
BLUETOOTH SECURITY

Praneet Sharma Student ID: S3701201

A Minor Thesis Report Submitted in Partial Fulfillment of the Requirements for the

Award of the Degree of

MASTER OF SCIENCE IN COMPUTER SCIENCE

Thesis Supervisor Dr Xun Yi

School of Communication and Mathematics, Victoria University of Technology

November 2006

Acknowledgements

I am immensely pleased to express my profound gratitude to my thesis supervisor Dr Xun Yi for his support and constant guidance throughout my research on the minor thesis. I will remain ever grateful to him for his constructive criticism in the preparation of the manuscript and for bringing it into its final shape. I am also thankful to the staff of the Department of Computer Science and Mathematics of Victoria University for providing me access to the resources to develop this manuscript.

ABSTRACT

Bluetooth is a way of connecting electronic devices without cables or any physical medium. Because Bluetooth technology uses radio waves to transfer information, it is very susceptible to attacks. In the present world of computerization and communication this technology has become a part of our day-to-day life, and its applications include mobile telephones, PDAs, laptops and other electronic gadgets. This document mainly deals with the security of Bluetooth technology; in particular, this thesis focuses on the low-level security aspects of Bluetooth. We have tried to cover almost all the security features in this thesis, but due to certain limitations only a few are discussed in detail. The technology is introduced with the strong and weak points of the specifications, the security architecture is discussed, and many of the recently discovered attacks are also covered.

As part of the Bluetooth security mechanism, encryption, authentication and key management are elaborated with emphasis on stream ciphers; the working of the E0 stream cipher is discussed in detail. A detailed discussion of the recent attacks on the E0 stream cipher is given, including a thorough discussion of the most recent fast correlation attack, guess-and-determine attack, fast algebraic attack and others. A few attacks are caused by manufacturers through faulty implementation of the specification; these kinds of attacks are only overviewed. In the penultimate chapter we discuss the effect of all kinds of cipher attacks on the Bluetooth security mechanism, specifically the Bluetooth encryption process. The thesis ends with a conclusion made on the basis of the analysis of the potential attacks on the E0 stream cipher, and with a discussion of preventive security measures.

TABLE OF CONTENTS

1. INTRODUCTION ...... 6
Motivation ...... 6
1.1 Introduction To Bluetooth Technology ...... 6
1.2 Bluetooth Protocol Stack ...... 7
1.3 What Is Security? ...... 11
1.4 Bluetooth Security Issues ...... 13
1.5 Weaknesses In Security Procedures ...... 15
2. BLUETOOTH SECURITY ARCHITECTURE ...... 17
2.1 Bluetooth Security Architecture ...... 17
2.1.1 Authentication ...... 18
2.1.2 LMP-Authentication ...... 19
2.1.3 Authorization ...... 20
2.1.4 Encryption ...... 21
2.1.5 Implementation ...... 23
2.2 Key Management ...... 24
2.2.1 Key Database ...... 24
2.2.2 Corrupted Database ...... 25
2.3 Service Security Levels ...... 25
2.4 Stream Ciphers ...... 26
2.4.1 E0 Stream Cipher ...... 27
2.4.2 Working Of The E0 Stream Cipher Algorithm ...... 27
3. BLUETOOTH STREAM CIPHERS ATTACKS ...... 34
3.1 Divide-and-conquer, Correlation attack, Hermelin and Nyberg ...... 35
3.2 Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson ...... 36
3.3 Faster correlation attack, Y. Lu and S. Vaudenay ...... 40
3.4 Guess-and-determine attack, M. O. Saarinen ...... 40
3.5 Guess-and-determine attack, S.R. Fluhrer and S. Lucks ...... 41
3.6 Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel ...... 42
3.7 FBDD-attack, M. Krause ...... 42
3.8 Algebraic attack, F. Armknecht ...... 43
3.9 Fast Algebraic attack, N. Courtois and F. Armknecht ...... 47
4. HOW DO STREAM CIPHER ATTACKS AFFECT BLUETOOTH SECURITY ...... 48
4.1 Encryption Revisited ...... 48
4.2 Problems with Encryption ...... 49
4.3 Affect Of Divide-and-conquer, Correlation attack ...... 49
4.4 Affect Of Faster Correlation Attack ...... 50
4.5 Affect Of Guess-And-Determine Attack ...... 51
4.6 Affect Of Algebraic Attack ...... 51
5. CONCLUSION ...... 53
5.1 Analysis And Conclusion ...... 53
References ...... 55

Chapter 1

1. INTRODUCTION

Motivation: There are a number of possible attacks on Bluetooth technology. We found that most of the attacks are caused by faulty implementation of a particular protocol, and we give an overview of all these kinds of attacks. But the main focus of this minor thesis is finding out and discussing the “attacks on certain cryptographic algorithms used”.

