Professional Documents
Culture Documents
Hardware
Implementation of
Bluetooth Security
Bluetooth can implement its security layer’s key-generation mechanism
and authentication in software or hardware. Software implementation
usually satisfies user requirements, but in time-critical applications or
processing-constrained devices, a hardware implementation is preferable.
S
ecurity in pervasive computing is a com- or pseudorandom3 process. In the Bluetooth system,
plex issue that has been the subject of neg- the security layer is one of the baseband layers, which
ative publicity in recent years due to poor the upper layers (such as the link manager) control.
implementations (such as the Wired Equiv- It includes key management, key-generation mecha-
alent Privacy protocol used by IEEE nisms, user and device authentication, and data
802.11). Many low-level protocols are not secure, encryption. The Bluetooth security architecture can
and the use of more secure high-level protocols is lim- secure all upper layers by enforcing the Bluetooth
ited by the processing capabilities of mobile devices. security policy or can be flexible enough to let those
Bluetooth could enhance and extend pervasive appli- layers use their own security policies.
cations because it is well suited to the power require-
ments of mobile applications (see the “Bluetooth” Key management and the key-generation
sidebar). Furthermore, it offers methods for generat- mechanism
ing keys, authenticating users, and encrypting data. To connect, users must enter their personal identi-
Most single-chip Bluetooth baseband implemen- fication numbers (see Figure 1). Using the PIN, the
tations, which include a low-per- link-key-generation function (E2) generates the appro-
Paraskevas Kitsos, Nicolas Sklavos, formance general-purpose proces- priate link key. The authentication function (E1) uses
Kyriakos Papadomanolakis, and sor, implement only the data this key to authenticate the identity of the connect-
Odysseas Koufopavlou encryption in hardware. How- ing parties. When data encryption is required, the
University of Patras, Greece ever, in time-critical applications encryption-key-generation function (E3) produces the
requiring a fast connection and in encryption key using the same link key. The stream
devices with processing con- cipher function (E0) uses the encryption key to encrypt
straints, implementing key generation and authenti- or decrypt the sending or receiving data.
cation in the hardware (rather than software) is also During a connection, a Bluetooth device produces
preferable. To improve performance in these appli- several different types of 128-bit link keys. These
cations, we use an efficient implementation of the keys handle all security transactions between two or
Safer+ (Secure And Fast Encryption Routine) algo- more parties. Depending on the application type, the
rithm, which reduces the resource requirements. link keys can be initialization, unit, combination, or
master keys. A link key’s lifetime depends on whether
Bluetooth security it is a semipermanent or temporary key. A point-to-
The Bluetooth security layer uses four key elements: multipoint connection, which transmits the same
a Bluetooth device address, two separate key types information to several recipients, uses a master (tem-
(authentication and encryption), and a random num- porary) key. All other link-key types are semiper-
ber.1 The authentication key generates the encryp- manent. In addition to link keys, there is the encryp-
tion key during the authentication phase. A Bluetooth tion key. The encryption-key-generation process uses
device produces the random number using a random2 the current link key to produce the encryption key.
