BLE Security
-
Upload
mathivanan-elangovan -
Category
Documents
-
view
221 -
download
0
Transcript of BLE Security
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 1/8
BLE Security
The SMP (Security Manager Protocol) offers applications running over a Bluetooth Low
Energy stack access to the following types of services:
• Device uthentication
• Device uthori!ation
• Data "ntegrity
•Data #onfi$entiality
• Data privacy
The SMP works with % types of keys:
• Te&porary 'ey (T')
o Deter&ine$ y the type of pairing use$ see the tale elow
•
Short*Ter& 'ey (ST')
o +se$ to encrypt a connection when , $evices are pairing for the first ti&e
o ST' - ES.,/ (T'0 Sran$ 11 Mran$)
o Sran$ an$ Mran$ are ran$o& nu&ers generate$ y the Master an$ the Slave
for every connection
• Long*Ter& 'ey (LT')
o +se$ to create a Session 'ey for each Link Layer #onnection
o #an e $e$uce$ y the Slave using an$ ED"2 (uni3ue to each &aster) an$ a
4an$ value sent fro& the Slave to the Master when the $evices are on$ing
o The salve can store it in its security $ataase the LT' or the ED"2 fro& which
it can e calculate$
• "$entity 4esolving 'ey ("4')
o +se$ for generating an$ checking 4an$o& 4esolvale Private $$resses
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 2/8
• hash - ES.,/("4'0 prand )0 where random_address = [hash || prand
|| 0b10]
• #onnection Signature 4esolving 'ey (#S4')
o +se$ for sen$ing signe$ $ata without encryption
o uthenticates a &essage
5hat services an$ keys are use$ for the co&&unication etween two $evices are estalishe$
$uring the SMP Pairing proce$ure which is perfor&e$ y the SMP an$ set up y the
pplication accor$ing to its nee$s6
Pairing Procedure in BLE
The pairing proce$ure in Bluetooth S&art (LE) is perfor&e$ in three steps:
.6 E7change of pairing infor&ation
,6 uthentication of the link
86 Distriution of the keys
Exchange of pairing information
The e7change of pairing infor&ation etween two $evices is $one through the Pairing
Request an$ Pairing Response SMP &essages6 The contents of these two &essages is
shown below and is set up by the application according to device capabilities and/or itsneeds.
0x01 Pairing Request
0x02 Pairing Response
Field #o$e "9
#apaility
99B
Data
lag
uth4e3 Ma7i&u&
Encryptio
n 'ey Si!e
"nitiator
'ey
Distriution
4espon$
'ey
DistriutiSufiel
d
Bon$in
g lags
M"TM 4eserve$
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 3/8
Bits / / / , . % / / /
Bytes . . . . . . .
!" #apaility
;7;; Display9nly
;7;. Display<es=o
;7;, 'eyoar$9nly
;7;8 =o"npout=o9ut
put
;7;> 'eyoar$Displa
y
;7;%*
;7
4eserve$
Bonding Flag
;7;
;
=o
Bon$ing
;7;.
Bon$ing
;7.
;
4eserve$
;7.
.
4eserve$
""B $ata Flag
;7;; 99B uthentication $ata not present
;7;. 99B uthentication $ata fro& re&ote $evice
present
;7;,*
;7
4eserve$
!nitiator %ey $istriution Field
Responder %ey $istriution Field
Sufield Enc'ey "$'ey Sign 4es
Bits . . .
Bytes .