1.1 Introduction To Bluetooth Technology

Bluetooth is a wireless technology that provides short-range wireless connectivity between similar kinds of devices. But where does the name come from? Harald I Bluetooth (Danish: Harald Blåtand) was the king of Denmark between 940 and 985 AD, and the wireless technology is believed to be named after the great king. Old Harald Bluetooth united Denmark and Norway; Bluetooth today unites the worlds of computers and telecom, which suggests that the name is suitable. The sole motive for developing this technology is to let users connect a range of computing and telecommunication devices in an easy and simple way without a mesh of cables. It delivers opportunities for rapid ad hoc connections and will virtually eliminate the need to purchase additional or proprietary cabling to connect individual devices. [14]

In 1994 Ericsson Mobile Communications initiated a study to investigate the feasibility of a low-power, low-cost radio interface between phones and their accessories. Later, in February 1998, five companies (Ericsson, Nokia, IBM, Toshiba and Intel) formed a Special Interest Group (SIG). The group contained the necessary business-sector members: two market leaders in mobile telephony, two market leaders in laptop computing and a market leader in digital signal processing technology. By the end of December 1999, 3Com, Microsoft and Motorola had joined the promoter group (the companies willing to spend money to hype the standard), and around 1200 other companies had joined the SIG. At present the SIG is composed of over 6,000 members who are leaders in the telecommunications, computing, automotive, music, apparel, industrial automation and network industries, together with a small group of dedicated staff in Hong Kong, Sweden and the USA.

Bluetooth is a wireless protocol that requires less bandwidth and a shorter transmission range than typical wireless LAN applications. Bluetooth operates in the same crowded 2.4 GHz ISM (Industrial, Scientific and Medical) licence-free frequency band as Wi-Fi networks, cordless phones and many emergency service communication systems. Transmission is at low energy, hopping 1600 times per second between 79 one-MHz sub-bands of the permitted frequency band. It uses an adaptive frequency hopping algorithm to avoid service interruption due to other equipment using the same frequencies, and also to avoid interfering with other equipment. However, this hopping does not add any security to the Bluetooth link, because the hopping sequence is broadcast in clear during the initial connection procedure.

Bluetooth devices can have a variable signal range. The output power of normal Bluetooth devices is 1 milliwatt, giving coverage of only 10 meters; 100 milliwatt devices with a range of up to 100 meters are permitted for applications such as home networks.

1.2 Bluetooth Protocol Stack

The architecture used for Bluetooth consists of Bluetooth-specific protocols combined with adopted protocols such as WAP, WAE, TCP/UDP/IP, PPP, vCard and IrMC. Bluetooth also supports cable replacement protocols such as RFCOMM and telephony adapter protocols such as AT commands. The reason for this mixed architecture of Bluetooth-specific and adopted protocols is that it allows integration of Bluetooth directly into existing application and transport protocols, without having to build up an entirely separate and parallel architecture. This also allows application-specific security controls to be implemented that are transparent to the lower-layer security controls (Data Link Layer) at which Bluetooth operates.

Figure 1.1 Bluetooth Protocol Stack [21]

According to the Bluetooth SIG, the Bluetooth protocol stack can be divided into four layers according to their purpose. The protocols belonging to each layer are listed in the table below.

Protocol layer               Protocols in the stack
Bluetooth Core Protocols     Baseband, LMP, L2CAP, SDP
Cable Replacement Protocol   RFCOMM
Telephony Control Protocols  TCS Binary, AT-commands
Adopted Protocols            PPP, UDP/TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE

Table 1.1 Layer structure of Bluetooth Protocol Stack

[Figure 1.1 diagram: the labels present are Bluetooth Radio, Baseband, LMP, Host Controller Interface, L2CAP, Audio, SDP, RFCOMM, TCS BIN, AT-Commands, PPP, IP, UDP, TCP, OBEX, WAP, WAE and vCard/vCal.]

As shown in Figure 1.1, in addition to the protocol layers there is the Host Controller Interface (HCI), which provides a command interface to the baseband controller.

The Bluetooth core protocols include exclusively Bluetooth-specific protocols developed by the Bluetooth SIG. The Bluetooth core protocols, including the Bluetooth radio, are required by most Bluetooth devices, while the other protocols are used as required. The cable replacement layer and the telephony control layer, together with the adopted protocol layer, form application-oriented protocols that enable applications to run over the Bluetooth core protocols. As stated earlier, the Bluetooth specification is open, and additional protocols (e.g., HTTP, FTP, etc.) can be accommodated in an interoperable fashion on top of the Bluetooth-specific transport protocols or on top of the application-oriented protocols shown in Figure 1.1.

1.2.1 Baseband

As can be seen in the protocol stack shown above, the baseband and link control layer enables the physical RF link between Bluetooth units forming a piconet. As mentioned earlier, the Bluetooth RF system uses a frequency-hopping spread-spectrum system in which packets are transmitted in defined time slots on defined frequencies; this layer uses inquiry and paging procedures to synchronize the transmission hopping frequency and clock of different Bluetooth devices.

It provides two different kinds of physical links with their corresponding baseband packets, Synchronous Connection-Oriented (SCO) and Asynchronous Connectionless (ACL), which can be transmitted in a multiplexed manner on the same RF link. ACL packets are used for data only, while SCO packets can contain audio only or a combination of audio and data. All audio and data packets can be provided with different levels of FEC or CRC error correction and can be encrypted. Furthermore, the different data types, including link management and control messages, are each allocated a special channel. The baseband packet format is shown below.

