
BLUETOOTH SECURITY

TABLE OF CONTENTS

ABSTRACT

1. INTRODUCTION
1.1 APPLICATIONS
1.2 BENEFITS

2. SECURITY FRAMEWORK
2.1 BASIC DEFINITIONS
2.2 SECURITY MODES
2.3 SECURITY LEVELS

3. LINK LEVEL SECURITY
3.1 KEY MANAGEMENT SCHEME
3.2 AUTHENTICATION SCHEME
3.3 ENCRYPTION SCHEME

4. SERVICE LEVEL SECURITY

5. CONCLUSION
6. BIBLIOGRAPHY

APPENDIX - A POWER POINT SLIDES
APPENDIX - B INDEX

ABSTRACT

Bluetooth is a way of connecting machines to each other without cables or any
other physical medium. It uses radio waves to transfer information, so it is very
easily affected by attacks. This report first gives some background information
about the Bluetooth system and security issues in ad hoc networks, and then
introduces a security framework for describing the Bluetooth security layout.
Both link-level and service-level security schemes are then discussed in detail
on the basis of the framework, concentrating on specific security measures in
Bluetooth, mainly authentication, encryption, key management and ad hoc
aspects. Corresponding countermeasures are also proposed in order to improve
Bluetooth security.

Chapter I
1. INTRODUCTION

From the beginning of the computer era, cables have been used to connect
computers to each other and to special devices. To let information travel safely,
security measures have been developed to secure the cable connections.

Now, as times have changed, cables are less needed, and Bluetooth was
developed to provide a cable-free environment. Bluetooth is a new
technology named after the 10th century Danish king Harald Bluetooth.
It is accepted as a proposed standard for local wireless communication and is
becoming more and more popular day by day. It has now been extended to support
both voice/data access applications and personal ad hoc networks.

This report gives information about the security measures of Bluetooth. We
examine the Bluetooth security architecture in detail, how its measures should
differ from the old security measures of the cable-connected world, and whether
they are sufficient for Bluetooth to be used for everyday communications. I
have examined Bluetooth security in two parts according to the proposed
framework: the built-in link-level Bluetooth security as the main part, and
the service-level Bluetooth security architecture as the practice part. The
report also covers the possible uses of Bluetooth.

1.1 APPLICATIONS
Bluetooth works for a wide range of applications. These range from
straightforward cable replacement to sophisticated networking applications.

Examples:
· Wireless headsets for cell phones for hands-free, wire-free phone calls.
· Wireless PC mouse connection to the PC using Bluetooth.
· Wireless printing between a PC or handheld and a Bluetooth-enabled printer.
· Wireless barcode scanner input for retail and warehousing.
· Automated synchronization of Personal Digital Assistants (PDAs) and PCs using
Bluetooth.
· Ad hoc networking and file sharing between PCs, PDAs and laptops in a
meeting.
· Automated cell phone dialing from a laptop’s contact database with logging of
the activity on the laptop.
· Internet access for Bluetooth devices via a Bluetooth-enabled device
on the Internet.
· Synchronization of contact information between a cell phone, PDA, notebook, and
desktop wirelessly.
· With automatic synchronization enabled, everyone can see changes to the
shared material on his or her own computer.

1.2 BENEFITS
The most basic benefit of Bluetooth is simple cable replacement between two
devices. In many situations the benefit is the physical elimination of
inconvenient cables that take up space and limit device placement. In industrial
and commercial applications, the presence of wires creates problems and task
interference issues. The wide range of device types and the standard interface
provided by Bluetooth allow selection of devices each optimized for its
particular function. The multipoint capabilities of Bluetooth communications
allow one interface to support communications with a set of devices such as
printers, scanners, scales, PDAs, other PCs, etc. A set of wired and wireless
devices are Bluetooth connectable, including office appliances, e.g. desktop
PCs, printers, projectors, laptops, and PDAs; communication appliances, e.g.
speakers, handsets, pagers, and mobile phones; home appliances, e.g. DVD
players, digital cameras, cooking ovens, washing machines, refrigerators, and
thermostats. Bluetooth is suitable for a wide range of applications, e.g.
wireless office and meeting room, smart home and vehicle, intelligent parking,
electronic paying and banking.
Bluetooth wireless networking, in general, provides a simple and fast path to ad
hoc networks with minimal equipment and overhead.

Chapter II
2. Security Framework

Bluetooth technology provides security at both the application layer and the
link layer. In addition, two kinds of features make attacks more difficult. A
hop selection mechanism of up to 1600 hops/sec is used to avoid interference
from external or other piconets. An automatic output power adaptation scheme is
also included in the standard for the low power consumption of light-weight mobile
devices, which can reduce the radio spread range for data transmission exactly
according to requirements based on the detected intensity.

2.1 Basic Definitions


There are three information security objectives, of which one or all are to be
reached. Confidentiality means that the data can only be used by authorized
users and/or parties. Integrity means that the data cannot be modified by
adversaries during transfer or storage. Availability means that the data is
always available for authorized use.
Bluetooth gives three main techniques to achieve security features:
· Encryption: the process of transforming data into a form that cannot be
understood without a key. Both data and control information can be encrypted.
· Authentication: ensuring the identity of another user, so that each party
knows with whom it is communicating, i.e. verifying ‘who’ is at the other end
of the link. Authentication is performed for both devices and users.
· Authorization: the process of deciding whether a device is allowed to have
access to a service. Authorization always includes authentication.
2.2 Security Modes

Each Bluetooth device can work in one of three security modes. Depending on
whether a device uses a semi-permanent link key or a master key, there are
several encryption modes available. If a unit key or a combination key is used,
broadcast traffic is not encrypted. Individually addressed traffic can be either
encrypted or not. If a master key is used, there are three possible modes.

Mode 1 is a non-secure mode, in which a Bluetooth device never initiates
any security procedure; nothing is encrypted.
Mode 2 is service-level security, in which a device does not initiate security
functions before channel establishment; whether it initiates them depends on the
security requirements of the requested channel or service. Broadcast traffic is
not encrypted, but individually addressed traffic is encrypted with the master
key.
Mode 3 is link-level security, in which a Bluetooth device initiates
security functions before link set-up. All traffic is encrypted with the master
key.
The two levels of the Bluetooth security scheme can be defined as follows:
· Link-level security: the Bluetooth device initiates security functions before
the channel is established. This is the built-in security mechanism.
· Service-level security: the Bluetooth device initiates security functions after
the channel is established, i.e. at the higher layers.

2.3 Security Levels

In service-level security, the Bluetooth device initiates security functions
after the channel is established, i.e. at the higher layers.
Bluetooth allows different security levels to be used for devices and various
services. To secure devices, two security levels can be defined. An authorized
device has unrestricted access to all or some specific services. Basically this
means that the device has been previously authenticated and is marked as
“trusted”. An unauthorized device has restricted access to services. Usually the
device has been previously authenticated but has not been marked as “trusted”.
An unknown device is also an untrusted device.
Three levels of service security are defined so that the
requirements for authorization, authentication, and encryption can be set
independently: services that require authorization and authentication,
services that require authentication only, and services open to all devices.

These three security levels can be described by using the following
attributes:
· Authorization: access to the service is granted only after an authorization
procedure. Only authorized devices will get automatic access.
· Authentication: the remote device must be authenticated before being able to
connect to the application being accessed.
· Encryption: the link between the two devices must be encrypted before the
application can be accessed.
Chapter III

3. Link-level Security

In link-level security, the Bluetooth device initiates security functions before
the channel is established. This is the built-in security mechanism.
Figure 1 illustrates the link-level security framework of Bluetooth. In the
figure, a Bluetooth device (the claimant) tries to communicate with the other
device (the verifier) [1].
Generally the whole scheme is divided into four levels, as shown in the figure.

Figure 1: Bluetooth link-level security scheme.

3.1 Key Management Scheme

The key management scheme [2] is used to generate, store, and distribute keys,
and is included in the first step of each of the four parts in Figure 1.
Bluetooth uses a private key, called the link key, which is shared between two
or more parties.
· A semi-permanent key can be used after the current process is terminated, while a
temporary key is valid only until the current process is over.
· The initialization key is used only during the initialization process. The unit key is
generated once at the installation of the unit.
· The combination key is derived by both units for services that require more
security.
· The master key, generated by the master device, is used when the master wants to
send messages.
· A Bluetooth Personal Identification Number (PIN) is used for authentication and
to generate the initialization key before exchanging link keys.
· The unit key is generated in a single device when it is installed.

Figure 2: Bluetooth key structure.

3.2 Authentication Scheme

The Bluetooth authentication scheme uses a challenge-response strategy in which a
2-move protocol is used to check whether the other party knows the secret key. The
protocol uses symmetric keys, so a successful authentication is based on the fact
that both participants share the same key.

Figure 3: Challenge-response for the Bluetooth authentication.


First, the verifier sends the claimant a random number for authentication. Then
both participants use the authentication function E1 with the random number, the
claimant's Bluetooth Device Address and the current link key to get a response.
The claimant sends the response to the verifier, who then makes sure the
responses match. The application in use indicates who is to be authenticated, so
the verifier is not necessarily the master, and both parties may be
authenticated in turn. If the authentication fails, a period of time must pass
before a new attempt at authentication can be made. The period of time doubles
for each subsequent failed attempt from the same address, until a maximum is
reached. The waiting time decreases exponentially to a minimum when no failed
authentications are made during a time period.
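
The exchange and the waiting-interval rule described above, as an added example that is not part of the original report. E1 is replaced here by truncated HMAC-SHA256 as a stand-in (it is not the real E1), and the interval limits, the quiet period and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_WAIT, MAX_WAIT = 1.0, 64.0   # seconds; constructed values, not from the report
QUIET_PERIOD = 60.0              # seconds without failures before the wait halves

def e1_stand_in(link_key: bytes, au_rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for E1 (NOT the real function): truncated HMAC-SHA256."""
    return hmac.new(link_key, au_rand + bd_addr, hashlib.sha256).digest()[:4]

class Claimant:
    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr, self.link_key = bd_addr, link_key

    def respond(self, au_rand: bytes) -> bytes:
        return e1_stand_in(self.link_key, au_rand, self.bd_addr)

class Verifier:
    def __init__(self, link_keys: dict):
        self.link_keys = link_keys   # BD_ADDR -> link key shared with that device
        self.failures = {}           # BD_ADDR -> (waiting interval, time of last failure)

    def current_wait(self, addr: bytes, now: float) -> float:
        """Interval for addr, halved once per quiet period, never below MIN_WAIT."""
        if addr not in self.failures:
            return 0.0
        wait, last_fail = self.failures[addr]
        halvings = int(max(0.0, now - last_fail) // QUIET_PERIOD)
        return max(MIN_WAIT, wait * 0.5 ** halvings)

    def authenticate(self, claimant: Claimant, now: float) -> str:
        addr = claimant.bd_addr
        wait, last_fail = self.failures.get(addr, (0.0, 0.0))
        if now < last_fail + wait:
            return "wait"                    # still inside the waiting interval
        key = self.link_keys.get(addr)
        if key is None:
            return "fail"                    # no link key stored for this address
        au_rand = os.urandom(16)             # move 1: verifier -> claimant
        sres = claimant.respond(au_rand)     # move 2: claimant -> verifier
        if hmac.compare_digest(sres, e1_stand_in(key, au_rand, addr)):
            return "ok"
        previous = self.current_wait(addr, now)
        # First failure starts at MIN_WAIT; each further failure doubles the interval.
        self.failures[addr] = (min(MAX_WAIT, previous * 2) or MIN_WAIT, now)
        return "fail"
```

Because the interval is tracked per address, a device holding the correct link key is also made to wait while the interval for its address is running.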

3.3 Encryption Scheme

Figure 4 shows the encryption procedure. The encryption key (KC) is generated
from the current link key.

Figure 4: Encryption procedure.


The Bluetooth encryption system encrypts the payloads of the packets. This
is done with a stream cipher E0, which is re-synchronized for every payload. The
E0 stream cipher consists of the payload key generator, the key stream generator
and the encryption/decryption part. The payload key generator combines the input
bits in an appropriate order and shifts them to the four Linear Feedback Shift
Registers (LFSR) of the key stream generator.

Each device has a parameter defining the maximum allowed key length, so the
size of the encryption key used between two devices must be
negotiated. In the key size negotiation, the master sends its suggestion for the
encryption key size to the slave. The slave can either accept and acknowledge it, or
send another suggestion. This is continued until a consensus is reached or one of
the devices aborts the negotiation.
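
The negotiation described above, as an added example that is not part of the original report. The `Device` class, the message labels and the `min_len` parameter (the smallest key size a device is willing to accept) are assumptions of this sketch; only the maximum-length parameter comes from the text.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    max_len: int       # maximum allowed key length in bytes (parameter from the text)
    min_len: int = 1   # assumption: smallest key size this device will accept

def negotiate(master: Device, slave: Device):
    """Return (agreed key size in bytes or None, transcript of the exchange)."""
    proposer, responder = master, slave
    size = master.max_len                    # the master opens with its suggestion
    transcript = []
    while True:
        transcript.append((proposer.name, "suggest", size))
        if size < responder.min_len:
            # Too short for the responder's policy: abort instead of weakening.
            transcript.append((responder.name, "abort", size))
            return None, transcript
        if size <= responder.max_len:
            transcript.append((responder.name, "accept", size))
            return size, transcript          # consensus reached
        # The responder cannot support this size, so it sends another suggestion
        # (its own maximum) and the roles swap for the next round.
        size = responder.max_len
        proposer, responder = responder, proposer

# Constructed devices: the result is the smaller of the two maxima, so a device
# with no minimum ends up with whatever key size its peer's maximum dictates.
STRICT_MASTER = Device("master", max_len=16, min_len=7)
LAX_MASTER = Device("master", max_len=16)
SHORT_SLAVE = Device("slave", max_len=1)
```

With these constructed devices, `negotiate(LAX_MASTER, SHORT_SLAVE)` settles on a 1-byte key, while `negotiate(STRICT_MASTER, SHORT_SLAVE)` ends in an abort.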

Chapter IV
4. Service-level Security

This section covers basic issues involved in the implementation of security
mechanisms. The approach is a flexible security architecture built on top of
the link-level security features of Bluetooth. Figure 5 gives the general security
architecture. The key component in the architecture is a security manager, with the
following functions:
· Store security-related information on both services and devices into
corresponding service and device databases.
· Permit or refuse access requested by protocol implementations or applications.
· Command the link manager to enforce authentication and/or encryption before
connecting to the application, using the HCI.
· Query Personal Identification Number (PIN) entry to set up a trusted device
relationship.
Such a centralized security manager makes it flexible to implement different
access policies and easy to add new ones without affecting other parts.
The security manager acts as a bridge that joins application-level and link-level
security controls together and thus helps in providing end-to-end security.
Authentication should be performed after determining what the security level of
the requested service is. That is to say, the authentication can only be performed
when a connection request to a service (SCO link) is submitted.
· Logical Link Control and Adaptation Protocol (L2CAP): this protocol
provides connection-oriented and connectionless data services to the
upper layer protocols, with protocol multiplexing capability.
· Host Controller Interface (HCI), i.e. the boundary between hardware and
software, provides a uniform command interface to access capabilities of
hardware, e.g. link manager, link control and event registers.
· Cable Replacement Protocol, i.e. the RFCOMM protocol, is based on ETSI
TS 07.10 and matches serial line control and data signals over Bluetooth
baseband to provide transport capabilities for upper level services.
The device database stores information about the device type, the trust level
(whether trusted or untrusted) and the link key (used for encryption) length. [3]
The service database stores information regarding the authentication,
authorization and encryption requirements for the services. It also stores other
routing information for the services. [3]

Figure 5: Bluetooth security architecture.
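
The access decision made by the security manager described in this chapter, as an added example that is not part of the original report. All class, field and service names and the sample database rows are constructed; refusing unregistered services and refusing untrusted devices outright (rather than asking the user) are simplifications of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServicePolicy:            # one row of the service database
    authorization: bool
    authentication: bool
    encryption: bool

@dataclass
class Link:                     # link state as reported by the link manager
    bd_addr: str
    authenticated: bool = False
    encrypted: bool = False

class SecurityManager:
    def __init__(self, device_db: dict, service_db: dict):
        self.device_db = device_db      # BD_ADDR -> "trusted" | "untrusted"
        self.service_db = service_db    # service name -> ServicePolicy

    def check_access(self, link: Link, service: str):
        """Return (decision, details): permit, refuse, or pending link-level steps."""
        policy = self.service_db.get(service)
        if policy is None:
            return "refuse", ["unregistered service"]   # fail closed (sketch's choice)
        steps = []
        # Authorization always includes authentication.
        if (policy.authentication or policy.authorization) and not link.authenticated:
            steps.append("authenticate")
        if policy.encryption and not link.encrypted:
            steps.append("encrypt")
        if steps:
            return "pending", steps     # to be enforced by the link manager over HCI
        # A device missing from the device database is unknown, hence untrusted.
        trusted = self.device_db.get(link.bd_addr, "untrusted") == "trusted"
        if policy.authorization and not trusted:
            return "refuse", ["device not trusted"]
        return "permit", []

# Constructed sample databases covering the three service security levels.
SERVICES = {
    "dial-up": ServicePolicy(authorization=True, authentication=True, encryption=True),
    "file-transfer": ServicePolicy(authorization=False, authentication=True, encryption=False),
    "business-card": ServicePolicy(authorization=False, authentication=False, encryption=False),
}
DEVICES = {"00:11:22:33:44:55": "trusted", "66:77:88:99:AA:BB": "untrusted"}
```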


CONCLUSIONS
We have now examined Bluetooth in general and some of the Bluetooth security
mechanisms. As was seen, Bluetooth's security seems to be adequate only for
small ad hoc networks, such as a network of the participants in a meeting.
Connecting a Personal Digital Assistant (PDA) to a mobile phone using Bluetooth
may also be secure enough, but is Bluetooth secure enough for larger networks,
money transfers and transferring other sensitive information?

In the light of this study, it seems that the security of Bluetooth is still not
suitable for any serious, security-sensitive work; more sophisticated security
methods may be implemented. The Bluetooth security scheme is reasonably
useful for applications with lower security requirements. Based on the original
design goal of cable replacement, Bluetooth is more suitable for short-range and
small-size wireless personal area networks than for connecting with outside public
networks.


BIBLIOGRAPHY

[1] Jun-Zhao Sun, Douglas Howie, Antti Koivisto, and Jaakko Sauvola,
Design, Implementation, And Evaluation Of Bluetooth Security,
[referred 2002-01-07]

[2] Marjaana Traskback, Security of Bluetooth: An overview of Bluetooth
Security, Department of Electrical and Communications Engineering,
Mtraskba@cc.hut.fi
<http://www.cs.hut.fi/opinnot/Tik-86.174/Bluetooth_security.pdf>

[3] Nikhil Anand, An overview of Bluetooth Security, [referred 2003-3-19]
<http://www.giac.org/practical/gsec/Nikhil_Anand_GSEC.pdf>


INDEX

ACL Asynchronous Connectionless
ACO Authenticated Ciphering Offset
AU_RAND Authorized Random Number
BD_ADDR Bluetooth Device Address
CA Certification Authority
CDC Certification Distribution Center
COF Ciphering Offset Number
EN_RAND Encryption Random Number
HCI Host Controller Interface
LM Link Manager
LMP Link Manager Protocol
L2CAP Logical Link Control and Adaptation Protocol
PDA Personal Digital Assistant
PIN Personal Identification Number
SCO Synchronous Connection-Oriented