The value of the "9 #apaility fiel$ is set up y $evices accor$ing to the following tale fro&
the BLE>6. spec:
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 4/8
The 99B Data lag is set to . if the application?$evice re3uires an$ supports e7changing
$ata through an 9ut*of*an$ ðo$6
The M"TM flag is set in the uth4e3 fiel$ if the pplication re3uires Man*in*the*&i$$le
protection6
The Bon$ing lags in the uth4e3 fiel$ are set if the application re3uires on$ing6
The &ini&u& Encryption 'ey Si!e is set up y the application with a value etween @ Bytes
(%A its) an$ .A Bytes (.,/ its) in steps of . yte6 'eys which are less than .,/ its are
pa$$e$ with !eroes starting with the lowest a$$ress: .,/ it key *
;7.,8>%A@/B#DE;.,8>%A@/B#DE;0 %A it key *;7;;;;;;;;;;;;;;;;;;8>%A@/B#DE;6
The "nitiator an$ 4espon$er key $istriution fiel$s are set $epen$ing on what keys &ust e
e7change$ etween two $evices in phase 8 of the pairing process6
The "nitiator is always the Link Layer Master (CP #entral) an$ the 4espon$er is always the
Link Layer Slave (CP Peripheral) in a connection6
&uthentication
The secon$ step of the pairing proce$ure is the uthentication step which is perfor&e$ ase$
on the infor&ation e7change$ in the previous step in the Pairing 4e3uest an$ Pairing
4esponse &essages6
"n this step the Te&porary 'ey is generate$6 There are 8 ways of generating the T' in BLE
($escrie$ elow): ust 5orks0 99B0 an$ Passkey Entry6 The priority of these ðo$s is the
following: if oth $evices have set the 99B flag than the 99B ðo$ is use$ regar$less ofthe other flags in the Pairing 4e3uest an$ 4esponse6 "f the 99B flag is not set on at least one
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 5/8
of the $evices then the M"TM flag is checke$6 "f oth $evices have not set the M"TM flag
then the ust works ðo$ is chosen ("9 capailities are ignore$)0 else the pairing algorith&
is chosen ase$ on the "9 #apailities6
The following tale $escries the relation etween the T' an$ the pairing ðo$s6
Pairing
'ethod
(emporary %ey
)(%*
'!('
Protectio
n
+otes
ust
5orks
; (!ero) =9 • =o authentication
Passkey
Entry
; 666 (si7
$eci&al $igits)
The rest of the key is
pa$$e$ with !eroes6
<ES • uthenticate$
• "nterface allows
$isplaying or
entering values
9ut 9f
Ban$
+sually a full .,/
it key6
<ES • uthenticate$
The enaling of M"TM protection $uring pairing is consi$ere$ as Futhenticate$ PairingG
Base$ on the contents of the Pairing 4e3uest an$ Pairing 4esponse SMP &essages the
pairing ðo$ is chosen as $escrie$ in the following tales fro& the BLE >6. specification6
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 6/8
fter the T' is otaine$ the $evices generate the ST'6 The ST' generation proce$ure is
$etaile$ in the following tale for the "nitiator an$ the 4espon$er
!ntiator Responder +otes
Cenerate a .,/ it ran$o& nu&er
* Mrand
Cenerate a .,/ it ran$o& nu&er
* Srand
Mconfirm - c.(k0 r0 pres0 pre30 iat0
ia0 rat0 ra) -
Sconfirm - c.(k0 r0 pres0 pre30 iat0
ia0 rat0 ra) -
The c. function is $etaile$ in th
BLuetooth >6. specification6
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 7/8
- c. (T'0 Mrand, Pairing re3
#o&&an$0 pairing 4esponse
#o&&an$0 "nitiating Device
$$ress Type0 "nitiating Device
$$ress0 4espon$ing Device$$ress Type0 4espon$ing Device
$$ress)
- c. (T'0 Srand, Pairing re3
#o&&an$0 pairing 4esponse
#o&&an$0 "nitiating Device
$$ress Type0 "nitiating Device
$$ress0 4espon$ing Device$$ress Type0 4espon$ing Device
$$ress)
Trans&it Mconfirm to the
respon$ing $evice6
Trans&it Sconfirm to the intiating
$evice6
Trans&it Mrand to the respon$ing$evice
2erify Mconfirm using the c.
function
"f Mconfirm verifies trans&it Srand
to the initiating $evice
2erify Sconfirm using the c.
function
"f Sconfirm verifies generate ST'
ST' - s.(T'0 Sran$0 Mran$)
The s. function is $etaile$ in th
BLuetooth >6. specification6
Cenerate ST'
ST' - s.(T'0 Sran$0 Mran$)
Start Encryption "n the #ontroller
using the H#" co&&an$s
$istriution of ,eys
The thir$ phase of the pairing proce$ure is the $istriution of the keys6 The keys are
$istriute$ using specific SMP packets6 The keys are encrypte$ with the ST' an$ once store$
in a security $ataase &ust have the sa&e properties (authentication0 M"TM protection) as theST'6 The keys which can e $istriute$ are: (LT'0 ED"2 an$ 4an$)0 "4'0 #S4'6
7/23/2019 BLE Security
http://slidepdf.com/reader/full/ble-security 8/8
The $istriute$ ED"2 an$ 4an$ values are trans&itte$ in clear te7t y the &aster $evice to
the slave $evice $uring encrypte$ session setup6
The BDIDD4 of $evices is also $istriute$ in this phase6
9nly the security infor&ation specifie$ in the Pairing 4e3uest an$ response is $istriute$6The $istriution is $one in the following or$er specifie$ y the stan$ar$:
.6 LT' y the slave
,6 ED"2 an$ 4an$ y the slave
86 "4' y the slave
>6 BD DD4 y the slave
%6 #S4' y the slave
A6 LT' y the &aster
@6 ED"2 an$ 4an$ y the &aster
/6 "4' y the &aster
6 BDIDD4 y the &aster
.;6 #S4' y the &aster