# Guide to Bluetooth Security
###### tags: `Bluetooth Security`
稍微了解藍芽資安方面的基本名詞、行為、以及架構
## 1. Basic Terminology
* 各代藍芽
1. Bluetooth 1.0: `BR(Basic Rate)`,基本藍芽
2. Bluetooth 2.0: `EDR(Enhanced Data Rate)`,速率增強模式
3. Bluetooth 3.0: `HS(High Speed)`,高速模式
* BR/EDR的piconet可以有最多7個active slaves以及最多255個inactive slaves
4. Bluetooth 4.0: `LE(low energy)`,低功耗藍芽
* LE則允許master外圍(peripheral)有無限的slaves
* LE支援connectionless broadcast,亦即為LE的broadcasters週期性的傳送資料,而為LE的observers監聽並接收,這樣使得一個device可以在一個時間點傳送資料給多個裝置
* Dual mode device的意思: 一個裝置支援BR/EDR/HS以及LE這兩種模式
* 舉例來說: 手機用EDR來連藍芽耳機並同時用LE來連接解鎖用戶汽車的sensor
* 一個piconet中的slave可以扮演其他piconet的master(BR/EDR或LE都支援),而形成一個network chain,這又叫做`scatternet`
* 裝置間需要建立piconet才能夠夠傳輸資料,例如下圖[1]在piconet3 的User C's phone無法與piconet2中User B's phone進行傳輸
## 2. Bluetooth Security Features
* Bluetooth中5個基本的security services
1. `Authentication(驗證)` :基於device的位置來驗證身份
3. `Authorization(授權)` :在允許使用相關資源之前先確保經過授權
4. `Message Integrity(資料完整性)` :確保資料沒有被竄改
5. `Pairing/Bonding(配對)` :創建一個或多個shared secret keys並儲存這些keys來作為後續連接使用,為的就是彼此能成為受信任的裝置
* <font color = "blue">Key Transport vs. Key Agreement[3]
* Key establishment: process to establish a shared secret key available to two or more parties;
* key transport: one party creates, and securely transfers it to the other(s).
* key agreement: key establishment technique in which a shared secret is derived by two (or more) parties</font>
* <font color = "blue">Long-Term Key vs. Session Key[3]
* Session key: temporary key, used for a short time period.
* Long-term key: used for a long term period, sometimes public and secret key pairs used to sign messages.</font>
* 下面探討兩種devices的security features
1. BR/EDR/HS
* Prior to version 2.1 => BR/EDR legacy
* Version 2.1 => BR/EDR (uses Secure Simple Pairing)
* Version 4.2 => BR/EDR (uses Secure Connections)
3. LE
* Version 4.0 and 4.1 => LE legacy (uses Secure Simple Pairing)
* Version 4.2 => LE (uses Secure Connections)
### 2.1 Security Features of BR/EDR/HS
<!--
* <font color = "blue">Outline in this section
* Pairing and link Key Generation
1. PIN/Legacy Pairing
2. Secure Simple Pairing (SSP)
3. AMP Link Key Derivation from Bluetooth Link Key ~~(有需要再看)~~
* Authentication ~~(有需要再看)~~
1. Legacy Authentication
2. Secure Authentication
* Confidentiality ~~(有需要再看)~~
1. E0 Encryption Algorithm
2. AES-CCM Encryption Algorithm
* Trust levels, Service Security Levels, and Authorization ~~(有需要再看)~~</font>
-->
<!--
* Bluetooth BR/EDR/HS 定義了身分驗證(authentication)以及安全加密程序,可以在同等devices之間設置通訊的不同階段強制執行
1. `Link-level enforced` :在藍芽physical link完整建立前進行認證與加密程序
2. `Service-level enforced` :在藍芽phsical link完整建立之後與logical channels部分建立時,進行認證與加密程序
* BR/EDR/HS家族定義出4種security modes,每個bluetooth device一定要運作其中一個,注意這些modes是指出device"何時"開始啟動security
1. Security Mode 1: 代表不安全,還沒開始初始化security的部分。NIST也建議永遠不要用mode1
2. Security Mode 2: 為service level-enforced ~~(以下有需要再仔細看...)~~
3. Security Mode 3: 為link level-enforced ~~(以下有需要再仔細看...)~~