1536-1268/03/$17.00 © 2003 IEEE ■ Published by the IEEE CS and IEEE Communications Society PERVASIVE computing 21
SECURITY & PRIVACY
tion consists of the payload key generator, Bluetooth device Data Bluetooth device
address A Encryption Encryption address A
the key stream generator, and the encryp- (E0) (E0)
tion/decryption part.1 Encryption key Kc Encryption key Kc
The payload key generator combines the Random
stream-cipher function’s input bits in an Kstream number A Kstream
Data A–>B Data A–>B
appropriate order and leads them to the
key stream generator’s4 four linear feed- Data B–>A Data B–>A
back shift registers (LFSR). The generator
uses different encryption modes depend-
ing on the party link-key type. It doesn’t
encrypt the broadcast traffic when using a
combination or unit key. However, when Device A (master) Device B (slave)
using a master key, it can use one of three Signed
possible encryption modes. In encryption Random number A response Random number A
mode 1, the generator doesn’t encrypt any- Bluetooth device (SRES) Bluetooth device
thing. In encryption mode 2, it uses the address B Authentication Authentication address B
(E1) (E1)
master key to encrypt the individually Link key Link key
addressed traffic but doesn’t encrypt L L
broadcast traffic. In encryption mode 3, it Random
uses the master key to encrypt all traffic. number A
ACO ? ACO
Bluetooth implementations SRES' = SRES SRES
Commercial chipsets are available that
implement Bluetooth. Many companies
(including Cambridge Silicon Radio,
Philips, Ericsson, Atmel, and Zeevo) have
integrated the basic Bluetooth baseband
functions in hardware. Other companies,
such as Silicon Wave, Oki Semiconductor,
and Intel, provide a Host Control Interface
that can be controlled, for example, across
Figure 3. Bluetooth system hardware
a USB interface. An ARM (Advanced Risk Bluetooth
implementation.
Machines) embedded processor core, for baseband
the appropriate firmware execution, sup-
ports the Bluetooth controller’s hardware The cryptography algorithms demand ARM
Radio
components (see Figure 3). We can imple- high processing capabilities. Implementing frequency I/O
ment the security protocol in these hard- either a public-key encryption or a private- module
Bluetooth
ware components. key algorithm, with a typical microcon- controller
For an ARM-based system to work troller instruction set, leads to large code
properly, it generally needs many RAM and size and high power requirements. The
ROM blocks, instruction cache memory, challenge is to include appropriate hard-
and sophisticated control logic. On the ware primitives that make these operations RAM ROM
other hand, hardware implementations more efficient in all these dimensions while
limit the silicon area and consume less of letting the security algorithms evolve.5
the chip’s power. In addition, the software data encryption (the stream cipher function
implementation requires multiply instruc- Security hardware unit) in hardware. This removes the contin-
tions and more clock cycles to execute the implementation uous load from the processor across the
partial operation, reducing the system time As we stated earlier, most single-chip Blue- wireless link during data transfer. In addi-
performance. tooth baseband implementations implement tion, implementing the key-generation
D
a E1/E3 function unit
• RAM and ROM memories
t
a • The stream cipher function
I/O interface
• Control
b
RAM • The I/O interface
u
s
The link-key-generation function unit
ROM
produces the appropriate link keys. Using
these link keys, the E1/E3 function unit per-
E0 stream cipher
function unit forms authentication and produces the
encryption key. It uses the stream cipher
function unit for data encryption and
transfers all the interunit data movements
mechanism and authentication in hardware ware implementation. It consists of six units: through the 64-bit data bus. It also inte-
(rather than software) offers faster connec- grates RAM to store the appropriate func-
tion times and lower power consumption. • The link-key-generation function tion keys and stores the function constants
Figure 4 shows the proposed system • The E1/E3 function (authentication and in the ROM. The control unit synchronizes
architecture for the Bluetooth security hard- encryption-key generation) the system’s operation and puts the inac-
tive system portions in standby mode.6
This greatly reduces power dissipation.
The system communicates with the exter-
128 Plaintext nal environment through the I/O interface.
The basic component of all the key gen-
Clock eration functions (E2, E3) and the authenti-
Input register Reset cation function is the Safer+ algorithm.1,7–9
Safer+ is based on the existing Safer family
of ciphers, which comprises the ciphers Safer
Key odd K-64, Safer K-128, and Safer SK-128,7
addition developed by James Massey of ETH Zurich.
All algorithms are byte-oriented block-
MUX encryption algorithms, which have two
When sel=0=> Ar
properties. First, to achieve the desired dif-
When sel=1=> A'r
K fusion, they use a nonorthodox linear trans-
e Round keys formation (Pseudo-Hadamard Transfor-
y Safer+
K2r – 1 / K2r single round mation). Second, they use additive constant
128
factors (bias vectors) in the key scheduling
s to avoid weak keys.
