bluetooth holds so much potential: it promises to link up many divergent devices such as PDAs, cell phones, GPS systems, car systems, computers, music systems etc. to different types of hardware and software platforms, linking different networks and bringing "pervasive connectivity" [Anand01].


2.1. Connection specifications

The most important technical connection specification details of the Bluetooth system [SIG03] are assembled in the following list:

• Bluetooth devices form piconets (wireless ad-hoc networks for mobile devices) and share a common communication data channel. The channel has a total capacity of 723.2 kilobits per second (2.1 Mbps for the newest devices). The headers and handshaking information consume about 20 percent of this capacity.

• A piconet has a master and up to seven slaves. A master can be a slave in another piconet at the same time, but it cannot be a master in two piconets at the same time.

• Many piconets can be operated in parallel before mutual interference cancels the traffic benefits of the parallelism.

• The master transmits in even time slots and slaves in odd time slots, which is called "Time Division Duplex" (TDD) [Paulraj02].

• Only master-to-slave or slave-to-master communication is possible; slave-to-slave traffic is relayed through the master.

• All devices have the ability to take the role of either slave or master. The master role is generally assumed by the device that initiates the communication.

• There are two types of data transfer between devices: SCO (synchronous connection oriented) for sound/voice and ACL (asynchronous connectionless) for data transmissions.

• In a piconet, there can be up to three SCO links (with one, two or three slaves) of 64,000 bits per second each.

• The SCO point-to-point links use reserved slots set up by the master to avoid collision problems.

• ACL slaves can only transmit when requested by the master.

• ACL is either a point-to-point (master to one slave) link or a point-to-multipoint (broadcast) link to all the slaves in a piconet.

• In the United States and Europe, the frequency range used by Bluetooth is 2,400 to 2,483.5 MHz in the license-free ISM radio band, with 79 1-MHz radio frequency (RF) channels. In practice, the range is 2,402 MHz to 2,480 MHz. In Japan, the frequency range is 2,472 to 2,497 MHz with 23 1-MHz RF channels.

• A data channel hops randomly 1,600 times per second between the 79 (or 23) RF channels. This hopping is called frequency hopping [WaveWireless00] and minimizes the interference with other devices in the ISM band.

• Each channel is divided into time slots 625 microseconds long.

• Packets can be up to five time slots wide.

• Data in a packet can be up to 2,745 bits in length.

• The maximum transmit power is restricted to 100 mW, reaching approximately 100 meters. Low-power devices operate at 2.5 mW and have an operating range of up to 10 meters.

• The sensitivity level is defined such that a raw Bit Error Rate (BER) of 10^-3 is met, limiting the average probability that a received bit is erroneous.

• For data traffic, a Cyclic Redundancy Check (CRC) is applied and error correction codes are optional; thus retransmission occurs when a transmission error is detected.

2.2. The Bluetooth name

The name Bluetooth comes from Harald Blåtand, who was King of Denmark from approximately A.D. 940 to 986. He managed to unite Denmark and part of Norway into a single kingdom and introduced Christianity. He left a large monument, the Jelling rune stone, in memory of his parents. Harald Bluetooth was killed in 986 during a battle with his son, Svend Forkbeard. The name Bluetooth has been chosen for the standard to indicate how important companies from the Scandinavian region (Denmark, Sweden, Norway and Finland) are to the communication industry, and to unify multinational companies after a Scandinavian king who united countries, although the name says little about the way the technology works. The name Bluetooth was initially an unofficial code name for the project but has become the trademark name of the technology and the special interest group. The logo, Figure 2.1, was inspired by the initials "H B" for Harald Bluetooth.


FIGURE 2.1. The official Bluetooth logo

2.3. Baseband modes

Besides the normal active mode, the Bluetooth specification also includes various baseband modes which enable energy conservation by allowing the radio of a slave to enter parked, sniff or hold mode for a Bluetooth connection (thus not for the whole device). When a device is not in a connected state, the baseband is in standby mode.

2.3.1. Active mode

When a slave is in active mode, it essentially always listens for transmissions from the master. The master sends packets to the active slaves to keep them synchronized and to inform them when they may transmit packets back. The slaves in active state listen to all the packets from the master, although they do not need to listen to the entire packet, just the packet header, when it is known that another slave is communicating with the master at that time. The active state provides the fastest response time but also consumes the most power, since the slave is always receiving packets and is always prepared to transmit packets.

2.3.2. Sniff mode

The sniff mode makes it possible to reduce the power consumption of a slave by letting the slave become active only periodically. The master agrees to transmit only at certain regular intervals for a particular slave (although it may not transmit packets at every such interval). The slave needs to listen for packets from the master only at the start of each interval (with some timing tolerance). If packets are sent, the slave receives the packets; otherwise it can "sleep" until the next interval. The power consumption and responsiveness in sniff mode depend upon the length of the sniff interval, although it is likely to be less responsive than the active mode and to have reduced power consumption.


2.3.3. Hold mode

Within the hold mode, a slave agrees upon a hold time with the master and then stops listening for packets entirely for the specified time interval. During the hold time, the slave can do other things such as establishing links to other devices, or just sleep. At the end of the hold time period, the slave resumes listening for packets from the master. The hold mode may be less responsive than the sniff mode. The power saving depends upon the hold time duration and what the slave does during the hold time.

2.3.4. Parked mode

Slaves in the parked mode maintain synchronization with the master, but they are no longer considered an active part of the piconet. This mode allows the master to organize communication with more than the seven slaves allowed in a piconet, by exchanging active and parked slaves. A parked slave stays synchronized with the master by periodically listening to the master. The parked mode is the least responsive mode, since the slave must make a transition to become an active member of the piconet before general communication can be resumed. The parked mode allows greater power conservation than the other modes.

2.3.5. Adaptive transmission power

Besides the different baseband modes, Bluetooth has another power-saving feature, called adaptive transmission power. This feature allows a slave to inform the master when the master's transmission power is not appropriate. Based on the Received Signal Strength Indicator (RSSI) value of the received packets, the slave can request a lower transmission power (e.g. when the devices are in close proximity) to save energy, or a higher transmission power (e.g. over a large distance or with a weak signal). The master maintains and adapts the transmission power settings for each slave in the piconet separately.

2.4. Network Topology

Bluetooth devices form a so-called piconet when they communicate with each other. A piconet can contain up to 8 active devices (one master and up to seven slaves) and up to 3 synchronous voice channels. Within a piconet, a specific hopping pattern is used and all channel access is controlled and synchronized by the master, so the slaves can only talk to the master and not to other slaves directly.

Multiple piconets can form a scatternet (see Figure 2.2). A master in one piconet can be a

slave in another piconet, and devices can be slaves in different piconets at the same time. To

switch between piconets, time multiplexing is used. The scatternet topology provides a flexible

method by which devices can maintain multiple connections. This can be very useful for mobile

devices which frequently move into and out of proximity to other devices.

When a device establishes a point-to-point link with another device, the role that each device

assumes (master or slave) is often unimportant and irrelevant to higher-level protocols and to

the users.

FIGURE 2.2. A scatternet with piconets, masters and slaves [Miller01]

2.5. Protocol Architecture

The architecture used for Bluetooth consists of Bluetooth-specific protocols combined with adopted protocols such as WAP, WAE, TCP/UDP/IP, PPP, vCard and IrMC. Bluetooth also supports cable replacement protocols such as RFCOMM and telephony control protocols such as AT commands. The reason for this mixed architecture of Bluetooth-specific and adopted protocols is that it allows Bluetooth to be integrated directly into existing application and transport protocols, without having to build up an entirely separate and parallel architecture. It also allows application-specific security controls to be implemented that are transparent to the lower-layer security controls (at the Data Link Layer) at which Bluetooth operates.

The Bluetooth protocol stack is layered according to Figure 2.3 on this page.

FIGURE 2.3. The Bluetooth stack


At the bottom of the Bluetooth system stack is the Physical Layer, which is basically the modem

part where the radio signals are processed.

Above the Physical Layer is the Baseband Layer, where the packets are formatted. The Baseband Layer takes care of header creation, checksum calculation, the retransmission procedure and the encryption and decryption. The Link Controller (LC), in the lower Baseband Layer, implements the baseband protocol and procedures. In the upper Baseband Layer, links are managed by the Link Manager (LM) and are set up using the Link Manager Protocol (LMP).

The Logical Link Control and Adaptation Protocol (L2CAP) takes care of segmenting large chunks of user data into smaller units that fit the Bluetooth link. For example, a higher-level TCP/IP packet is too large to fit in a Bluetooth baseband packet. Therefore, it is cut into smaller chunks of data, sent to the baseband for transmission and reassembled on the receiving side.

Since Bluetooth modules are integrated in different types of devices with different types of

architecture and capabilities, the Bluetooth controller (radio part) can be separated from higher

level protocol layers. The higher layers will then be implemented in the host entity and can

communicate with lower layers of the Bluetooth module through the Host Controller Interface

(HCI), separating the radio hardware-related functions from higher layer protocols. Not all

Bluetooth implementations run the lower and higher layer processing on separated processors.

Consequently, integrated implementations will not have the HCI.

The Bluetooth Security Manager [Muller99] forms the key component in the general security

architecture on top of the link-level security features of Bluetooth. The security manager has

the following tasks:

• Initiate pairing and query PIN entry by the user. The PIN entry can also be done by an application.

• Answer access requests by protocol implementations or applications (access granted or refused).

• Enforce authentication and/or encryption before connecting to the application.

• Store security-related information on services and devices.

• Initiate or process input from an External Security Control Entity (ESCE)¹. It could be a device user, or a utility application executed on behalf of the user based on preprogrammed security policies. In the latter case, this utility could reside within or outside a particular BT-enabled device, to set up trusted relationships on the device level.

Since this thesis concentrates on the (lower) link-level security, the Bluetooth Security Manager

will not further be analyzed.

A brief description of some higher-layer protocols:

• SDP: Service Discovery Protocol. The (Bluetooth-specific) Service Discovery Protocol makes it possible for Bluetooth-enabled devices to get information about the device type and the services offered, so that a connection between devices can be set up.

• RFCOMM. Emulates an RS-232 [Association69] serial connection and is thus a cable replacement protocol. For a number of upper-layer protocols (OBEX, TCP/UDP, IP, ...) no separate standard has to be designed, since they interface with the RFCOMM protocol layer, which in turn interfaces with the core Bluetooth protocols.

• TCS Binary: Telephony Control Specification. TCS specifies the call control signaling necessary to establish voice and data calls between Bluetooth devices.

• AT commands. The standard audio/telephony modem commands.

• OBEX: OBject EXchange protocol. This protocol takes care of data exchange in a client/server model and of file synchronization.

• TCP/IP: Transmission Control Protocol / Internet Protocol. TCP/IP is the suite of protocols that regulates connections between computers on the Internet [Comer88].

• PPP: Point-to-Point Protocol. This protocol defines how the Internet Protocol (IP) is transmitted over serial point-to-point links.

• WAP: Wireless Application Protocol [Forum01] is an open standard and application environment for wireless information and telephony services on digital mobile phones, specified by the WAP Forum. The WAE (Wireless Application Environment) is the topmost level in the WAP architecture.

¹ An ESCE typically represents a human operating a device who decides how to proceed with security-related matters, e.g. provides a PIN whenever needed, decides to create a trust relation with a device, etc. In general though, an ESCE represents an entity with the authority and knowledge to make decisions on how to proceed in a manner consistent with this security architecture.

To provide support for specific applications and to offer interoperability, the Bluetooth SIG has developed a set of profiles. Profiles for fundamental and advanced procedures define the communication interface between two units for a service. Efficient reuse of existing protocols and procedures is possible by building new profiles on existing ones. The hierarchical structure of the profiles can be seen in Figure 2.3. The most fundamental profile relates to connection and channel setup and modes of operation and is defined in the Generic Access Profile (GAP). All other profiles make use of the GAP. The Serial Port Profile (SPP) defines the original purpose of Bluetooth: short-range cable replacement. The Generic Object Exchange Profile (GOEP) is used for file transfer, push services, synchronization, etc. New profiles are constantly being developed, independently of the core specification.


CHAPTER 3

Security Model

3.1. Security

To define the notion of security, it is necessary to introduce a third party that has access to all

public information and tries to derive private secret information. Such a third party is denoted

as an attacker or cryptanalyst. The notion of security can then be defined as: "A system is

secure if an attacker is unable to derive the private secret information".

It is not possible to break a perfectly secure encryption scheme, and such schemes do exist. However, a perfectly secure scheme needs a key whose length is no smaller than the entropy of the message to be encrypted, and this key may never be reused. If the key is shorter than the entropy of the message, there will always be some correlation between plaintext and ciphertext that leaks information about the plaintext. An example of a perfectly secure encryption scheme is the one-time pad or Vernam cipher (see Section 4.2).

3.2. Wireless Security

Risks are inherent to any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; others are new. Perhaps the most significant source of risk in wireless networks is that the technology's underlying communications medium, the airwaves, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.


Specific threats and vulnerabilities to wireless networks and handheld devices include the following:

• All vulnerabilities that exist in a conventional wired network apply to wireless technologies.

• Malicious entities may gain unauthorized access to a (company's) computer network through wireless connections, bypassing any firewall protection, for example by using special long-distance antennas¹ that can connect to internal, unprotected or weakly protected wireless access points.

• Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed. Several applications² exist to "sniff" all the data transmitted wirelessly in an area and to recover encrypted passwords.

• DoS attacks may be directed at wireless connections or devices. Such a Denial of Service attack can take down the functionality of devices: make them unstable, make them lose data, make them consume a lot of power (drain batteries), or it can be used as a method to make other attacks possible.

• Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks. Since wireless connections may allow invisible (or less visible) connections, masquerading can be easier.

• Sensitive data may be corrupted during improper synchronization, for example by "sniffing" and inserting or disturbing wireless data connections.

• Malicious entities may be able to violate the privacy of legitimate users and track their movements. Since data connections need identification, this identification can be tracked easily on most wireless networks³.

• Malicious entities may deploy unauthorized equipment (e.g. client devices and access points) to surreptitiously gain access to sensitive information. A well-known example of this attack is the so-called "Evil Twin": a fake clone of a wireless hotspot, run by an attacker to intercept sensitive data.

¹ John Hering from Flexilis explains in detail how to build such a long-distance Bluetooth rifle on this site: http://www.tomsnetworking.com/Sections-article106.php.

² For example: Airsnort (http://airsnort.shmoo.com) and BlueSnifer (http://trifinite.org/).

³ Systematically scanning for wireless networks and devices from a moving vehicle, and logging where they were seen, is called "wardriving".


• Handheld devices are easily stolen and can reveal sensitive information.

• Data may be extracted without detection from improperly configured devices.

• Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced into a wired network connection.

• Malicious entities may, through wireless connections, connect to other agencies or organizations for the purpose of launching attacks and concealing their activities.

• Intruders, from inside or outside, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.

• Malicious entities may use third-party, suspicious wireless network services to gain access to an agency's or other organization's network resources.

• Internal attacks may be possible via ad hoc transmissions.

It should be clear that maintaining secure wireless networks is a process that requires greater effort than that required for other networks and systems. It is much harder to obtain a certain guarantee of security when deploying wireless networks. Routine security tests, assessments and evaluations of the system security are important. The National Institute of Standards and Technology (NIST) recommends [Karygiannis02b] that agencies not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations and continuity of essential operations.

3.3. Shannon’s Model

Shannon introduced the basic setting of cryptography in [Shannon49] as a modification of his well-known communication model proposed in [Shannon48]. The most basic task of cryptography is encryption. When two entities, a sender and a receiver, want to transmit a message in complete confidentiality, an encryption scheme or cipher is needed. Such an encryption scheme is defined as a cryptosystem.

DEFINITION 1 (Cryptosystem). A cryptosystem is a five-tuple (P, C, K, E, D) that satisfies:

a) Plaintext space P, a finite set of possible plaintexts.

b) Ciphertext space C, a finite set of possible ciphertexts.

c) Key space K, a finite set of possible keys.

d) Encryption functions $E = \{e_k : k \in K\}$, a family of functions $e_k : P \to C$.

e) Decryption functions $D = \{d_k : k \in K\}$, a family of functions $d_k : C \to P$.

f) For each $k_e \in K$ there is a $k_d \in K$ such that $d_{k_d}(e_{k_e}(p)) = p$ for every plaintext $p \in P$.

The sender and receiver need to agree on an encryption scheme. They also need to exchange a secret key $k \in K$ or a secret key pair $(k_e, k_d) \in K \times K$, using a secret channel. After this exchange, the secret key is all that distinguishes a legitimate sender and receiver from an arbitrary third party.

Once the secret key has been exchanged, the sender and receiver can communicate privately using a public channel, see Figure 3.1. Given a message $m \in P$, the sender encrypts m under the key k by calculating $c = e_k(m)$. This ciphertext can be transmitted over the public channel. The receiver decrypts the received message c into $m = d_k(c)$ and gets the original message m.

FIGURE 3.1. Shannon’s model: process of encryption, transmission and decryption

The process of encryption, transmission and decryption can be seen in Figure 3.1. All infor-

mation on gray background is private and may only be seen by the sender and receiver. All

information on white background is publicly visible for everyone.

3.4. Theorems

3.4.1. Perfect Secrecy

If an attacker learns nothing about the plaintext by observing the ciphertext, the cryptosystem

is said to have perfect secrecy. This property can be formalized mathematically.


DEFINITION 2 (Perfect secrecy). A cryptosystem has perfect secrecy if the events that a particular ciphertext occurs and that a particular plaintext has been encrypted are independent:

$$P(p \mid c) = P(p), \qquad (1)$$

for all plaintexts p and all ciphertexts c.

3.4.1.1. Shannon’s Theorem. Claude E. Shannon states in his famous paper [Shannon49]

that a good cipher should require as much work as solving a system of simultaneous equations

in a large number of unknowns of a complex type. Shannon also defined a theorem for perfect

secrecy which states the following:

A cryptosystem with |P| = |C| = |K| and P(p) > 0 for every plaintext p has perfect secrecy if and only if the probability distribution on the key space is the uniform distribution and for any plaintext p and any ciphertext c there is exactly one key k with $e_k(p) = c$.

Proof:

a) Suppose the cryptosystem has perfect secrecy.

To prove the first assertion we fix a ciphertext c. For a plaintext p, let $k_p$ be the key with $e_{k_p}(p) = c$ (the second assertion, proven below, shows that exactly one such key exists), so that $P(c \mid p) = P(k_p)$. From the definition of perfect secrecy (Equation (1)) and the identity $P(B)P(A \mid B) = P(A)P(B \mid A)$, valid for any events A and B with P(A) > 0 and P(B) > 0, we get

$$P(p \mid c) = \frac{P(c \mid p)\,P(p)}{P(c)} = \frac{P(k_p)\,P(p)}{P(c)} \qquad (2)$$

for each plaintext p. Since the cryptosystem has perfect secrecy, Equation (1) gives $P(p \mid c) = P(p)$, and (2) then implies $P(k_p) = P(c)$. Hence the probability $P(k_p)$ is the same for each plaintext p. The map $p \mapsto k_p$ is injective (if $k_p = k_q$ then $e_{k_p}(p) = e_{k_p}(q) = c$, so p = q by decryptability), and since |P| = |K| it is a bijection: any key k is equal to $k_p$ for some plaintext p. Therefore all keys have the same probability, which means that the probability distribution on the key space is the uniform distribution.

For the second assertion, let p be a plaintext (we may assume that every ciphertext $c \in C$ occurs with positive probability). If there is a ciphertext c for which there is no key k with $e_k(p) = c$, then $P(p \mid c) = 0 \neq P(p)$, since P(p) > 0. This contradicts perfect secrecy (Equation (1)). So, for any ciphertext c there is a key k with $e_k(p) = c$. But the number of keys is equal to the number of ciphertexts, so the map $k \mapsto e_k(p)$ from K onto C is a bijection. Therefore, for each ciphertext c there is exactly one key k with $e_k(p) = c$, which proves the second assertion.

b) Conversely, assume that the probability distribution on the key space is the uniform distribution and that for any plaintext p and any ciphertext c there is exactly one key k = k(p, c) with $e_k(p) = c$. We prove that the cryptosystem has perfect secrecy. We have

$$P(p \mid c) = \frac{P(p)\,P(c \mid p)}{P(c)} = \frac{P(p)\,P(k(p, c))}{\sum_{q \in P} P(q)\,P(k(q, c))}. \qquad (3)$$

Now $P(k(p, c)) = 1/|K|$ since all keys are equally probable. Hence,

$$\sum_{q \in P} P(q)\,P(k(q, c)) = \frac{\sum_{q \in P} P(q)}{|K|} = \frac{1}{|K|}. \qquad (4)$$

Using this in Equation (3) we obtain $P(p \mid c) = P(p)$, and the cryptosystem has perfect secrecy.
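Both halves of the theorem can be checked mechanically on a small cryptosystem. The following Python script is an added example and not part of the thesis: it represents a cryptosystem as an encryption table enc[k][p] = c, computes P(p | c) from a plaintext and a key distribution by summing joint probabilities, tests Definition 2 directly (has_perfect_secrecy), and checks the combinatorial condition of the theorem (shannon_condition). The shift cipher over Z_5, the skewed plaintext distribution and the key distributions are constructed for the example; all function names are the example's own.

```python
from fractions import Fraction


def shift_cipher(n):
    """Shift cipher over Z_n: e_k(p) = (p + k) mod n, so |P| = |C| = |K| = n.
    Returned as an encryption table enc[k][p] = c."""
    return {k: {p: (p + k) % n for p in range(n)} for k in range(n)}


def uniform(keys):
    """Uniform distribution on a key space (exact rational arithmetic)."""
    return {k: Fraction(1, len(keys)) for k in keys}


def posteriors(enc, p_plain, p_key):
    """P(c) and P(p | c) for every pair (p, c) with P(c) > 0, obtained by summing
    the joint probabilities P(p) P(k) over all (p, k) with e_k(p) = c.
    Pairs (p, c) joined by no key are absent from the result, i.e. P(p | c) = 0."""
    p_cipher, joint = {}, {}
    for k, pk in p_key.items():
        for p, pp in p_plain.items():
            c = enc[k][p]
            joint[(p, c)] = joint.get((p, c), Fraction(0)) + pp * pk
            p_cipher[c] = p_cipher.get(c, Fraction(0)) + pp * pk
    post = {(p, c): joint[(p, c)] / p_cipher[c] for (p, c) in joint}
    return p_cipher, post


def has_perfect_secrecy(enc, p_plain, p_key):
    """Definition 2: P(p | c) = P(p) for every plaintext p with P(p) > 0 and every
    ciphertext c that occurs with positive probability."""
    p_cipher, post = posteriors(enc, p_plain, p_key)
    return all(post.get((p, c), Fraction(0)) == pp
               for p, pp in p_plain.items() if pp > 0
               for c in p_cipher)


def keys_joining(enc, p, c):
    """All keys k with e_k(p) = c."""
    return [k for k in enc if enc[k][p] == c]


def shannon_condition(enc):
    """Combinatorial half of the theorem: every (p, c) pair is joined by exactly one key."""
    plaintexts = set(next(iter(enc.values())))
    ciphertexts = {c for table in enc.values() for c in table.values()}
    return all(len(keys_joining(enc, p, c)) == 1
               for p in plaintexts for c in ciphertexts)


# Constructed sample data: a skewed plaintext distribution over Z_5 (the cipher has to
# hide it whatever it is) and two key distributions for the same shift cipher.
PLAIN = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8),
         3: Fraction(1, 16), 4: Fraction(1, 16)}
ENC = shift_cipher(5)
UNIFORM_KEYS = uniform(ENC)
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
               3: Fraction(1, 8), 4: Fraction(1, 8)}
# The same cipher with two keys dropped: |K| < |C|, so some (p, c) pairs have no key.
SMALL_ENC = {k: ENC[k] for k in (0, 1, 2)}

if __name__ == "__main__":
    print("shift cipher, uniform keys:", has_perfect_secrecy(ENC, PLAIN, UNIFORM_KEYS))
    print("shift cipher, skewed keys: ", has_perfect_secrecy(ENC, PLAIN, SKEWED_KEYS))
    print("three keys only:           ", has_perfect_secrecy(SMALL_ENC, PLAIN, uniform(SMALL_ENC)))
    print("theorem condition, 5 keys: ", shannon_condition(ENC), " 3 keys:", shannon_condition(SMALL_ENC))
```

With uniform keys every ciphertext has probability 1/5 and P(p | c) = P(p) for every pair; a skewed key distribution or a key space smaller than the ciphertext space breaks Equation (1) for some pair, exactly as the theorem predicts.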

3.4.2. Kerckhoffs’ principle

Auguste Kerckhoffs stated in the 19th century in [Kerckhoffs83] that a cryptosystem should be secure even if everything about the system, except the key, is publicly known. So instead of relying on security through obscurity we assume security through transparency and suppose that "the enemy knows the system", as Shannon reformulated Kerckhoffs' principle in Shannon's maxim.

Kerckhoffs' law consists of six design principles⁴:

a) The system must be substantially, if not mathematically, undecipherable.

b) The system must not require secrecy, and it must not be a problem if it is stolen by the enemy.

c) It must be easy to communicate and remember the key without requiring written notes, and it must also be easy to change or modify the key with different participants.

d) The system ought to be compatible with telegraph communication.

e) The system must be portable, and its use must not require more than one person.

f) Finally, regarding the circumstances in which such a system is applied, it must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules.

⁴ Translated from French by F. Petitcolas.

3.4.3. Order notation

When evaluating the security and discussing the complexities, the order notation is used [Grimaldi99].

Typically, the order notation indicates how the complexity of the attack grows depending on,

for example, the length of the LFSR or the size of the key.

DEFINITION 3 (Big-Oh). Let f, g be two functions mapping the natural numbers to themselves. We say that g dominates f, or f is dominated by g, or f ∈ O(g), if and only if there exist a natural number N and a positive constant c such that, for all n ≥ N, we have |f(n)| ≤ c · |g(n)|.

As we consider the values of f(1), g(1), f(2), g(2), ..., there is a point (namely N) after which the size of f(n) is bounded above by a positive multiple (c) of the size of g(n). When g dominates f, f is of order g, and |f(n)/g(n)| ≤ c. That is, the size of the quotient f(n)/g(n) is bounded by c for those n with n ≥ N and g(n) ≠ 0. As suggested by the notation f ∈ O(g), O(g) represents the set of all functions dominated by g.

When dealing with the concept of function dominance, we seek the best, i.e. the tightest, bound [Grimaldi99]. If we suppose f ∈ O(g) and g ∈ O(h), then we also have f ∈ O(h). But if h ∉ O(g), the statement f ∈ O(g) provides a better bound on |f(n)| than the statement f ∈ O(h). For example, if f(n) = 5, g(n) = 5n and h(n) = n² for all natural numbers n, then f ∈ O(g), g ∈ O(h) and f ∈ O(h), but h ∉ O(g). Therefore, we are provided more information by the statement f ∈ O(g) than by the statement f ∈ O(h).

The special names designated for certain orders that occur often are listed in Table 1.

TABLE 1. Names of frequently occurring orders.

  Order                        Name
  O(1)                         Constant
  O(log₂ n)                    Logarithmic
  O(n)                         Linear
  O(n log₂ n)                  n log₂ n
  O(n²)                        Quadratic
  O(n³)                        Cubic
  O(nᵐ), m = 0, 1, 2, ...      Polynomial
  O(cⁿ), c > 1                 Exponential
  O(n!)                        Factorial

3.4.4. Functions and Correlations

Throughout this thesis we shall consider the field GF(2ⁿ) as a linear space over GF(2) with a given fixed basis. $x_t$ denotes an n-dimensional vector in GF(2ⁿ), written $x_t = (x^1_t, x^2_t, \cdots, x^n_t)$.

The inner product "·" between two vectors $v = (v_1, v_2, \cdots, v_n)$ and $w = (w_1, w_2, \cdots, w_n)$ of the space GF(2ⁿ) is defined as:

$$v \cdot w = v_1 w_1 \oplus v_2 w_2 \oplus \cdots \oplus v_n w_n. \qquad (5)$$

The linear function $L_u(x)$ is then $L_u(x) = u \cdot x$, $u \in GF(2^n)$.

DEFINITION 4. We say a function L : GF(2ⁿ) → GF(2ⁿ) is linear if for any vectors v and w in GF(2ⁿ):

$$L(v + w) = L(v) + L(w), \qquad (6)$$

and for any vector v in GF(2ⁿ) and scalar a,

$$L(av) = aL(v). \qquad (7)$$

An affine function is just a linear function plus a translation.

DEFINITION 5. We say a function A : GF (2m) → GF (2n) is affine if there is a linear function

L : GF (2m) → GF (2n) and a vector b in GF (2n) such that:

A(x) = L(x) + b (8)

for all x in GF (2m)

A Boolean function f is a mapping from GF(2)ⁿ into GF(2). The support of f is defined as sup(f) = {v ∈ GF(2)ⁿ : f(v) = 1}. The cardinality of sup(f) is the weight wt(f) of the function.


A Boolean function can be uniquely represented by means of its algebraic normal form (ANF):

$$f(v) = f(x_{n-1}, \cdots, x_0) = \bigoplus_{(a_{n-1}, \cdots, a_0) \in GF(2)^n} h(a_{n-1}, \cdots, a_0)\, x_{n-1}^{a_{n-1}} \cdots x_0^{a_0}, \qquad (9)$$

where f and h are Boolean functions on GF(2)ⁿ. The algebraic degree of f, denoted by deg(f), is defined as the highest number of variables in the terms $x_{n-1}^{a_{n-1}} \cdots x_0^{a_0}$ that occur in the ANF of f.

Alternatively, a Boolean function can be represented by its Walsh spectrum:

$$W_f(w) = \sum_{v \in GF(2)^n} (-1)^{f(v) \oplus v \cdot w} = 2^n - 2\,\mathrm{wt}(f \oplus L_w), \qquad (10)$$

where $L_w(v) = v \cdot w$ is the linear function of Equation (5), so that $\mathrm{wt}(f \oplus L_w)$ counts the inputs on which f and $L_w$ differ.

Several properties of Boolean functions are important from a cryptographic viewpoint:

• A function is said to be balanced if wt(f) = 2ⁿ⁻¹, i.e. if $W_f(0) = 0$.

• The nonlinearity $N_f$ of the function f is defined as the minimum distance between f and any affine function; it can be calculated as $N_f = 2^{n-1} - \frac{1}{2}\max_{w \in GF(2)^n} |W_f(w)|$. The best affine approximation l(v) of f, the affine function at this minimum distance, is associated with this notion.

• f has bias ε if it has the same output as its best affine approximation with probability 0.5 + ε, i.e. $\varepsilon = 0.5 - N_f/2^n = \max_{w \in GF(2)^n} |W_f(w)| \,/\, 2^{n+1}$.

• A function is said to be correlation-immune of order ρ, CI(ρ), if and only if its Walsh transform satisfies $W_f(w) = 0$ for all w with 1 ≤ wt(w) ≤ ρ. If the function is also balanced, it is called ρ-resilient.

• The lowest degree of a non-zero function g from GF(2)ⁿ into GF(2) for which f · g = 0 or (f + 1) · g = 0 is called the algebraic immunity of the function f.

• The function g is said to be an annihilator of f if f · g = 0.

• A vectorial Boolean function F from GF(2)ⁿ into GF(2)ᵐ, also called an (n, m) S-box, can be represented by an m-tuple $(f_{m-1}, \cdots, f_0)$ of Boolean functions $f_i$ on GF(2)ⁿ (corresponding to the output bits).

DEFINITION 6 (Correlation). Let f, g : GF(2)ⁿ → GF(2) be Boolean functions. The correlation between f and g is:

$$C(f, g) = \frac{\#\{x \in GF(2)^n \mid f(x) = g(x)\} - \#\{x \in GF(2)^n \mid f(x) \neq g(x)\}}{2^n}. \qquad (11)$$

In particular, the correlation of f with the linear function $L_w$ is $C(f, L_w) = W_f(w) / 2^n$.
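All of the quantities above (weight, Walsh spectrum, nonlinearity, bias, best affine approximation, correlation-immunity order and the correlation of Definition 6) can be computed from a truth table. The following Python code is an added example and not from the thesis. It encodes a vector v ∈ GF(2)ⁿ as the integer whose bit j is $v_j$, computes $W_f$ for all w at once with the fast Walsh-Hadamard transform, and applies the definitions to two functions constructed for the example: the 3-variable majority function (nonlinear, but correlated with each of its inputs) and $f(x) = x_0 \oplus x_1 \oplus x_2 x_3$ (balanced and CI(1), hence 1-resilient). All names are the example's own.

```python
def truth_table(f, n):
    """Evaluate f on every v in GF(2)^n. Index i encodes v: bit j of i is v_j."""
    return [f(tuple((i >> j) & 1 for j in range(n))) for i in range(1 << n)]


def weight(tt):
    return sum(tt)


def is_balanced(tt):
    return weight(tt) == len(tt) // 2


def walsh_spectrum(tt):
    """W_f(w) = sum_v (-1)^(f(v) xor v.w) for every w (Equation (10)),
    via the in-place fast Walsh-Hadamard transform of the sequence (-1)^f(v)."""
    s = [1 - 2 * b for b in tt]
    h = 1
    while h < len(s):
        for i in range(0, len(s), 2 * h):
            for j in range(i, i + h):
                a, b = s[j], s[j + h]
                s[j], s[j + h] = a + b, a - b
        h *= 2
    return s


def nonlinearity(tt):
    """N_f = 2^(n-1) - max|W_f(w)| / 2: distance to the nearest affine function."""
    n = len(tt).bit_length() - 1
    return (1 << (n - 1)) - max(abs(x) for x in walsh_spectrum(tt)) // 2


def bias(tt):
    """epsilon such that f equals its best affine approximation with probability 1/2 + epsilon."""
    n = len(tt).bit_length() - 1
    return max(abs(x) for x in walsh_spectrum(tt)) / (1 << (n + 1))


def best_affine_approximation(tt):
    """(w, b) such that l(v) = w.v xor b agrees with f on the most inputs."""
    spec = walsh_spectrum(tt)
    w = max(range(len(spec)), key=lambda i: abs(spec[i]))
    return w, (0 if spec[w] > 0 else 1)


def correlation_immunity_order(tt):
    """Largest rho with W_f(w) = 0 for all w with 1 <= wt(w) <= rho."""
    spec = walsh_spectrum(tt)
    n = len(tt).bit_length() - 1
    rho = 0
    while rho < n and all(spec[w] == 0 for w in range(1, len(spec))
                          if bin(w).count("1") == rho + 1):
        rho += 1
    return rho


def correlation(tt_f, tt_g):
    """Definition 6: (#agree - #disagree) / 2^n."""
    agree = sum(a == b for a, b in zip(tt_f, tt_g))
    return (2 * agree - len(tt_f)) / len(tt_f)


# Constructed sample functions.
def majority3(v):
    return 1 if v[0] + v[1] + v[2] >= 2 else 0


def resilient4(v):
    return v[0] ^ v[1] ^ (v[2] & v[3])


MAJ = truth_table(majority3, 3)
RES = truth_table(resilient4, 4)

if __name__ == "__main__":
    for name, tt in (("majority3", MAJ), ("resilient4", RES)):
        print(name, "wt", weight(tt), "balanced", is_balanced(tt), "N_f", nonlinearity(tt),
              "bias", bias(tt), "CI order", correlation_immunity_order(tt),
              "best affine (w, b)", best_affine_approximation(tt))
    # the majority function leaks each single input: C(f, x_0) = W_f(001) / 2^3
    print("C(majority3, x0) =", correlation(MAJ, truth_table(lambda v: v[0], 3)))
```

The majority function has nonlinearity 2 and bias 0.25, and its correlation 0.5 with any single input is exactly what a correlation attack on a combiner exploits; the second function has $W_f(w) = 0$ on every single-bit w, so no single input is correlated with its output, at the price of a larger algebraic structure.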


3.4.5. Berlekamp-Massey Algorithm

The Berlekamp-Massey algorithm is used for finding the minimal polynomial of a linearly recurrent sequence. Before we can handle the algorithm, we need to introduce linearly recurrent sequences and the minimal polynomial.

DEFINITION 7 (Linearly Recurrent Sequence). Suppose the infinite sequence a with elements from a field K has the property that there exist constants $c_1, \cdots, c_k$ in K such that, for all t > k,

$$a_t = a_{t-1} c_1 + a_{t-2} c_2 + \cdots + a_{t-k} c_k.$$

Then a is called a linearly recurrent sequence.

The linear complexity of a recurrent or periodic sequence a is the length of the shortest linear recurrence that generates a, i.e. the degree of the corresponding characteristic polynomial.

DEFINITION 8 (Annihilator). Given a linearly recurrent sequence a, suppose $c_0, \cdots, c_k \in K$ with $c_0 \neq 0$ satisfy, for all t > k,

$$c_0 a_t = a_{t-1} c_1 + a_{t-2} c_2 + \cdots + a_{t-k} c_k.$$

Then the polynomial

$$c_0 x^k - c_1 x^{k-1} - c_2 x^{k-2} - \cdots - c_k$$

is called an annihilator for a.

The annihilators of a form an ideal⁵ of K[x].

DEFINITION 9 (Minimal Polynomial). Since K[x] is a principal ideal domain, the ideal of a's annihilators has a unique monic generator of minimal degree. This annihilator is called the minimal polynomial of a.

Let K/L be a finite field extension. Then the minimal polynomial of κ ∈ K is the unique monic non-zero polynomial m(x) ∈ L[x] such that m(κ) = 0 and any other polynomial f ∈ L[x] with f(κ) = 0 is divisible by m.

Given κ, a polynomial m ∈ L[x] is the minimal polynomial of κ if and only if m is monic, irreducible over L, and m(κ) = 0.

⁵ An ideal of a commutative ring R (here the polynomial ring K[x]) is a non-empty subset I ⊆ R that is closed under addition and under multiplication by arbitrary ring elements: if f, g ∈ I and r ∈ R, then f + g ∈ I and r · f ∈ I.

To find the minimal polynomial, we need to be given an upper bound m on its degree; having done so, the minimal polynomial is uniquely determined by the first 2m elements of a (since we need m equations to solve for the unknowns $c_1, \cdots, c_m$).

There is another way to determine the minimal polynomial, which uses the Euclidean algorithm. It can be shown that the characteristic polynomial of a sequence is the unique monic polynomial C(x) of least degree for which the infinite product

$$C(x)\,(a_1 + a_2 x + a_3 x^2 + \cdots)$$

has finitely many nonzero terms. (In fact, the nonzero terms will have coefficients up to $x^{k-1}$, where k is the degree of C.)

We can rewrite this as

$$C(x) \cdot (a_1 + a_2 x + \cdots + a_{2m} x^{2m-1}) - Q(x) \cdot x^{2m} = R(x),$$

where R(x) is a remainder polynomial of degree < m and Q(x) is a quotient polynomial. Denote by A(x) the sum $\sum_{i=1}^{2m} a_i x^{i-1}$.

This is where the Euclidean algorithm comes in: if we take the GCD of A(x) and $x^{2m}$, keeping track of the remainders, we get two sequences $P_i(x)$, $Q_i(x)$ such that $P_i(x) \cdot A(x) - Q_i(x) \cdot x^{2m}$ forms a series of polynomials whose degree is decreasing; as soon as this degree is less than m, we have the needed polynomials with $C = P_i$ and $Q = Q_i$.
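The Berlekamp-Massey algorithm itself is not written out above, so the following Python implementation is added here as an example (it is not code from the thesis). It works over GF(2), returns the linear complexity L together with the coefficients $[c_0, \cdots, c_L]$ of the minimal polynomial in the notation of Definition 8, and shows two facts that matter for stream-cipher analysis: 2L keystream bits are enough to recover the recurrence and then predict every further bit, and XORing the outputs of two LFSRs with coprime feedback polynomials only raises the linear complexity to the sum of their lengths. The tap positions, seeds and sequence lengths are constructed for the example; all names are the example's own.

```python
def lfsr_sequence(taps, seed, length):
    """Bits of the recurrence s_t = XOR of s_(t-j) for j in taps (c_j = 1 for j in taps).
    In the notation of Definition 8, taps (3, 4) is the polynomial x^4 + x + 1 and
    taps (2, 3) is x^3 + x + 1; both are primitive over GF(2)."""
    s = list(seed)
    while len(s) < length:
        s.append(sum(s[-j] for j in taps) & 1)
    return s


def berlekamp_massey(s):
    """Return (L, c): L is the linear complexity of the bit sequence s and
    c = [c_0 = 1, c_1, ..., c_L] are the coefficients of the minimal polynomial
    c_0 x^L - c_1 x^(L-1) - ... - c_L (signs are irrelevant over GF(2)), so that
    s_t = c_1 s_(t-1) + ... + c_L s_(t-L) for all t >= L.  Any 2L bits determine it."""
    n = len(s)
    c = [0] * (n + 1); c[0] = 1   # current connection polynomial
    b = [0] * (n + 1); b[0] = 1   # connection polynomial before the last length change
    L, m = 0, -1                  # current linear complexity, index of the last length change
    for i in range(n):
        d = s[i]                  # discrepancy: does the current recurrence predict s_i?
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:        # the recurrence has to grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(s, c, count):
    """Extend the observed bits s by `count` bits using the recurrence given by c."""
    out = list(s)
    L = len(c) - 1
    for _ in range(count):
        out.append(sum(c[j] & out[-j] for j in range(1, L + 1)) & 1)
    return out[len(s):]


def poly_str(c):
    """Render [c_0, ..., c_L] as a polynomial in x (highest degree first)."""
    L = len(c) - 1
    terms = []
    for j, cj in enumerate(c):
        if cj:
            e = L - j
            terms.append("1" if e == 0 else "x" if e == 1 else "x^%d" % e)
    return " + ".join(terms) or "0"


# Constructed sample keystreams: a 4-stage LFSR, a 3-stage LFSR and their XOR.
S4 = lfsr_sequence((3, 4), (1, 0, 0, 0), 40)
S3 = lfsr_sequence((2, 3), (1, 0, 0), 40)
S_XOR = [a ^ b for a, b in zip(S3, S4)]

if __name__ == "__main__":
    L, c = berlekamp_massey(S4[:8])          # only 2L = 8 bits observed
    print("4-stage LFSR:", L, poly_str(c), "predicts the rest:", predict(S4[:8], c, 32) == S4[8:])
    L, c = berlekamp_massey(S_XOR)
    print("XOR of both: ", L, poly_str(c))  # 7 = 4 + 3: the product of the two polynomials
```

This is the reason a stream cipher cannot simply output a linear combination of its LFSRs: an attacker observing 2L bits recovers the whole generator in O(L²) operations, which is why E0 and similar designs pass the LFSR outputs through a nonlinear combiner with memory.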


3.5. Hypothesis Testing

An important part of cryptanalysis is based on hypothesis testing or statistical testing [Zenner04], [Maurer90]. Choices and guesses must be made, but they should be based on a hypothesis indicating which choice has the best chance of being the correct one. Hypothesis testing is also used to determine whether a sequence of observations is more likely to have been sampled from a system with output distribution $P_0$ or from a system with output distribution $P_1$.

It is very important that no regularities can be observed in the output stream of a cipher. An attacker could predict additional bits of the output sequence if regularities occur, so it must not be possible to tell the output stream apart from a truly random sequence.

The intention of hypothesis testing is to estimate the quality of the sequence and the reliability of that estimate. The basic theoretical background of hypothesis testing is discussed in this section.

Assume we have a sequence of n independent and identically distributed random variables

X1, X2, · · · , Xn over an alphabet N. The distribution of this sequence is denoted by

Q(x) = P(Xi = x), 1 ≤ i ≤ n (12)

and the sampled values are denoted by x = x1, x2, · · · , xn, where xi ∈ N, 1 ≤ i ≤ n. So we

can consider two hypotheses, one selecting P0 and one selecting P1:

• H0 : Q = P0.

• H1 : Q = P1.

To decide which hypothesis will be accepted, we use a decision function φ(x). If φ(x) = 0,

hypothesis H0 is accepted, φ(x) = 1 implies that H1 is accepted. Since φ(x) only takes two

possible values, we can specify a set A ∈ {N}n, over which φ(A) = 0 and its complementary

set A∗ ∈ {N}n, over which φ(A) = 1. Furthermore, let Pn0 (xi) denote the simultaneous

probability∏n

i=1 P0(xi) and Pn1 (xi) =

∏ni=1 P1(xi).


With this hypothesis test, two types of error can occur that we want to minimize. We can accept $H_1$ while $H_0$ was true, which is seen in some cases as a false alarm ($P_F$), or we can accept $H_0$ while $H_1$ should have been chosen, which is sometimes seen as the worse missed alarm ($P_M$):

$$P_F = P(\phi(x) = 1 \mid H_0 \text{ true}) = P_0^n(A^*), \tag{13}$$

$$P_M = P(\phi(x) = 0 \mid H_1 \text{ true}) = P_1^n(A). \tag{14}$$

To choose the optimal decision rule, the lemma of Neyman-Pearson can be used:

LEMMA 10 (Neyman-Pearson [Neyman33]). Let $X_1, X_2, \ldots, X_n$ be drawn identically distributed according to the mass function $Q$. Consider the decision problem corresponding to the hypotheses $Q = P_0$ versus $Q = P_1$. For $T \ge 0$ define a region

$$A_n(T) = \left\{ \frac{P_0(x_1, x_2, \ldots, x_n)}{P_1(x_1, x_2, \ldots, x_n)} > T \right\}.$$

Let $P_F = P_0^n(A_n^*(T))$ and $P_M = P_1^n(A_n(T))$ be the probabilities of error corresponding to the decision region $A_n(T)$. Let $B_n$ be any other decision region with associated probabilities of error $P_F^B$ and $P_M^B$. If $P_F^B \le P_F$ then $P_M^B \ge P_M$.

So the region $A_n(T)$, determined by the likelihood ratio $P_0(x)/P_1(x) > T$, is the one that minimizes $P_F$ and $P_M$.

Ekdahl rewrote this test in [Ekdahl03] as the computationally robust test of Equation (18), using a base-2 logarithmic measure and $T = 1$ (to make the probabilities $P_F$ and $P_M$ equally large). This test, called the log-likelihood test, tells us which of the two hypotheses $H_0$ and $H_1$ is the more likely:

$$\frac{P_0(x_1, x_2, \ldots, x_n)}{P_1(x_1, x_2, \ldots, x_n)} > 1, \tag{15}$$

$$\frac{\prod_{i=1}^n P_0(x_i)}{\prod_{i=1}^n P_1(x_i)} > 1, \tag{16}$$

$$\log_2 \left( \frac{\prod_{i=1}^n P_0(x_i)}{\prod_{i=1}^n P_1(x_i)} \right) > 0, \tag{17}$$

$$\sum_{i=1}^n \log_2 \frac{P_0(x_i)}{P_1(x_i)} > 0. \tag{18}$$


In this test we will have equally high probabilities for the two error events $P_F$ and $P_M$. However, it is sometimes desirable to use an asymmetric threshold, decreasing the "false" error $P_F$ at the expense of the "missed" error $P_M$. In [Cover91] it is shown that the probabilities of error can be expressed as:

$$P_M = 2^{-n\, D(P_\lambda \| P_e)}, \tag{19}$$

$$P_F = 2^{-n\, D(P_\lambda \| P_U)}, \tag{20}$$

where $P_\lambda$ is the probability distribution on the boundary between the two decision regions determined by $T$, $P_U(X = 0) = \tfrac{1}{2}$ is the uniform distribution and $D(P_0 \| P_1)$ is the relative entropy, defined as:

$$D(P_0 \| P_1) = \sum_{x \in N} P_0(x) \log_2 \frac{P_0(x)}{P_1(x)}. \tag{21}$$

The boundary distribution $P_\lambda$ is determined by the chosen threshold such that:

$$D(P_\lambda \| P_e) - D(P_\lambda \| P_U) = \frac{\log_2 T}{n}. \tag{22}$$

Another interesting question in hypothesis testing is to estimate the number of samples we will need in order to achieve a certain level of confidence in the test, i.e. how large $n$ must be so that the probability of error is below a certain value.

We can write the overall probability of error as:

$$P_e = \pi_0 P_F + \pi_1 P_M, \tag{23}$$

where $\pi_0$ is the prior probability of $H_0$, $\pi_1$ is the prior probability of $H_1$ and $\pi_0 + \pi_1 = 1$. In [Cover91] it is shown that this overall probability $P_e$ is equal to:

$$P_e = 2^{-n\, C(P_0, P_1)}, \tag{24}$$

where $n$ is the number of samples and $C(P_0, P_1)$ is the Chernoff information, defined by:

$$C(P_0, P_1) = -\min_{0 \le \lambda \le 1} \log_2 \left( \sum_{x \in N} (P_0(x))^{\lambda} (P_1(x))^{1-\lambda} \right). \tag{25}$$


With $\lambda = 0.5$ we get an upper bound for Equation (24). Using this rule, the well-known "rule of thumb" is derived: to separate the two binary distributions $\tfrac{1}{2} + \varepsilon$ and $\tfrac{1}{2}$ we need approximately $1/\varepsilon^2$ samples.
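The log-likelihood test of Equation (18), the relative entropy of Equation (21) and the Chernoff information of Equation (25), worked through in Python on a constructed biased bit source. This is an added example, not code from the thesis; the bias $\varepsilon = 0.05$, the function names and the grid search over $\lambda$ are this example's own choices. It also evaluates $P_F$ and $P_M$ of Equations (13) and (14) exactly for the binary case, which is the check a practitioner runs to see what the $1/\varepsilon^2$ rule of thumb actually buys.

```python
"""Distinguishing a biased bit source from a uniform one by hypothesis testing.

Added example (not from the thesis). Implements the log-likelihood test of
Equation (18), the relative entropy of Equation (21) and the Chernoff
information of Equation (25), and evaluates the error probabilities P_F and
P_M of Equations (13) and (14) exactly for the binary case. The bias eps, the
function names and the grid search over lambda are this example's own choices.
"""
import math


def log_likelihood_test(samples, p0, p1):
    """Equation (18): accept H0 (Q = P0) iff sum_i log2(P0(x_i) / P1(x_i)) > 0.

    p0 and p1 map every symbol of the alphabet to its probability.
    Returns (accepted hypothesis index, test statistic)."""
    stat = sum(math.log2(p0[x] / p1[x]) for x in samples)
    return (0 if stat > 0 else 1), stat


def relative_entropy(p0, p1):
    """Equation (21): D(P0 || P1) in bits; symbols with P0(x) = 0 contribute 0."""
    return sum(p0[x] * math.log2(p0[x] / p1[x]) for x in p0 if p0[x] > 0)


def chernoff_information(p0, p1, steps=1000):
    """Equation (25): -min_{0<=lambda<=1} log2 sum_x P0(x)^lambda P1(x)^(1-lambda).

    The minimum over lambda is approximated on a grid of `steps` + 1 points."""
    best = math.inf
    for j in range(steps + 1):
        lam = j / steps
        total = sum(p0[x] ** lam * p1[x] ** (1 - lam) for x in p0)
        best = min(best, math.log2(total))
    return -best


def samples_for_error(p0, p1, target_error):
    """Smallest n with 2^(-n C(P0, P1)) <= target_error, i.e. Equation (24) inverted."""
    return math.ceil(-math.log2(target_error) / chernoff_information(p0, p1))


def exact_error_probabilities(eps, n):
    """P_F and P_M (Equations 13, 14) of the log-likelihood test on n bits.

    H0: the source is biased, P(bit = 0) = 1/2 + eps.  H1: the source is uniform.
    With z the number of zeros, the test accepts H0 iff
    z * log2(P0(0)/P1(0)) + (n - z) * log2(P0(1)/P1(1)) > 0, and z is binomial
    under either hypothesis, so both error probabilities are exact sums."""
    p0 = {0: 0.5 + eps, 1: 0.5 - eps}
    p1 = {0: 0.5, 1: 0.5}

    def binom(z, p):  # probability of z zeros among n bits when P(bit = 0) = p
        return math.comb(n, z) * p ** z * (1 - p) ** (n - z)

    w0, w1 = math.log2(p0[0] / p1[0]), math.log2(p0[1] / p1[1])
    accepts_h0 = [z * w0 + (n - z) * w1 > 0 for z in range(n + 1)]
    p_f = sum(binom(z, p0[0]) for z in range(n + 1) if not accepts_h0[z])  # H0 true, H1 chosen
    p_m = sum(binom(z, p1[0]) for z in range(n + 1) if accepts_h0[z])      # H1 true, H0 chosen
    return p_f, p_m


if __name__ == "__main__":
    eps = 0.05
    p_biased, p_uniform = {0: 0.5 + eps, 1: 0.5 - eps}, {0: 0.5, 1: 0.5}
    print("D(P_biased || P_U) =", relative_entropy(p_biased, p_uniform))
    print("C(P_biased, P_U)   =", chernoff_information(p_biased, p_uniform))
    print("n for P_e <= 1%    =", samples_for_error(p_biased, p_uniform, 0.01))
    # Rule of thumb: about 1/eps^2 = 400 samples separate 1/2 + eps from 1/2.
    for n in (100, 400, 1600):
        p_f, p_m = exact_error_probabilities(eps, n)
        print(f"n={n:5d}: P_F={p_f:.3f} P_M={p_m:.3f}")
```

With $n = 1/\varepsilon^2$ both error probabilities are already below one in four and keep shrinking as $n$ grows; the exponent $2^{-n\,C(P_0,P_1)}$ of Equation (24) describes the rate at which $P_e$ decays for large $n$ rather than its exact value at small $n$, which is why `samples_for_error` asks for far more than 400 samples for a 1% error.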


CHAPTER 4

Stream Ciphers

Parts of this chapter are based on RSA Laboratories’ very clear "Frequently Asked Questions About Today’s Cryptography", Version 4.1 [Laboratories00], with permission of the author.

4.1. Introduction

A stream cipher is a type of symmetric encryption algorithm. Stream ciphers can be designed to be exceptionally fast, much faster than any block cipher, which makes them very suitable for use in telecommunication and low-level network encryption. While block ciphers operate on large blocks of data, stream ciphers typically operate on individual symbols of the underlying alphabet, usually bits. The encryption of any particular plaintext with a block cipher will result in the same ciphertext when the same key is used. With a stream cipher, the transformation of these smaller plaintext units will vary, depending on when they are encountered during the encryption process: the encryption function is time-varying. Stream ciphers also have limited error propagation if the encrypted data is corrupted, and limited buffer requirements, since the symbol size is relatively small and each symbol is encrypted independently of the others.

A stream cipher generates what is called a keystream (a sequence of bits used as a key). Encryption is accomplished by combining the keystream with the plaintext, usually with the bitwise XOR operation. The generation of the keystream can be independent of the plaintext and ciphertext, yielding what is termed a synchronous stream cipher, or it can depend on the data and its encryption, in which case the stream cipher is said to be self-synchronizing. Most stream cipher designs are for synchronous stream ciphers.


4.2. One-time pads

Current interest in stream ciphers is most commonly attributed to the appealing theoretical properties of the one-time pad, attributed to the work of Shannon [Shannon49]. A one-time pad, sometimes called the Vernam cipher [Vernam26], uses a string of bits that is generated completely at random. This usually means measuring some random phenomenon in nature, like the movement of particles. The keystream is the same length as the plaintext message and can only be used once; clearly a vast amount of keystream might be required. The random string is combined using bitwise XOR with the plaintext to produce the ciphertext. Since the entire keystream is random, even an opponent with infinite computational resources can only guess the plaintext if he or she sees the ciphertext. Such a cipher is said to offer perfect secrecy [Shannon49], since the ciphertext is statistically independent of the plaintext. The analysis of the one-time pad is seen as one of the cornerstones of modern cryptography. While the one-time pad saw use during wartime over diplomatic channels requiring exceptionally high security, the fact that the secret key (which can be used only once) is as long as the message introduces severe key management problems. While perfectly secure, the one-time pad is in general impractical.

4.3. Stream Ciphers

Stream ciphers were developed as an approximation to the action of the one-time pad. While contemporary stream ciphers are unable to provide the satisfying theoretical security of the one-time pad, they are at least practical. The keystream can be generated independently of the plaintext or ciphertext, which gives the advantage that the keystream can be generated prior to encryption or decryption, with only an easy combining step left when the message or ciphertext is to be processed. Clearly, the largest part of the strength (or the weakness) of the stream cipher depends on the keystream combined with it. As can be seen in Figure 4.1, different classifications for stream ciphers exist. The next section will introduce the synchronous and asynchronous (or self-synchronous) stream ciphers.


FIGURE 4.1. Stream cipher classifications [Kiviharju04]

4.3.1. Classification

4.3.1.1. Synchronous. If the next state of the cryptosystem is defined independently of both plaintext and ciphertext and depends only on the key, then the stream cipher is termed (classified) synchronous¹. In such a scheme each plaintext bit is encrypted independently of the others, and the corruption of a bit of the ciphertext during transmission will not affect the decryption of other ciphertext bits. The cipher is described as having no error propagation, and though this appears to be a desirable property, it has several implications. First, it limits the opportunity to detect an error when decryption is performed, but more importantly, an attacker is able to make controlled changes to parts of the ciphertext knowing full well what changes are being caused in the corresponding plaintext. Therefore, additional mechanisms for message authentication are needed.

Both encryption and decryption units must remain in step, since decryption cannot proceed successfully unless the keystreams used to encrypt and decrypt are synchronized. The synchronization is achieved by including ’marker positions’ or ’frames’ in the transmission; the effect of the marker is that if a bit of ciphertext is lost during transmission, it results in an incorrect decryption until one of the marker positions is reached.

¹ The E0 stream cipher used in the Bluetooth encryption process uses a synchronous mechanism, which we will discuss in Chapter 8.


A synchronous stream cipher can be described at a time $t \ge 0$ by the equations:

$$s_{t+1} = f(s_t, k), \tag{26}$$

$$z_t = g(s_t, k), \tag{27}$$

$$c_t = h(z_t, m_t), \tag{28}$$

where $s_0$ is the initial state, which may depend on the key $k$; $f$ is the next-state function, $g$ is the function which produces the keystream $z_t$, $t \ge 0$, and $h$ is the output function which combines the keystream bits $z_t$ and the plaintext bits $m_t$ to produce the ciphertext $c_t$. This procedure is represented by Figure 4.2.

FIGURE 4.2. Synchronous stream cipher structure

DEFINITION 11 (Synchronous Stream Cipher). A synchronous stream cipher is a finite state machine for which the keystream is generated from the key, but independently of the plaintext message and the ciphertext.

At each time instance $t \ge 0$, the cipher produces a new keystream symbol $z_t \in Z$. Typically, $Z$ is the binary field $\mathbb{F}_2$. The symbol size for the stream cipher is defined to be $W$ bits. The message $m$ is split into symbols of size $W$ bits, $m = m_0, m_1, m_2, \ldots, m_{N-1}$, where $m_t \in P$, the plaintext alphabet, and encrypted symbol by symbol using the output function $h$. The output is a sequence of ciphertext symbols $c = c_0, c_1, c_2, \ldots, c_{N-1}$, where $c_t \in C$, the ciphertext alphabet. Often the eXclusive OR (XOR) function is used as the output function $h$. The stream cipher is then called an additive stream cipher, since XOR is the field addition operation. The addition operation of the additive stream cipher requires that the plaintext alphabet $P$ and the ciphertext alphabet $C$ are equal to $Z$: $P = C = Z$.

The additive stream cipher can also be described as a pseudo-random number generator or a keystream generator whose output is XORed with the plaintext. The key is used to initialize the generator, which will then produce pseudo-random bits. So, instead of using a complete keystream as the secret key, like the one-time pad does, a (relatively) short key is used for seeding and the generator will produce a long keystream which is as random looking as possible.

Deciphering is done by combining the encrypted message $c_t$ and the keystream $z_t$ using the inverse of the output function $h$ (of Equation (28)):

$$h^{-1}(z_t, c_t) = m_t. \tag{29}$$

So the receiver has to generate the same keystream $z_t$ as the sender. The inverse of the output function, $h^{-1}$, is the same as $h$ for additive stream ciphers, $h^{-1} = h$. This useful property makes the decryption device exactly the same as the encryption device.

4.3.1.2. Asynchronous. The other possible stream cipher class is called self-synchronizing or asynchronous [Proctor85] [Daemen95]. Asynchronous stream ciphers have the property that they will resynchronize after a finite number of received ciphertext symbols. Thus the state of such a cipher depends only on the previously transmitted ciphertext symbols. It can be described at a time $t \ge 0$ by the equations:

$$s_t = (c_{t-v}, c_{t-v+1}, \ldots, c_{t-1}), \tag{30}$$

$$z_t = g(s_t, k), \tag{31}$$

$$c_t = h(z_t, m_t), \tag{32}$$

where $s_t$ is the state, $k$ is the key, $g$ is the function which produces the keystream $z_t$, and $h$ is the output function which combines the keystream bits $z_t$ and the plaintext bits $m_t$ to produce the ciphertext $c_t$. The initial state $s_t = (c_{t-v}, c_{t-v+1}, \ldots, c_{t-1})$ may be publicly known. In contrast to the synchronous stream ciphers, the encryption and decryption processes differ for the asynchronous stream ciphers, as can be seen in the structure represented in Figure 4.3.

FIGURE 4.3. Asynchronous stream cipher structure

DEFINITION 12 (Asynchronous stream ciphers). An asynchronous stream cipher is a finite state machine for which the keystream is generated as a function of the key and a fixed number of the previous ciphertext symbols.

Asynchronous stream ciphers have the facility to resume correct decryption if the keystream generated by the decrypting unit falls out of synchronization with the encrypting keystream. Since the E0 encryption system of Bluetooth uses a synchronous stream cipher, the remainder of this thesis will not take asynchronous stream ciphers into account.
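The two finite state machines just defined, written as an added Python example (not code from the thesis): the synchronous cipher of Equations (26)-(28) with a counter as next-state function $f$, and the self-synchronizing cipher of Equations (30)-(32) with $v = 4$ previous ciphertext symbols as state. The keystream function $g$ is a constructed stand-in (SHA-256 of key and state, truncated to one byte) so that the example runs offline; it is not E0 or any deployed cipher, and the key, message and function names are the example's own. The `error_propagation` calls show the property discussed in Section 4.3.1.1: a corrupted ciphertext symbol changes exactly one plaintext symbol of the synchronous cipher (which is also why a controlled change can only be caught by a MAC), while the self-synchronizing cipher is disturbed for at most $v + 1$ symbols and then resynchronizes.

```python
"""Synchronous vs. self-synchronizing (asynchronous) additive stream ciphers.

Added example, not code from the thesis: both ciphers are written as the finite
state machines of Equations (26)-(28) and (30)-(32). The keystream function g
is a constructed toy (SHA-256 of key and state, truncated to one byte) chosen
only to make the example self-contained; it is not E0 or any real cipher.
Symbols are bytes and h is XOR, so h^{-1} = h.
"""
import hashlib


def g(state: bytes, key: bytes) -> int:
    """Keystream symbol z_t = g(s_t, k): one byte derived from key and state (toy)."""
    return hashlib.sha256(key + state).digest()[0]


def sync_encrypt(key: bytes, message: bytes) -> bytes:
    """Synchronous cipher: s_{t+1} = f(s_t, k) with f a counter, z_t = g(s_t, k),
    c_t = h(z_t, m_t) = z_t XOR m_t."""
    out = bytearray()
    for t, m in enumerate(message):
        s_t = t.to_bytes(8, "big")     # f: the state is simply the symbol counter
        out.append(g(s_t, key) ^ m)    # h: XOR
    return bytes(out)


sync_decrypt = sync_encrypt  # h^{-1} = h: the decryption device equals the encryption device


def selfsync_encrypt(key: bytes, message: bytes, iv: bytes, v: int = 4) -> bytes:
    """Self-synchronizing cipher: s_t = (c_{t-v}, ..., c_{t-1}); the public IV fills s_0."""
    assert len(iv) == v
    out = bytearray()
    history = bytearray(iv)
    for m in message:
        s_t = bytes(history[-v:])
        c = g(s_t, key) ^ m
        out.append(c)
        history.append(c)              # the state is made of ciphertext, not plaintext
    return bytes(out)


def selfsync_decrypt(key: bytes, ciphertext: bytes, iv: bytes, v: int = 4) -> bytes:
    """Decryption differs from encryption: the state is fed with received ciphertext."""
    out = bytearray()
    history = bytearray(iv) + bytearray(ciphertext)
    for t, c in enumerate(ciphertext):
        s_t = bytes(history[t:t + v])  # (c_{t-v}, ..., c_{t-1}), IV for negative indices
        out.append(g(s_t, key) ^ c)
    return bytes(out)


def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate a transmission error (or a deliberate change) in one ciphertext symbol."""
    b = bytearray(data)
    b[index] ^= mask
    return bytes(b)


def error_propagation(cipher: str, key: bytes, message: bytes, index: int) -> list:
    """Positions of the plaintext symbols that differ after ciphertext symbol `index`
    is corrupted: [index] for "sync", a window of at most v + 1 symbols for "selfsync"."""
    iv = b"\x00" * 4
    if cipher == "sync":
        pt = sync_decrypt(key, flip_bit(sync_encrypt(key, message), index))
    else:
        pt = selfsync_decrypt(key, flip_bit(selfsync_encrypt(key, message, iv), index), iv)
    return [i for i, (a, b) in enumerate(zip(pt, message)) if a != b]


if __name__ == "__main__":
    key = b"constructed-example-key"
    msg = b"synchronous ciphers have no error propagation"
    print("sync    :", error_propagation("sync", key, msg, 10))      # only position 10
    print("selfsync:", error_propagation("selfsync", key, msg, 10))  # 10..14 at most, then resync
```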

4.4. Pseudo-random generator

Pseudo-random numbers are used if it is too time-consuming to generate true random numbers (e.g. with Johnson noise, semiconductor diodes or a Schmitt trigger [Davenport58]). A pseudo-random generator is an algorithm that, given a short sequence of random bits, produces a long sequence of bits that "looks" random. The output sequence cannot be distinguished in polynomial time from a truly random sequence.

As mentioned above, pseudo-random generators are used to extend a secret key into a keystream for a stream cipher cryptosystem. Some of the earliest practical keystream generators were intended to act as pseudo-random number generators.

The pseudo-random generator takes as input some initial state vector $\{x_0, \ldots, x_{n-1}\}$, which is derived from the fixed-length key. The output of the generator is a bitstream $\{x_i\}_{i \ge 0}$, which is used to encrypt the message $m = (m_0, m_1, \ldots)$ as

$$m_i + x_i \equiv c_i \pmod 2, \quad 0 \le i \le \operatorname{len}(m) - 1, \tag{33}$$

where $\{c_i\}_{i \ge 0}$ is the ciphertext.

The period of a bitstream $\{x_i\}_{i \ge 0}$ is the smallest positive integer $p$ that satisfies

$$x_{i+p} = x_i \tag{34}$$

for all $i \ge 0$. If the period of the keystream is too short, then different parts of the plaintext will be encrypted in an identical way, and this constitutes a severe weakness. Knowledge of the plaintext allows recovery of the corresponding portion of the keystream, and the cryptanalyst can then use the fact that this portion of keystream is used elsewhere in the encryption to successfully decrypt the ciphertext.
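An added Python illustration (not code from the thesis) of why the period $p$ of Equation (34) must be long. A constructed toy generator with period 24 drives Equation (33); `keystream_period` is the designer's check that measures $p$ from the keystream itself, and `recover_with_known_plaintext` shows the weakness just described: a known plaintext prefix longer than one period exposes the entire keystream and therefore the entire message. The generator, the seed, the message and the assumed known header are all constructed for this example, and the function names are its own.

```python
"""A too-short keystream period lets known plaintext expose the whole message.

Added example, not code from the thesis. The keystream generator is a
constructed toy whose period is deliberately short; the message, the seed and
the assumed known prefix are constructed as well, and the function names are
this example's own.
"""


def keystream_period(xs):
    """Equation (34): smallest p > 0 with x_{i+p} = x_i for every i in the sample,
    or None if the sample never repeats."""
    n = len(xs)
    for p in range(1, n):
        if all(xs[i + p] == xs[i] for i in range(n - p)):
            return p
    return None


def toy_keystream(seed_bits, length):
    """Constructed generator: repeats its seed, so its period is at most len(seed_bits)."""
    return [seed_bits[i % len(seed_bits)] for i in range(length)]


def bytes_to_bits(data):
    return [(b >> (7 - j)) & 1 for b in data for j in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def xor_bits(a, b):
    """Equation (33), bit by bit: c_i = m_i + x_i mod 2 (and m_i = c_i + x_i mod 2)."""
    return [x ^ y for x, y in zip(a, b)]


def recover_with_known_plaintext(ciphertext_bits, known_prefix_bits, p):
    """A known plaintext prefix yields the first len(prefix) keystream bits. If that
    covers one full period p, the keystream repeats and the rest of the message
    follows; otherwise only the known part is exposed (returns None)."""
    leaked = xor_bits(ciphertext_bits[:len(known_prefix_bits)], known_prefix_bits)
    if len(leaked) < p:
        return None
    full = [leaked[i % p] for i in range(len(ciphertext_bits))]
    return xor_bits(ciphertext_bits, full)


def demo():
    """Encrypt a constructed message with the toy generator, measure the period and
    recover the message from the ciphertext and a known 10-byte header."""
    message = b"header:v1;secret payload follows here"
    seed = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0]
    m_bits = bytes_to_bits(message)
    ks = toy_keystream(seed, len(m_bits))
    p = keystream_period(ks)
    c_bits = xor_bits(m_bits, ks)
    known = bytes_to_bits(b"header:v1;")           # 80 bits assumed known, more than p
    recovered = recover_with_known_plaintext(c_bits, known, p)
    return p, bits_to_bytes(recovered)


if __name__ == "__main__":
    period, plaintext = demo()
    print("measured period:", period)
    print("recovered:", plaintext)
```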

The autocorrelation [Golomb67] $AC(k)$ of a periodic sequence $\{x_i\}_{i \ge 0}$ with period $p$ is

$$AC(k) = \frac{A - D}{p}, \tag{35}$$

where

$$A = |\{0 \le i < p \mid x_i = x_{i+k}\}| \tag{36}$$

and

$$D = |\{0 \le i < p \mid x_i \ne x_{i+k}\}|. \tag{37}$$


The autocorrelation is described by Golomb as the notion of independent trials: knowing some previous value in the sequence is essentially of no help in deducing the current value. It is a measure of the ability to distinguish between a sequence and a copy of the same sequence that has been started at some other point in the period.

If $k$ is a multiple of the period $p$, then the autocorrelation is said to be in-phase and the value of $AC(k)$ is 1. If this is not the case, the autocorrelation is called out-of-phase.

Golomb’s Randomness Postulates [vT88] state a few requirements a pseudo-random generator should fulfill regarding quality:

G1: The number of zeros and ones is as equal as possible per period. Zeros and ones occur with roughly the same probability.

G2: Half of the runs² in a cycle have length 1, one quarter have length 2, ..., $2^{-k}$ of the runs have length $k$. Half of the runs of a certain length are gaps³ and the other half are blocks. After 01 the symbol 0 has almost the same probability as the symbol 1.

G3: The out-of-phase autocorrelation $AC(k)$ has the same value for all $k$. Counting the number of agreements between a sequence and a shifted version of that sequence does not give any information about the period of the sequence unless one shifts over a multiple of the period.

² A run of length $k$ starts at moment $t$ if $x_{t-1} \ne x_t = x_{t+1} = \cdots = x_{t+k-1} \ne x_{t+k}$.

³ A block and a gap of length $k$ is a run of $k$ consecutive 1’s and 0’s, respectively.

Other cryptographic properties of a good pseudo-random generator are collected in the following list:

• The period $p$ of $\{x_i\}$ has to be taken very long. How long mainly depends on the computing power and the application assumed to be in use. So the size of the period can be different for different senders and receivers and for different cryptosystems. The keystream should be long enough to ensure that it is overwhelmingly unlikely that the same portion of keystream is used twice during encryption. In general, if the period is exponential with respect to the length of the pseudo-random generator’s initial state, the rule is fulfilled.

• The sequence $\{x_i\}$ should be easy to generate. This concerns the properties of the hardware or software implementation.

• The system should resist the known-plaintext attack. Knowledge of a part of the plaintext with corresponding ciphertext should not make it possible to generate any more terms of the sequence $\{x_i\}$.

4.5. Linear Feedback Shift Register

As mentioned above, the fundamental property of a keystream generator is to produce symbols that look as random as possible. The distribution of symbols should be uniform and unpredictable. To generate such a sequence of binary bits, a Linear Feedback Shift Register (LFSR) can be used. Although the direct output of an LFSR is not a good keystream generator, since each element is simply a linear combination of the previous symbols, LFSRs are widely used inside stream ciphers.

An LFSR is a shift register whose input is the exclusive-or (XOR) of some of its outputs. The register (see Figure 4.4) consists of a number of cells, each able to hold one symbol at a time. The outputs that influence the input are called taps. The content of the register at time $t$ is called the state of the LFSR at time $t$.

DEFINITION 13. A Linear Feedback Shift Register (LFSR) of length $n$ is a collection of $n$ 1-bit memory elements $s^0_t, s^1_t, \ldots, s^{n-1}_t$. At each time $t$ the memory is updated as follows:

$$s^i_t = s^{i+1}_{t-1} \quad \text{for } i = 0, \ldots, n-2,$$

$$s^{n-1}_t = \bigoplus_{i=1}^{n} c_i \cdot s^{n-i}_{t-1},$$

where the $c_i$ are fixed binary coefficients that define the feedback equation of the LFSR. The LFSR stream $(s_t)_{t \ge 0}$ consists of the successive values in the memory element $s^0$.

A maximal LFSR produces an n-sequence, unless it contains all zeros. The tap sequence of an LFSR can be represented as a polynomial mod 2, which is called the feedback polynomial $P(X)$ of degree $n$, $P(X) = 1 + \sum_{i=1}^{n} c_i \cdot X^i$. The weight of the feedback polynomial is equal to the number of its nonzero terms. If this polynomial is primitive, then the LFSR is maximal. A polynomial is primitive if it has order $2^n - 1$. The state of the register, taken at any time, together with the feedback polynomial, completely determines the produced sequence. For example, if the taps are at the 1st, 3rd, 4th and 6th bits (as in Figure 4.4), the polynomial is $x^{16} + x^5 + x^3 + x^2 + 1$.

The behaviour of the register is regulated by a counter (in hardware this counter is often referred to as a ’clock’). At each time $t \ge 0$, the device is clocked and the contents of the cells of the register are shifted right by one position, and the XOR of the contents of a subset of the cells (the taps) is placed in the leftmost cell. One bit of output is usually derived during this update procedure.

FIGURE 4.4. Linear Feedback Shift Register [Wikipedia05]


Since there are only a finite number of possible states, the sequence produced by the LFSR must repeat itself after a finite period $p$, i.e. every sequence $s_0 s_1 \cdots$ of period $p$ satisfies a linear recurrence of length $p$, namely $s_{i+p} = s_i$ for all $i \ge 0$. A sequence may additionally satisfy a shorter recurrence, that is, each bit of the sequence can be defined using some linear expression which involves bits that are less than $p$ bits away. The length of the shortest recurrence is defined to be the linear complexity of the sequence. A high linear complexity means that more of the sequence has to be observed before the recurrence can be identified and that a longer register is required to duplicate the sequence.

For a register of length $n$, a sequence with maximum period that satisfies Golomb’s Postulates has period $2^n - 1$ (since there are $2^n$ states and the all-zero state cannot occur). An output sequence of an LFSR of length $n$ is called a PN (pseudo-noise) sequence if its period is $2^n - 1$. Hence, all non-zero sequences of this LFSR are shifted versions of each other. These sequences can easily and quickly be generated and have good properties of random appearance. But the drawback is that they only have linear complexity $n$, since they are generated using an $n$-stage linear feedback shift register.

The Berlekamp-Massey algorithm [Massey69], introduced in Section 3.4.5, can be used on $2n$ successive bits of the output sequence to deduce the feedback and the initial state of the register used to generate the sequence. The algorithm calculates the linear recurrence of the sequence and this offers some indication of how difficult a sequence might be to replicate.
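An added Python example (not code from the thesis) that ties together Definition 13, the autocorrelation of Equations (35)-(37), Golomb's postulates G1-G3 of Section 4.4 and the Berlekamp-Massey recovery just described, all on one constructed LFSR. The feedback polynomial $x^4 + x + 1$ (primitive, so the register is maximal with period $2^4 - 1 = 15$), the initial state 1000 and the function names are this example's own choices; the Berlekamp-Massey routine is Massey's formulation over $\mathrm{GF}(2)$, used here in place of the Euclidean-algorithm view given in Section 3.4.5.

```python
"""LFSR output, Golomb's postulates and Berlekamp-Massey on one constructed example.

Added example, not code from the thesis. It implements the LFSR of Definition 13,
the autocorrelation of Equations (35)-(37), a check of Golomb's postulates G1-G3
and the Berlekamp-Massey algorithm that recovers the feedback polynomial and the
initial state from 2n output bits. The polynomial x^4 + x + 1 and the initial
state 1000 are this example's choices; the polynomial is primitive, so the
register is maximal with period 2^4 - 1 = 15.
"""


def lfsr_sequence(coeffs, state, length):
    """Definition 13. coeffs = [c_1, ..., c_n] of P(X) = 1 + sum_i c_i X^i and
    state = [s^0, ..., s^{n-1}]. Returns `length` successive values of cell s^0."""
    n = len(coeffs)
    s = list(state)
    out = []
    for _ in range(length):
        out.append(s[0])
        fb = 0
        for i in range(1, n + 1):          # s^{n-1}_t = XOR_{i=1..n} c_i * s^{n-i}_{t-1}
            fb ^= coeffs[i - 1] & s[n - i]
        s = s[1:] + [fb]                   # s^i_t = s^{i+1}_{t-1} for i = 0 .. n-2
    return out


def period(seq):
    """Smallest p > 0 with x_{i+p} = x_i throughout the sample (Equation 34), else None."""
    for p in range(1, len(seq)):
        if all(seq[i + p] == seq[i] for i in range(len(seq) - p)):
            return p
    return None


def autocorrelation(seq, p, k):
    """Equations (35)-(37): AC(k) = (A - D) / p over one period, indices taken mod p."""
    agree = sum(1 for i in range(p) if seq[i] == seq[(i + k) % p])
    return (agree - (p - agree)) / p


def runs(seq, p):
    """(symbol, length) of every maximal run in one period, read cyclically
    (footnotes 2 and 3 of Section 4.4: blocks are runs of 1s, gaps runs of 0s)."""
    cyc = seq[:p]
    start = next((i for i in range(p) if cyc[i] != cyc[i - 1]), 0)
    cyc = cyc[start:] + cyc[:start]        # rotate so a run boundary comes first
    result, i = [], 0
    while i < p:
        j = i
        while j < p and cyc[j] == cyc[i]:
            j += 1
        result.append((cyc[i], j - i))
        i = j
    return result


def golomb_report(seq, p):
    """G1: balance of 0s and 1s; G2: run-length distribution; G3: out-of-phase AC(k)."""
    ones = sum(seq[:p])
    by_length = {}
    for _, length in runs(seq, p):
        by_length[length] = by_length.get(length, 0) + 1
    return {
        "G1_balanced": abs(ones - (p - ones)) <= 1,
        "G2_runs_by_length": by_length,
        "G3_out_of_phase_values": {autocorrelation(seq, p, k) for k in range(1, p)},
        "in_phase": autocorrelation(seq, p, 0),
    }


def berlekamp_massey(bits):
    """Massey's algorithm over GF(2). Returns (L, C): L is the linear complexity and
    C = [1, c_1, ..., c_L] the connection polynomial, so that for every j >= L
    bits[j] = XOR_{i=1..L} c_i * bits[j - i]. 2L bits determine the register."""
    C, B, L, m = [1], [1], 0, 1
    for i, bit in enumerate(bits):
        d = bit                            # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        C = C + [0] * max(0, len(B) + m - len(C))
        for j, b in enumerate(B):          # C(x) <- C(x) + x^m B(x)
            C[j + m] ^= b
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]


def recover_register(bits):
    """Section 4.5: from 2n output bits deduce the feedback coefficients and the
    initial state; lfsr_sequence(taps, init, ...) then regenerates the stream."""
    L, C = berlekamp_massey(bits)
    return C[1:], bits[:L]


if __name__ == "__main__":
    coeffs, state = [1, 0, 0, 1], [1, 0, 0, 0]       # x^4 + x + 1, initial state 1000
    seq = lfsr_sequence(coeffs, state, 60)
    p = period(seq)
    print("period:", p, "one period:", "".join(map(str, seq[:p])))
    print("Golomb:", golomb_report(seq, p))
    taps, init = recover_register(seq[:8])          # 2n = 8 bits suffice
    print("recovered taps:", taps, "state:", init)
    print("regenerates:", lfsr_sequence(taps, init, 60) == seq)
```

For the 15-bit period the report shows the textbook m-sequence profile: 8 ones against 7 zeros (G1), four runs of length 1, two of length 2 and one each of lengths 3 and 4 (G2), and a single out-of-phase autocorrelation value of $-1/15$ (G3), while `berlekamp_massey` returns linear complexity 4 and the connection polynomial $1 + x + x^4$ from only 8 output bits, which is exactly why a bare LFSR cannot serve as a keystream generator.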

Sequences generated by maximum-length LFSRs have good statistical properties, desirable for keystream generator construction, but the linearity needs to be destroyed. The linear complexity has to be increased before the sequence can be used. A classical method is to use several LFSRs and combine the output from each of them using a Boolean function.

A shift register cascade is a set of LFSRs connected together in such a way that the behaviour of one particular LFSR depends on the behaviour of the previous LFSRs in the cascade. This dependent behaviour is usually achieved by using one LFSR to control the counter of the following LFSR. For instance, one register might be advanced by one step if the preceding register output is 1 and advanced by two steps otherwise.

A stream cipher based on the simple interaction between the outputs from two LFSRs is called a shrinking generator. The shrinking generator was developed by Coppersmith, Krawczyk and Mansour [Coppersmith94]. The bits of one output are used to determine whether the corresponding bits of the second output will be used as part of the overall keystream. The shrinking generator is simple and scalable, and has good security properties. One drawback of the shrinking generator is that the output rate of the keystream will not be constant unless precautions are taken. A variant of the shrinking generator is the self-shrinking generator, where instead of using the output of one LFSR to "shrink" the output of another (as in the shrinking generator), the output of a single LFSR is used to extract bits from the same output.

LFSRs are fast and easy to implement in both hardware and software. With a judicious choice of feedback taps the sequences that are generated can have a good statistical appearance, although still linear. LFSRs are useful as building blocks in more secure systems that require very fast generation of a pseudo-random sequence, such as a direct-sequence spread spectrum radio.

The next chapter covers different types of attacks on stream ciphers.


CHAPTER 5

Stream Cipher Attacks

5.1. Stream Cipher Weaknesses

The most typical use of a stream cipher for encryption is to generate a keystream in a way that depends on the secret key and then to combine this (typically using bitwise XOR) with the message being encrypted.

It is imperative that the keystream "looks" random; that is, after seeing increasing amounts of the keystream, an adversary should have no additional advantage in being able to predict any of the subsequent bits of the sequence. While there are some attempts to guarantee this property in a provable way, most stream ciphers rely on ad hoc analysis. A necessary condition for a secure stream cipher is that it passes a battery of statistical tests. These tests can estimate (among other things) the frequencies with which individual bits or consecutive patterns of bits of different sizes occur. Such tests might also check for correlation between bits of the sequence occurring at some time instant and those at other points in the sequence. Clearly the amount of statistical testing will depend on the thoroughness of the designer. It is a rare and poorly designed stream cipher that does not pass most suites of statistical tests.

The only secret information (besides the plaintext) is the initial state, which must be exchanged before starting the transmission using a suitable key-exchange protocol. It is usual to make the assumption that an attacker knows not only the encrypted bit stream but even some short piece of the plaintext, and therefore can easily compute some piece of the keystream. Consequently, the security of keystream generators has to be based on the assumption that there is no feasible way to compute the secret initial state.


The keystream will always leak information about the initial key and will always have statistical deviations from a truly random sequence. An attacker can almost always derive some useful information, given a long enough keystream sequence. The aim for any stream cipher is to minimize that information leakage.

A keystream might potentially have structural weaknesses that allow an adversary to deduce some information about the keystream. Most obviously, if the period of a keystream, that is, the number of bits in the keystream before it begins to repeat, is too short, the adversary can apply discovered parts of the keystream to help in the decryption of other parts of the ciphertext. A stream cipher design should be accompanied by a guarantee of the minimum period for the keystreams that might be generated or, alternatively, good theoretical evidence for the value of the lower bound on such a period. Without this, the user of the cryptosystem cannot be assured that a given keystream will not repeat sooner than might be required for cryptographic safety.

A more involved set of structural weaknesses might offer the opportunity of finding alternative ways to generate parts or even the whole of the keystream. Chief among these approaches might be using a linear feedback shift register to replicate part of the sequence. The motivation to use a linear feedback shift register is due to the algorithm of Berlekamp and Massey [Massey69], which takes as input a finite sequence of bits and generates as output the details of a linear feedback shift register that could be used to generate that sequence. This gives rise to the measure of security known as the linear complexity of a sequence; for a given sequence, the linear complexity is the size of the linear feedback shift register that needs to be used to replicate the sequence. Clearly a necessary condition for the security of a stream cipher is that the sequences it produces have a high linear complexity.

Other attacks attempt to recover part of the secret key that was used. Apart from the most obvious attack (which can always be performed) of searching for the key by brute force (exhaustive key search), a powerful class of attacks can be described by the term divide and conquer. The security of stream ciphers is thus always measured relative to the complexity of exhaustive search for the correct key. If the complexity of an attack is less than that of the exhaustive search, the cipher is said to be broken. For a stream cipher in practical application, the actual security is often much more dependent on other parts of the system than on the cipher, e.g. protocols, users, key management/storage, implementation problems like software bugs, etc.


During offline analysis the cryptanalyst identifies some part of the key that has a direct and immediate effect on some aspect or component of the generated keystream. By performing a brute-force search over this smaller part of the secret key and observing how well the sequences generated match the real keystream, the cryptanalyst can potentially deduce the correct value for this smaller fraction of the secret key [Koç95]. This correlation between the keystream produced after making some guess to part of the key and the intercepted keystream gives rise to what are termed correlation attacks and later the more efficient fast correlation attacks.

Finally there are some implementation considerations. A synchronous stream cipher allows an adversary to change bits in the plaintext without any error-propagation to the rest of the message. If authentication of the message being encrypted is required, the use of a cryptographic Message Authentication Code (MAC) might be advisable. Sometimes the synchronization between sender and receiver might be lost with a stream cipher and some method is required to ensure the keystreams can be put back into step. One typical way of doing this is for the sender of the message to intersperse synchronization markers into the transmission so only that part of the transmission, which lies between synchronization markers, might be lost.

Stream ciphers seem to be inherently weaker than block ciphers. Attacks on block ciphers (e.g. differential attacks) are also applicable to stream ciphers, but specific stream cipher attacks (e.g. correlation attacks) are not applicable to block ciphers. It also seems that algebraic attacks and generic time-memory trade-off attacks are more effective against stream ciphers. Ultimately most stream ciphers will be replaced with block ciphers in most departments, except in some applications where a software oriented scheme with a very high speed or a hardware oriented scheme with a very small footprint is required.

5.2. Evaluation criteria

While analyzing and evaluating the security of stream ciphers, the following criteria should be considered [Dasgupta05]:

Time complexity: The required number of operations that are needed to carry out the attack. It is of less theoretical importance to specify the operations that are performed, as long as they can be performed in polynomial time. The time complexity can be split up into pre-computational complexity and active attack complexity. The pre-computational part can be performed without the observed keystream and is often required to be performed only once. The result can be used for attacking the cipher with different keys. The active attack part is the complexity of the operations needed to be performed while observing the keystream.

The best known attack should not be faster than an exhaustive search on the secret key.

Data complexity: The amount of observed keystream data required for the attack to be successful with a certain probability.

Memory complexity: The required amount of memory needed to perform the attack. If the complete observed keystream needs to be available during the attack, the memory complexity will be equal to the data complexity.

An attack that requires fewer resources than supposed at the design of the stream cipher makes the stream cipher less recommendable.

Environment: The evaluation should occur in the stated environment, considering side channel attacks (these attacks are based on information gained from the physical implementation rather than on a weakness in the algorithm).

Resistance: A stream cipher should be resistant to cryptanalytic attacks at the relevant security level.

Different approaches for these cryptanalytic attacks should be considered:

Ciphertext only attack: This attack is the most powerful, since it only requires passive eavesdropping on the ciphertext. The information known by the cryptanalyst is minimal, but may include information about the distribution of the plaintext, e.g. the language of the encrypted plaintext.

Known Plaintext attack: For this attack it is assumed that the attacker already knows a portion of the plaintext. The aim may be to recover the secret key of the cipher or at least determine some unknown portion of the ciphertext.

Chosen Plaintext attack: This scenario gives the attacker the ability to encrypt a chosen plaintext. This situation can occur if an encryption box with an unknown secret key is available or when it is possible to send a chosen plaintext to the owner of the secret key and then eavesdrop the transmission of the chosen text in encrypted form.


Chosen Ciphertext attack: This attack is similar to the previous, but requires the ability to choose the ciphertext for a decrypting device.

Adaptive chosen plaintext or ciphertext attack: This theoretically interesting situation assumes the ability of adaptive choice of encrypted text based on already available results of encryption or decryption. This is only possible if the attacker has a device with an unknown secret key.

Related keys: For this attack, the knowledge of a relation between keys in different encryptions is assumed. This attack is combined with one of the scenarios described above. Important flaws in the key scheduling algorithm of the cipher may be discovered with this attack.

Partial knowledge of the key: In this scenario the attacker possesses partial knowledge of the secret key. This can occur for example due to a flaw in the randomization procedure which generates the encryption keys. In a good cipher, the knowledge of a part of the key should not make finding the rest of the key easier.

Strength of Modified Primitives: This technique assesses the strength of a stream cipher by examining the strength of a modified one, by changing or removing a component. Conclusions about the original stream cipher based on assessment of the modified one have to be carefully considered as the influence may or may not be straightforward.

While analyzing and evaluating the security of stream ciphers, it is customary to consider known plaintext attacks. This is based on the famous principle of Kerckhoffs, discussed in Section 3.4.2.

5.3. Attacks

Different types of attacks on stream ciphers exist. In this section we will provide a basic overview of the best-known attacks and the weaknesses they build upon.


5.3.1. Brute-force attack

For the brute-force attack, or exhaustive key search attack, we consider a nonlinear combination generator with k bits of key, where the length of the LFSR is k bits. The key initialization is simply done by loading the LFSR with the key bits. The attack is performed by storing the first 2k bits of the observed keystream. We then load each possible key into the cipher and clock it 2k times and compare the output of each run with the stored sequence. When we find a match, we have identified the correct key. We see that the time complexity is $O(k \cdot 2^k)$, the data complexity is $O(k)$ and the memory complexity is $O(k)$.

5.3.2. Trade-off attacks

In this type of attacks, the time taken to find the secret key is reduced at the expense of the memory required to mount the attack. The attack has a pre-processing phase and a real-time (active) processing phase. Within the pre-processing phase, the cryptanalyst explores the algorithm and stores pre-computed data in a table. During the real-time or active phase, the actual data, based on an unknown key, is provided and the pre-computed tables are to be used to find the key as quickly as possible.

For many ciphers we can do a trade-off for the time, memory, and data complexity in the case of an exhaustive key search.

Consider again the attack on a nonlinear combination generator of Section 5.3.1, but now we start with a pre-computation of the generated sequences for $2^{k/2}$ randomly selected keys. We store the first 2k bits of output for each chosen key together with the key used. In the active phase we observe $2^{k/2}$ bits of keystream material, generated with the unknown key. Now, scanning the observed sequence and for each position, we try to match the next 2k bits with the sequences we have pre-computed. When we find a match we can directly get the state of the LFSR that generated the subsequence. Reversing the LFSR to the initial state, we have now found the correct key. This approach has time complexity $O(2^{k/2})$ for scanning the observed sequence and matching subsequences to our pre-computed database. The memory complexity is $O(k \cdot 2^{k/2})$ for storing the pre-computed sequences and the respective key, and finally the data complexity is $O(2^{k/2})$.


This trade-off between time, memory and data complexities is not only limited to an exhaustive key search, but could also be employed in other attack scenarios as well, using the same basic ideas. The trade-off is based on the well known birthday paradox, which implies that two random subsets of a space with N points are likely to intersect when the product of their sizes exceeds N.

To protect the stream cipher against a trade-off attack, the state space of the cipher must be at least twice the size of the key space. In the context of stream ciphers, this usually means that the combined lengths of the LFSRs in the cipher must be twice as large as the key size and during the initialization of the cipher, the key material must be spread into the state space in a random fashion.
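The exhaustive search of Section 5.3.1 and the trade-off of Section 5.3.2 side by side, as an added example (not the thesis's code and not E0). The toy cipher is constructed here: a single 12-bit Fibonacci LFSR whose initial state is the key, with a nonlinear Boolean filter of the state as the keystream bit, so that both attacks run in seconds. The trade-off stores 2k keystream bits per table entry, slides a 2k-bit window over the observed keystream, and clocks the register backwards from a hit to recover the initial state, exactly as the text describes; every candidate is verified on the whole keystream because a 2k-bit match can be a false hit.

```python
"""Exhaustive key search (5.3.1) versus a time-memory trade-off (5.3.2) on a toy generator.

Added example, not the thesis's code and not E0. The toy cipher is constructed here:
one k-bit Fibonacci LFSR whose initial state is the key, plus a nonlinear Boolean filter
of the state as the keystream bit; k = 12 keeps both attacks runnable.
"""
import random

K = 12                    # register length = key length in bits
TAPS = (0, 1, 4, 6)       # x^12 + x^6 + x^4 + x + 1, from the standard table of primitive polynomials
WINDOW = 2 * K            # the attacks compare 2k keystream bits, as in the text


def lfsr_step(state):
    """Clock once: cell 0 is shifted out, the XOR of the tapped cells is shifted in."""
    fb = 0
    for t in TAPS:
        fb ^= state[t]
    return state[1:] + [fb]


def lfsr_unstep(state):
    """Undo one clock: the feedback equation gives back the shifted-out cell."""
    b = state[-1]
    for t in TAPS:
        if t:
            b ^= state[t - 1]
    return [b] + state[:-1]


def filter_bit(state):
    """Nonlinear output filter f(s) = s0 + s2*s5 + s7*s9 + s10 over GF(2)."""
    return state[0] ^ (state[2] & state[5]) ^ (state[7] & state[9]) ^ state[10]


def key_to_state(key):
    return [(key >> i) & 1 for i in range(K)]


def state_to_key(state):
    return sum(bit << i for i, bit in enumerate(state))


def keystream(key, n):
    state, out = key_to_state(key), []
    for _ in range(n):
        out.append(filter_bit(state))
        state = lfsr_step(state)
    return out


def brute_force(observed):
    """5.3.1: load every key, clock 2k times, compare with the stored 2k bits.
    O(k 2^k) time, O(k) data; a hit is confirmed on the rest of the keystream."""
    for key in range(1, 1 << K):
        if keystream(key, WINDOW) == observed[:WINDOW] and keystream(key, len(observed)) == observed:
            return key
    return None


def build_table(n_keys, rng):
    """5.3.2 pre-processing: 2k output bits for n_keys random keys, indexed by output."""
    table = {}
    for _ in range(n_keys):
        key = rng.randrange(1, 1 << K)
        table[tuple(keystream(key, WINDOW))] = key
    return table


def tradeoff_attack(observed, table):
    """5.3.2 active phase: slide a 2k-bit window over the observed keystream and look
    it up. A hit gives the register state at that position; clocking it back to
    position 0 yields the key, verified on the whole keystream (false hits are skipped)."""
    for pos in range(len(observed) - WINDOW + 1):
        key_at_pos = table.get(tuple(observed[pos:pos + WINDOW]))
        if key_at_pos is None:
            continue
        state = key_to_state(key_at_pos)
        for _ in range(pos):
            state = lfsr_unstep(state)
        key = state_to_key(state)
        if keystream(key, len(observed)) == observed:
            return key
    return None


def run_demo(seed=1, factor=4):
    """Recover a random key both ways. The table holds factor * 2^(k/2) entries and as
    many windows are scanned, so about factor^2 hits are expected (birthday paradox);
    factor=1 is the textbook trade-off with roughly 63 % success per run."""
    rng = random.Random(seed)
    secret = rng.randrange(1, 1 << K)
    size = factor * 2 ** (K // 2)
    table = build_table(size, rng)
    observed = keystream(secret, size + WINDOW - 1)
    return brute_force(observed) == secret, tradeoff_attack(observed, table) == secret
```

The design point of the example is the protection rule stated above: here the state space equals the key space (both 2^12), so 2^6 table entries and 2^6 observed windows already meet in the state space with constant probability. Doubling the state size relative to the key, and spreading the key into the state during initialization, is what pushes the product of table size and data back above the number of reachable states.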

5.3.3. Guess-and-determine attacks

In this attack we start by guessing some internal variables of the cipher (e.g. a part of the LFSR) and then try to determine the other variables based on the observed keystream and the evolution of the cipher in time. If our guess is correct, we can confirm it by running the cipher for some time and match the output from our trial generator with the observed sequence. If our guess is false, we simply make a new guess and start over again. The time complexity of such an attack is $O(2^b)$, where b is the number of bits we have to guess, since in the worst case we have to try all possible combinations of the guessed bits. The difficult part of this attack is to discover which part of the state space should be guessed in order to obtain the rest.

5.3.4. Correlation attacks or Siegenthaler’s attack

A correlation attack is a widely applicable type of attack which might be used with success on generators which attempt to combine the output from several (cryptographically weak) keystream generators.

Siegenthaler introduced the correlation attack in [Siegenthaler84] and [Siegenthaler85].

A correlation attack exploits the weakness in some combining function which allows information about individual input sequences to be observed in the output sequence. In such a case, there is a correlation between the output sequence and one of the (internal) input sequences. This correlation can be used to extract information about the correlated input sequences. In the simplest case, a correlation means that the output is equal to one of the input variables with a probability not equal to 0.5. Siegenthaler showed in his paper [Siegenthaler84] that a smaller linear complexity of the output sequence means greater correlation immunity.

As a protection against these correlation attacks, Rueppel introduced in [Rueppel86] the idea of a combining function with memory that makes it possible to attain maximum-order correlation immunity and maximum linear complexity simultaneously, making a separation between the ideas of correlation immunity and linear complexity.

5.3.5. Fast Correlation attack

Meier and Staffelbach refined the correlation attack in [Meier89] and [Meier94]. This new model (see Figure 5.1) is known as a fast correlation attack. The fast correlation attack is based on using certain parity check equations created from the feedback polynomial of the LFSR.

FIGURE 5.1. Meier and Staffelbach’s fast correlation attack model

The attack assumes that there is a correlation between one shift register of the LFSR and the output keystream $z_t$: $P(s^1_t = z_t) = p = \frac{1}{2} + \varepsilon$, $t \ge 0$. Meier and Staffelbach saw this as if the sequence from LFSR1 was transmitted over a Binary Symmetric Channel (BSC) [1], with crossover probability $1 - p$, i.e. the BSC transmits the symbol correctly with a probability $p$. The combined effect of the other shift registers and the nonlinear combiner is modeled as the BSC. Since the feedback polynomial of LFSR1 is linear, each $s_t$ for different $t$ must satisfy a number of linear equations, based on how many taps the feedback polynomial has, and where the taps are located. If the correlation between $s_t$ and $z_t$ is high enough, most of the corresponding symbols in the keystream $z_t$ must also fulfill these linear equations. So, by attempting to slightly modify the sequence $z_t$ to compensate for a possible crossover in the BSC model, Meier and Staffelbach showed that the sequence $s = s^1_0, s^1_1, \ldots, s^1_N$ can be recovered and thus the initial state of the shift register.

[1] A Binary Symmetric Channel (BSC) is an idealized model of a binary communication channel. Within a BSC, the probability of a 1 becoming a 0 is assumed to be the same as the probability of a 0 becoming a 1 (symmetric). This assumption makes analysis much easier, but is often not valid in practical situations (e.g. pulses). [Wikipedia05]

The drawback of this algorithm is that it is only successful if the feedback polynomial has very few terms, which corresponds to an LFSR with few taps.

The idea of a communication channel was reconsidered by Johansson and Jönsson in [Johansson00] where they identified an embedded convolutional code [2] in the sequences and could apply standard decoding techniques, e.g. the Viterbi algorithm [3], to recover the initial state even if the correlation probability was very close to 0.5. Typically, a shift register of length 40 with a correlation probability of 0.45 can be attacked with modest computational effort. This algorithm is independent of the number of taps of the feedback polynomial.

5.3.6. Divide and Conquer attack

In a Divide and Conquer attack, a part of the key is guessed and this constraint on the keystream may make it possible to determine the rest of the key faster. This attack is mostly combined with a correlation attack to determine the rest of the key.
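Siegenthaler's correlation attack used as a divide and conquer attack (Sections 5.3.4 and 5.3.6), compared with the exhaustive search of Section 5.3.1, as an added example that is not the thesis's code and not E0. The target is a constructed Geffe generator: three LFSRs x1, x2, x3 combined as z = x1 x2 + (1 + x2) x3, a textbook combiner whose output agrees with x1 and with x3 in 3/4 of all positions. Each correlated register is recovered alone by trying all of its initial states and keeping the one that agrees most often with the observed keystream; the uncorrelated register x2 is then searched exhaustively with the other two fixed. The register lengths and feedback polynomials are choices for this example.

```python
"""Siegenthaler's correlation attack as divide and conquer (5.3.4, 5.3.6) on a Geffe
generator, against exhaustive search (5.3.1).

Added example, not the thesis's code and not E0. The Geffe generator is constructed
here: three LFSRs x1, x2, x3 combined as z = x1*x2 + (1 + x2)*x3, so the keystream
agrees with x1 and with x3 in 3/4 of all positions (P(z = x1) = P(z = x3) = 0.75).
"""
import random

# (feedback taps, length): x^7 + x + 1, x^9 + x^4 + 1, x^11 + x^2 + 1 (all primitive)
R1, R2, R3 = ((0, 1), 7), ((0, 4), 9), ((0, 2), 11)


def lfsr(reg, state, n):
    """Clock a Fibonacci LFSR n times. state is an int (bit i = cell i); cell 0 is the
    output and the XOR of the tapped cells enters at the top."""
    taps, length = reg
    out = []
    for _ in range(n):
        out.append(state & 1)
        fb = 0
        for t in taps:
            fb ^= (state >> t) & 1
        state = (state >> 1) | (fb << (length - 1))
    return out


def geffe(n, k1, k2, k3):
    """Keystream of the constructed Geffe generator from the three initial states."""
    x1, x2, x3 = lfsr(R1, k1, n), lfsr(R2, k2, n), lfsr(R3, k3, n)
    return [(a & b) ^ ((1 ^ b) & c) for a, b, c in zip(x1, x2, x3)]


def best_correlated_state(reg, z):
    """Try every initial state of one register alone and keep the one whose output
    agrees most often with the keystream; returns (state, agreement rate)."""
    best, best_agree = None, -1
    for st in range(1, 1 << reg[1]):
        agree = sum(a == b for a, b in zip(lfsr(reg, st, len(z)), z))
        if agree > best_agree:
            best, best_agree = st, agree
    return best, best_agree / len(z)


def correlation_attack(z):
    """Divide and conquer: x1 and x3 fall to correlation; x2, uncorrelated with z, is
    then searched exhaustively with the other two fixed and verified on all of z."""
    k1, _ = best_correlated_state(R1, z)
    k3, _ = best_correlated_state(R3, z)
    for k2 in range(1, 1 << R2[1]):
        if geffe(len(z), k1, k2, k3) == z:
            return k1, k2, k3
    return None


def work_factors():
    """Trials needed: full exhaustive search versus the divide-and-conquer attack."""
    total = R1[1] + R2[1] + R3[1]
    return 2 ** total, 2 ** R1[1] + 2 ** R3[1] + 2 ** R2[1]


def run_demo(seed=7, n_bits=200):
    """Generate keystream under a random key and check that the attack recovers it."""
    rng = random.Random(seed)
    secret = tuple(rng.randrange(1, 1 << reg[1]) for reg in (R1, R2, R3))
    z = geffe(n_bits, *secret)          # the eavesdropped keystream
    return correlation_attack(z) == secret
```

With 200 keystream bits the correct state of a correlated register agrees in about 150 positions while every wrong state agrees in about 100, so the divide and conquer search costs 2^7 + 2^11 + 2^9 trials against 2^27 for exhaustive search. Rueppel's remedy quoted above, a combiner with memory, and correlation-immune combining functions in general, remove exactly the per-register correlation this attack relies on.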

5.3.7. Algebraic attacks or Linearisation attack

Algebraic attacks are based on a technique called relinearisation, introduced by Kipnis and Shamir in [Kipnis99]. In most cases, the generated keystream can be described by a complex system of multivariate polynomial equations with the key bits as the indeterminates.

[2] Essentially, a convolutional code is a linear system defined over a finite field.

[3] The Viterbi algorithm, named after its developer Andrew Viterbi, is a dynamic programming algorithm for finding the most likely sequence of hidden states, known as the Viterbi path, that result in a sequence of observed events, especially in the context of hidden Markov models.

The general idea behind algebraic attacks is to form (non-linear) equations consisting of the observable keystreams $z_t$ for all clock ticks $t$, and the initial secret key bits of the LFSRs as unknowns. The pre-computation of these equations need only be performed once; the attacker can use the same equations for attacking different keystreams. Once the equations are set up, the attacker has to observe the keystream and substitute these keystream bits into the algebraic equations. Now, the equations will merely depend on the initial secret LFSR key bits. The equations have to be solved to determine the value of the LFSRs' initialization keys. This is possible if sufficient equations can be constructed from the observed keystream and the equations are of low degree in the bits of the initialization keys.

To solve a system of nonlinear equations, we have to linearize the equations. This can be done by assigning a new unknown variable to each monomial term that appears in the system. If the same monomial appears in a distinct equation, the same variable will be assigned. This results in a system of linear equations, with a large number of unknown variables.

A straightforward example of a linearisation process, where the monomials x, y and xy are replaced by the new variables a, b and c:

    x + y = 1              a + b = 1
    x + xy = 0      →      a + c = 0
    xy = 0                 c = 0

The solution x = 0, y = 1 of the original system corresponds to a = 0, b = 1, c = 0 in the linearised one.
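The linearisation step carried out in code, as an added example that is not the thesis's code: every distinct monomial becomes a fresh variable, the resulting linear system is solved by Gauss-Jordan elimination over GF(2), and the solution is mapped back to the monomials. The text's example (x + y = 1, x + xy = 0, xy = 0) is constructed inline; a second constructed system shows the caveat a practitioner needs: linearisation forgets that c stands for xy, so a linear solution must be checked against the products it claims to represent, and too few equations leave the system under-determined.

```python
"""Linearisation of a system of polynomial equations over GF(2) (Section 5.3.7).

Added example, not the thesis's code. Each distinct monomial (x, y, xy, ...) becomes
one fresh linear variable; the linear system is solved by Gauss-Jordan elimination over
GF(2) and the result is checked against the monomial relations that linearisation
forgets (c must still equal a*b when c stands for xy).
"""


def mono_name(m):
    return "*".join(sorted(m)) or "1"


def linearise(equations):
    """equations: list of (set of monomials, rhs); a monomial is a frozenset of
    variable names (frozenset() is the constant 1). Returns the ordered monomial
    list and one (bit mask, rhs) row per equation."""
    monos = sorted({m for lhs, _ in equations for m in lhs},
                   key=lambda m: (len(m), sorted(m)))
    index = {m: i for i, m in enumerate(monos)}
    rows = []
    for lhs, rhs in equations:
        mask = 0
        for m in lhs:
            mask |= 1 << index[m]
        rows.append((mask, rhs))
    return monos, rows


def solve_gf2(n_vars, rows):
    """Gauss-Jordan elimination on (mask, rhs) rows over GF(2). Returns the unique
    solution as a bit list, or None if the system is inconsistent or under-determined."""
    rows = list(rows)
    pivots = {}
    r = 0
    for col in range(n_vars):
        piv = next((i for i in range(r, len(rows)) if rows[i][0] >> col & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0] >> col & 1:
                rows[i] = (rows[i][0] ^ rows[r][0], rows[i][1] ^ rows[r][1])
        pivots[col] = r
        r += 1
    if len(pivots) < n_vars:
        return None                      # some monomial is unconstrained
    if any(rhs for _, rhs in rows[r:]):
        return None                      # a leftover row reads 0 = 1
    return [rows[pivots[col]][1] for col in range(n_vars)]


def solve_system(equations):
    """Linearise, solve, map back; also report whether every product monomial equals
    the product of its single-variable factors (linearisation treats them as independent)."""
    monos, rows = linearise(equations)
    sol = solve_gf2(len(monos), rows)
    if sol is None:
        return None
    values = dict(zip(monos, sol))
    consistent = True
    for m in monos:
        if len(m) > 1 and all(frozenset([v]) in values for v in m):
            if values[m] != min(values[frozenset([v])] for v in m):
                consistent = False
    return {mono_name(m): v for m, v in values.items()}, consistent


X, Y, XY = frozenset("x"), frozenset("y"), frozenset("xy")
# The text's example: x + y = 1, x + xy = 0, xy = 0  (constructed inline)
TEXT_EXAMPLE = [({X, Y}, 1), ({X, XY}, 0), ({XY}, 0)]
# Constructed counter-example: x + xy = 1, xy = 1, y = 1 has a linear solution
# (a = 0, b = 1, c = 1) that violates c = a*b, so it is no solution of the original.
SPURIOUS_EXAMPLE = [({X, XY}, 1), ({XY}, 1), ({Y}, 1)]
```

In a real algebraic attack the unknowns are the initial state bits of the LFSRs and one equation is written per observed keystream bit; the number of distinct monomials grows with the degree of the combiner, which is why the equation count (and thus the keystream needed) has to exceed the number of monomials before the linearised system becomes determined.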

5.3.8. Fast Algebraic attacks

Since the complexity of the algebraic attacks from Section 5.3.7 is exponential in the degree of the equations, a way of reducing the degree of the equations was needed. Courtois [Courtois03a] introduced a method to achieve this in his Fast Algebraic attacks. His method requires an additional pre-computation step to determine a linear combination of equations in the initial system of the algebraic attack. This linear combination can cancel out terms of high degree, making it easier to solve the system of equations. His approach is based on the fact that we can multiply the multivariate polynomial with another multivariate polynomial such that the product is of a lower degree in the initial state bit variables.


Courtois proposes to use the Berlekamp-Massey algorithm (see Section 3.4.5) to determine the linear combination for the pre-computation step. The algorithm finds the minimal polynomial of a linear recurrent sequence.

5.3.9. Side Channel attacks

Side channel attacks [Quisquarter02] try to attack a certain implementation of an algorithm, instead of a direct attack on the keystream generator algorithm. These attacks use information leakage from other channels than the ciphertext or keystream output.

An example of such a side channel attack is power analysis. The general idea in this attack is to measure the power usage of a cryptographic system. For example, electromagnetic emissions can be used. This kind of attack has been shown to be surprisingly efficient. Kocher, Jaffe and Jun presented a paper on differential power analysis on DES [Kocher99]. Certain implementations of DES revealed, in the power usage, the structure of the cipher and small portions of the key could be guessed and verified independently.

Another example of such a side channel attack is the timing attack. The attacker measures the execution time or delay of various steps in the algorithm. This can reveal information on the secret key bits if they are evaluated in branches with different execution times. This attack can also be applied to clock-controlled generators, which output keystream bits at irregular intervals. By measuring these intervals, the attacker can obtain information on the clocking sequence. Such weaknesses can be prevented by buffering the output.

Electromagnetic radiation can be used to attack a system with electromagnetic leakage side channel attacks. The quality of the antennas and the frequency stability of local oscillators are important for good results. The presence of electromagnetic radiation is often enough to provide useful information to an attacker. Some systems recreate a false magnetic field around them, in order to mask their presence or radiation. However, by repeating measurements, it is still possible to remove the noise and obtain a high signal-to-noise ratio.

The work of M. Kuhn [Kuhn98] indicates that it is also possible to extract useful information from the light emitted by screens. He was able to reconstruct a video image starting from the luminosity of a distant screen.


CHAPTER 6

Block Ciphers

6.1. Introduction

Block ciphers are symmetric cryptographic mechanisms that transform individually a fixed-length amount of plaintext data (a block) to a block of ciphertext using a key. The decryption algorithm uses the inverse transformation with the same key. So the key is a secret key that must be protected and secured. The distinction between stream ciphers and block ciphers is not very clear. If a block cipher is used in cipher block chaining (CBC) mode, we can consider this as a stream cipher which operates on large symbols of the size of one block. To encrypt messages longer than the block size, a mode of operation is used; these will be discussed in Section 6.3, but we will first introduce the history of block ciphers.

6.2. History

Based on the work of Horst Feistel [Feistel73], the first block cipher Lucifer was developed at IBM in the 1970s. The US National Bureau of Standards (NBS) adopted a revised version of the algorithm as the Data Encryption Standard (DES) after a public invitation for submissions. DES was publicly released in 1976 and has been widely used. DES was specifically designed to resist differential cryptanalysis, a general attack against block ciphers. DES prompted a large amount of other work and publications in cryptography and cryptanalysis in the open community and it inspired many new cipher designs. A variant of DES, 3DES, triple-encrypts blocks with (usually) two different keys. It was widely adopted as a replacement and is still considered secure. DES has been superseded as a Federal Standard by the Advanced Encryption Standard (AES), adopted by the National Institute of Standards and Technology (NIST) in 2001 after a 5-year public competition. The AES cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted under the name Rijndael.

Until the mid 90s all block ciphers in use were based on the Feistel structure. Later Substitution-Permutation Networks (SPNs) were used to design new block ciphers. Together with the "Wide trail design strategy" [Rijmen01], used to design Rijndael, block ciphers got valuable properties and bounds on the resistance against linear and differential attacks were proved.

Whereas stream ciphers work in a particular mode of operation, block ciphers are just building blocks to construct modes of operation. The next section will cover some of the different block cipher modes.

6.3. Mode of Operation

We will give a short overview of the different types of block cipher modes of operation:

• Iterative Block Cipher

• Electronic Code Block Cipher (ECB)

• Cipher Block Chaining (CBC)

• Cipher Feedback (CFB)

• Output Feedback (OFB)

• Counter mode (CTR).

6.3.1. Iterative Block Cipher

Iterated block ciphers use several rounds to encrypt the plaintext. A set of subkeys is derived from the original secret key and for each round, the same round function or transformation is applied to the block of plaintext data using a subkey. Depending on the required security level, the number of iterations can be adapted. The strength will improve by increasing the number of rounds, but this will have a trade-off on the time performance.


The original block cipher algorithms of Feistel and DES were a special class of iterative block ciphers.

6.3.2. Electronic Code Block Cipher (ECB)

In the Electronic Code Block cipher, each plaintext block is encrypted independently with the block cipher. The data is thus encrypted in parallel, which makes the Electronic Code Block cipher faster than the iterative Block cipher. But since each identical block of plaintext gives an identical block of ciphertext, the plaintext can be easily manipulated by removing, repeating or interchanging blocks.

6.3.3. Cipher Block Chaining (CBC)

The Cipher Block Chaining mode uses an initialization vector $c_0$ as a "seed" for the process. It then starts by seeding this random value and XORing that with the first block. The encrypted result becomes the first block of ciphertext. That encrypted block is used to XOR itself with the next block. This process continues, thus each plaintext block is XORed with the previous ciphertext block and then encrypted. The advantage is that everything is concealed in the chaining process. Any random block gives no indication on what the other blocks are. Manipulation of the plaintext is only possible in the first part of the ciphertext. The random value does not have to be encrypted and can be transmitted with the ciphertext.

6.3.4. Cipher Feedback (CFB)

The Cipher Feedback mode is similar to the Cipher Block Chaining mode, but instead of encrypting the XORed blocks, the encrypted block is XORed with the plaintext block. Again, the initialization vector $c_0$ is used as a seed for the process. In this mode, not the first block can be attacked as in CBC, but the last block can be attacked. By removing blocks from the beginning or the end of the ciphertext, the resulting plaintext can be manipulated.


6.3.5. Output Feedback (OFB)

Output Feedback mode is similar to Cipher Feedback mode, except that the quantity XORed with each plaintext block depends on a sequence of data blocks $s_i$, derived from the encryption of the previous data block $s_{i-1}$. Again, an initialization vector $s_0$ is used as the seed. This mode has the advantage over CFB that transmission errors are not propagated in subsequent blocks during decryption. But this mode makes it possible to easily manipulate the sent plaintext when the original plaintext is known. If the observed ciphertext block is XORed with the plaintext block known by the attacker, that result can be used to XOR a new plaintext and send it as ciphertext without obstructing the decryption for the intended receiver.

Although in this mode the process cannot be parallelized, time can be saved by generating the key stream before the actual encryption.

6.3.6. Counter mode (CTR)

This mode has been proposed by Diffie to resolve the shortcomings of the OFB mode. Instead of deriving one data block as the encryption of the previous data block, Diffie proposed encrypting the quantity $(i + IV) \bmod 2^{64}$ for the $i$-th data block, where $IV$ is some initialization vector.
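The modes of Section 6.3 and the manipulations described there, as an added example that is not the thesis's code: ECB, CBC and OFB built on a constructed 8-round Feistel network with a SHA-256 round function (an illustration of the Feistel structure from Section 6.2, not a vetted cipher; 8-byte blocks, messages assumed to be a multiple of the block size). The demonstration shows the ECB pattern leak of 6.3.2, that flipping IV bits in CBC changes only the first plaintext block (6.3.3), the OFB forgery of 6.3.5 where ciphertext XOR known plaintext yields the keystream, and that the Message Authentication Code recommended in the stream cipher discussion rejects the forged ciphertext. Keys and IV are constructed constants.

```python
"""Block cipher modes from Section 6.3 and the manipulations the text describes.

Added example, not the thesis's code. The block cipher is a constructed 8-round Feistel
network with a SHA-256 round function (an illustration, not a vetted cipher); 8-byte
blocks; messages are assumed to be a multiple of the block size.
"""
import hashlib
import hmac

BLOCK = 8


def _round(key, half, rnd):
    """Round function F(K, half): keyed SHA-256, truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        l, r = r, xor(l, _round(key, r, rnd))     # Feistel: (L, R) -> (R, L xor F(R))
    return r + l


def decrypt_block(key, block):
    r, l = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _round(key, l, rnd)), l     # rounds undone in reverse order
    return l + r


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                            # c_0 = IV, c_i = E(p_i xor c_{i-1})
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv                            # p_i = D(c_i) xor c_{i-1}
    for b in blocks(ct):
        out.append(xor(decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """OFB: s_i = E(s_{i-1}), s_0 = IV; the same call encrypts and decrypts."""
    stream, s = b"", iv
    while len(stream) < len(data):
        s = encrypt_block(key, s)
        stream += s
    return xor(data, stream)


def ecb_leaks_pattern(key, pt):
    """ECB (6.3.2): equal plaintext blocks give equal ciphertext blocks."""
    ct = blocks(ecb_encrypt(key, pt))
    return len(ct) != len(set(ct))


def cbc_iv_flip(key, iv, ct, delta):
    """CBC (6.3.3): XORing delta into the IV XORs delta into the first plaintext block only."""
    return cbc_decrypt(key, xor(iv, delta), ct)


def ofb_forge(ct, known_pt, new_pt):
    """OFB (6.3.5): ct xor known_pt is the keystream, so ct xor known_pt xor new_pt
    decrypts to new_pt without disturbing the receiver."""
    return xor(xor(ct, known_pt), new_pt)


def tag(mac_key, ct):
    """MAC over the ciphertext: the remedy the stream cipher discussion recommends."""
    return hmac.new(mac_key, ct, hashlib.sha256).digest()


def accept(mac_key, ct, t):
    return hmac.compare_digest(tag(mac_key, ct), t)


def demo():
    key, mac_key = b"k" * 16, b"m" * 16           # constructed keys for the demonstration
    iv = bytes(range(BLOCK))                      # constructed IV (use a fresh random IV in practice)
    pt = b"ATTACK!!" * 2 + b"RETREAT!"            # two identical plaintext blocks on purpose
    new_pt = b"RETREAT!" * 2 + b"ATTACK!!"
    ct_cbc = cbc_encrypt(key, iv, pt)
    ct_ofb = ofb_crypt(key, iv, pt)
    t = tag(mac_key, ct_ofb)
    forged = ofb_forge(ct_ofb, pt, new_pt)
    delta = b"\x20" + b"\x00" * (BLOCK - 1)
    return {
        "ecb_leaks_pattern": ecb_leaks_pattern(key, pt),
        "cbc_hides_pattern": len(set(blocks(ct_cbc))) == len(blocks(ct_cbc)),
        "cbc_iv_flip_first_block_only": cbc_iv_flip(key, iv, ct_cbc, delta) == xor(pt[:BLOCK], delta) + pt[BLOCK:],
        "ofb_forgery_decrypts_cleanly": ofb_crypt(key, iv, forged) == new_pt,
        "mac_rejects_forgery": not accept(mac_key, forged, t),
    }
```

The OFB forgery succeeds because the receiver cannot tell a modified ciphertext from a genuine one; confidentiality modes give no integrity, which is why a MAC (or an authenticated mode) is paired with them in practice.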

6.4. Advantages

Block Cipher algorithms are very simple to implement. They also have the advantage that it is not difficult to encrypt or decrypt the message, since the same key is used. Although Block Ciphers cannot operate as fast as Stream Ciphers, the convenience, ease of use and relatively secure algorithms make Block Ciphers a good choice for many communication security tasks.


CHAPTER 7

Bluetooth Security overview

The security architecture of Bluetooth is designed to provide built-in security features for all types of security demanding cases. The baseband defines security algorithms and procedures needed to authenticate devices, and if needed to encrypt the data flowing on the link between them. The baseband part of the specification includes algorithms for the generation of authentication and encryption keys and the operations for verifying the authenticity of a device.

Bluetooth has three different modes of security. Each Bluetooth device can operate in one mode only at a particular time. The three modes are the following:

• Security mode 1: Non-secure mode.

• Security mode 2: Service-level enforced security mode.

• Security mode 3: Link-level enforced security mode.

7.1. Security mode 1: non-secure mode

In the non-secure mode, a device will not initiate any security procedures. In this mode, the security functionality (authentication and confidentiality) is completely bypassed. In effect, the Bluetooth mode 1 is an "open" mode that allows other Bluetooth devices to connect to it without applying any security mechanisms. This mode is provided for applications for which security is not required, such as exchanging business cards.


7.2. Security mode 2: Service-level enforced security mode

In the service-level enforced security mode, security procedures are initiated after channel establishment at the Logical Link Control and Adaptation Protocol (L2CAP) level (see Section 2.5). L2CAP resides in the data link layer and provides connection-oriented and connectionless data services to upper layers. For this security mode, a security manager (as specified in the Bluetooth architecture) controls access to services and to devices. The centralized security manager maintains policies for access control and interfaces with other protocols and device users. Varying security policies and "trust" levels to restrict access may be defined for applications with different security requirements operating in parallel. Therefore, it is possible to grant access to some services without providing access to other services. Obviously, in this mode, the notion of authorization – that is the process of deciding if device A is allowed to have access to service X – is introduced.

7.3. Security mode 3: Link-level enforced security mode

In the link-level enforced security mode, a Bluetooth device initiates security procedures before the channel is established. This is a built-in security mechanism, and it is not aware of any application layer security that may exist. This mode supports authentication and confidentiality. These features are based on a secret link key that is shared by a pair of devices. To generate this key, a pairing procedure is used when the two devices communicate for the first time.

7.4. Link-level security

A number of different key types are used in the security provided by the Bluetooth system. Symmetric-key cryptographic mechanisms are used for authentication, key generation and link encryption. A link is a communication channel established between two Bluetooth devices. The PIN entry, device association and key derivation are depicted conceptually in Figure 7.1.


FIGURE 7.1. Bluetooth Key Generation from PIN [Karygiannis02a]

7.4.1. Pairing

The pairing process requires a PIN code to be entered into both Bluetooth devices. The Bluetooth system allows this PIN code to be 128 bits long. Such a large code would be rather user-unfriendly for manual input. However, this feature makes it possible to use a higher-level automated key agreement scheme which feeds the agreed PIN code into the pairing procedure. For some (mostly small) devices, the PIN may be a fixed key that cannot be changed. These devices come with a factory preset PIN code when delivered to the customer. The fixed PIN code is used when there is no user interface to input a value into the Bluetooth device. In such cases, the fixed PIN must be entered into the peer device. It follows that it is impossible to pair two devices that both have a fixed PIN, which means they can never communicate with each other. Examples of such devices with a fixed PIN code are mice and headsets. On some devices with a fixed PIN code it is still possible to change this code in some way: a wired connection could be used, or it may be allowed to change the PIN code over Bluetooth using an already paired device and a secure connection.

A number of keys are used within the pairing process; they are reviewed in depth in Chapter 9.


7.4.2. Authentication

The Bluetooth authentication procedure takes the form of a "challenge-response" scheme. Two devices interacting in an authentication procedure are referred to as the claimant and the verifier. The verifier is the Bluetooth device validating the identity of another device. The claimant is the device attempting to prove its identity. The challenge-response protocol validates devices by verifying knowledge of a secret key (a Bluetooth link key). The authentication procedure is only one-way, so the procedure must be repeated with the roles of verifier and claimant switched to achieve mutual authentication.

7.4.3. Encryption Process

The Bluetooth specification also allows three different encryption modes to support the confidentiality service:

• Encryption mode 1: No encryption is performed on any traffic.

• Encryption mode 2: Broadcast traffic goes unprotected (not encrypted), but individually addressed traffic is encrypted according to the individual link keys.

• Encryption mode 3: All traffic is encrypted according to the master link key.

As shown in Figure 7.2, the Bluetooth encryption procedure is based on a stream cipher, E0. A key stream output is exclusive-OR-ed with the payload bits and sent to the receiving device. This key stream is produced using a cryptographic algorithm based on linear feedback shift registers (LFSRs). The encryption function takes as inputs the master identity (BD_ADDR), the random number (EN_RAND), a slot number, and an encryption key, which initialize the LFSRs before the transmission of each packet. Since the slot number used in the stream cipher changes with each packet, the ciphering engine is also reinitialized with each packet although the other variables remain static. As shown in Figure 7.2, the encryption key provided to the encryption algorithm is produced using an internal key generator (KG) E3. This key generator produces stream cipher keys based on the link key, the random number (EN_RAND again), and the ACO value. The ACO parameter, a 96-bit Authenticated Cipher Offset, is another output produced during the authentication procedure. The link key is the 128-bit secret key that is held in the Bluetooth devices and is not accessible to the user. Moreover, this critical security element is never transmitted outside the Bluetooth device. It forms the shared secret of two devices, created after pairing, that can be used when they meet again. Further explanation of the E0 stream cipher is given in Chapter 8.

FIGURE 7.2. Bluetooth Encryption Process [Karygiannis02a]

7.5. Problems with the Bluetooth Standard Security [Karygiannis02a] [Muller99]

Some of the known problems with the standard security of Bluetooth are listed here. The most important problems will be discussed in more detail in Chapter 8 and Chapter 9.

• Strength of the challenge-response pseudorandom generator is not known: The Random Number Generator (RNG) may produce static or periodic numbers that may reduce the effectiveness of the authentication scheme.

• Short PIN codes are allowed: Weak PIN codes, which are used for the generation of link and encryption keys, can be easily guessed. Increasing the PIN length generally increases the security. People have a tendency to select short PIN codes. A global agreement must be established on a minimum key length.

• An elegant way to generate and distribute PIN codes does not exist: Establishing PIN codes in large Bluetooth networks with many users may be difficult. Scalability problems frequently yield security problems.

• Encryption key length is negotiable: The encryption key size varies from 8 to 128 bits. Each device has a parameter defining the maximum allowed key length. The key length is negotiated between the master and the slave. Applications can define a minimum acceptable key size to avoid situations where malicious devices force the encryption to be weak.

• Unit key is reusable and becomes public once used: A unit key is a link key that one unit generates by itself and uses as a link key with any other device. Unit keys can only be safely used when there is full trust among the devices that are paired with the same unit key. This is because every paired device can impersonate or eavesdrop on any other device holding the same unit key. A unit key can be used on very small units with very low resources. Since Bluetooth version 1.2, the use of unit keys is not recommended. But, for legacy reasons, unit keys have not been completely removed from the specification.

• The initialization key strength is based on the used PIN code: The E22 initialization key generation algorithm derives the key from the PIN code, the length of the PIN code and a random number, which is transmitted over the air. Only the PIN code is secret, making the trustworthiness of most initialization keys low and completely dependent on the user's chosen PIN code.

• No user authentication exists: Only device authentication is provided. Application-level security and user authentication can be employed.


• Attempts for authentication may be repeated: The Bluetooth specification requires a time-out period between repeated attempts that will increase exponentially. But the Bluetooth SIG needs to develop a limit feature to prevent unlimited requests.

• E0 stream cipher algorithm is weak: The stream cipher E0 has its roots in the so-called summation combiner stream cipher. This was a stream cipher that was proposed by Massey and Rueppel in the mid-1980s [Massey89]. The most powerful attacks on this type of stream cipher are correlation attacks in combination with exhaustive search over a limited key space (this is sometimes also referred to as initial guessing). The cryptanalysis, reviewed in Chapter 8, shows that the E0 cipher is weaker than an exhaustive key search would suggest.

• Privacy may be compromised if the Bluetooth device address (BD_ADDR) is captured: Once the BD_ADDR is associated with a particular user, that user's activities could be logged, resulting in a loss of privacy.

• End-to-end security is not performed: Only individual links are encrypted and authenticated. Data is decrypted at intermediate points. But applications running on top of Bluetooth can provide end-to-end security mechanisms.

• Security services are limited: Audit, non-repudiation, and other services do not exist. If needed, these can be developed at particular points in a Bluetooth network.

• Denial-of-service attacks are possible: Repeated refused requests can make the unit crash and drain the battery. The denial-of-service attack can be combined with other attacks.

• Support for legacy applications: A legacy application will not make calls to the security manager. Instead, a Bluetooth-aware "adapter" application is required to make security-related calls to the Bluetooth security manager on behalf of the legacy application.

• Preset per-service authorization is not possible: There is no mechanism defined to preset authorization per service. However, a more flexible security policy could be implemented in the higher-level architecture, without a need to change the Bluetooth protocol stack. Of course, modifications of the higher-level security manager and the registration processes would be necessary.

• Enforcing unidirectional traffic is not possible: The approach only allows access control at connection set-up. The access check can be asymmetric, but once a connection is established, data flow is in principle bi-directional. It is not possible within the scope of this architecture to enforce unidirectional traffic.

7.6. Bluetooth security attacks

Although this thesis mainly concentrates on the link-level security of Bluetooth, we will also give a brief overview of many popular and practical attacks on Bluetooth in this section. These attacks are less significant, since most of them are not based on a failure of the Bluetooth protocol, but on flaws in the specific implementations of the manufacturers.

We will take a closer look at the link-level security and the known attacks on that part of the Bluetooth protocol in Chapter 8 and Chapter 9.

7.6.1. Bluejacking

Although known to the technical community and early adopters for some time, the process now known as "Bluejacking" has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the Bluetooth pairing protocol, the system by which Bluetooth devices authenticate each other, to pass a message during the initial handshake phase. This is possible because the "name" of the initiating Bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocol allows a large user-defined name field - up to 248 characters - the field itself can be used to pass the message. This is fairly harmless, but there is a potential security problem with it. The more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronize data is the reason for the existence of Bluetooth. The Bluejacking technique uses the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the bluejacker successfully pairs with the target device. If such an event occurs, then all data on the target device becomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices' capabilities, leading to far more serious potential compromise.

7.6.2. Bluetooth Wardriving

This attack maps the physical whereabouts of users carrying Bluetooth-enabled devices. Since each Bluetooth device freely broadcasts its unique 48-bit address, it is possible to track the user's movements.

To protect a device against location tracking, an anonymity mode is needed. Devices operating in such an anonymous mode could regularly update their device address by randomly choosing a new one.

Different types of location tracking attacks are possible:

7.6.2.1. Inquiry attack. The attacker distributes one or more Bluetooth devices throughout a region to locate Bluetooth users.

If the potential victim of such an attack has left his/her device in discoverable mode, the attacking device can simply interrogate the area using frequent inquiry messages for devices and maintain a log of all the device addresses that are discovered.

7.6.2.2. Traffic monitoring attack. This attack succeeds even if the victim device is not in discoverable mode. The attacker simply monitors the communication between two trusted devices belonging to the victim. These devices will communicate using a specific Channel Access Code (CAC). This CAC is computed from the device address of the master device in the piconet.

Furthermore, the whole device address is sent in the Frequency Hop Synchronization (FHS) packets of the devices, allowing an attacker to uniquely determine the identity of a device. But the FHS packets are only used at connection establishment.


7.6.2.3. Paging attack. This attack allows the attacker to determine if a given device with a known BD_ADDR or Device Access Code (DAC) [1] is present within range. The attack requires that the victim's device is connectable.

The attacking device pages the target device, waits for the ID packet to be returned, and then does not respond. If an ID is returned, then the attacker knows that the victim device is present. The target device, waiting for the response, will just time out and the incident will not be reported to the application layer.

7.6.2.4. Frequency hopping attack. The frequency hopping scheme in Bluetooth is determined by a repeating hopping sequence. The hopping scheme is calculated from different input parameters, such as an address and the master clock. In the connection state, the LAP and the four least significant bits of the UAP of the master device are used. In the page state, the LAP/UAP of the paged unit is used. Thus, it is (at least theoretically) possible to obtain information about the LAP and four bits of the UAP from the observed hopping scheme.

7.6.2.5. User-friendly name attack. A Bluetooth device can request the user-friendly name at any time after a successful baseband paging procedure. The name request command can be used to mount a location tracking attack.

7.6.3. Impersonation attack by inserting/replacing data

When no encryption is activated, an impersonation attack can easily be achieved by correctly setting the CRC check data in the payload after the data in the payload has been changed. When ciphering is activated, the attacker can compute how to modify the CRC to make it agree with modifications in the encrypted data bits.

In a practical system, or when encryption is activated, it is not at all easy to make something useful of this attack beyond the point of just disrupting the communication. The attacker must somehow know the context of the payload data to make changes that are meaningful or effective.

[1] A Device Access Code (DAC) is a code derived from a specific connected slave device.

7.6.4. Nokia 6310i Bluetooth OBEX Message DoS

Many Nokia 6310i GSM phones contain a flaw that allows a remote denial-of-service attack. The issue is triggered when invalid Bluetooth OBEX messages are sent by an attacker, and results in loss of availability for the phone, without loss of data.

7.6.5. Brute-Force attack

The brute-force attack can make it possible to connect to a device, even while it is set in the hidden (not discoverable) Bluetooth mode. A brute-force attack on the BD_ADDR of a device can achieve this.

Some manufacturers claim this would take an unreasonable amount of time, more than 11 hours. However, the security company @stake built an application, RedFang [Whitehouse03a], with a multi-threaded version of the brute-force attack. It could use up to 8 USB Bluetooth devices simultaneously, which reduces the required time from 11 hours to approximately 90 minutes (based on one vendor's range).

Once the BD_ADDR is discovered with the brute-force attack, other attacks could be mounted without alerting the owner of the device, who thinks it is not discoverable.

7.6.6. Denial-of-Service attack

The Denial-of-Service (DoS) attack makes it possible for an attacker to prevent or prohibit the normal use or management of communication facilities. The system degradation caused by DoS attacks can, for example, be the result of the system being fully occupied by handling fake connection requests or by the insertion of flawed data transmission packets.

7.6.7. Disclosure of keys

• A Bluetooth device attached to the computer may be exchanged for a false one, whose only purpose is to 'suck' out link keys from the host.

• A legitimate USB plug or PCMCIA card may be removed from the owner's computer and inserted into a corresponding slot of the adversary's computer. On this computer, one or more keys stored on the Bluetooth controller can be read out. Once the list of keys has been read out, the USB plug (or card) is returned to its proper owner, who may be completely unaware.

• Malicious software: A Trojan horse disguised as something quite innocent can send the key database to some place where the adversary can access it. If this malicious code is distributed through a virus or worm, the attack can quickly spread to a large number of computers.

Once the link key of a computer and phone (and the BD_ADDR of the computer) is known, the adversary can silently connect to the mobile phone, impersonate the computer, and make use of any service the phone offers over Bluetooth.

7.6.8. Backdoor attack

The Backdoor attack involves establishing a trust relationship through the vulnerable pairing mechanism of some devices (e.g. some Motorola phones), but ensuring that it no longer appears in the target's register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to. This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways, may be accessed without the owner's knowledge or consent. Once the Backdoor is installed, the BlueSnarf attack will function on devices that previously denied access, and without the restrictions of a plain BlueSnarf attack (see Section 7.6.9).

7.6.9. BlueStumbling or BlueSnarfing

It is possible, on some Bluetooth phone types, to connect to the device without alerting the owner of the target device to the request, and gain access to restricted portions of the stored data, including the entire phonebook, images, the calendar data, the real-time clock, business cards, properties, the change log and the IMEI (International Mobile Equipment Identity, which uniquely identifies the phone to the mobile network, and is used in illegal phone 'cloning').

This attack was developed by Adam Laurie, Marcel Holtmann and Martin Herfurt from Trifinite [Herfurt05]. The attack is an OBEX Push attack. The OBEX Push profile, which has been specified for easy exchange of business cards, allows items to be pushed anonymously. But some types of (phone) devices had an erroneous implementation, which allows OBEX GET requests to be performed through the OBEX Push connection and all files whose name is known or guessed correctly to be retrieved. Recently the developers of Trifinite made an improved version of the BlueSnarf attack, the BlueSnarf++ attack, which allows connecting to the OBEX FTP server through the OBEX Push connection. This gives the attacker full read and write access to the device's file system.

The impact of this attack can be high, since many popular phones are/were vulnerable to this attack. Even long-distance (1 mile) BlueSnarf attacks were proven to be possible with an extended Bluetooth antenna device. The attack has been demonstrated at CeBIT [Herfurt04] and the Oscar nominations, which showed that a lot of devices were vulnerable.

The user is dependent on the vendor's implementation of the OBEX/Bluetooth stack and the vendor's solutions to resolve the security leaks (e.g. patches).

7.6.10. BlueBug attack

The BlueBug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off-the-shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium-rate numbers, send SMS messages, read SMS messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone.

The loophole identified in BlueBug allows the device to be controlled via a plain serial connection.

7.6.11. Pairing attack, Offline PIN recovery

The Bluetooth specification is susceptible to passive and active attacks on the pairing procedure. The attacks only work if the attacker is present at the pairing occasion, which typically only occurs once between one pair of devices. If pairing is performed in public places during a connection to an access point, point-of-sale machine, or printer, this can be a dangerous threat. Attackers can sniff data transmissions between devices while pairing (the K_INIT transmission). An improved version of this attack will be discussed in Section 9.5.

7.6.12. On-line PIN recovery

This attack can be possible if a fixed PIN is used on a device (i.e. the same PIN is used for every connecting device). The attacker can change (spoof) the Bluetooth address BD_ADDR several times and try different PIN codes. By changing the Bluetooth address, the attacker will bypass the ever-increasing delay between failed pairing retries.

7.6.13. Impersonate original sending/receiving unit

This attack would require the attacker to provide the correct response to the authentication challenge of a correspondent. Currently, no attack on the SAFER+-based E1 authentication function is known that achieves this within any realistic computational effort.

7.6.14. Attack on the Bluetooth Key Stream Generator

Many different attacks on the Bluetooth key stream generator E0 have been published (e.g. correlation attacks, algebraic attacks, the FBDD attack) and they will be reviewed in more detail in Chapter 8.

7.6.15. Replay attacks

A hacker could record Bluetooth transmissions on all 79 frequencies and then in some way figure out the frequency hopping sequence to replay the whole transmission. Although special devices would be necessary for this attack, the attack could be possible since Bluetooth devices cannot check if a message is new or old.


7.6.16. Man-in-the-middle attack

By intervening in the "middle" of two pairing devices, and impersonating the peer on each device's connection by passing the connection data through, an attacker could receive all keys and data. This is possible since there is no real mutual authentication and no public key certification is used during authentication, although special devices are required.


CHAPTER 8

Bluetooth Stream Cipher E0

8.1. Introduction

In Chapter 7 the E0 encryption engine has already been described informally; we will now take a closer look at it.

E0 is a so-called autonomous finite state machine. Loaded with an initial state, it will move to a new state and produce one single output bit of the key stream on every clock cycle.

The Bluetooth specification defines the stream cipher algorithm E0 to be used for point-to-point encryption of the packet payload; the access code and the packet headers shall never be encrypted. The E0 additive stream cipher was designed to provide the wireless connections with strong protection against eavesdropping. It is based on a direct design and uses a Bluetooth proprietary algorithm that is inspired by Massey and Rueppel's [Rueppel86] summation combiner stream cipher. The core of E0 is built around four independent linear feedback shift registers (LFSRs) and a finite state machine (FSM) as combining circuitry.

The cryptanalysis covered in Section 8.3 shows that the E0 stream cipher is weaker than supposed at its design. But the frequent rekeying in Bluetooth and the rather short generated key streams keep the system safe from most attacks.


8.2. Encryption process

When two Bluetooth devices need to communicate securely, they first undergo a key exchange protocol that completes with each unit agreeing on a shared secret key. Within this exchange protocol the devices negotiate to decide the encryption key size to use. Each device has a parameter defining the maximal allowed key length, L_max, 1 ≤ L_max ≤ 16, and for each application using encryption a number L_min must be defined to indicate the smallest acceptable key size for that application. The devices negotiate and try to use the largest key size supported by both. If the L_max value of one of the devices is smaller than the L_min value of the other device, the negotiation will fail and link encryption cannot be employed. This possibility of a failure in setting up a secure link is an unavoidable consequence of letting the application decide whether to accept or reject a suggested key size. However, this is a necessary precaution, since otherwise a fraudulent device could enforce weak protection on a link by claiming a small maximum key size L_max.
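As an added illustration of the negotiation just described (not code from the thesis; the device names and L values are constructed), the following Python function picks the largest key size both sides support and rejects a proposal below either application's L_min, which is what defeats a peer that claims a small L_max:

```python
"""Bluetooth encryption key size negotiation (Section 8.2), added illustration.

Each device carries a factory parameter L_max (1..16 bytes) and each
application an L_min; the link uses the largest size both sides support,
and negotiation fails when one side's L_max is below the other's L_min.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    l_max: int  # maximum key size the device supports, in bytes (1..16)
    l_min: int  # smallest key size the application on this device accepts

    def __post_init__(self) -> None:
        if not 1 <= self.l_max <= 16:
            raise ValueError(f"{self.name}: L_max must be in 1..16 bytes")
        if not 1 <= self.l_min <= self.l_max:
            raise ValueError(f"{self.name}: L_min must be in 1..L_max")


def negotiate_key_size(master: Device, slave: Device) -> Optional[int]:
    """Return the agreed key size in bytes, or None when negotiation fails.

    Both devices try to use the largest size supported by both, i.e.
    min(L_max_master, L_max_slave).  The proposal is then checked against
    each application's L_min; anything below either minimum is rejected,
    which is what stops a peer from forcing weak encryption by claiming a
    small L_max.
    """
    proposal = min(master.l_max, slave.l_max)
    if proposal < master.l_min or proposal < slave.l_min:
        return None
    return proposal


def key_bits(size_bytes: int) -> int:
    """Key size in bits for a negotiated size in bytes (8..128 bits)."""
    return 8 * size_bytes


if __name__ == "__main__":
    # Constructed sample devices.
    laptop = Device("laptop", l_max=16, l_min=8)
    headset = Device("headset", l_max=16, l_min=1)
    print("laptop <-> headset:", negotiate_key_size(laptop, headset))  # 16

    # A peer claiming L_max = 1 (an 8-bit key) is rejected: laptop needs >= 8.
    weak_peer = Device("weak peer", l_max=1, l_min=1)
    print("laptop <-> weak peer:", negotiate_key_size(laptop, weak_peer))  # None

    # Without an application minimum the downgrade would be accepted.
    careless = Device("careless", l_max=16, l_min=1)
    print("careless <-> weak peer:", negotiate_key_size(careless, weak_peer))  # 1
```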

In the E0 stream cipher algorithm, key stream bits are added bit-wise modulo 2 (XOR) to the data stream to be sent over the air interface. All units in the piconet must be able to read the packet header to see if the message is for them or not. Therefore, it is only the payload of each packet that is ciphered separately by the cipher algorithm E0. The payload data is ciphered after the CRC bits are appended, but before the optional Forward Error Correction (FEC) encoding.

The E0 stream ciphering process consists of three parts (see Figure 8.1):

a) Initialization: payload key generation. The payload key generator combines the input bits in an appropriate order and shifts them into the four LFSRs of the key stream generator.

b) Main part: key stream bit generation.

c) Encryption and decryption.


FIGURE 8.1. Bluetooth encryption process

The cipher algorithm E0 uses as input the 48 bits of the master Bluetooth device address (BD_ADDR), 26 bits of the master real-time clock, CLK, and an encryption key K_C. By using the 26 bits of the master clock, which toggles every 625 µs, and a reinitialization of the E0 algorithm after each (multi-)packet, frequent changes of the starting state of the key stream generator are assured, which forms a key factor in the resistance to security attacks. E0 generates a binary keystream K_cipher which is modulo-2 (XOR) added to the data to be encrypted. The cipher is symmetric; decryption shall be performed in exactly the same way using the same key as used for encryption.

The private encryption key K_C is derived by algorithm E3 from the current link key, a 96-bit Ciphering OFfset number (COF), and a 128-bit random number EN_RAND. COF is set to the concatenation of the master BD_ADDR with itself if the current link key is a master key. Otherwise, COF is set to the value of the Authenticated Ciphering Offset (ACO) as computed during the authentication procedure.

K_C = E3(K_{master}, EN\_RAND, COF)   (38)

The Bluetooth system is said to be a two-level operation. The first level consists of the initialization and the second level performs the actual keystream generation.


Within the first level, the initialization of the E0 algorithm, the encryption key K_C is transformed into an intermediate constraint key K'_C:

K'_C(x) = g_2^{(L)}(x) \cdot \big( K_C(x) \bmod g_1^{(L)}(x) \big),   (39)

where \deg(g_1^{(L)}(x)) = 8L and \deg(g_2^{(L)}(x)) \le 128 - 8L. The values for the polynomials g_1^{(L)} and g_2^{(L)} are collected in a table [1]. The maximum effective size of this key shall be factory preset and may be set to any multiple of eight bits, i.e. L between one and sixteen bytes (8-128 bits).
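The following Python block is an added illustration of equation (39), not code from the thesis or the Bluetooth specification; it implements the GF(2) polynomial reduction and expansion and shows that only 8L bits of K_C influence K'_C. The polynomials G1_DEMO and G2_DEMO are constructed placeholders that satisfy the degree rules, not the values of the specification table.

```python
"""Constraint key K'_C(x) = g2(x) * (K_C(x) mod g1(x)) over GF(2), eq. (39).

Added illustration.  Polynomials are Python ints: bit i is the coefficient
of x^i.  The real g1/g2 polynomials come from the specification table (not
reproduced here); G1_DEMO and G2_DEMO below are constructed placeholders
that only satisfy deg(g1) = 8L and deg(g2) <= 128 - 8L.
"""
import secrets


def gf2_deg(p: int) -> int:
    """Degree of a GF(2) polynomial (-1 for the zero polynomial)."""
    return p.bit_length() - 1


def gf2_mod(a: int, m: int) -> int:
    """Remainder of a divided by m in GF(2)[x] (long division with XOR)."""
    if m == 0:
        raise ZeroDivisionError("modulus must be non-zero")
    dm = gf2_deg(m)
    while gf2_deg(a) >= dm:
        a ^= m << (gf2_deg(a) - dm)   # cancel the leading term
    return a


def gf2_mul(a: int, b: int) -> int:
    """Carry-less (GF(2)) multiplication of two polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def constrain_key(kc: int, g1: int, g2: int, L: int) -> int:
    """Reduce the 128-bit K_C to an effective size of 8L bits, then spread it.

    K_C mod g1 has degree < 8L, so only 8L bits of key material survive; the
    multiplication by g2 expands that residue back to at most 128 bits, which
    are what is loaded into the four LFSRs.
    """
    if not 1 <= L <= 16:
        raise ValueError("L must be between 1 and 16 bytes")
    if gf2_deg(g1) != 8 * L:
        raise ValueError("deg(g1) must equal 8L")
    if gf2_deg(g2) > 128 - 8 * L:
        raise ValueError("deg(g2) must not exceed 128 - 8L")
    if kc >> 128:
        raise ValueError("K_C must be a 128-bit value")
    residue = gf2_mod(kc, g1)          # degree < 8L
    kc_prime = gf2_mul(g2, residue)    # degree <= (128 - 8L) + (8L - 1) = 127
    assert gf2_deg(kc_prime) < 128
    return kc_prime


def effective_key_bits(L: int) -> int:
    """Number of K_C bits that actually influence K'_C after negotiation."""
    return 8 * L


# Constructed placeholder polynomials for L = 4 (32-bit effective key).
L_DEMO = 4
G1_DEMO = (1 << 32) | (1 << 7) | (1 << 3) | (1 << 2) | 1   # degree 32 = 8L
G2_DEMO = (1 << 96) | (1 << 5) | 1                         # degree 96 = 128 - 8L


if __name__ == "__main__":
    kc = secrets.randbits(128)
    kc_prime = constrain_key(kc, G1_DEMO, G2_DEMO, L_DEMO)
    print(f"K_C  = {kc:032x}")
    print(f"K'_C = {kc_prime:032x}  (degree {gf2_deg(kc_prime)})")
    # Adding g1 to K_C leaves the residue unchanged, so K'_C is identical:
    # once L = 4 is negotiated, only 8L = 32 bits of K_C matter.
    same = constrain_key(kc ^ G1_DEMO, G1_DEMO, G2_DEMO, L_DEMO) == kc_prime
    print("K_C and K_C + g1 give the same K'_C:", same)
```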

This constraint key K'_C is used together with the BD_ADDR and the clock CLK to load the initial values of the four LFSRs (128 bits) and the four memory bits c_0 and c_{-1}. At the end of the first level, the generator will generate 200 stream cipher bits, of which the last 128 bits are fed back into the key stream generator as the initial values of the four LFSRs of the second level. The values of the memory bits c_0 and c_{-1} are kept as the initial values for the second level. Further details of the complex initialization and the premixing of the initially loaded key material can be found in the Bluetooth specification document ([SIG03], Section 4.5, pages 769-790).

After the initialization of the first level and the loading of the second level, the encryption loop is started (steps 2 and 3 in Figure 8.1) and runs until the maximum number of plaintext bits has been encrypted; the generator is then re-initialized, which defeats various kinds of statistical attacks. The core of the E0 keystream generator consists of four linear feedback shift registers (LFSRs) holding a key of at most 128 bits, and a 4-bit finite state machine, which together feed the summation combiner logic.

In the previous chapter it was noted that an LFSR on its own is not cryptographically secure, since its output is a linear function of its initial state. In [Rueppel86] the use of memory in the combining function was proposed as a way to obtain nonlinearity in an LFSR-based generator. The finite state machine plays this role in E0: it introduces enough nonlinearity to make it difficult to recompute the initial state from observed keystream.


As we know from Section 4.5, LFSRs can be described by feedback polynomials. The feedback polynomials of the four LFSRs used in E0 are all primitive (maximum length) polynomials, which ensures that the period of an LFSR of degree $n$ is $2^n - 1$. The period of the combined output of the four Bluetooth LFSRs is the least common multiple of the four periods,

$$P = \frac{P_1 P_2 P_3 P_4}{7} = \frac{(2^{25}-1)(2^{31}-1)(2^{33}-1)(2^{39}-1)}{7} \approx 2^{125.2},$$

where the product is divided by 7 because $P_3$ and $P_4$ have 7 as their greatest common divisor (the other pairs of periods are coprime). This full period is never generated by the Bluetooth generator, since it is re-initialized after at most 2745 bits. The total length of the registers is 128 bits. The Hamming weight of each feedback polynomial (the number of nonzero coefficients) is five, a reasonable trade-off between the number of XOR gates in a hardware implementation and good statistical properties of the generated sequences.

TABLE 1. Feedback polynomials of the four LFSRs

    LFSR    Degree   Feedback polynomial             Output tap   Period length
    LFSR1   25       t^25 + t^20 + t^12 + t^8 + 1    24           2^25 - 1
    LFSR2   31       t^31 + t^24 + t^16 + t^12 + 1   24           2^31 - 1
    LFSR3   33       t^33 + t^28 + t^24 + t^4 + 1    32           2^33 - 1
    LFSR4   39       t^39 + t^36 + t^28 + t^4 + 1    32           2^39 - 1

The polynomials are in fact maximum length windmill polynomials [Smeets98], which can be exploited in a hardware or software realization of the LFSR: for a windmill polynomial one can construct a linear sequential machine that, provided it is correctly initialized, generates in each clock cycle four consecutive symbols of the sequence the ordinary LFSR would generate.
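As an added example (not the thesis's C simulator), the following Python code checks the two claims made above about Table 1: that every feedback polynomial is primitive, by testing that the order of $t$ in $GF(2)[t]/(p(t))$ is exactly $2^n - 1$, and that the combined period is $P_1 P_2 P_3 P_4 / 7 \approx 2^{125.2}$ because only $P_3$ and $P_4$ share a factor. The prime factorisations of $2^n - 1$ that the order test needs are standard values entered by hand; two small degree-4 polynomials are included as controls.

```python
from math import gcd, log2

# Table 1: degree and exponents with nonzero coefficient, for LFSR1..LFSR4.
E0_POLYNOMIALS = {
    "LFSR1": (25, (25, 20, 12, 8, 0)),
    "LFSR2": (31, (31, 24, 16, 12, 0)),
    "LFSR3": (33, (33, 28, 24, 4, 0)),
    "LFSR4": (39, (39, 36, 28, 4, 0)),
}

# Prime factors of 2^n - 1 for the four degrees (2^31 - 1 is a Mersenne prime).
PRIME_FACTORS = {
    25: (31, 601, 1801),
    31: (2**31 - 1,),
    33: (7, 23, 89, 599479),
    39: (7, 79, 8191, 121369),
}


def poly_from_exponents(exps):
    """Polynomial over GF(2) as an int: bit i is the coefficient of t^i."""
    mask = 0
    for e in exps:
        mask |= 1 << e
    return mask


def gf2_mulmod(a, b, p, n):
    """a(t) * b(t) mod p(t) over GF(2); deg p = n, a and b already reduced."""
    r, top = 0, 1 << n
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:            # degree reached n: subtract (XOR) p(t)
            a ^= p
    return r


def gf2_powmod_t(e, p, n):
    """t^e mod p(t) by square-and-multiply (the int 2 is the polynomial t)."""
    r, base = 1, 2
    while e:
        if e & 1:
            r = gf2_mulmod(r, base, p, n)
        base = gf2_mulmod(base, base, p, n)
        e >>= 1
    return r


def is_primitive(p, n, prime_factors):
    """p(t) of degree n is primitive iff t has order exactly 2^n - 1 in
    GF(2)[t]/(p): t^(2^n-1) = 1 and t^((2^n-1)/q) != 1 for every prime q | 2^n-1.
    A reducible p, or an irreducible one of smaller order, fails one of the tests."""
    order = (1 << n) - 1
    if gf2_powmod_t(order, p, n) != 1:
        return False
    return all(gf2_powmod_t(order // q, p, n) != 1 for q in prime_factors)


def check_table_1():
    """Primitivity verdict for each E0 feedback polynomial."""
    return {name: is_primitive(poly_from_exponents(exps), n, PRIME_FACTORS[n])
            for name, (n, exps) in E0_POLYNOMIALS.items()}


def hamming_weights():
    """Number of nonzero coefficients of each polynomial (five, per the text)."""
    return {name: len(exps) for name, (_, exps) in E0_POLYNOMIALS.items()}


def period_gcd(name_a, name_b):
    """gcd of two register periods; 2^a - 1 and 2^b - 1 share exactly 2^gcd(a,b) - 1."""
    na, nb = E0_POLYNOMIALS[name_a][0], E0_POLYNOMIALS[name_b][0]
    return gcd((1 << na) - 1, (1 << nb) - 1)


def combined_period_log2():
    """log2 of the period of the combined generator, lcm(P1, P2, P3, P4)."""
    lcm = 1
    for n, _ in E0_POLYNOMIALS.values():
        period = (1 << n) - 1
        lcm = lcm * period // gcd(lcm, period)
    return log2(lcm)
```

`check_table_1()` reports all four registers as primitive, `period_gcd("LFSR3", "LFSR4")` returns 7 while every other pair returns 1, and `combined_period_log2()` gives about 125.19, the $2^{125.2}$ of the text. The order test is cheap (a few dozen modular squarings per polynomial), which is why it is preferable to clocking a register through its whole period.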

For each output bit, every LFSR is clocked once; the outputs of the four LFSRs and the output of the finite state machine are XORed together to form the keystream bit. In parallel, the four LFSR outputs are added as integers to a 3-bit sum; the upper two bits of this sum, after the current 2-bit memory value has been added to it, form $s_{t+1}$ (Equation (44)) and drive the update of the finite state machine (FSM). The least significant bit of the sum of the four LFSR outputs is simply their bitwise XOR.

During the encryption loop, the following steps are walked through:

a) output $x_t = (x^1_t, x^2_t, x^3_t, x^4_t)$ from the four LFSRs;

b) calculate the keystream bit $z_t = f_0(x_t, c_t)$;

c) calculate the encrypted message bit $e_t = z_t \oplus m_t$, where $m_t$ is the corresponding message bit;

d) calculate $s_{t+1} = f_1(x_t, c_t)$;

e) calculate the next FSM state $c_{t+1} = T(s_{t+1}, c_t, c_{t-1})$;

f) store the memory bits $c_t \leftarrow c_{t+1}$ of the FSM.

During decryption the same loop is walked through, but in the third step the calculation is $m_t = z_t \oplus e_t$, where $e_t$ is the corresponding received encrypted bit.

The combination generator is represented in Figure 8.2, where the boxes labelled $z^{-1}$ denote delay elements holding two bits each and the small numbers under the nodes indicate the number of bits passing.

FIGURE 8.2. The E0 keystream generator

The function $f_0$, the summation combiner, produces the output sequence $z_1, z_2, \dots$ with $z_t \in GF(2)$ (200 bits in the first level). It computes $z_t$ as the modulo-2 sum of the bits of the vector $x_t$ and the first bit $c^0_t$ of the current memory contents, where $x^i_t$ denotes the output of LFSR$_i$ at time $t$, taken from the output tap given in Table 1:

$$z_t = f_0(x_t, c^0_t) \qquad (40)$$

$$= x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t \in \{0, 1\}. \qquad (41)$$

The nonlinear function $f_1$ also takes the vector $x_t$ as input, combined with the latest memory vector $c_t$, and outputs the 2-bit vector $s_{t+1}$. It is nonlinear because integer addition (with its carries) is nonlinear over $GF(2)$:

$$s_{t+1} = (s^1_{t+1}, s^0_{t+1}) \qquad (42)$$

$$= f_1(x_t, c_t) \qquad (43)$$

$$= \left\lfloor \frac{y_t + 2c^1_t + c^0_t}{2} \right\rfloor \in \{0, 1, 2, 3\}, \qquad (44)$$

$$y_t = x^1_t + x^2_t + x^3_t + x^4_t \in \{0, 1, 2, 3, 4\}. \qquad (45)$$

The state of the FSM is determined by 4 bits, stored in a pair of 2-bit delay elements. At each time $t$ the lower delay element holds the previous value of the upper one, so the two 2-bit values are $c_t$ (upper) and $c_{t-1}$ (lower). The function $T$ mixes these carry bits: it takes the 4 memory bits and $s_{t+1}$ as input and produces the 2-bit vector $c_{t+1}$ to be put in the memory.

The new content $c_{t+1}$ of the upper delay element is computed as follows:

$$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) \qquad (46)$$

$$= T(s_{t+1}, c_t, c_{t-1}) \qquad (47)$$

$$= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1}). \qquad (48)$$

Equation (48) defines a linear infinite impulse response (IIR) filter on the memory, i.e. a filter whose output depends on all past inputs rather than on a finite window [Howe05]; it lowers the correlation factor, an important parameter in correlation attacks. $T_1$ and $T_2$ are two different linear bijections over $GF(4)$, $(x_1, x_0) \mapsto (y_1, y_0)$, where $T_0 = T_1 : (x_1, x_0) \mapsto (x_1, x_0)$ is the identity and $T_2 : (x_1, x_0) \mapsto (x_0, x_1 \oplus x_0)$.

This concludes the description of the E0 keystream generator. To get a better understanding of the way it works, a basic simulation of E0 has been implemented in C; its operation can be checked against the test data available in [SIG03], pp. 652-676.

In the next section we present the known attacks on this algorithm.

8.3. Bluetooth Stream Cipher E0 Attacks

A lot of research has been done on the Bluetooth encryption, and several types of attacks on E0 have been discovered. They are described in this section. Although not all attacks could be analysed in full detail within the scope of this master thesis, each type of attack is described, and parts of the reviewed attacks have been implemented next to the E0 simulator as a way to get a better understanding of how they work.

Since the nonlinear E0 algorithm uses memory bits beside the linear LFSRs, the correlation attacks introduced in Section 5.3.4 of Chapter 5 are not applicable right away. Most attacks first remodel the cipher so that the nonlinear part is replaced by a sequence of random variables with some correlation probability.

Most of the theoretical attacks on E0 require a far larger amount of consecutive keystream than is available in a practical environment. Following Kerckhoffs' principle (see Section 3.4.2), they assume that the keystream generator is known and that some keystream bits $z_t$ are known, and they try to recover the initial state of the LFSRs.

8.3.1. Divide-and-conquer, Correlation attack, Hermelin and Nyberg

In [Hermelin00b] Hermelin and Nyberg published a theoretical attack that recovers the initial state of the keystream generator with a time complexity of $O(2^{64})$, given $O(2^{64})$ known keystream bits ($\approx 2{,}097{,}152$ TB).


The attack is based on a weak linear correlation between the XOR of the LFSR outputs, $v_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t$, and the keystream output $z_t$, which is used to test a guess for one of the LFSRs. The sequence $v_t$ can be seen as generated by a fictive LFSR whose feedback polynomial is the product of the four feedback polynomials of E0, that is, a polynomial $g(t) = f_1(t) f_2(t) f_3(t) f_4(t)$ of degree 128. If the attack succeeds, the attacker obtains the initial state of this fictive LFSR, from which the initial states of the four original LFSRs can be computed by solving a set of linear equations in 128 unknowns.

Hermelin and Nyberg discovered the following correlation in E0:

$$C(z_t \oplus z_{t-1} \oplus z_{t-3},\; v_t \oplus v_{t-1} \oplus v_{t-3}) = -\frac{1}{16}, \qquad (49)$$

where $v_t$ denotes the XORed output of the four LFSRs.

Since the attack of Ekdahl and Johansson (Section 8.3.2) is based on the same principles but achieves better complexities, we do not analyse this attack in further detail.

8.3.2. Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson

A theoretical attack by Ekdahl and Johansson [Ekdahl00] extracts the initial state of the keystream generator given $O(2^{34})$ known keystream bits ($\approx 2$ GB) with a computational complexity of $O(2^{63})$. This attack is also based on a weak linear correlation between the LFSR outputs and the keystream, used to verify whether a guess for one of the LFSRs is correct. The cipher is remodelled so that its nonlinear part, which lives in the memory block $c_t$, is replaced by a sequence of random variables with some correlation probability.

Fluhrer and Lucks [Fluhrer01] give the following correlation for $c_t$:

$$P(c^0_t \oplus c^0_{t-5} = 0) = \frac{1}{2} + 0.04883 \qquad (50)$$

for all $t \ge 5$.


The attacker observes a keystream $z_t$ of length $N$. The attack primarily targets the initial state of the first LFSR, LFSR1. The other three LFSRs can be combined into a single equivalent LFSR, whose output is a sequence $u_t$, $0 \le t \le N-1$. The memory bit $c^0_t$ is modelled as a random noise sequence with the correlation $P(c^0_t \oplus c^0_{t-5} = 0) = 1/2 + 0.04883$ of Equation (50). With this model E0 is remodelled into the simplified system of Figure 8.3. We guess the initial state of LFSR1 and add its output $x'_t$ to $z_t$ (all additions in this section are in $GF(2)$); if the guess is correct, the resulting sequence is

$$v_t = z_t + x'_t = u_t + c^0_t. \qquad (51)$$

FIGURE 8.3. Model of attack, [Ekdahl03]

From the equivalent LFSR of LFSR2, LFSR3 and LFSR4 we obtain a sequence $u_0, u_1, \dots, u_{N-1}$ which forms a linear $(N, l)$ block code $C$ (a linear block code is a set of fixed-length codewords over a finite alphabet that forms a vector subspace of $\mathbb{F}_q^n$, $\mathbb{F}_q$ being the finite field with $q$ elements; block codes are mostly used in coding theory for error detection and correction). The code has $l$ information symbols, $l$ being the length of the equivalent shift register, i.e. the sum of the lengths of LFSR2, LFSR3 and LFSR4. Writing the sequence as the row vector $u = (u_0, u_1, \dots, u_{N-1})$, we have $u = u_0 G$, where $u_0$ is the initial state of the equivalent shift register and $G$ its generator matrix. If we can find $k$ columns of $G$ such that

$$G_{i_1} + G_{i_2} + \dots + G_{i_k} = 0, \qquad (52)$$

then $u_{i_1} + u_{i_2} + \dots + u_{i_k} = 0$ for the sequence $u_t$. Since the block code is cyclic, we can write

$$\sum_{i \in I} u_{t+i} = 0 \qquad (53)$$

for any time index $t \ge 0$, where $I = \{i_1, \dots, i_k\}$ is the set of indices in Equation (52).

By summing over the indices in $I$ as in Equation (53), the influence of $u_t$ on $v_t$ (Equation (51)) can be removed, which leads back to the correlation of Equation (50):

$$v_t = u_t + c^0_t \qquad (54)$$

$$\sum_{i \in I} \bigl(v_{t+i} + v_{t+i-5}\bigr) = 0 + \sum_{i \in I} \bigl(c^0_{t+i} + c^0_{t+i-5}\bigr) \qquad (55)$$

$$\sum_{i \in I} \bigl(v_{t+i} + v_{t+i-5}\bigr) = \bigl(c^0_{t+i_1} + c^0_{t+i_1-5}\bigr) + \bigl(c^0_{t+i_2} + c^0_{t+i_2-5}\bigr) + \dots + \bigl(c^0_{t+i_k} + c^0_{t+i_k-5}\bigr) \qquad (56)$$

$$P\Bigl(\sum_{i \in I} \bigl(v_{t+i} + v_{t+i-5}\bigr) = 0\Bigr) \qquad (57)$$

$$= P\Bigl(\bigl(c^0_{t+i_1} + c^0_{t+i_1-5}\bigr) + \bigl(c^0_{t+i_2} + c^0_{t+i_2-5}\bigr) + \dots + \bigl(c^0_{t+i_k} + c^0_{t+i_k-5}\bigr) = 0\Bigr) = \frac{1}{2} + 2^{k-1}\varepsilon^k, \qquad (58)$$

where $\varepsilon = 0.04883$ is the bias of Equation (50) and the last step uses the fact that the sum of $k$ independent terms, each equal to zero with probability $1/2 + \varepsilon$, is zero with probability $1/2 + 2^{k-1}\varepsilon^k$.

If $v_t$ is sampled at many different time instances, then, depending on the magnitude of $\varepsilon$ in Equation (58), it is possible to decide with statistical significance whether the assumed initial state of LFSR1 was correct. If LFSR1 was guessed correctly, the correlation of Equation (58) can be detected; otherwise more noise has been added to the sequence $v_t$, the correlation is not detectable, and the probability that the sum in Equation (56) equals zero tends to $1/2$.

The attack requires a length $N$ of the received sequence $z_t$ that depends on two parameters: the value of the highest index in $I$ in Equation (53), and the number of time shifts $m$ over which Equation (56) is sampled.

An estimate for the highest index in $I$ is needed since we need to search a span of $z_t$ within which indices satisfying Equation (53) can be found. A good estimate of the sequence length required to find $k$ columns that add up to the all-zero column in the generator matrix of Equation (52) is given by Theorem 14.

THEOREM 14. Approximately $2^{l/(k-1)}$ columns of a random generator matrix $G$ of a cyclic code $C$ are required to find $k$ columns that add to the all-zero column, where $l$ is the number of rows of $G$.


To estimate the second parameter, the needed number of samples $m$, we use the theoretical background of Section 3.5. From that section we know that the uniform distribution $P_U(X = 0) = 1/2$ can be separated from the indicator distribution $P_{E0}(X = 0) = 1/2 + 2^{k-1}\varepsilon^k$ using approximately $1/(2^{k-1}\varepsilon^k)^2$ samples. With increasing $k$, $P_{E0}(X = 0)$ gets closer to $1/2$ and the Chernoff information $C(P_U, P_{E0})$ decreases (the Chernoff information measures the distance between two probability distributions; a relatively large value means a low error probability [Cover91]). So for a fixed error probability the required number of samples $m$ increases with $k$, whereas the number of columns $w \approx 2^{l/(k-1)}$ of $G$ required to find $k$ columns that add to the all-zero column decreases with $k$. The total number of keystream bits to observe is the sum $N = m + w$, so $k$ must be chosen such that $N$ is minimized.

When performing the attack, we count the number of times Equation (56) equals zero, $n_0$, and the number of times it equals one, $n_1$; the number of samples is thus $m = n_0 + n_1$. To simplify the application of the Neyman-Pearson lemma (Section 3.5, Lemma 10), we write $\varepsilon' = 2^{k-1}\varepsilon^k$, so that $P_{E0} = 1/2 + \varepsilon'$. According to the lemma, the test between the two hypotheses $H_0 : P_U$ and $H_1 : P_{E0}$ decides for $H_1$ (the guess for LFSR1 is accepted) when

$$\frac{\left(\tfrac{1}{2} + \varepsilon'\right)^{n_0} \left(\tfrac{1}{2} - \varepsilon'\right)^{n_1}}{\left(\tfrac{1}{2}\right)^{m}} > T, \qquad (59)$$

with $T \ge 0$ the decision threshold.

For this attack it is desirable to use an asymmetric threshold that decreases the false-alarm probability $P_F$ at the expense of the miss probability $P_M$, i.e. $P_F \ll P_M$. In [Ekdahl03] the threshold $T = 2^5$ was chosen, giving $P_M \approx 2^{-4}$ and $P_F \approx 2^{-10}$. It is shown that $k = 4$ is the best choice for attacking LFSR1, since $N$ is then minimized to $2^{34.6}$.
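The parameter trade-off and the decision rule above, as an added example that is not part of the thesis: a Python sketch that, for the LFSR1 attack ($l = 31 + 33 + 39 = 103$, $\varepsilon = 0.04883$), estimates $w$ from Theorem 14, $m$ from $1/\varepsilon'^2$ and $N = m + w$ for each $k$, and applies the log form of the Neyman-Pearson test (59) to the counts $n_0, n_1$. The crude $1/\varepsilon'^2$ sample estimate is used exactly as stated in the text, without the error-probability terms of [Ekdahl03], so the resulting $N$ lands slightly below $2^{34.6}$ but at the same $k$; `expected_counts` is a convenience of this example that fabricates the counts an ideal run would produce, so the rule can be exercised without a real keystream.

```python
from math import log2

L_EQUIV = 31 + 33 + 39   # l: length of the equivalent LFSR (LFSR2 + LFSR3 + LFSR4)
EPS = 0.04883            # bias of P(c0_t ^ c0_{t-5} = 0), Equation (50)


def log2_w(k, l=L_EQUIV):
    """Theorem 14: about 2^(l/(k-1)) columns of G to find k that sum to zero."""
    return l / (k - 1)


def eps_prime(k, eps=EPS):
    """Bias of the k-fold sum in Equation (58): 2^(k-1) * eps^k."""
    return 2 ** (k - 1) * eps ** k


def log2_m(k, eps=EPS):
    """Samples m ~ 1/eps'^2 needed to separate P_U from P_E0."""
    return -2 * log2(eps_prime(k, eps))


def log2_n(k, l=L_EQUIV, eps=EPS):
    """log2 of the total keystream N = m + w for a given k."""
    return log2(2 ** log2_m(k, eps) + 2 ** log2_w(k, l))


def best_k(kmax=8):
    """The k in [2, kmax] that minimises N."""
    return min(range(2, kmax + 1), key=log2_n)


def accept_guess(n0, n1, k, log2_T=5.0, eps=EPS):
    """Neyman-Pearson test (59) in log form: accept the LFSR1 guess (H1: P_E0)
    when log2[P_E0(n0, n1) / P_U(n0, n1)] exceeds log2 T (T = 2^5 in the text)."""
    e = eps_prime(k, eps)
    llr = n0 * log2(0.5 + e) + n1 * log2(0.5 - e) - (n0 + n1) * log2(0.5)
    return llr > log2_T


def expected_counts(k, m, biased, eps=EPS):
    """Idealised (n0, n1) after m samples under P_E0 (biased=True) or P_U."""
    e = eps_prime(k, eps) if biased else 0.0
    n0 = round(m * (0.5 + e))
    return n0, round(m) - n0


def trade_off_table(kmax=8):
    """(k, log2 w, log2 m, log2 N) rows, to see why k = 4 wins for LFSR1."""
    return [(k, log2_w(k), log2_m(k), log2_n(k)) for k in range(2, kmax + 1)]
```

For $k = 4$ the estimate gives $w \approx 2^{34.3}$, $m \approx 2^{28.9}$ and $N \approx 2^{34.4}$; $k = 3$ is dominated by $w \approx 2^{51.5}$ and $k = 5$ by $m \approx 2^{35.6}$, so `best_k()` returns 4. With $m = 1/\varepsilon'^2$ samples the log-likelihood ratio of a correct guess is only about $2/\ln 2 \approx 2.9$ bits, below the threshold of 5, which is why a few multiples of that sample count are needed once $T = 2^5$ is imposed.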

8.3.3. Faster correlation attack, Y. Lu and S. Vaudenay

The faster correlation attack proposed by Yi Lu and Serge Vaudenay in [Lu04] has the best known time complexity, $O(2^{39})$ after a precomputation of $O(2^{37})$, but it still requires $2^{39}$ consecutive keystream bits ($\approx 64$ GB). The attack recovers LFSR1 with a new Maximum Likelihood Decoding (MLD) algorithm based on the Fast Walsh Transform, which speeds up a fast correlation attack. It applies the concept of convolution to the analysis of a distinguisher based on all known correlations, which gives an efficient distinguisher that halves the data complexity of the basic distinguisher built on a single bias.

The approach is similar to the divide-and-conquer attack of Ekdahl and Johansson (Section 8.3.2), but with a decreased time complexity. The correlations used for this attack are

$$P(c^0_t \oplus c^0_{t+1} \oplus c^0_{t+3} \oplus c^0_{t+4} = 1) = \frac{1}{2} + \frac{\lambda}{2}, \qquad (60)$$

$$P(c^0_t \oplus c^0_{t+5} = 0) = \frac{1}{2} + \frac{\lambda}{2}, \qquad (61)$$

where $\lambda = 25/256$.

8.3.4. Guess-and-determine attack, M. O. Saarinen

Markku-Juhani O. Saarinen presented in [Saarinen00] the first guess-and-determine attack on the Bluetooth keystream generator. It consists of guessing the states of the three smallest LFSRs and of the finite state machine, and deriving the contents of the remaining fourth LFSR from these guesses. Using the observed keystream, the consistency of the assumption is checked against the output of LFSR4. The complexity of this attack is expected to be close to $O(2^{93})$. We do not treat Saarinen's attack in further detail, since the improved versions of this attack are analysed below.

8.3.5. Guess-and-determine attack, S.R. Fluhrer and S. Lucks

Scott R. Fluhrer and Stefan Lucks refined the attack of M.O. Saarinen in [Fluhrer01]. Their attack recovers the initial state of the shift registers (level 2 of the keystream generator) and reverses the premixing step to recover the session key $K_C$ (level 1 of the keystream generator). The time complexity of the attack is of the order $O(2^{84})$ when 132 keystream bits are available. The time complexity required to reconstruct the level-2 generator (the initial states of the LFSRs) is expected to lie between $O(2^{72})$ and $O(2^{84})$, depending on the number of known keystream bits. The work effort to reconstruct the level-1 generator is expected to lie between $O(2^{51})$ and $O(2^{81})$. Unlike the correlation attacks, the algorithm allows the keystream bits to be spread over multiple data packets; the computational complexity can then be improved to the order of $O(2^{76})$ to $O(2^{84})$, depending on the number of keystream bits available.

The basic approach of guessing the initial state of parts of the cipher and checking consistency is the same as in Saarinen's attack, but this attack takes advantage of additional relationships within E0 to gain performance. Instead of guessing three LFSRs as Saarinen does, it guesses the initial state of the FSM and the contents of the two shortest LFSRs. A set of linear equations is built up and checked for inconsistencies; a guess is rejected as soon as an inconsistency is found.

The idea behind the algorithm is that the next-state function of the FSM depends only on the number of LFSRs that output a one. Instead of computing the exact output values of the two longest LFSRs, it suffices to decide whether their outputs differ or not. The algorithm also takes advantage of the fact that contradictions in a system of linear equations over $GF(2)$ can be found efficiently.

The attack derives the initial LFSR settings given 132 bits of keystream output. The initial FSM contents and the states of LFSR1 and LFSR2 are guessed. By observing the keystream it is possible to decide whether the XOR of the outputs of LFSR3 and LFSR4 is one or zero, and a set $L$ of linear equations on the output bits of LFSR3 and LFSR4 is constructed in a search tree. When enough keystream bits have been analysed, the linear equations implied by the tap equations of LFSR3 and LFSR4 are added to the set $L$. As long as the equations in $L$ stay consistent, the analysis of the keystream continues; if an inconsistency appears, the algorithm backtracks in the tree and tries another guess at the different steps.

8.3.6. Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel

The theoretical attack presented by Christophe De Cannière, Thomas Johansson and Bart Preneel in [Cannière01] builds on the attack of Fluhrer and Lucks [Fluhrer01] described in the preceding section. Its time complexity is of the order $O(2^{76})$ when 1 Mbit of keystream is available. The approach is similar to that of Fluhrer and Lucks, but instead of guessing the contents of two LFSRs and the FSM, only the shortest LFSR and the initial state of the FSM are guessed.

8.3.7. FBDD-attack, M. Krause

In [Krause01] Matthias Krause proposes an FBDD attack on the Bluetooth keystream generator with a time complexity of $O(2^{77})$, requiring only 128 known keystream bits. Free Binary Decision Diagrams (FBDDs) are data structures for representing and manipulating Boolean functions [Gergov94] [Sieling95]. An FBDD attack is a short-keystream attack: the number of keystream bits needed to compute the secret initial state $x \in \{0, 1\}^n$ is at most $cn$ for some constant $c \ge 1$.

The attack exploits the fact that many LFSR-based stream ciphers produce their keystream according to the rule $z = C(L(x))$, where $L(x)$ denotes an internal linear bitstream generated by a small number of parallel LFSRs and $C$ is some nonlinear compression function. The weakness of such generators is that the compressor $C$ has to produce the keystream online and at high speed; to achieve this, $C$ uses only a small memory and consumes only a few new internal bits per output bit. These requirements imply that the decision whether an internal bitstream generates a prefix of a given keystream $y$ via $C$ can be computed by small FBDDs. This allows one to dynamically compute a sequence of FBDDs $P_m$, $m \ge n$, which test for a given initial state $x \in \{0, 1\}^n$ whether $C(L_{\le m}(x))$ is a prefix of $y$, where $L_{\le m}(x)$ denotes the first $m$ bits of the internal linear bitstream generated by $L$ from the secret initial state $x$.

8.3.8. Algebraic attack, F. Armknecht

Frederik Armknecht proposed an algebraic attack to reconstruct the initial state of E0 in [Armknecht02]. It is based on a system of nonlinear equations of degree 4 that holds with probability 1 at each clock. By linearisation the system becomes solvable, assuming that enough independent equations can be collected. The number of possible terms in the linearised system is $T \approx 2^{24.056}$, and by employing Strassen's algorithm to solve the system of linear equations the complexity of this approach is about $O(2^{67.58})$. In order to obtain enough independent linear equations, the number of observed keystream bits must be approximately $2^{24.056}$ (about 17 Mbit, i.e. roughly 2 MB). We explore this attack in more detail.

Theorem 15 forms the basis of the algebraic attack on combiners with memory.

THEOREM 15 (Krause, Armknecht, 2003). For each combiner $C$ with $k$ LFSRs and $l$ memory bits, a nontrivial relation $F_C$ of degree $\lceil k(l+1)/2 \rceil$ with

$$0 = F_C\bigl(X_t, \dots, X_{t+l}, z_t, \dots, z_{t+l}\bigr)$$

can be constructed.

Basically, we are able to transform equations for $z_t$ in terms of the LFSR output bits $x$ and the memory bits $c$ into a system of equations that no longer depends on the memory bits and can be used to find the initial values of the LFSRs:

$$z_t = F\bigl(x^1_t, \dots, x^4_t, c^1_t, \dots, c^4_t\bigr)$$

$$z_t = F\bigl(x^1_t, \dots, x^4_t, C_t(x^1_1, \dots, x^4_{t-1}, c^1_1, \dots, c^4_1)\bigr)$$

$$z_t = F_t\bigl(x_1, \dots, x_n, c^1_1, \dots, c^4_1\bigr)$$

$$0 = F'\bigl(x^1_t, \dots, x^4_t, x^1_{t+1}, \dots, x^4_{t+1}, x^1_{t+2}, \dots, x^4_{t+2}, x^1_{t+3}, \dots, x^4_{t+3}, z_t, z_{t+1}, z_{t+2}, z_{t+3}\bigr)$$

$$0 = F'\bigl(x_1, \dots, x_n, z_t, z_{t+1}, z_{t+2}, z_{t+3}\bigr)$$

Here $c^1_t, \dots, c^4_t$ stand for the four memory bits at time $t$ and $x_1, \dots, x_n$ for the initial state bits of the LFSRs.

For each clock $t$ a new keystream bit $z_t$ is produced and the next memory bits $c^0_{t+1}$ and $c^1_{t+1}$ are computed by Equation (48). We reformulate this equation to obtain the functions for the individual memory bits $c^0_{t+1}$ and $c^1_{t+1}$:

$$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) \qquad (62)$$

$$= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1}) \qquad (63)$$

$$= \bigl(s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1},\; s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1}\bigr). \qquad (64)$$

In this equation we can rewrite $s^1_{t+1}$ and $s^0_{t+1}$ from Equations (44) and (45), following [Armknecht02], as

$$s_{t+1} = (s^1_{t+1}, s^0_{t+1}) \qquad (65)$$

$$= \left\lfloor \frac{x^1_t + x^2_t + x^3_t + x^4_t + 2c^1_t + c^0_t}{2} \right\rfloor \qquad (66)$$

$$s^1_{t+1} = \Pi_4(t) \oplus \Pi_3(t)\, c^0_t \oplus \Pi_2(t)\, c^1_t \oplus \Pi_1(t)\, c^0_t c^1_t \qquad (67)$$

$$s^0_{t+1} = \Pi_2(t) \oplus \Pi_1(t)\, c^0_t \oplus c^1_t \qquad (68)$$

where $\Pi_i(t)$ is the XOR over all products of degree $i$ of the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$, i.e. the $i$-th elementary symmetric polynomial over $GF(2)$ (the binary digits of the integer sum $y_t$ are exactly $\Pi_1(t)$, $\Pi_2(t)$ and $\Pi_4(t)$, which is what makes (67) and (68) hold):

$$\Pi_1(t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t$$

$$\Pi_2(t) = x^1_t x^2_t \oplus x^1_t x^3_t \oplus x^1_t x^4_t \oplus x^2_t x^3_t \oplus x^2_t x^4_t \oplus x^3_t x^4_t$$

$$\Pi_3(t) = x^1_t x^2_t x^3_t \oplus x^1_t x^2_t x^4_t \oplus x^1_t x^3_t x^4_t \oplus x^2_t x^3_t x^4_t$$

$$\Pi_4(t) = x^1_t x^2_t x^3_t x^4_t$$

which leads to the following equations for the individual bits $c^1_{t+1}$ and $c^0_{t+1}$ (from Equation (64)):

$$c^1_{t+1} = s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1} \qquad (69)$$

$$= \Pi_4(t) \oplus \Pi_3(t)\, c^0_t \oplus \Pi_2(t)\, c^1_t \oplus \Pi_1(t)\, c^0_t c^1_t \oplus c^1_t \oplus c^0_{t-1} \qquad (70)$$

$$c^0_{t+1} = s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1} \qquad (71)$$

$$= \Pi_2(t) \oplus \Pi_1(t)\, c^0_t \oplus c^1_t \oplus c^1_{t-1} \oplus c^0_t \oplus c^0_{t-1} \qquad (72)$$


Now we define the auxiliary variables $A(t)$ and $B(t)$:

$$A(t) = \Pi_4(t) \oplus \Pi_3(t)\, c^0_t \oplus c^0_{t-1}$$

$$B(t) = \Pi_2(t) \oplus \Pi_1(t)\, c^0_t \oplus 1$$

so that Equations (70) and (72) simplify to (using the fact that $x^2 = x$ for Boolean variables)

$$c^1_{t+1} = A(t) \oplus B(t)\, c^1_t \qquad (73)$$

$$c^1_{t+1} B(t) = A(t) B(t) \oplus B(t)\, c^1_t \qquad (74)$$

$$0 = B(t)\bigl(A(t) \oplus c^1_t \oplus c^1_{t+1}\bigr) \qquad (75)$$

and

$$c^0_{t+1} = B(t) \oplus 1 \oplus c^0_t \oplus c^0_{t-1} \oplus c^1_t \oplus c^1_{t-1} \qquad (76)$$

$$c^0_{t+1} \oplus c^1_{t-1} = B(t) \oplus 1 \oplus c^0_t \oplus c^0_{t-1} \oplus c^1_t. \qquad (77)$$

Inserting Equation (77), taken at index $t+1$ instead of $t$, into Equation (75) eliminates $c^1_t \oplus c^1_{t+1}$ and gives

$$0 = B(t)\bigl(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\bigr). \qquad (78)$$


In this equation all unknown memory bits $c^0$ can be eliminated using the observed keystream $z_t$ (Equation (41)) and the identities $X^2 = X$ and $X \oplus X = 0$ in $GF(2)$:

$$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$$

$$c^0_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus z_t = \Pi_1(t) \oplus z_t$$

$$B(t) = \Pi_2(t) \oplus \Pi_1(t)\, c^0_t \oplus 1 = \Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)\, z_t \oplus 1$$

$$A(t) = \Pi_4(t) \oplus \Pi_3(t)\, c^0_t \oplus c^0_{t-1} = \Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)\, z_t \oplus \Pi_1(t-1) \oplus z_{t-1}$$

Substituting into Equation (78):

$$0 = B(t)\bigl(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\bigr)$$

$$= \bigl(\Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)\, z_t \oplus 1\bigr)\bigl(\Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)\, z_t \oplus \Pi_1(t-1) \oplus z_{t-1} \oplus \Pi_2(t+1) \oplus \Pi_1(t+1) \oplus \Pi_1(t+1)\, z_{t+1} \oplus 1 \oplus 1 \oplus \Pi_1(t) \oplus z_t \oplus \Pi_1(t+1) \oplus z_{t+1} \oplus \Pi_1(t+2) \oplus z_{t+2}\bigr)$$

In the second factor the two constants and the two copies of $\Pi_1(t+1)$ cancel. Multiplying out and reducing the products of elementary symmetric polynomials in the four Boolean variables modulo 2, with $\Pi_1(t)\Pi_1(t) = \Pi_1(t)$, $\Pi_2(t)\Pi_2(t) = \Pi_2(t)$, $\Pi_1(t)\Pi_2(t) = \Pi_1(t)\Pi_3(t) = \Pi_2(t)\Pi_3(t) = \Pi_3(t)$ and $\Pi_1(t)\Pi_4(t) = \Pi_2(t)\Pi_4(t) = 0$, gives

$$\begin{aligned} 0 ={}& z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2} \\ &\oplus \Pi_1(t)\bigl(z_t z_{t+2} \oplus z_t z_{t+1} \oplus z_t z_{t-1} \oplus z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\bigr) \\ &\oplus \Pi_2(t)\bigl(z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\bigr) \oplus \Pi_3(t)\, z_t \oplus \Pi_4(t) \\ &\oplus \Pi_1(t-1) \oplus \Pi_1(t-1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t-1)\Pi_2(t) \\ &\oplus \Pi_1(t+1)\, z_{t+1} \oplus \Pi_1(t+1)\Pi_1(t)\, z_{t+1}(1 \oplus z_t) \oplus \Pi_1(t+1)\Pi_2(t)\, z_{t+1} \\ &\oplus \Pi_2(t+1) \oplus \Pi_2(t+1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_2(t+1)\Pi_2(t) \\ &\oplus \Pi_1(t+2) \oplus \Pi_1(t+2)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t+2)\Pi_2(t). \end{aligned} \qquad (79)$$

Equation (79) has terms of degree at most 4 in the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ (inside the $\Pi_i$) and holds for every $t$. By iterating it we obtain a system of nonlinear equations (SNE) of degree 4 whose unknowns are the initial values of the four LFSRs. These initial states have lengths 25, 31, 33 and 39, so the key to recover with the attack has the form

$$K_0 = (a_0, \dots, a_{24}, b_0, \dots, b_{30}, c_0, \dots, c_{32}, d_0, \dots, d_{38}) = (k_0, k_1, \dots, k_{127}).$$

Although Equation (79) is written in terms of the LFSR output bits at clock $t$, it can be rewritten in terms of the initial state bits. This is possible because there is a linear map $L : GF(2)^n \to GF(2)^n$, with $n = 128$ the total register length, that maps the state $K_t$ to $K_{t+1}$ at each clock, $K_{t+1} = L(K_t)$:

$$K_1 = L(k_0, k_1, \dots, k_{127}) = L(K_0)$$

$$K_2 = L(k_1, k_2, \dots, k_{128}) = L\bigl(L(k_0, k_1, \dots, k_{127})\bigr) = L^2(K_0)$$

$$\vdots$$

$$K_t = L(k_{t-1}, k_t, \dots, k_{t+126}) = L^t(K_0)$$

So Equation (79) can be rewritten, in the notation of Theorem 15, as

$$0 = F\bigl(K_0, \dots, L^3(K_0), z_0, z_1, z_2, z_3\bigr)$$

$$0 = F\bigl(L(K_0), \dots, L^4(K_0), z_1, \dots, z_4\bigr)$$

$$0 = F\bigl(L^2(K_0), \dots, L^5(K_0), z_2, \dots, z_5\bigr)$$

$$0 = F\bigl(L^3(K_0), \dots, L^6(K_0), z_3, \dots, z_6\bigr)$$

$$\vdots$$

$$0 = F\bigl(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3}\bigr)$$

where $F$ is a multivariate relation of degree at most 4.

Since the LFSR output bits $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ are linear functions of the initial state bits, only a finite number of different monomials can occur. Armknecht found that this number is $T = 17{,}440{,}047 \approx 2^{24.056}$, so after linearisation (treating each monomial as a new unknown) we obtain a system of linear equations in $T$ unknowns. To solve it we need at least $T$ equations, obtained by clocking the system that many times. The system can then be solved with Strassen's algorithm in $O(7\, T^{\log_2 7})$ or with the Coppersmith-Winograd algorithm [Coppersmith90] in $O(T^{\omega})$, $\omega \le 2.376$.
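As an added example that is not the thesis's own simulator, the following Python code implements the level-2 keystream generator of Section 8.2 (the Table 1 registers, the summation combiner (41) and (44), and the FSM update (64)) and uses it for two checks. First, the central claim of the algebraic attack: relation (78), with the memory bits eliminated through $c^0_t = \Pi_1(t) \oplus z_t$, holds at every clock for the true LFSR state, and so does the fully multiplied-out degree-4 form written out in `relation_expanded` by reducing the products of the $\Pi_i$; both fail almost immediately when the $x$ bits come from a wrong guess of the state and $z$ from the real keystream, which is exactly how the linearised system discriminates keys. Second, the empirical bias of $P(c^0_t \oplus c^0_{t+5} = 0)$ behind Equations (50) and (61), measured on the generator's own memory bits. The bit ordering inside the registers, the FSM starting values and the example states are my own choices and have not been checked against the specification's test vectors, so the keystream is not claimed to match a real device; the algebraic relations and the bias do not depend on that ordering.

```python
# Table 1: (degree, exponents of the feedback polynomial, output tap) for LFSR1..LFSR4.
E0_LFSRS = (
    (25, (25, 20, 12, 8, 0), 24),
    (31, (31, 24, 16, 12, 0), 24),
    (33, (33, 28, 24, 4, 0), 32),
    (39, (39, 36, 28, 4, 0), 32),
)


class E0:
    """Level-2 keystream generator: four LFSRs, summation combiner and 4-bit FSM."""

    def __init__(self, seeds, c=(0, 0), c_prev=(0, 0)):
        # Register k keeps cell i in bit i; seeds are masked to the register length.
        self.regs = [s & ((1 << n) - 1) for s, (n, _, _) in zip(seeds, E0_LFSRS)]
        self.c1, self.c0 = c          # c_t     = (c1_t, c0_t)
        self.p1, self.p0 = c_prev     # c_{t-1} = (c1_{t-1}, c0_{t-1})

    def _lfsr_clock(self, k):
        """Emit the tapped cell, shift down, feed a_{t+n} = XOR of a_{t+e}, e < n, in at the top."""
        n, exps, tap = E0_LFSRS[k]
        st = self.regs[k]
        fb = 0
        for e in exps:
            if e < n:
                fb ^= (st >> e) & 1
        self.regs[k] = (st >> 1) | (fb << (n - 1))
        return (st >> tap) & 1

    def clock(self):
        """Steps a) to f) of the encryption loop: returns (x_t, z_t), advances to t+1."""
        x = tuple(self._lfsr_clock(k) for k in range(4))
        y = sum(x)
        z = x[0] ^ x[1] ^ x[2] ^ x[3] ^ self.c0           # (41): z_t = f0(x_t, c_t)
        s = (y + 2 * self.c1 + self.c0) >> 1               # (44): s_{t+1} = f1(x_t, c_t)
        s1, s0 = (s >> 1) & 1, s & 1
        n1 = s1 ^ self.c1 ^ self.p0                        # (64), T2(c_{t-1}) = (c0, c1 ^ c0)
        n0 = s0 ^ self.c0 ^ self.p1 ^ self.p0
        self.p1, self.p0, self.c1, self.c0 = self.c1, self.c0, n1, n0
        return x, z


def run(seeds, n, c=(0, 0), c_prev=(0, 0)):
    """n clocks of E0: the list of x_t tuples and the list of keystream bits z_t."""
    gen = E0(seeds, c, c_prev)
    xs, zs = [], []
    for _ in range(n):
        x, z = gen.clock()
        xs.append(x)
        zs.append(z)
    return xs, zs


def pi(x):
    """[0, Pi_1(t), ..., Pi_4(t)]: XOR over all degree-i products of x^1_t..x^4_t."""
    a, b, c, d = x
    return [0, a ^ b ^ c ^ d,
            (a & b) ^ (a & c) ^ (a & d) ^ (b & c) ^ (b & d) ^ (c & d),
            (a & b & c) ^ (a & b & d) ^ (a & c & d) ^ (b & c & d),
            a & b & c & d]


def relation_compact(P, z, t):
    """Relation (78) at clock t with every memory bit c0 replaced by Pi_1 ^ z."""
    c0 = lambda u: P[u][1] ^ z[u]
    B = lambda u: P[u][2] ^ (P[u][1] & c0(u)) ^ 1
    A = P[t][4] ^ (P[t][3] & c0(t)) ^ c0(t - 1)
    return B(t) & (A ^ B(t + 1) ^ 1 ^ c0(t) ^ c0(t + 1) ^ c0(t + 2))


def relation_expanded(P, z, t):
    """The same relation multiplied out: degree 4 in the x bits (equation (79))."""
    zm, zt, zp, zpp = z[t - 1], z[t], z[t + 1], z[t + 2]
    pm, p, pp, ppp = P[t - 1], P[t], P[t + 1], P[t + 2]
    S, nz = zm ^ zt ^ zp ^ zpp, 1 ^ zt
    return (S ^ (p[1] & ((zt & zpp) ^ (zt & zp) ^ (zt & zm) ^ S))
            ^ (p[2] & S) ^ (p[3] & zt) ^ p[4]
            ^ pm[1] ^ (pm[1] & p[1] & nz) ^ (pm[1] & p[2])
            ^ (pp[1] & zp) ^ (pp[1] & p[1] & nz & zp) ^ (pp[1] & p[2] & zp)
            ^ pp[2] ^ (pp[2] & p[1] & nz) ^ (pp[2] & p[2])
            ^ ppp[1] ^ (ppp[1] & p[1] & nz) ^ (ppp[1] & p[2]))


def relation_violations(guess_seeds, true_seeds, n=2000, c=(0, 1), c_prev=(0, 1)):
    """x_t from the guessed LFSR states, z_t from the true ones (same FSM start):
    number of clocks 1 <= t <= n-3 at which either form of the relation is nonzero.
    Zero for a correct guess; a wrong guess is contradicted at a large share of clocks."""
    xs, _ = run(guess_seeds, n, c, c_prev)
    _, zs = run(true_seeds, n, c, c_prev)
    P = [pi(x) for x in xs]
    return sum(1 for t in range(1, n - 2)
               if relation_compact(P, zs, t) | relation_expanded(P, zs, t))


def memory_bias(seeds, n=1 << 16, shift=5, c=(0, 1), c_prev=(1, 0)):
    """Empirical P(c0_t ^ c0_{t+shift} = 0) - 1/2 on the generator's memory bits,
    recovered as c0_t = Pi_1(t) ^ z_t; compare with the 0.04883 of Equation (50)."""
    xs, zs = run(seeds, n, c, c_prev)
    c0 = [x[0] ^ x[1] ^ x[2] ^ x[3] ^ z for x, z in zip(xs, zs)]
    agree = sum(1 for t in range(n - shift) if c0[t] == c0[t + shift])
    return agree / (n - shift) - 0.5


# Constructed example states; these are not Bluetooth test vectors.
SEED_A = (0x1A2B3C5, 0x3F1E2D3C, 0x1F2E3D4C5, 0x5A6B7C8D9E)
SEED_B = (0x0BADF00, 0x7FFFFFFE, 0x123456789, 0x0A0B0C0D0E)
```

`relation_violations(SEED_A, SEED_A)` returns 0 over 2000 clocks, as does any other consistent (state, keystream) pair, while `relation_violations(SEED_B, SEED_A)` reports violations at a large fraction of the clocks, so a wrong guess is excluded from a handful of keystream bits. The compact and the expanded form are evaluated side by side because they must agree bit for bit at every clock: if the reduction of the $\Pi_i$ products were wrong, the two would diverge on the real keystream. `memory_bias(SEED_A)` over $2^{16}$ clocks returns a value a few hundredths away from zero, the order of magnitude of the bias that the correlation attacks of Sections 8.3.2 and 8.3.3 exploit.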

8.3.9. Fast Algebraic attack, N. Courtois and F. Armknecht

As an extension of the algebraic attack of F. Armknecht, the Fast Algebraic attack enables us to work with equations of a lower degree (see also Section 5.3.7 and Section 5.3.8). By reducing the degree of the system of equations, the run-time complexity will decrease. The Fast Algebraic attack was introduced by Nicolas Courtois in [Courtois03a] and Frederik Armknecht in [Armknecht04c]. The attack decreases the degree of the system of equations by using linear combinations of equations. Equation (79) can be written in the form:

$0 = F(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3})$

$0 = F_1(L^t(K_0), \dots, L^{t+3}(K_0)) + F_2(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3})$

where $F = (F_1, F_2)$, and $F_1$ and $F_2$ are multivariate relations with a high degree $d_1$ for $F_1$ and a lower degree $d_2$ for $F_2$. The linear combination will cancel out the high-degree monomials of degree $\{d_2 + 1, d_2 + 2, \dots, d_1\}$ that occur in Equation (79).

In [Hawkes04] another approach has been proposed: by using the Fast Fourier Transform (FFT), the complexity of substituting the keystream into the equations can be decreased, resulting in an expected process complexity of $O(2^{49})$. These $2^{49}$ operations can be performed in about 35 hours on a 4GHz machine. The attack requires $2^{23.4}$ keystream output bits.


CHAPTER 9

Bluetooth Pairing and Authentication process

9.1. Introduction

This section will explore in depth the pairing and authentication process used by the Bluetooth

system when operating in the Bluetooth Security Mode 3: Link-level security mode. Within

this security mode, the Bluetooth devices will initiate security measures before establishing a

channel by pairing (bonding).

Very recently, Y. Shaked and A. Wool discovered a new attack [Shaked05] on this security mechanism. This attack will be discussed in Section 9.5. But first we will introduce the SAFER+ block cipher, used in the pairing and authentication key generation.

9.2. SAFER+

SAFER+ is a non-proprietary block cipher algorithm used within the generation of different

keys of the Bluetooth pairing and authentication processes. SAFER+ was invented by Prof. J.L. Massey, Prof. G.H. Khachatrian and Dr. M.K. Kuregian for Cylink Corporation. SAFER+ was one of the candidates for the Advanced Encryption Standard (AES). SAFER+ is based on the SAFER block cipher family. If sufficient rounds are used, SAFER is still a safe algorithm. But SAFER uses blocks of 64 bits, which is too small for Bluetooth. SAFER+ uses a block size of 128 bits for the plaintext and ciphertext and supports three user-selectable key lengths, namely 128, 192 and 256 bits. The standard Bluetooth key length uses 128-bit keys, which require 8 rounds in the SAFER+ algorithm. SAFER+ also has an important improvement on the SAFER algorithm: an Armenian Shuffle permutation is used, which boosts the diffusion of single-bit modifications in the input data. This is a highly desirable property for a good block cipher.

SAFER+ consists of an encryption subsystem and a key scheduling subsystem. The key scheduling subsystem (KSA) (see Figure 9.1) provides 17 different 128-bit subkeys, called round keys, for each encryption round in the encryption subsystem. Such a round key consists of two vectors of 16 octets. We regard octets as being integer numbers 0, 1, ..., 255 or as being eight-dimensional binary-valued vectors. Each of these 16-octet vectors $K_i = (K_i[0], K_i[1], \dots, K_i[15])$, except the first, is offset by a bias $B_i = (b_i[0], b_i[1], \dots, b_i[15])$, $i = 2, 3, \dots, 17$, using modulo 256 addition. The bias vectors are defined by

$b_i[j] = \left( \left( 45^{\left( 45^{17i+j+1} \bmod 257 \right)} \bmod 257 \right) \bmod 256 \right)$, for j = 0, 1, ..., 15. (79)

In each step of the key scheduling algorithm, each byte is cyclically rotated left by 3 bit positions and 16 bytes of the 17 are selected for the output round key.

FIGURE 9.1. SAFER+ key scheduling [SIG03].


In the encryption subsystem, the round keys are fed into the 8 identical SAFER+ rounds and added into the round data. Each round uses 2 round keys and the last key is used in the SAFER+ output transformation. This addition is done by intertwined modulo 256 and XOR additions, implemented by a Pseudo Hadamard Transform (PHT) mapping, a 16-byte transformation by the Armenian Shuffles and two substitution tables E and L.

The Pseudo Hadamard Transform takes two input bytes and produces two output bytes:

$PHT(a, b) = \left( (2a + b) \bmod 256,\ (a + b) \bmod 256 \right)$ (80)

The Armenian Shuffle permutes the PHT output bits as follows:

(0 8)(1 11)(2 12)(3 15)(4 2)(5 1)(6 6)(7 5)(8 10)(9 9)(10 14)(11 13)(12 0)(13 7)(14 4)(15 3) (81)

The mappings E and L introduce the nonlinearity for SAFER+.

$E, L : \{0, 1, \dots, 255\} \to \{0, 1, \dots, 255\}$ (82)

$E : x \mapsto (45^x \bmod 257) \bmod 256$ (83)

$L : x \mapsto y$ such that $x = E(y)$ (84)
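As an added example that is not the thesis's or the Bluetooth SIG's code, the following Python builds the SAFER+ components described above, the E and L tables of Equations (83) and (84), the bias vectors of Equation (79), the PHT of Equation (80) and the Armenian Shuffle of Equation (81), and checks the properties a reviewer would want to confirm (E is a permutation, L inverts it, the PHT is invertible, the shuffle is a permutation). The key schedule function follows the standard SAFER+ description as recalled by the author of this example; the rule that round key i starts at key byte i-1 is an assumption not stated on this page.

```python
# Added example, not from the thesis or the Bluetooth SIG: the SAFER+ building
# blocks described above (E and L tables, key-schedule bias vectors, PHT and
# Armenian Shuffle) with self-checks. The key schedule follows the standard
# SAFER+ description as recalled by the author of this example; which 16 of
# the 17 bytes feed round key i is an assumption not stated on this page.

# Equation (83): E(x) = (45^x mod 257) mod 256. 45 generates GF(257)*, so E
# is a bijection on {0..255}; 45^128 = 256 (= -1 mod 257) is mapped to 0.
E_TABLE = [pow(45, x, 257) % 256 for x in range(256)]

# Equation (84): L(x) = y such that E(y) = x, i.e. the inverse table.
L_TABLE = [0] * 256
for y in range(256):
    L_TABLE[E_TABLE[y]] = y


def bias_vector(i):
    """Equation (79): b_i[j] = ((45^(45^(17i+j+1) mod 257)) mod 257) mod 256."""
    return [pow(45, pow(45, 17 * i + j + 1, 257), 257) % 256 for j in range(16)]


def pht(a, b):
    """Equation (80): Pseudo Hadamard Transform on two bytes."""
    return ((2 * a + b) % 256, (a + b) % 256)


def pht_inverse(c, d):
    """Inverse of the PHT: recovers (a, b) from (2a + b, a + b) mod 256."""
    return ((c - d) % 256, (2 * d - c) % 256)


# Equation (81) read as "output position k takes input byte SHUFFLE[k]".
ARMENIAN_SHUFFLE = [8, 11, 12, 15, 2, 1, 6, 5, 10, 9, 14, 13, 0, 7, 4, 3]


def armenian_shuffle(block):
    """Permute a 16-byte block according to the Armenian Shuffle."""
    return [block[ARMENIAN_SHUFFLE[k]] for k in range(16)]


def rotl8(byte, bits):
    """Cyclic left rotation of one byte."""
    return ((byte << bits) | (byte >> (8 - bits))) & 0xFF


def round_keys(user_key):
    """The 17 SAFER+ round keys for a 128-bit user key, as described above:
    a 17th byte is the XOR of the 16 key bytes; in each step every byte is
    rotated left by 3 and 16 of the 17 bytes are selected, with bias B_i
    added for i >= 2. Assumption: round key i starts at byte i-1 (cyclic)."""
    assert len(user_key) == 16
    k = list(user_key) + [0]
    for byte in user_key:
        k[16] ^= byte
    keys = [list(user_key)]                    # K_1 carries no bias
    for i in range(2, 18):
        k = [rotl8(byte, 3) for byte in k]
        bias = bias_vector(i)
        keys.append([(k[(i - 1 + j) % 17] + bias[j]) % 256 for j in range(16)])
    return keys


def self_check():
    """Properties worth verifying before trusting the tables."""
    assert sorted(E_TABLE) == list(range(256))          # E is a permutation
    assert all(L_TABLE[E_TABLE[x]] == x for x in range(256))
    assert sorted(ARMENIAN_SHUFFLE) == list(range(16))  # shuffle is a permutation
    assert all(pht_inverse(*pht(a, b)) == (a, b)
               for a in range(256) for b in (0, 1, 255))
    assert len(round_keys(bytes(16))) == 17
    return True


if __name__ == "__main__":
    self_check()
    print("E(0..3) =", E_TABLE[:4], " b_2 =", bias_vector(2))
```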

9.3. Bluetooth Pairing process

The first time two devices communicate with each other they are authenticated during the initialization process and a link key KAB is generated. This link key will also be used in further authentications and in the encryption procedures.

During the initialization or pairing (see Figure 9.2), two associated devices simultaneously produce their own temporary initialization key KINIT. This key is generated by a part of the E2 link key generation function, more specifically the E22 function, which is based on the SAFER+ algorithm. The E22 function uses the PIN code entered by the user (on both devices), the shared 48-bit Bluetooth device address (BD_ADDR) and a 128-bit shared random number (IN_RAND) to generate the 128-bit initialization key KINIT. The PIN code used in Bluetooth devices can vary between 1 and 16 bytes. The typical 4-digit PIN may be sufficient for some applications; however, longer codes may be necessary. If the identical PIN code was entered on both devices, the generated (and exchanged) KINIT will be equal on both devices, which means they are authorized to create a link. If one of the devices has a fixed PIN, the BD_ADDR of the peer device will be used, else the PIN code of the slave device that receives the IN_RAND will be used. Within the E22 algorithm, the PIN and the BD_ADDR are combined. If the PIN is too short, it is lengthened with bits from the BD_ADDR. If this new word is still too short, it will be expanded cyclically until it has 128 bits.

FIGURE 9.2. Initialization key KINIT generation with the E22 algorithm [Shaked05].

Once both devices have the same initialization key KINIT, they will use it to generate the semi-permanent link key KAB, so that the pairing can be remembered by the devices, thus eliminating the initialization phase on subsequent connections. The initialization key KINIT is only used during the pairing process. After the link key KAB is created, KINIT is removed.

This authorization will be remembered by the devices by creating the semi permanent link

key KAB, eliminating the initialization phase on subsequent connections, since the two devices

possess a shared secret that they can use when they meet again.


The link key is generated by exchanging two 128-bit random words between the devices. These random words, LK_RANDA and LK_RANDB, are sent to the other device after bitwise XORing them with the KINIT key they both have. After both devices have both random numbers LK_RANDA and LK_RANDB, they both create the semi-permanent link key KAB with the algorithm E21, which is also based on the SAFER+ algorithm. This algorithm is used twice: once with BD_ADDRA, which is cyclically expanded to 128 bits, and the LK_RANDA of one device to create LK_KA, and once with BD_ADDRB, which is cyclically expanded to 128 bits, and the LK_RANDB of the other device to create LK_KB, after which LK_KA and LK_KB are XOR combined to form KAB. See Figure 9.3.

FIGURE 9.3. Link key KAB generation with the E21 algorithm [Shaked05].

The link key can be a unit key for devices with limited memory. The unit key is generated by the device on its own with E21, using the input parameters KINIT, BD_ADDR and a 128-bit random number LK_RAND. This unit key will then be used within any other link, which makes it unsafe since any linked device knowing this unit key can impersonate any other device with the same unit key. It is possible to create a link key using higher-layer key exchange methods and then import the link key into the Bluetooth modules.

The master device has the possibility to broadcast data to all or several slave devices. The

master will use a temporary master link key for this purpose, which is also generated by the

E22 function and two 128-bit random numbers. Each slave receives this master key by using

an overlay number which is generated from an exchanged random number and the link key.

The E21 algorithm used to create the link key KAB is built around a modified SAFER+ algorithm $A'_r$. This modified SAFER+ is used so that the E21 algorithm cannot be applied directly as an invertible encryption algorithm. This is done in order to prevent the algorithm from being used for encryption and to avoid problems with export regulations. The difference between the original $A_r$ and the E21 $A'_r$ involves the third round of the SAFER+ algorithm. In $A'_r$, the original input to the algorithm is also added to the input of this third round, which is not the case in $A_r$.

The authentication procedure which uses the E1 function and the encryption-key generation

function E3 are explained in more detail in the following sections.

9.4. Bluetooth Authentication process

The Bluetooth challenge-response authentication procedure, briefly introduced in Section 7.4.2, is depicted conceptually in Figure 9.4. As shown, one of the Bluetooth devices (the claimant) attempts to reach and connect to another device (the verifier).

The steps in the authentication process are the following:

a) The claimant transmits its 48-bit address (BD_ADDR) to the verifier.

b) The verifier generates and transmits (in plaintext) a 128-bit random challenge (AU_RANDA)

to the claimant.

c) The claimant and the verifier both use the authentication function E1 to compute an authentication response SRES, using the BD_ADDR (which is expanded cyclically to 128 bits), the link key KAB and the random challenge AU_RANDA as inputs.

d) The claimant returns the computed signed response, SRES, to the verifier.

e) The verifier compares the SRES from the claimant with the SRES that it computes.

f) If the two 32-bit SRES values are equal, the claimant is authenticated by the veri-

fier and the mutual authentication is repeated with switched roles for the verifier and

claimant.

g) If the mutual authentication has been fulfilled with success, the connection is estab-

lished and the devices can exchange information.

FIGURE 9.4. Bluetooth Authentication [Karygiannis02a].

Within the authentication procedure, the E1 algorithm is used. This algorithm is called a mes-

sage authentication code (MAC) algorithm and it is also built around the SAFER+ block cipher

algorithm.

9.5. PIN recovery

If we take a look at all messages sent between two devices during the pairing and authentication process, we would come up with the following list for the messages sent from the first device A to the second device B: BD_ADDR, IN_RAND, LK_RANDA, AU_RANDA and SRES. The messages sent from the second device B to the first device A would then be: BD_ADDR, LK_RANDB, SRES and AU_RANDB. All these messages are sent as plaintext, except the LK_RAND messages, which are XORed with the K_INIT key.

So it is easy to see that an attacker could eavesdrop on the entire pairing and authentication process to try to break the algorithm and recover the PIN code used. Since the attacker knows the IN_RAND and BD_ADDR of the first device A, the attacker can recover the PIN code with a brute force attack. By guessing the value of the PIN code and running the E22 algorithm, a hypothesis for K_INIT can be found (see Figure 9.2). To test whether this hypothesis for K_INIT is right, the attacker should first use the K_INIT key to decode the LK_RAND values and then use these decoded values to compute the link key KAB with the E21 algorithm (see Figure 9.3). Now the attacker can test whether the PIN code was guessed correctly by testing whether the observed SRES values are equal to the values the attacker can compute using the link key KAB and the observed AU_RAND values (see Figure 9.4). Since the SRES values provide 64 bits of data to test against, the attacker can successfully recover PIN codes under 64 bits or 19 decimal digits. The whole process of this attack is illustrated by the flowchart of Figure 9.5.

As this attack is very straightforward, the concept was known to the Bluetooth SIG during the design of the Bluetooth specifications. For this reason, the Bluetooth SIG recommends using long PIN codes and only establishing the first pairing in a safe environment. Newer versions of the Bluetooth specification will switch to longer alphanumeric PIN codes to drive the number of combinations into the millions and make the attack impractical. But until this newer version is released, users should be aware of this risk.

Recently, the attack described above has been implemented and optimized by Yaniv Shaked and Avishai Wool [Shaked05]. But since the initial pairing has to be established only once when a new device is connected, and the attack requires recording all pairing and authentication messages, the attack was not very practical. Once the link key KAB has been created,


FIGURE 9.5. Flowchart of the PIN recovery attack [Shaked05].

the Bluetooth devices will store this link key and reuse it on later connections with the same device, to skip the pairing process. So Yaniv Shaked and Avishai Wool created a new attack [Shaked05] that exploits the connection establishment protocol to force the communicating devices to repeat the pairing process. This makes it possible for an attacker to record the pairing messages and use them with the first attack.

The connection protocol of the Bluetooth specification allows Bluetooth devices to forget the link key KAB from a previous pairing. An attacker can abuse this if he has a special Bluetooth device that makes it possible to spoof the BD_ADDR and to inject a specific message at precise points in the communication protocol. The attacker can then pretend to be another device and inject, during the authentication, the special protocol codes [SIG03] that denote it has forgotten the link key. Instead of using the special protocol codes, the attacker can also return a wrong answer to the authentication request. Both cases will make the devices discard the link key and run through the pairing process during the next connection establishment. This allows the attacker to record all pairing messages and use the first attack to recover the PIN code. It has to be noted that a user may notice the attack, since he will have to enter his PIN code again.


CHAPTER 10

Conclusion

The main goal of this thesis was to study and analyze the security of the Bluetooth architecture. We tried to cover all the low-level security features supported by the Bluetooth specifications. The thesis concentrated on the stream cipher and block cipher properties, on the encryption and on the pairing and authentication.

The starting point of this thesis was the Bluetooth specification with all the properties of the

Bluetooth architecture. Although not all these properties are related to the security of the

Bluetooth system, they were explored in this thesis as the author is a member of the faculty

of Computer Science and thus also interested in other parts of the specifications besides the

security.

Within the thesis, we always went from a more general and theoretical overview to the specific and practical details. This was the result of a lot of research, both very theoretical and very specific to Bluetooth. The study of the encryption system started by reviewing existing literature, covering theorems of information theory, cryptography and the general properties of stream ciphers. This was essential to understand the design principles of the Bluetooth security properties. We reviewed in detail which types of attacks on wireless networks exist and covered the attacks on stream ciphers in general.

The different modes and levels of security have been discussed in general and an overview of different types of practical attacks on Bluetooth devices has been given. Most of these attacks, for example the Snarf attack, the Backdoor attack, Bluejacking, etc., are of less interest within Bluetooth protocol security research, since they are based on the malfunction of specific Bluetooth implementations. Nevertheless, these attacks can be used in practice and can thus have an impact on the overall security. The Bluetooth technology is relatively young and quite complex, making it very difficult to verify all aspects that could result in security problems.

The study covered an in-depth analysis of the E0 encryption algorithm. We not only covered the complete functionality of the E0 system, but also analysed many of the recent attacks. A basic simulation of the E0 algorithm and some parts of the attacks of Armknecht (Section 8.3.8) and Fluhrer (Section 8.3.5) were implemented, although this was mostly a way to be able to fully understand them.

The most important attacks on the E0 encryption system include the correlation attacks and the algebraic attacks. The correlation attacks are based on a presumed correlation between the input and output bits. The algebraic attacks exploit the fact that the output bits can be expressed with an algebraic relation in terms of the initial state bits. The best attacks currently known are the fast algebraic attack of Armknecht [Armknecht04c] and Courtois [Courtois03a] and the fast correlation attack of Lu and Vaudenay [Lu04]. We have seen that this attack can recover the initial state of the LFSRs and FSM in a known-plaintext attack with approximately $O(2^{39})$ keystream bits and a time complexity of approximately $O(2^{39})$. If we compare the different attacks on the encryption engine, Figure 10.1, we can see that the complexity of the attacks has been greatly optimized over the last year(s).

We can conclude that currently there is no attack known that breaks the complete encryption procedure with reasonable effort and a practically available number of keystream bits. However, the security margin is insufficient to feel comfortable about the years to come. Since research on the attacks continues actively, future attacks may succeed in reducing the cryptanalytic workload to a practical level.

Besides the encryption system based on stream ciphers, we also analysed the pairing and au-

thentication mechanisms of Bluetooth, based on the SAFER+ block cipher. So again we first

explored the general and theoretical elements of the block cipher, before analysing the details

of SAFER+ and the specific Bluetooth pairing and authentication properties.


FIGURE 10.1. Complexities of the E0 attacks. [Kiviharju04]

Recently a new attack to break the Bluetooth pairing process was published by Yaniv Shaked and Avishai Wool in [Shaked05]. We analysed this attack, which makes it possible to recover the PIN code used by two observed pairing devices. It has been shown that this could even be exploited after the devices have passed the pairing process. Yet this attack requires a special Bluetooth device to be able to manipulate the Bluetooth protocol messages.

After this research we may conclude that there are a lot of security problems with Bluetooth, the most important of which are related to encryption, pairing, location tracking and implementation flaws. But still, Bluetooth can be seen as quite safe for its intended usage. For a practical multifunctional protocol such as Bluetooth, many considerations must be made to find a good balance between functionality, user-friendliness, speed and security. The active research on this topic will help enhance the Bluetooth system in future versions.


References

[Abdelhameed01] A. Abdelhameed and S.A. Ibrahim. VLSI Design and Implementation of ASICs for the Security Core of Bluetooth Wireless Communication System Standard. Master's thesis. Ain Shams University. 2000-2001.

[Aissi04] S. Aissi, C. Gehrmann and K. Nyberg. Proposal for Enhancing Bluetooth Se-

curity Using an Improved Pairing Mechanism. 2004.

[Anand01] N. Anand. An Overview of Bluetooth Security. February 2001.

[Anderson94] R. Anderson. Searching for the Optimum Correlation Attack. 1994.

[Armknecht02] F. Armknecht. A linearisation attack on the Bluetooth key stream generator.

2002.

[Armknecht04a] F. Armknecht. An Algebraic attack on the Bluetooth Key Stream Generator. 2004.

[Armknecht04b] F. Armknecht. Algebraic Attacks on Stream Ciphers. 2004.

[Armknecht04c] F. Armknecht. On Fast Algebraic Attacks. March 2004. Talk at the 9th Estonian Winter School in Computer Science, Palmse, Estonia.

[Armknecht04d] F. Armknecht. On the Existence of low-degree Equations for Algebraic Attacks. 2004.

[Armknecht04e] F. Armknecht, J. Lano and B. Preneel. Extending the Resynchronization At-

tack. 2004.

[Armknecht05a] F. Armknecht. Algebraic Attacks and Annihilators. 2005.

[Armknecht05b] F. Armknecht and W. Meier. Fault attacks on Combiners with Memory. 2005.

[Association69] Electronics Industries Association. EIA Standard RS-232-C Interface Between

Data Terminal Equipment and Data Communication Equipment Employing Se-

rial Data Interchange. August 1969. reprinted in Telebyte Technology "Data

Communication Library", Greenlawn NY, 1985.

[BE03] H. Bar-El. Introduction to Side Channel Attacks. 2003.

[Biryukov03] A. Biryukov, C. De Cannière and G. Dellkrantz. Cryptanalysis of Safer++.

2003.


[Biryukov04] A. Biryukov. Block Ciphers and Stream Ciphers: the State of the Art. 2004.

[Blewitt97] G. Blewitt. Basics of the GPS Technique: Observation Equations. 1997.

[Brassard88] G. Brassard. Modern Cryptology. Springer-Verlag. 1988.

[Candolin00] C. Candolin. Security Issues for Wearable Computing and Bluetooth Technol-

ogy. 2000.

[Cannière01] C. De Cannière, T. Johansson and B. Preneel. Cryptanalysis of the Bluetooth

Stream Cipher. 2001.

[Chepyzhov03] V.V. Chepyzhov, T. Johansson and B. Smeets. A simple algorithm for fast cor-

relation attacks on stream ciphers. 2003.

[Comer88] D.E. Comer. Internetworking with TCP/IP: principles, protocols, and architec-

ture. Prentice Hall. Englewood Cliffs, N.J.. 1988.

[Coppersmith90] D. Coppersmith and S. Winograd. Matrix Multiplication via Arithmetic Pro-

gressions. 1990. pp. 251–280.

[Coppersmith94] D. Coppersmith, H. Krawczyk and Y. Mansour. The shrinking generator. Advances in Cryptology - Crypto '93. 1994. pp. 22–38.

[Cormen90] T.H. Cormen, C.E. Leiserson and R.L. Rivest. Introduction to Algorithms. 24

ed.. The MIT Press. 1990.

[Courtois00] N.T. Courtois, A. Klimov, J. Patarin and A. Shamir. An Algebraic attack on the

Bluetooth Key Stream Generator. 2000. pp. 392–407.

[Courtois02] N.T. Courtois. Higher Order Correlation Attacks, XL algorithm, and Crypt-

analysis of Toyocrypt. 2002.

[Courtois03a] N.T. Courtois. Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. 2003. pp. 177–194.

[Courtois03b] N.T. Courtois and W. Meier. Algebraic Attacks on Stream Ciphers with Linear

Feedback. 2003.

[Courtois04] N.T. Courtois. Algebraic Attacks on Combiners with Memory and Several Out-

puts. 2004.

[Cover91] T. Cover and J.A. Thomas. Elements of Information Theory. Wiley. 1991.

[Daemen95] J. Daemen. Cipher and Hash Function Design. Ph.D. thesis. Katholieke Uni-

versiteit Leuven. 1995.

[Dasgupta05] A. Dasgupta. Analysis of Different types of Attacks on Stream Ciphers and Eval-

uation of Security of Stream Ciphers. 2005.


[Davenport58] W.B. Davenport and W.L. Root. Introduction to the Theory of Random Signals

and Noise. McGraw-Hill. New York. 1958.

[Ekdahl00] P. Ekdahl and T. Johansson. Some results on correlations in the Bluetooth

stream cipher. 2000.

[Ekdahl03] P. Ekdahl. On LFSR based Stream Ciphers, Analysis and Design. Ph.D. thesis.

Lund University. November 2003.

[Feistel73] H. Feistel. Cryptography and Computer Privacy. 1973.

[Fluhrer01] S.R. Fluhrer and S. Lucks. Analysis of the E0, encryption system. 2001. pp. 38–

48.

[Flurher02] S.R. Fluhrer. Improved Key Recovery of Level 1 of the Bluetooth Encryption System. 2002.

[Forum01] WAP Forum. Wireless Application Protocol (WAP) Architecture 2.0. July 2001.

http://www.wapforum.org.

[Gauthier02] E. Gauthier. A man-in-the-middle attack using Bluetooth in a WLAN interworking environment. 2002.

[Gehrmann02] C. Gehrmann. Bluetooth Security White Paper. 2002.

[Gehrmann04] C. Gehrmann, J. Persson and B. Smeets. Bluetooth Security. Artech House,

Inc.. 2004.

[Gergov94] J. Gergov and CH. Meinel. Efficient Boolean function manipulation with OB-

DDs can be generalized to FBDDs. 1994. pp. 1197–1209.

[Golic02] J.D. Golic, V. Bagini and G. Morgari. Linear cryptanalysis of Bluetooth stream cipher. 2002. pp. 238–255.

[Golomb67] S.W. Golomb. Shift Register Sequences. 1967.

[Grimaldi99] R.P. Grimaldi. Discrete and combinatorial mathematics: an applied introduc-

tion. 4th ed.. Addison Wesley Longman, Inc. 1999.

[Group03] The Shmoo Group. BlueSniff, The next Wardriving Frontier. 2003.

[Haartsen99] J. Haartsen. Hardware Architecture Overview. 1999.

[Hawkes04] P. Hawkes and G.G. Rose. Rewriting Variables: the Complexity of Fast Alge-

braic Attacks on Stream Ciphers. 2004.

[Herfurt04] M. Herfurt. Bluesnarfing @ CeBiT 2004: Detecting and Attacking bluetooth-

enabled Cellphones at the Hannover Fairground. 2004.

[Herfurt05] M. Herfurt, C. Mulliner, A. Laurie and M. Holtmann. trifinite.group. 2004-2005. http://trifinite.org.


[Hermelin00a] M. Hermelin. Cryptographic properties of the Bluetooth Combination Generator. Master's thesis. Helsinki University of Technology. 2000.

[Hermelin00b] M. Hermelin and K. Nyberg. Correlation properties of the Bluetooth combiner.

2000. pp. 17–29.

[Heys01] H.M. Heys. A Tutorial on Linear and Differential Cryptanalysis. 2001.

[Hopkins03] B. Hopkins and R. Antony. Bluetooth for Java. 2003.

[Howe05] D. Howe. Free On-Line Dictionary of Computing. 2005.

[Jakobsson03] M. Jakobsson and S. Wetzel. Security Weaknesses in Bluetooth. 2003.

[Johansson00] T. Johansson and F. Jönsson. Fast correlation attacks through reconstruction of

linear polynomials. 2000. pp. 300–315.

[Kammer02] D. Kammer, G. McNutt, B. Senese and J. Bray. Bluetooth. Application Devel-

oper’s Guide: The Short Range Interconnect Solution. 2002.

[Kardach98] J. Kardach. Bluetooth Architecture Overview. 1998.

[Karygiannis02a] T. Karygiannis and I. Owens. Wireless Network Security 802.11, Bluetooth

and Handheld Devices. November 2002.

[Karygiannis02b] T. Karygiannis and L. Owens. Wireless Network Security; 802.11, Bluetooth

and Handheld devices. November 2002.

[Käsper04] E. Käsper. Linear Cryptanalysis of Stream Ciphers. 2004.

[Kerckhoffs83] A. Kerckhoffs. La cryptographie militaire. 1883. pp. 5–38.

[Kipnis99] A. Kipnis and A. Shamir. Cryptanalysis of the HFE public key cryptosystem.

1999. pp. 19–30.

[Kitsos03] P. Kitsos, N. Sklavos, K. Papadomanolakis and O. Koufopavlou. Hardware Im-

plementation of Bluetooth Security. 2003.

[Kiviharju04] M. Kiviharju. Algebraic Attacks and Stream Ciphers. 2004.

[Kocher99] P. Kocher, J. Jaffe and B. Jun. Differential power analysis. 1999. pp. 388–397.

[Koç95] Ç. K. Koç. RSA Hardware Implementation, Technical Report TR-801 version

1.0. RSA Security Inc.. August 1995.

[Krause01] M. Krause. BDD-based Cryptanalysis of Keystream Generators. Cryptology

ePrint Archive, Report 2001/092. 2001.

[Kuhn98] M. Kuhn and R. Anderson. Hidden data transmission using electromagnetic

emanations. 1998. pp. 124–142.

[KZ98] C.-H. Yang K. Zeng and T. Rao. On the Linear Consistency Test (LCT) in Crypt-

analysis with Applications. 1998. pp. 164–174.


[Laboratories00] RSA Laboratories. RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography, Version 4.1. 2000.

[Lano] J. Lano, N. Mentens, B. Preneel and I. Verbauwhede. Power Analysis of Synchronous Stream Ciphers with Resynchronization Mechanism.

[Laurie03] A. Laurie. Serious flaws in Bluetooth security lead to disclosure of personal data. 2003.

[Laurie04] A. Laurie, M. Holtmann and M. Herfurt. Hacking Bluetooth enabled mobile phones and beyond - Full Disclosure. 2004.

[Levy05] O. Levy and A. Wool. A Uniform Framework for Cryptanalysis of the Bluetooth E0 Cipher. 2005.

[Long03] W. F. Long. Overview of Bluetooth Security. 2003.

[Ltd04] PaloWireless Pty Ltd. Bluetooth Resource Center. 2004. http://www.palowireless.com/bluetooth/.

[Lu04] Y. Lu and S. Vaudenay. Faster Correlation Attack on Bluetooth Keystream Generator E0. 2004. pp. 407–425.

[Massey69] J.L. Massey. Shift-register synthesis and BCH decoding. 1969. pp. 122–127.

[Massey89] J.L. Massey and R.A. Rueppel. Method of, and Apparatus for, Transforming a Digital Sequence into an Encoded Form. 1989. U.S. Patent No. 4,797,922.

[Maurer90] U. Maurer. A Universal Statistical Test for Random Bit Generators. Advances in Cryptology - CRYPTO ’90. Lecture Notes in Computer Science, vol. 537. Springer-Verlag. Aug 1990. pp. 409–420.

[Mceliece02] R.J. McEliece. The Theory of Information and Coding. 2nd ed. Cambridge University Press. 2002.

[Meier89] W. Meier and O. Staffelbach. Fast correlation attacks on certain stream ciphers. 1989. pp. 159–176.

[Meier94] W. Meier and O. Staffelbach. The self-shrinking generator. 1994. pp. 205–214.

[Meier02] W. Meier. Cryptanalysis of Stream Ciphers. 2002.

[Menezes96] A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press. 1996.

[Mihaljevic03] M.J. Mihaljevic, M.P.C. Fossorier and H. Imai. A Low-Complexity and High-Performance Algorithm for the Fast Correlation Attack. 2003. p. 196.

[Miller00] B.A. Miller and C. Bisdikian. Bluetooth Revealed. The Insider’s Guide to an Open Specification for Global Wireless Communications. Prentice Hall. 2000.


[Miller01] M. Miller. Discovering Bluetooth. Sybex Inc. 2001.

[Muller99] T. Muller. Bluetooth Security Architecture. July 1999.

[Muller00] N.J. Muller. Bluetooth Demystified. McGraw-Hill Professional. 2000.

[Neyman33] J. Neyman and E.S. Pearson. On the problem of the most efficient tests of statistical hypotheses. 1933. pp. 289–337.

[Ollikainen] V. Ollikainen. Bluetooth Applications in New Media Technology. http://citeseer.ist.psu.edu/393407.html.

[Paulraj02] A.J. Paulraj, P.K. Sebastian, J. Tellado, R.W. Heath Jr., S. Talwar and H. Bolcskei. Wireless communication system and method using stochastic space-time/frequency division multiplexing. Apr 2002. http://www.nari.ee.ethz.ch/commth/pubs/p/patent1.

[Preneel05] B. Preneel. Research Challenges in Cryptology and Security. 2005.

[Proctor85] N. Proctor. A self-synchronizing cascaded cipher system with dynamic control of error-propagation. Springer-Verlag. 1985.

[Quisquarter02] J.J. Quisquater and D. Samyde. Side channel cryptanalysis. 2002.

[Rechberger04] C. Rechberger. Side channel analysis of Stream Ciphers. Master’s thesis. Graz University of Technology. 2004.

[Rijmen01] V. Rijmen and J. Daemen. The Wide Trail Design Strategy. 2001. p. 222.

[Roberts04] S. Roberts. Bluetooth Encryption. 2004.

[Robshaw95] M.J.B. Robshaw. Stream Ciphers. RSA Laboratories Technical Report TR-701. 1995.

[Rousseau01] L. Rousseau, C. Arnoux and C. Cardonnel. A Trusted Device to Secure a Bluetooth Piconet. 2001.

[Rowe04a] M. Rowe and T. Hurman. Bluetooth Security. Issues, threats and consequences. 2004.

[Rowe04b] M. Rowe and T. Hurman. Bluetooth Vulnerabilities. Fact and Fiction. 2004.

[Rueppel86] R.A. Rueppel. Correlation immunity and the summation combiner. 1986. pp. 260–272.

[Rueppel89] R.A. Rueppel. Security models and notions for stream ciphers. 1989. pp. 213–230.

[Rueppel92] R.A. Rueppel. Stream ciphers. 1992. pp. 65–134.

[Saarinen00] M.J. Saarinen. Bluetooth und E0. 2000.

[Seys04] S. Seys, D. Singelée and B. Preneel. Wireless Network Security. 2004. pp. 25–35.


[Shaked05] Y. Shaked and A. Wool. Cracking the Bluetooth PIN. 2005.

[Shannon48] C.E. Shannon. A mathematical theory of communication. Tech. Report 27. Bell Laboratories, Inc. 1948.

[Shannon49] C.E. Shannon. Communication theory of secrecy systems. Tech. Report 28. Bell Laboratories, Inc. 1949.

[Siegenthaler84] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. September 1984. pp. 776–779.

[Siegenthaler85] T. Siegenthaler. Decrypting a class of stream ciphers using ciphertext only. 1985. pp. 81–85.

[Sieling95] D. Sieling. Graph driven BDDs - a new data structure for Boolean functions. 1995. pp. 283–310.

[SIG03] Bluetooth Special Interest Group (SIG). The Bluetooth core specification version 1.2. November 2003. http://www.bluetooth.org.

[Singelée03] D. Singelée. Overview of the Security Weaknesses in Bluetooth. 2003.

[Singelée04] D. Singelée and B. Preneel. Security Overview of Bluetooth. 2004.

[Smeets98] B.J.M. Smeets. Pseudo-random sequence generator and associated method. 1998.

[Song04] B. Song. Observations on the Cryptologic Properties of the AES Algorithm. Ph.D. thesis. University of Wollongong. April 2004.

[Stamp93] M. Stamp and C.F. Martin. An Algorithm for the k-Error Linear Complexity of Binary Sequences with Period 2^n. 1993.

[Sun02] J.-Z. Sun, D. Howie, A. Koivisto and J. Sauvola. Design, Implementation and Evaluation of Bluetooth Security. 2002.

[Tanenbaum03] A.S. Tanenbaum. Computer Networks. 4th ed. Prentice Hall. 2003.

[Träskbäck00] M. Träskbäck. Security of Bluetooth: an overview of Bluetooth Security. 2000.

[Vainio00] J.T. Vainio. Bluetooth Security. 2000.

[Vernam26] G.S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic communications. J. Amer. Inst. Elec. Eng. 1926. pp. 109–115.

[vT88] H. van Tilborg. An Introduction to Cryptology. First ed. Kluwer Academic Publishers. 1988.

[WaveWireless00] WaveWireless. Direct Sequence vs. Frequency Hopping. 2000.

[Whitehouse03a] O. Whitehouse. RedFang. 2003. http://cansecwest.com, http://www.securiteam.com.


[Whitehouse03b] O. Whitehouse. War Nibbling: Bluetooth Insecurity. 2003.

[Wikipedia05] Wikipedia. Linear Feedback Shift Register. 2005. http://en.wikipedia.org/wiki/Linear_feedback_shift_register.

[Xydis02] T. G. Xydis and S. Blake-Wilson. Security Comparison: Bluetooth Communications vs. 802.11. 2002.

[Yang04] B.-Y. Yang and J.-M. Chen. All in the XL Family: Theory and Practice. 2004.

[Zenner04] E. Zenner. On Cryptographic Properties of LFSR-based Pseudorandom Generators. Ph.D. thesis. Universität Mannheim. 2004.


APPENDIX A

Abbreviations

The following table lists the abbreviations, symbols and notation used that are common within the topic of this thesis.

Abbreviation: Definition.

ACL: Asynchronous ConnectionLess. Data transfer, logical transport.
ACO: Authenticated Ciphering Offset. A parameter binding devices to a particular authentication event.
AES: Advanced Encryption Standard. Block cipher algorithm adopted by the National Institute of Standards and Technology (NIST) in 2001 after a 5-year public competition. The AES Rijndael algorithm was submitted by Joan Daemen and Vincent Rijmen.
AG: Audio Gateway. A mobile phone or other device that plays audio out loud (connected to a headset).
AT command set: A set of commands for controlling a modem.
BB: BaseBand. The lowest layer of the Bluetooth specification.
BD_ADDR: Bluetooth Device ADDRess.
BER: Bit Error Rate. Average probability that a received bit is erroneous; 10^-3 for Bluetooth.
BNEP: Bluetooth Network Encapsulation Protocol. Emulation of Ethernet over Bluetooth links.
CA: Certificate Authority. Trusted issuer of certificates.
CAC: Channel Access Code. A code derived from the master device address in a Bluetooth connection.


CAK: Common Access Key. A common key that can be used when connecting to different access points belonging to a particular network provider.
CBC: Cipher Block Chaining. Block cipher mode.
CFB: Cipher Feedback. Block cipher mode.
CID: Channel IDentifier. End points of an L2CAP channel.
COF: Ciphering OFfset. Additional secret input to the ciphering key generation procedure.
CPU: Central Processing Unit.
CRC: Cyclic Redundancy Check. A checksum added to the payload by the sender that the receiver can use to detect transmission errors.
CTR: Counter Mode. Block cipher mode.
DAC: Device Access Code. A code derived from a specific slave device in a Bluetooth connection.
DES: Data Encryption Standard. The US National Bureau of Standards (NBS) adopted a revised version of the original block cipher algorithm of Feistel as the Data Encryption Standard (DES) after a public invitation for submissions.
DH: Diffie-Hellman. The name of the first public key exchange scheme.
DoS: Denial of Service. Incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
DSP: Digital Signal Processor. Editing of sounds in order to produce different sound effects.
DT: Data Terminal.
E0: Bluetooth ciphering algorithm built around four independent linear feedback shift registers and a finite state machine as combining circuitry. The finite state machine is needed to introduce sufficient nonlinearity to make it difficult to recompute the initial state from observed keystream data.


E1: Bluetooth authentication function built around SAFER+. E1 is called a Message Authentication Code (MAC) algorithm.
E2: Bluetooth link key generation function. Consists of E21 and E22.
E21: Bluetooth unit key algorithm, used for unit key derivation, built around a slightly modified SAFER+ algorithm. Because of this, the algorithm E21 cannot be used directly as an invertible encryption algorithm.
E22: Bluetooth initial key algorithm. Used for initial key derivation and also built around a slightly modified SAFER+ algorithm. E21 and E22 are very similar, which simplifies the implementation.
E3: Bluetooth encryption key (KC) algorithm.
EAP: Extensible Authentication Protocol. An authentication protocol standardized by the IETF.
EAPoL: EAP encapsulation over LANs.
ECB: Electronic Code Book. Block cipher mode.
ECDH: Elliptic-Curve Diffie-Hellman.
EDR: Enhanced Data Rate. New Bluetooth specification released in 2005 that allows data throughput up to 2.1 Mbps.
eSCO: Enhanced Synchronous Connection-Oriented. A logical channel for transport of prioritized synchronous user data.
FBDD: Free Binary Decision Diagram. Data structure for representing and manipulating Boolean functions.
FEC: Forward Error Correction. Another notion for an error correcting code.
FFT: Fast Fourier Transform.
FH: Frequency Hopping. Sending transmissions over a different carrier frequency at different times.
FHS: Frequency Hop Synchronization.


FHSS: Frequency Hopping Spread Spectrum. The FHSS carrier hops in a predetermined, pseudo-random pattern defined using a pool of 79 1 MHz sub-channels defined across the entire band, changing frequency about 1600 times per second. Each channel is used for 625 microseconds, followed by a hop in a pseudo-random order to another channel. Bluetooth uses FHSS to solve interference problems with numerous other technologies that also operate in the 2.4 GHz-2.4835 GHz ISM frequency band.
FSM: Finite State Machine.
GAP: Generic Access Profile. A Bluetooth profile that determines common connection handling functions for all other Bluetooth profiles.
GSM: Global Mobile System.
HC: Host Controller.
HCI: Host Controller Interface.
HS: Headset.
IAC: Inquiry Access Code.
ICC: Integrated Circuit Card.
ID: IDentifier.
IEEE: Institute of Electrical and Electronics Engineers. A nonprofit technical professional association for engineers in this area.
IETF: Internet Engineering Task Force.
IIR: Infinite Impulse Response.
IKE: Internet Key Exchange. An IETF protocol used to authenticate IP connections and to exchange IPSEC keys.
IP: Internet Protocol.
IPSEC: IP SECurity protocol. An IETF security protocol used to protect IP packets.
Filter used in the E0 combination generator to lower the correlation factor.


ISM: Industrial-Scientific-Medical. A part of the radio spectrum (2.4 GHz) that is free and globally available.
IrMC Server: Provides an object exchange server. The IrMC server must comply with the interoperability requirements for the server of the GOEP, if not defined to the contrary.
KFB: Key Feedback. Block cipher mode.
KSA: Key Scheduling Algorithm. The key scheduling algorithm produces 17 different 128-bit subkeys for the SAFER+ block cipher.
KSG: Key Stream Generator. Used in the two levels of the E0 encryption system.
L2CAP: Logical Link Communication and Adaptation Protocol. It is layered over the Baseband Protocol and resides in the data link layer. L2CAP provides connection-oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length.
LAN: Local Area Network.
LAP: Lower Address Part. Bits 0 to 23 of the unique 48-bit IEEE device address BD_ADDR.
LC: Link Controller. Entity that implements the baseband protocol and procedures.
LFSR: Linear Feedback Shift Register.
LM: Link Manager. Entity that sets up and maintains the Bluetooth link.
LMP: Link Manager Protocol.
LSB: Least Significant Bit.
LT_ADDR: Logical Transport ADDRess. A logical 3-bit address assigned to each slave in a piconet.
MAC: Message Authentication Code. E1 is a MAC algorithm.


MANA: Manual Authentication.
MSB: Most Significant Bit.
NAcP: Network Access Point.
NAP: Nonsignificant Address Part. Bits 32 to 47 of the unique 48-bit IEEE device address.
NBS: National Bureau of Standards. The NBS is now called NIST.
NIST: The National Institute of Standards and Technology, http://www.nist.gov, is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration, formerly known as the NBS. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
OBEX: OBject EXchange. Bluetooth protocol for data exchange.
OFB: Output Feedback. Block cipher mode.
OpCode: Operation code. A code used to identify different types of PDUs.
PAN: Personal Area Network.
PCD: Personal Certification Device.
PDA: Personal Digital Assistant.
PDU: Protocol Data Unit.
PHT: Pseudo Hadamard Transform. Component of the SAFER+ encryption algorithm.
PIN: Personal Identification Number.
PPP: Point to Point Protocol. Protocol used for connecting computers to the Internet through telephone lines.
PKI: Public Key Infrastructure.
PRG: Pseudo-Random Generator.
PSM: Protocol/Service Multiplexor. An identifier used by L2CAP during channel establishment to route the connection request to the right upper layer protocol. Several protocols can be multiplexed over L2CAP.


QoS: Quality of Service. Defines the specific requirements on the link (e.g., with respect to bit rate, delay, latency) needed by certain applications.
RFCOMM: The RFCOMM protocol provides emulation of serial ports over the L2CAP protocol.
RS-code: Reed-Solomon code.
RSA: Rivest, Shamir, and Adleman. The name of a public-key cryptosystem for both encryption and authentication.
RSSI: Received Signal Strength Indicator. Through this indicator, a slave can request a transmission power adaptation from the master.
SCO: Synchronous Connection-Oriented. A logical channel for transport of synchronous user data, e.g. voice and sound.
SDP: Service Discovery Protocol. A protocol for locating services provided by or available through a Bluetooth device.
SIG: Special Interest Group. The organization owning the Bluetooth trademark, also responsible for the evolution of Bluetooth wireless technology.
SIM: Subscriber Identity Module. An ICC used in the GSM mobile telephony system. The module stores subscription and user data.
SLE: System of Linear Equations.
SNE: System of Nonlinear Equations.
TCP: Transmission Control Protocol. An IETF protocol for reliable IP communication.
TCS Binary: Telephony Control Specification Binary. Call control signaling necessary to establish voice and data calls between Bluetooth devices.
TDM: Time Division Multiplexing. A type of multiplexing that combines data streams by assigning each stream a different time slot in a set. TDM repeatedly transmits a fixed sequence of time slots over a single transmission channel.
TLS: Transport Layer Security. An IETF security protocol used to authenticate peers, exchange keys, and protect TCP traffic.


UAP: Upper Address Part. Bits 24 to 31 of the unique 48-bit IEEE device address.
UART: Universal Asynchronous Receiver/Transmitter. An integrated circuit used for serial communication with the transmitter and receiver clocked separately.
USB: Universal Serial Bus.
vCard: Virtual Business Card. Standard for electronic business cards and applications that handle them on networks.
WAE: Wireless Application Environment. The top-most level in the WAP architecture. It is based on WWW and Mobile Telephony technologies. The primary objective of the WAE is to provide the operators and service providers an interoperable environment on which they can build applications and services.
WAP: Wireless Application Protocol. Specification that allows users to access the Internet from wireless devices.
WLAN: Wireless Local Area Network.
