---
# System prepended metadata

title: Guide to Bluetooth Security
tags: [Bluetooth Security]

---

# Guide to Bluetooth Security
###### tags: `Bluetooth Security`
稍微了解藍芽資安方面的基本名詞、行為、以及架構
## 1. Basic Terminology
* 各代藍芽
    1. Bluetooth 1.0: `BR(Basic Rate)`，基本藍芽
    2. Bluetooth 2.0: `EDR(Enhanced Data Rate)`，速率增強模式 
    3. Bluetooth 3.0: `HS(High Speed)`，高速模式
        * BR/EDR的piconet可以有最多7個active slaves以及最多255個inactive slaves 
    4. Bluetooth 4.0: `LE(low energy)`，低功耗藍芽
        * LE則允許master外圍(peripheral)有無限的slaves
        * LE支援connectionless broadcast，亦即為LE的broadcasters週期性的傳送資料，而為LE的observers監聽並接收，這樣使得一個device可以在一個時間點傳送資料給多個裝置
* Dual mode device的意思: 一個裝置支援BR/EDR/HS以及LE這兩種模式
    * 舉例來說: 手機用EDR來連藍芽耳機並同時用LE來連接解鎖用戶汽車的sensor
* 一個piconet中的slave可以扮演其他piconet的master(BR/EDR或LE都支援)，而形成一個network chain，這又叫做`scatternet`
    * 裝置間需要建立piconet才能夠夠傳輸資料，例如下圖[1]在piconet3 的User C's phone無法與piconet2中User B's phone進行傳輸     
     ![](https://i.imgur.com/DBGa4vS.jpg =600x400)

## 2. Bluetooth Security Features
* Bluetooth中5個基本的security services 
    1. `Authentication(驗證)` :基於device的位置來驗證身份
    3. `Authorization(授權)` :在允許使用相關資源之前先確保經過授權
    4. `Message Integrity(資料完整性)` :確保資料沒有被竄改
    5. `Pairing/Bonding(配對)` :創建一個或多個shared secret keys並儲存這些keys來作為後續連接使用，為的就是彼此能成為受信任的裝置
* <font color = "blue">Key Transport vs. Key Agreement[3]
    * Key establishment: process to establish a shared secret key available to two or more parties;
        * key transport: one party creates, and securely transfers it to the other(s).
        * key agreement: key establishment technique in which a shared secret is derived by two (or more) parties</font>
* <font color = "blue">Long-Term Key vs. Session Key[3]
    * Session key: temporary key, used for a short time period.
    * Long-term key: used for a long term period, sometimes public and secret key pairs used to sign messages.</font>
* 下面探討兩種devices的security features
    1. BR/EDR/HS
        * Prior to version 2.1 => BR/EDR legacy
        * Version 2.1 => BR/EDR (uses Secure Simple Pairing)
        * Version 4.2 => BR/EDR (uses Secure Connections)
    3. LE
        * Version 4.0 and 4.1 => LE legacy (uses Secure Simple Pairing)
        * Version 4.2 => LE (uses Secure Connections)