Key c Feedback data
h
e Implementing the Safer+
d Round key
Key odd addition algorithm
u 128 K 17
l Figure 5 shows the Safer+ algorithm’s
i hardware implementation. It consists of
n Output register two main units: the encryption data path
g
and the key-scheduling unit. The key-
128
Ciphertext
DE-MUX
g2(x) degrees are n and m, accordingly.
XOR
Synthesis results and analysis
+16 96 128 We captured the overall system (see Fig-
ure 4) using VHDL (VHSIC Hardware
Output Description Language) and simulated/ver-
ADD register ified the system under real-time operating
Expansion
+16 conditions. The performance, critical
32 96 128
ACO
path, and silicon area of the Safer+ imple-
Signed Kc mentation determine the characteristics of
response Ciphering the function implementations for link
96 offset
production keys, encryption-key generation, and
Key_type
Bluetooth authentication.
device
address 96
Initial value
tion mechanism functions execute in less
Linear feedback shift register 2 Encryption stream Zt
than 1.5 msec. Because our system uses XOR
Linear feedback shift register 3
only two nonlinear functions (e and l), it
Linear feedback shift register 4 Blend
significantly reduces the silicon area.
The two components of the stream- Z –1
cipher function unit are implemented eas- T2
ily using registers and basic logic gates (see Z –1 T1
Figures 9 and 10). The critical path of the
key-stream generation is short, so the XOR
+
achieved throughput is much higher than + /2
the Bluetooth specification demands.
We synthesized, placed, and routed the
system using the XILINX field-program-
mable gate array (VIRTEX-E V2600E-
FG1156). Table 1 presents detailed syn-
g1(0) g1(1) g1(2) g1(n -1)
thesis results for the overall system. The
device utilization for this specific XILINX
FPGA device is 78.4 percent for the con-
figurable logic blocks, 84 percent for the
function generators, and 5 percent for the Kc (0) ... Kc (n – 1) D D D D D
D flip-flops. The system clock frequency is IR ( 0) IR (1) IR (2) IR (n -1) IR (n )
15 MHz. 80 bytes of RAM stores the keys
that the link-key-generation and E1/E3
g2(m) g2(m –1) g2(1) g2(0)
function units produce. The system also
has a 4,704-byte ROM.
TABLE 1
System FPGA synthesis results.
System component Configurable Function D flip-flops ROM blocks (bytes)
logic blocks generators
TABLE 2
Safer+ performance comparisons.
Implementation Frequency (MHz) Throughput (Mbps) Normalized frequency (MHz)
Table 2 presents the proposed Safer+ anywhere. We might not be there yet, but can work together through ad hoc net-
implementation’s measurements, frequency, we are headed in the right direction. works, marking the beginning of a standard
and throughput. For comparison, we also In realizing this vision, hardware and that enables wireless machine-to-machine
include measurements from other imple- networking infrastructures are increasingly communications between each and every
mentations. When establishing a Bluetooth becoming a reality. Wireless networking intelligent device and every appliance.
connection using authentication and the standards, such as IEEE 802.11 and Blue- Over the last few years, we have labored
key-generation mechanism, the throughput tooth, provide local connectivity while the under the constraint that secure cryptosys-
is much lower than when connecting using Internet provides worldwide connectivity. tems require too much computation to be
data encryption. In particular, with Bluetooth, various devices performed easily. Moore’s law is producing
The Software1 implementation was
coded in C language and executed on a
200-MHz Pentium PC.10 The Software2 the AUTHORS
implementation was coded in Assembly
Paraskevas Kitsos is working toward his PhD in the Department of Electrical and
language and executed on an 8-bit MCS
Computer Engineering at the University of Patras. His research interests include
51 family processor.9 The proposed Safer+ Very Large Scale Integration design, hardware implementations of cryptography
implementation’s throughput is five times algorithms, security protocols for wireless communication systems, and Galois field
arithmetic implementations. He received his BS in physics from the University of
higher than James Massey’s implementa-
Patras. Contact him at VLSI Design Laboratory, Dept. of Electrical and Computer
tion,9 and much higher when compared to Eng., Univ. of Patras, 26500 Rio, Patras, Greece; pkitsos@ee.upatras.gr; www.vlsi.
the software implementations. ee.upatras.gr/~pkitsos.