4. Security Mode 4: 為service level-enforced
* Mode4使用Secure Simple Pairing(SSP),其中使用ECDH密鑰建立協議(key agreement)來生成link key
* BT4.0之前是用P-192 Elliptic Curve,之後則使用P-256 Ellipti Curve來生成link key
* BT4.1後authentication algorithm更新成HMAC-SHA-256,encryption algorithm則更新成AES-CCM,同時提供message integrity的特性
* 其中又有以下幾種level
* Level 4: Authenticated link key using Secure Connectionsrequired
* Level 3: Authenticated link key required
* Level 2: Unauthenticated link key required
* Level 1: No security required
* Level 0: No security required. (Only allowed for SDP)
* ~~(以下有需要再仔細看...)~~
-->
#### 2.1.1 Pairing and Link Key Generation
藍芽認證與加密的關鍵為產生一個對稱式金鑰(secret symmetric key)
* **在BR/EDR稱為`Link Key`**
* Security Modes2與3透過`Personal Identification Number(PIN)`Pairing來開始建立link key
* Security Mode 4則是用SSP
* **在LE則稱為`Long Term Key`**
* 在LE pairing中,產生`Short Term Key`是為了用來分配Slave以及Master`Long Term Key`
* 在LE Secure Connection中,每個device都會生出`Long Term Key`
</font>
##### 2.1.1.1 <font color = "blue">PIN/Legacy Pairing</font>
* 當users在一個或兩個BT devices輸入PIN時,兩個藍芽devices會同時生出link keys,見下圖[1]
* 當生成link key後,devices間會相互驗證來看是否相同來完成配對
##### 2.1.1.2 <font color = "blue">Secure Simple Pairing(SSP)</font>
* SSP藉由提供在device I/O方面較為靈活的association models來簡化配對的過程
* 同時SSP也透過額外的ECDH public key來防止配對時竊聽以及中間人(MITM)攻擊,見下圖[1]
* 四種association models
1. <font color = "red">Numeric Comparison</font>
* 應用場景: 兩個BT devices都有螢幕顯示六位數數字並讓user端回應yes或no。如果數字一樣回應yes即配對成功,如果回應no就是配對失敗(https://www.youtube.com/watch?v=yyF110U6i5k)
* 與PIN差別: 顯示的數字不用被拿來作為生成link key的input,因此能夠拿到這個數字的竊聽者沒辦法用他來知道加密key
2. <font color = "red">Passkey Entry</font>
* 應用場景: 其中一個BT device有像鍵盤一樣的input功能,另外一個沒有這種功能但有螢幕顯示。有螢幕的device顯示六位數數字,user則透過input輸入
* 與Numerica Comparison一樣,這六位數字並沒有包含在生產link key中
3. <font color = "red">Just Works</font>
* 應用場景: 在配對的devices中至少有一個沒有螢幕也沒有input輸入(例如:耳機)
* user在沒有驗證一個計算值的情況下被要求接收連接,所以Just Works並沒有提供MITM的保護
4. <font color = "red">Out of Band (OOB)</font>
* 應用場景: 被設計來支援無線技術的附加功能(e.g., Near Field Communication(NFC))或是有線技術,以實現找到device(device discovery)以及交換加密值(cryptographic value exchange)的作用
* 在NFC下,OOB允許透過一個輕敲的動作就能和另一個device進行配對,然後user再透過按鈕接受配對。如果要在這配對過程保持安全,OOB該被設計成能夠降低竊聽風險以及MITM攻擊
<!--##### 2.1.1.3 AMP Link Key Derivation from Bluetooth Link Key(~~有需要再看~~)-->
### 2.2 Security Features of LE
<!--* <font color = "blue">Outline in this section
* Low Energy Security Modes and Levels
* Low Energy Pairing Methods
* Legacy Low Energy Key Generation and Distribution
* Low Energy Secure Connection Key Generation
* Confidentiality, Authentication, and Integrity
* Low Energy Long Term Key Derivation from Bluetooth Link Key
* Bluetooth Link Key Derivation from Low Energy Long Term Key</font>-->
* LE被用在計算與儲存資源受限(computationally and storage-constrained)的devices
* 由於LE並不是從BR/EDR/HS演變而來的,因此他們security並不相同
* <font color = "blue">LE在配對的時候是產生long-term key(LTK)而非BR/EDR/HS的link key</font>