### 2.1 Security Features of BR/EDR/HS
<!--
* <font color = "blue">Outline in this section
    * Pairing and link Key Generation
        1. PIN/Legacy Pairing 
        2. Secure Simple Pairing (SSP)
        3. AMP Link Key Derivation from Bluetooth Link Key ~~(有需要再看)~~
    * Authentication ~~(有需要再看)~~
        1. Legacy Authentication
        2. Secure Authentication
    * Confidentiality ~~(有需要再看)~~
        1. E0 Encryption Algorithm
        2. AES-CCM Encryption Algorithm
    * Trust levels, Service Security Levels, and Authorization ~~(有需要再看)~~</font>
-->
<!--
* Bluetooth BR/EDR/HS 定義了身分驗證(authentication)以及安全加密程序，可以在同等devices之間設置通訊的不同階段強制執行
    1. `Link-level enforced` :在藍芽physical link完整建立前進行認證與加密程序
    2. `Service-level enforced` :在藍芽phsical link完整建立之後與logical channels部分建立時，進行認證與加密程序
* BR/EDR/HS家族定義出4種security modes，每個bluetooth device一定要運作其中一個，注意這些modes是指出device"何時"開始啟動security
    1. Security Mode 1: 代表不安全，還沒開始初始化security的部分。NIST也建議永遠不要用mode1
    2. Security Mode 2: 為service level-enforced ~~(以下有需要再仔細看...)~~
    3. Security Mode 3: 為link level-enforced ~~(以下有需要再仔細看...)~~
    4. Security Mode 4: 為service level-enforced
        * Mode4使用Secure Simple Pairing(SSP)，其中使用ECDH密鑰建立協議(key agreement)來生成link key
        * BT4.0之前是用P-192 Elliptic Curve，之後則使用P-256 Ellipti Curve來生成link key
        * BT4.1後authentication algorithm更新成HMAC-SHA-256，encryption algorithm則更新成AES-CCM，同時提供message integrity的特性
        * 其中又有以下幾種level
            * Level 4: Authenticated link key using Secure Connectionsrequired
            * Level 3: Authenticated link key required
            * Level 2: Unauthenticated link key required
            * Level 1: No security required
            * Level 0: No security required. (Only allowed for SDP)
        * ~~(以下有需要再仔細看...)~~
-->
#### 2.1.1 Pairing and Link Key Generation
藍芽認證與加密的關鍵為產生一個對稱式金鑰(secret symmetric key)
* **在BR/EDR稱為`Link Key`**
    * Security Modes2與3透過`Personal Identification Number(PIN)`Pairing來開始建立link key     
    * Security Mode 4則是用SSP
* **在LE則稱為`Long Term Key`**
    * 在LE pairing中，產生`Short Term Key`是為了用來分配Slave以及Master`Long Term Key`
    * 在LE Secure Connection中，每個device都會生出`Long Term Key`
</font>
##### 2.1.1.1 <font color = "blue">PIN/Legacy Pairing</font>
* 當users在一個或兩個BT devices輸入PIN時，兩個藍芽devices會同時生出link keys，見下圖[1]
![](https://i.imgur.com/eyg2jvv.jpg =600x500)
* 當生成link key後，devices間會相互驗證來看是否相同來完成配對


##### 2.1.1.2 <font color = "blue">Secure Simple Pairing(SSP)</font>
* SSP藉由提供在device I/O方面較為靈活的association models來簡化配對的過程
* 同時SSP也透過額外的ECDH public key來防止配對時竊聽以及中間人(MITM)攻擊，見下圖[1]
![](https://i.imgur.com/SLtSnJY.jpg =600x500)
* 四種association models
    1. <font color = "red">Numeric Comparison</font>
        * 應用場景: 兩個BT devices都有螢幕顯示六位數數字並讓user端回應yes或no。如果數字一樣回應yes即配對成功，如果回應no就是配對失敗(https://www.youtube.com/watch?v=yyF110U6i5k)
        * 與PIN差別: 顯示的數字不用被拿來作為生成link key的input，因此能夠拿到這個數字的竊聽者沒辦法用他來知道加密key
    2. <font color = "red">Passkey Entry</font>
        * 應用場景: 其中一個BT device有像鍵盤一樣的input功能，另外一個沒有這種功能但有螢幕顯示。有螢幕的device顯示六位數數字，user則透過input輸入
        * 與Numerica Comparison一樣，這六位數字並沒有包含在生產link key中
    3. <font color = "red">Just Works</font>
        * 應用場景: 在配對的devices中至少有一個沒有螢幕也沒有input輸入(例如:耳機)
        * user在沒有驗證一個計算值的情況下被要求接收連接，所以Just Works並沒有提供MITM的保護
    4. <font color = "red">Out of Band (OOB)</font>  
        * 應用場景: 被設計來支援無線技術的附加功能(e.g., Near Field Communication(NFC))或是有線技術，以實現找到device(device discovery)以及交換加密值(cryptographic value exchange)的作用
        * 在NFC下，OOB允許透過一個輕敲的動作就能和另一個device進行配對，然後user再透過按鈕接受配對。如果要在這配對過程保持安全，OOB該被設計成能夠降低竊聽風險以及MITM攻擊


