# Guide to Bluetooth Security
###### tags: `Bluetooth Security`
A brief introduction to the basic terminology, behavior, and architecture of Bluetooth security.
## 1. Basic Terminology
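* Bluetooth generations
    1. Bluetooth 1.0: `BR (Basic Rate)`, basic Bluetooth
    2. Bluetooth 2.0: `EDR (Enhanced Data Rate)`, enhanced data rate mode
    3. Bluetooth 3.0: `HS (High Speed)`, high-speed mode
        * A BR/EDR piconet can have up to 7 active slaves and up to 255 inactive slaves
    4. Bluetooth 4.0: `LE (Low Energy)`, low-energy Bluetooth
        * LE allows a master to have an unlimited number of peripheral slaves
        * LE supports connectionless broadcast: LE broadcasters periodically transmit data while LE observers listen for and receive it, so a single device can send data to multiple devices at the same time
* Dual-mode device: a device that supports both BR/EDR/HS and LE
    * For example, a phone uses EDR to connect to a Bluetooth headset while using LE to connect to the sensor that unlocks the user's car
* A slave in one piconet can act as the master of another piconet (supported in both BR/EDR and LE), forming a network chain called a `scatternet`
* Devices must establish a piconet before they can exchange data; for example, in the figure below [1], User C's phone in piconet 3 cannot communicate with User B's phone in piconet 2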

## 2. Bluetooth Security Features
* The five basic security services in Bluetooth
    1. `Authentication`: verifies a device's identity based on its address
    3. `Authorization`: ensures a device is authorized before it is allowed to use the relevant resources
    4. `Message Integrity`: ensures that data has not been tampered with
    5. `Pairing/Bonding`: creates one or more shared secret keys and stores them for use in subsequent connections, so that the devices become trusted by each other
* <font color = "blue">Key Transport vs. Key Agreement[3]
    * Key establishment: the process of establishing a shared secret key available to two or more parties.
    * Key transport: one party creates the key and securely transfers it to the other(s).
    * Key agreement: a key establishment technique in which the shared secret is derived by two (or more) parties.</font>
* <font color = "blue">Long-Term Key vs. Session Key[3]
    * Session key: a temporary key, used for a short time period.
    * Long-term key: used for a long time period; sometimes a public and secret key pair used to sign messages.</font>
* The security features of the two types of devices are discussed below
    1. BR/EDR/HS
        * Prior to version 2.1 => BR/EDR legacy
        * Version 2.1 => BR/EDR (uses Secure Simple Pairing)
        * Version 4.2 => BR/EDR (uses Secure Connections)
    2. LE
        * Version 4.0 and 4.1 => LE legacy (uses Secure Simple Pairing)
        * Version 4.2 => LE (uses Secure Connections)
### 2.1 Security Features of BR/EDR/HS
<!--
* <font color = "blue">Outline in this section
* Pairing and link Key Generation
1. PIN/Legacy Pairing
2. Secure Simple Pairing (SSP)
3. AMP Link Key Derivation from Bluetooth Link Key ~~(review later if needed)~~
* Authentication ~~(review later if needed)~~
1. Legacy Authentication
2. Secure Authentication
* Confidentiality ~~(review later if needed)~~
1. E0 Encryption Algorithm
2. AES-CCM Encryption Algorithm
* Trust levels, Service Security Levels, and Authorization ~~(review later if needed)~~</font>
-->
<!--
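* Bluetooth BR/EDR/HS defines authentication and encryption security procedures that can be enforced at different stages of communication setup between peer devices
1. `Link-level enforced`: authentication and encryption take place before the Bluetooth physical link is fully established
2. `Service-level enforced`: authentication and encryption take place after the Bluetooth physical link is fully established and while the logical channels are partially established
* The BR/EDR/HS family defines four security modes, and every Bluetooth device must operate in one of them. Note that these modes indicate "when" a device initiates security
1. Security Mode 1: insecure; security is never initiated. NIST also recommends never using Mode 1
2. Security Mode 2: service level-enforced ~~(look at the rest in more detail if needed...)~~
3. Security Mode 3: link level-enforced ~~(look at the rest in more detail if needed...)~~
4. Security Mode 4: service level-enforced
* Mode 4 uses Secure Simple Pairing (SSP), in which the ECDH key agreement protocol is used to generate the link key
* Before BT 4.0 the P-192 elliptic curve was used; afterwards the P-256 elliptic curve is used to generate the link key
* From BT 4.1 on, the authentication algorithm was updated to HMAC-SHA-256 and the encryption algorithm to AES-CCM, which also provides message integrity
* Mode 4 further defines the following levels
* Level 4: Authenticated link key using Secure Connections required
* Level 3: Authenticated link key required
* Level 2: Unauthenticated link key required
* Level 1: No security required
* Level 0: No security required. (Only allowed for SDP)
* ~~(look at the rest in more detail if needed...)~~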
-->
#### 2.1.1 Pairing and Link Key Generation
The key to Bluetooth authentication and encryption is the generation of a secret symmetric key
* **In BR/EDR it is called the `Link Key`**
    * Security Modes 2 and 3 establish the link key through `Personal Identification Number (PIN)` pairing
    * Security Mode 4 uses SSP
* **In LE it is called the `Long Term Key`**
    * In LE pairing, a `Short Term Key` is generated in order to distribute the Slave and Master `Long Term Key`
    * In LE Secure Connections, each device generates the `Long Term Key`
##### 2.1.1.1 <font color = "blue">PIN/Legacy Pairing</font>
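* When users enter a PIN on one or both Bluetooth devices, the two devices simultaneously derive link keys; see the figure below [1]

* Once the link key has been generated, the devices authenticate each other to check that they hold the same link key, which completes pairing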
##### 2.1.1.2 <font color = "blue">Secure Simple Pairing(SSP)</font>
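* SSP simplifies the pairing process by providing association models that are flexible with respect to device I/O capabilities
* SSP also adds ECDH public key cryptography to protect against eavesdropping and man-in-the-middle (MITM) attacks during pairing; see the figure below [1]

* Four association models
    1. <font color = "red">Numeric Comparison</font>
        * Use case: both Bluetooth devices have a display that shows a six-digit number and let the user respond yes or no. If the numbers match and the user responds yes, pairing succeeds; if the user responds no, pairing fails (https://www.youtube.com/watch?v=yyF110U6i5k)
        * Difference from PIN pairing: the displayed number is not used as an input to link key generation, so an eavesdropper who obtains the number cannot use it to determine the encryption key
    2. <font color = "red">Passkey Entry</font>
        * Use case: one Bluetooth device has input capability such as a keyboard, while the other has no input capability but does have a display. The device with the display shows a six-digit number, and the user enters it on the device with input capability
        * As with Numeric Comparison, the six-digit number is not incorporated into link key generation
    3. <font color = "red">Just Works</font>
        * Use case: at least one of the pairing devices has neither a display nor input capability (e.g., a headset)
        * The user is asked to accept the connection without verifying a calculated value, so Just Works provides no MITM protection
    4. <font color = "red">Out of Band (OOB)</font>
        * Use case: designed for devices that support an additional wireless technology (e.g., Near Field Communication (NFC)) or a wired technology, used for device discovery and cryptographic value exchange
        * With NFC, OOB allows a device to be paired with another by simply tapping them together, after which the user accepts the pairing with a button press. To keep this pairing process secure, the OOB technology should be designed to mitigate eavesdropping and MITM attacks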
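
The following sketch is an added example, not part of the original notes: it shows why Numeric Comparison exposes a substituted public key while the six digits themselves are harmless to disclose. It assumes the SSP check function g(U, V, X, Y) = SHA-256(U || V || X || Y) mod 2^32 from the Bluetooth Core Specification; `device`, `compare` and `relay` are hypothetical names, and the derivation of the link key from the ECDH secret is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// device is one side's ephemeral P-256 key pair and 128-bit pairing nonce.
type device struct {
	key   *ecdh.PrivateKey
	nonce [16]byte
}

func newDevice() (d device) {
	d.key, _ = ecdh.P256().GenerateKey(rand.Reader) // error ignored for brevity
	rand.Read(d.nonce[:])
	return d
}

// x returns the public key's x-coordinate (Bytes() is 0x04 || X || Y).
func (d device) x() []byte { return d.key.PublicKey().Bytes()[1:33] }

// g(U, V, X, Y) = SHA-256(U || V || X || Y) mod 2^32; the display shows its last
// six decimal digits. Every input is sent in the clear, no key material is used.
func g(u, v, x, y []byte) uint32 {
	sum := sha256.Sum256(bytes.Join([][]byte{u, v, x, y}, nil))
	return binary.BigEndian.Uint32(sum[28:])
}

// compare returns both check values; a non-nil relay answered each side itself.
func compare(a, b device, relay *device) (va, vb uint32) {
	peerOfA, peerOfB := b, a
	if relay != nil {
		peerOfA, peerOfB = *relay, *relay
	}
	va = g(a.x(), peerOfA.x(), a.nonce[:], peerOfA.nonce[:]) // initiator's view
	vb = g(peerOfB.x(), b.x(), peerOfB.nonce[:], b.nonce[:]) // responder's view
	return va, vb
}

func main() {
	a, b, m := newDevice(), newDevice(), newDevice()
	va, vb := compare(a, b, nil)
	ra, rb := compare(a, b, &m)
	fmt.Printf("direct %06d/%06d, relayed %06d/%06d\n", va%1000000, vb%1000000, ra%1000000, rb%1000000)
}
```

Just Works runs the same exchange but never shows the value to the user, which is why the mismatch in the relayed case goes unnoticed there.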
<!--##### 2.1.1.3 AMP Link Key Derivation from Bluetooth Link Key(~~有需要再看~~)-->
### 2.2 Security Features of LE
<!--* <font color = "blue">Outline in this section
* Low Energy Security Modes and Levels
* Low Energy Pairing Methods
* Legacy Low Energy Key Generation and Distribution
* Low Energy Secure Connection Key Generation
* Confidentiality, Authentication, and Integrity
* Low Energy Long Term Key Derivation from Bluetooth Link Key
* Bluetooth Link Key Derivation from Low Energy Long Term Key</font>-->
* LE is intended for computationally and storage-constrained devices
* Because LE did not evolve from BR/EDR/HS, its security is not the same as theirs
* <font color = "blue">LE pairing produces a long-term key (LTK) rather than the link key of BR/EDR/HS</font>
* <font color = "blue">After the LTK is generated, LE distributes it using key transport, unlike BR/EDR, which uses key agreement</font>
* The LE LTK can be derived from the BR/EDR Link Key using the h6 AES-CMAC-128 function, and the BR/EDR Link Key can likewise be derived from the LE LTK using the h6 function
<!--* Version 4.0:
* Uses the Identity Resolving Key (IRK) to support LE private device addresses and the Connection Signature Resolving Key (CSRK) to support data signing
* The IRK is used to map a Resolvable Private Address (RPA) to an Identity Address
* The CSRK is used to verify a device's cryptographically signed Attribute Protocol (ATT) data frames on an unencrypted link
* This lets Bluetooth connections use data signing (providing integrity and authentication) instead of data encryption (e.g., AES-CCM)-->
#### 2.2.1 Pairing in LE
* Low energy legacy pairing uses <font color=blue>key transport</font> rather than key agreement for all keys (LTK, IRK, and CSRK), so a <font color=blue>key distribution</font> step is required during low energy legacy pairing
##### 2.2.1.1 Legacy Pairing

##### 2.2.1.2 Secure Connections Pairing
1. Out-of-Band
1. Numeric Comparison
1. Passkey Entry
1. Just Works

#### 2.2.2 Legacy Low Energy Key Generation and Distribution
* Two options are specified for key generation prior to distribution.
    1. A device may simply generate random 128-bit values and store them in a local database (called “Database Lookup” in the specification).
    2. Use a single 128-bit static but random value called Encryption Root (ER) along with a 16-bit Diversifier (DIV) unique to each trusted device to generate the keys. This option is called “Key Hierarchy” in the specification.
        * LTK = d1(ER, DIV, 0)
            * Long Term Key (LTK) is a 128-bit key used to generate the contributory session key for an encrypted connection
        * CSRK = d1(ER, DIV, 1)
            * Connection Signature Resolving Key (CSRK) is a 128-bit key used to sign data and verify signatures on the receiving device.
        * IRK = d1(IR, 1, 0)
            * Identity Resolving Key (IRK) is a 128-bit key used to generate and resolve random addresses
        * `d1()` is a diversifying function based on AES-128 encryption, used in Legacy Low Energy key generation.
        * With this option, the device does not need to store multiple 128-bit keys for each trusted device; rather, it only needs to store its ER and the unique DIVs for each device.
        * During reconnection, the remote device sends its EDIV, which is a masked version of DIV (DIV = dm(DHK, rand) xor EDIV, where DHK is the Diversifier Hiding Key)
        * The local device can then regenerate the LTK and/or CSRK from its ER and the passed EDIV
        * If data encryption or signing is set up successfully, this verifies that the remote device had the correct LTK or CSRK. If unsuccessful, the link is dropped.
        * Note in the above example that the IRK is static and device-specific, and therefore could be generated prior to pairing (e.g., during manufacturing).
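
The "Key Hierarchy" option above, worked through as an added example (not code from the original notes or from any Bluetooth stack): the device keeps only ER and IR, hands the peer an EDIV, and later rebuilds the same LTK from the EDIV and rand the peer sends back. The bit layouts of `d1` and `dm` and the relation DHK = d1(IR, 3, 0) are taken from the Bluetooth Core Specification and are assumptions relative to this page; `device`, `pair` and `reconnect` are hypothetical names and the root keys are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// e is one AES-128 block encryption, the primitive underneath d1 and dm.
func e(k, in [16]byte) (out [16]byte) {
	c, _ := aes.NewCipher(k[:]) // cannot fail: the key is always 16 bytes
	c.Encrypt(out[:], in[:])
	return out
}

// d1(k, d, r) = e(k, 96 zero bits || r || d)
func d1(k [16]byte, d, r uint16) [16]byte {
	var in [16]byte
	binary.BigEndian.PutUint16(in[12:], r)
	binary.BigEndian.PutUint16(in[14:], d)
	return e(k, in)
}

// dm(k, rnd) = e(k, 64 zero bits || rnd) mod 2^16
func dm(k [16]byte, rnd uint64) uint16 {
	var in [16]byte
	binary.BigEndian.PutUint64(in[8:], rnd)
	out := e(k, in)
	return binary.BigEndian.Uint16(out[14:])
}

// device keeps only its roots ER and IR; per-peer keys are derived on demand.
type device struct{ er, ir [16]byte }

// pair derives a peer's LTK and CSRK and the EDIV that peer will send back.
// Assumption (not on the page): DHK = d1(IR, 3, 0), as in the Core Specification.
func (dev device) pair(div uint16, rnd uint64) (ltk, csrk [16]byte, ediv uint16) {
	return d1(dev.er, div, 0), d1(dev.er, div, 1), div ^ dm(d1(dev.ir, 3, 0), rnd)
}

// reconnect unmasks DIV = dm(DHK, rnd) xor EDIV and regenerates the LTK.
func (dev device) reconnect(ediv uint16, rnd uint64) [16]byte {
	return d1(dev.er, dm(d1(dev.ir, 3, 0), rnd)^ediv, 0)
}

func main() {
	dev := device{er: [16]byte{0: 0xE1, 15: 1}, ir: [16]byte{0: 0x1D, 15: 2}} // constructed roots
	ltk, _, ediv := dev.pair(0x1234, 0x0123456789ABCDEF)
	fmt.Printf("LTK %x, EDIV %04x, regenerated %x\n", ltk, ediv, dev.reconnect(ediv, 0x0123456789ABCDEF))
}
```

Because every per-peer key is a function of ER, disclosure of ER exposes the LTK and CSRK of all bonded peers at once, so ER and IR need the same protection a stored key database would.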
#### 2.2.3 Low Energy Secure Connection Key Generation
## 3. BR/EDR vs. LE Comparison Chart

Main differences:
* BR/EDR uses inquiry/paging, whereas BLE uses advertising
* The number of slaves in a BR/EDR piconet is limited, whereas in BLE it is unlimited