* <font color = "blue">LE在產生LTK後是用一個key transport來去分發的,並不像是BR/EDR使用key agreement</font>
* LE的LTK可以從BR/EDR Link Key中用h6 AES-CMAC-128 function得出,BR/EDR Link Key也可以從LE的LTK用h6 function得出
<!--* 4.0版本:
* 用Identity Resolving Key(IRK)來支援LE private device addresses以及用Connection Signature Resolving Key(CSRK)來支援data signing
* IRK被用來將Resolvable Private Address(RPA) map到一個Identity Address
* CSRK被用來驗證沒加密的link上device的cryptographically-signed Attribute Protocol (ATT) data frame
* 這讓藍牙可以用data signing連接(提供Integrity以及authentication)而不是data encryption(例如用AES-CCM)-->
#### 2.2.1 Paring in LE
* Low energy Legacy pairing uses <font color=blue>key transport</font> rather than key agreement for all keys (LTK, IRK, and CSRK), thus a <font color=blue>key distribution</font> step is required during low energy Legacy pairing
##### 2.2.1.1 Legacy Pairing
##### 2.2.1.2 Secure Connections Pairing
1. Out-of-Band
1. Numeric Comparison
1. Passkey Entry
1. Just Works
#### 2.2.2 Legacy Low Energy Key Generation and Distribution
* Two options are specified for key generation prior to distribution.
1. A device may simply generate random 128-bit values and store them in a local database (called “Database Lookup” in the specification).
2. Use a single 128-bit static but random value called Encryption Root (ER) along with a 16-bit Diversifier (DIV) unique to each trusted device to generate the keys. This option is called “Key Hierarchy” in the specification.
* LTK = d1(ER, DIV, 0)
* Identity Resolving Key (IRK) is a 128-bit key used to generate and resolve random addresses
* CSRK = d1(ER, DIV, 1)
* Connection Signature Resolving Key (CSRK) is a 128-bit key used to sign data and verify signatures on the receiving device.
* IRK = d1(IR, 1, 0)
* Long Term Key (LTK) is a 128-bit key used to generate the contributory session key for an encrypted connection
* d1() Diversifying function based on AES-128 encryption, used in Legacy Low Energy key generation.
* the device does not need to store multiple 128-bit keys for each trusted device; rather, it only needs to store its ER and the unique DIVs for each device.
* During reconnection, the remote device sends its EDIV, which is a masked version of DIV The local (DIV = dm(DHK, rand) xor EDIV where DHK is the Diversifier Hiding Key)
* The local device can then regenerate the LTK and/or CSRK from its ER and the passed EDIV
* If data encryption or signing is set up successfully, it is verified that the remote device had the correct LTK or CSRK. If unsuccessful, the link is dropped.
* Note in the above example that the IRK is static and device-specific, and therefore could be generated prior to pairing (e.g., during manufacturing). t
#### 2.2.3 Low Energy Secure Connection Key Generation
## 3. BR/EDR vs. LE比較圖
主要差別:
* BR/EDR是用inquiry/paging的方式,BLE則是Advertising
* BR/EDR piconet內的slaves有限,BLE則無限
Google Drive
Gist
Clipboard
Sign in via Google
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