<!--##### 2.1.1.3 AMP Link Key Derivation from Bluetooth Link Key(~~有需要再看~~)-->
### 2.2 Security Features of LE 
<!--* <font color = "blue">Outline in this section
    * Low Energy Security Modes and Levels
    * Low Energy Pairing Methods
    * Legacy Low Energy Key Generation and Distribution
    * Low Energy Secure Connection Key Generation
    * Confidentiality, Authentication, and Integrity
    * Low Energy Long Term Key Derivation from Bluetooth Link Key
    * Bluetooth Link Key Derivation from Low Energy Long Term Key</font>-->
* LE被用在計算與儲存資源受限(computationally and storage-constrained)的devices
* 由於LE並不是從BR/EDR/HS演變而來的，因此他們security並不相同
* <font color = "blue">LE在配對的時候是產生long-term key(LTK)而非BR/EDR/HS的link key</font>
* <font color = "blue">LE在產生LTK後是用一個key transport來去分發的，並不像是BR/EDR使用key agreement</font>
* LE的LTK可以從BR/EDR Link Key中用h6 AES-CMAC-128 function得出，BR/EDR Link Key也可以從LE的LTK用h6 function得出
<!--* 4.0版本:
    * 用Identity Resolving Key(IRK)來支援LE private device addresses以及用Connection Signature Resolving Key(CSRK)來支援data signing
    * IRK被用來將Resolvable Private Address(RPA) map到一個Identity Address
    * CSRK被用來驗證沒加密的link上device的cryptographically-signed Attribute Protocol (ATT) data frame
        * 這讓藍牙可以用data signing連接(提供Integrity以及authentication)而不是data encryption(例如用AES-CCM)-->
#### 2.2.1 Paring in LE
* Low energy Legacy pairing uses <font color=blue>key transport</font> rather than key agreement for all keys (LTK, IRK, and CSRK), thus a <font color=blue>key distribution</font> step is required during low energy Legacy pairing
##### 2.2.1.1 Legacy Pairing
![](https://i.imgur.com/Ay8mMCA.png)
##### 2.2.1.2 Secure Connections Pairing
1. Out-of-Band
1. Numeric Comparison
1. Passkey Entry
1. Just Works
![](https://i.imgur.com/reCbdZK.png)

#### 2.2.2 Legacy Low Energy Key Generation and Distribution
* Two options are specified for key generation prior to distribution.
    1. A device may simply generate random 128-bit values and store them in a local database (called “Database Lookup” in the specification).
    2. Use a single 128-bit static but random value called Encryption Root (ER) along with a 16-bit Diversifier (DIV) unique to each trusted device to generate the keys. This option is called “Key Hierarchy” in the specification.
        * LTK = d1(ER, DIV, 0)
            * Identity Resolving Key (IRK) is a 128-bit key used to generate and resolve random addresses
        * CSRK = d1(ER, DIV, 1)
            * Connection Signature Resolving Key (CSRK) is a 128-bit key used to sign data and verify signatures on the receiving device.
        * IRK = d1(IR, 1, 0)
            *  Long Term Key (LTK) is a 128-bit key used to generate the contributory session key for an encrypted connection
        * d1() Diversifying function based on AES-128 encryption, used in Legacy Low Energy key generation.
        * the device does not need to store multiple 128-bit keys for each trusted device; rather, it only needs to store its ER and the unique DIVs for each device.
        * During reconnection, the remote device sends its EDIV, which is a masked version of DIV The local (DIV = dm(DHK, rand) xor EDIV where DHK is the Diversifier Hiding Key)
        * The local device can then regenerate the LTK and/or CSRK from its ER and the passed EDIV
        * If data encryption or signing is set up successfully, it is verified that the remote device had the correct LTK or CSRK. If unsuccessful, the link is dropped.
        * Note in the above example that the IRK is static and device-specific, and therefore could be generated prior to pairing (e.g., during manufacturing). t
#### 2.2.3 Low Energy Secure Connection Key Generation

## 3. BR/EDR vs. LE比較圖
![](https://i.imgur.com/MiTiZI9.png =600x300)
主要差別:
* BR/EDR是用inquiry/paging的方式，BLE則是Advertising
* BR/EDR piconet內的slaves有限，BLE則無限