To fairly compare the Safer+ designs,
Nicolas Sklavos is pursuing his PhD in the department of Electrical and Computer
Table 2 presents the normalized frequen- Engineering at the University of Patras. His research includes Very Large Scale Inte-
cies for each design for 1 million bits per gration and low-power design, cryptography implementations for wireless commu-
nications, and reconfigurable computing architectures. He received his diploma in
second (Mbps) yielding throughput. The
electrical and computer engineering from the University of Patras. Contact him at
proposed implementation achieves the the VLSI Design Laboratory, Dept. of Electrical and Computer Eng., Univ. of Patras,
required throughput with the same clock 26500 Rio, Patras, Greece; nsklavos@ee.upatras.gr; www.vlsi.ee.upatras.
gr/~sklavos/sklavos.htm.
frequency as one of Massey’s designs.10
Compared to previous designs, it requires Kyriakos Papadomanolakis is pursuing his PhD in the department of Electrical
a much lower clock frequency. and Computer Engineering at the University of Patras. His research interests include
Very Large Scale Integration, low-power design, and fault-tolerant techniques. He
received his diploma in electrical and computer engineering from the University of
Patras. Contact him at the VLSI Design Laboratory, Dept. of Electrical and Computer
Eng., Univ. of Patras, 26500 Rio, Patras, Greece; papk@ee.upatras.gr.
P
ervasive computing promises a
computing environment that seam-
lessly supports users in accom- Odysseas Koufopavlou is an associate professor with the Department of Electrical
and Computer Engineering at the University of Patras. His research interests include
plishing their tasks and renders the
Very Large Scale Integration, low-power design, VLSI cryptosystems, and high-
actual computing devices and technology performance communication subsystems architecture and implementation. He
largely invisible. The explosive growth of received his Diploma and PhD in electrical engineering from the University of Patras.
He is a member of the IEEE. Contact him at the VLSI Design Laboratory, Dept. of
both Internet and wireless communication
Electrical and Computer Eng., Univ. of Patras, 26500 Rio, Patras, Greece; odysseas@
means that technology can bring informa- ee.upatras.gr; www.vlsi.ee.upatras.gr/~odysseas.
tion, services, and applications to the user,
PAPERS
CALL
FOR
Submission Deadline: 7 July 2003
IEEE PERVASIVE COMPUTING Submission address: pervasive@computer.org
SENSOR AND ACTUATOR NETWORKS Publication date: November 2003
IEEE Pervasive Computing invites articles relating to the design of distributed systems coupled with
the physical world. Such systems face tight constraints on energy, computation, and communication
yet must last for long periods of time without human intervention.Their study
is thus central to ubiquitous/pervasive computing. We especially welcome
papers that lie at the intersection of distributed control systems, sensor
networks, and robotics and offer useful insights to one or more of those
research communities.
Example topics include (but are not limited to):
• Sensor/actuator networks
• Robotic sensor networks
• Distributed control
• Signal processing in sensor/actuator networks
• New distributed sensor/actuator technologies
• Applications and case studies
Submissions should be 4,000 to 6,000 words and should follow the magazine’s guidelines
on style and presentation (see http://computer.org/pervasive/author.htm). All submissions will be
anonymously reviewed in accordance with normal practice for scientific publications. In addition to full-length
submissions, we also invite work-in-progress submissions of 250 words or less. The deadline for those submissions is 1
October 2003. Please contact Lead Editor Shani Murray (smurray@computer.org), Editor-in-Chief M. Satyanarayanan
(satya@cs.cmu.edu) , or the Guest Editors, Gaurav Sukhatme (gaurav@usc.edu) and Deborah Estrin (destrin@cs.ucla.edu),
for more information.