Access code (72 bits) | Packet header (54 bits) | Payload (0-2754 bits)

Figure 1.2 Baseband Packet Format [22]

1.2.2 Link Manager Protocol

The Link Manager Protocol is responsible for link set-up between Bluetooth devices. This includes security aspects such as authentication and encryption, by generating, exchanging and checking link and encryption keys, as well as the control and negotiation of baseband packet sizes.

1.2.3 Logical Link Control and Adaptation Protocol

This protocol adapts upper-layer protocols over the baseband. According to the specification it works in parallel with LMP, the difference being that L2CAP provides services to the upper layer, while payload data is never carried in LMP messages. This protocol provides connection-oriented and connectionless data services to the upper-layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. In addition, it permits higher-level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the baseband protocol provides the SCO and ACL link types, L2CAP is defined only for ACL links, and no support for SCO links is specified in Bluetooth Specification 1.0.


1.2.4 Service Discovery Protocol (SDP)

Discovery of services is a crucial part of every Bluetooth framework. These services provide the basis for all the usage models. Using SDP, device information, services and the characteristics of the services can be queried, and after that a connection between two or more Bluetooth devices can be established.

1.3 What Is Security?

To define the notion of security, it is necessary to introduce a third party that has access to all public information and tries to derive private secret information. Such a third party is denoted as an attacker or cryptanalyst. The notion of security can then be defined as: "A system is secure if an attacker is unable to derive the private secret information".

It is not possible to break a perfectly secure encryption scheme, and such schemes do exist. However, a perfectly secure scheme needs a key with length no smaller than the entropy of the message that is to be encrypted, and this key may never be reused. If the key is smaller than the entropy of the message, there will always be a correlation between the input and output. An example of a perfectly secure encryption scheme is the one-time pad or Vernam cipher.

1.3.1 Wireless Security

Risks are inherent to any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; others are new. Perhaps the most significant source of risk in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.

Specific threats and vulnerabilities to wireless networks and handheld devices include the following:

- All vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to a (company’s) computer network through wireless connections, bypassing any firewall protections, for example by using special long-distance antennas that can connect to internal private unprotected or weakly protected wireless access points.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed. Several applications exist to "sniff" all the data that is transmitted wirelessly in some area and recover encrypted passwords.
- DoS attacks may be directed at wireless connections or devices. Such a denial-of-service attack can take down the functionality of devices, that is, make them unstable, make them lose data, make them consume a lot of power (drain batteries), or it can be used as a method to make other attacks possible.
- Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks. Since wireless connections may allow invisible (or less visible) connections, masquerading and legitimation can be easier.
- Sensitive data may be corrupted during improper synchronization, for example by "sniffing" and inserting or disturbing wireless data connections.
- Malicious entities may be able to violate the privacy of legitimate users and track their movements. Since data connections need identification, this identification can be tracked easily on most wireless networks.
- Malicious entities may deploy unauthorized equipment (e.g. client devices and access points) to surreptitiously gain access to sensitive information. A well-known example of this attack is the so-called "Evil Twin", a fake clone of a wireless hotspot managed by hackers to intercept sensitive data.
- Handheld devices are easily stolen and can reveal sensitive information.
- Data may be extracted without detection from improperly configured devices.
- Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced to a wired network connection.
- Malicious entities may, through wireless connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
- Intruders, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
- Malicious entities may use third-party, suspicious wireless network services to gain access to an agency’s or other organization’s network resources.
- Internal attacks may be possible via ad hoc transmissions.

It should be clear that maintaining secure wireless networks is a process that requires greater effort than that required for other networks and systems. It is much harder to obtain a certain guarantee of security within the deployment of wireless networks. Routine security tests, assessments and evaluations of the system security are important. The National Institute of Standards and Technology (NIST) recommends that agencies not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations and continuity of essential operations. [23]

1.4 Bluetooth Security Issues

The security requirement of a Bluetooth application depends upon the sensitivity of the information involved, the current market trends and the needs of the application user. Some applications do not require any security, while others require an extremely high level of security. But before we start developing any application it is required to conduct sufficient trade studies and analysis of the risk involved.

According to the SIG (Special Interest Group), a Bluetooth wireless technology system contains a set of profiles. A profile defines a selection of messages and procedures (generally termed capabilities) from the Bluetooth specifications. This gives an unambiguous description of the air interface for specified services and use cases. Working groups within the Bluetooth SIG define these profiles.

Security can be defined in terms of four basic elements: availability, access, integrity and confidentiality. The current Bluetooth specification defines security at the link level; application-level security is not specified.

In the present scenario there are a few general shortcomings in the Bluetooth security concept, and on the basis of those shortcomings the Bluetooth SIG issued two general recommendations:

1. Avoid the use of unit keys and use combination keys instead.

2. Perform bonding in an environment that is as secure as possible against eavesdroppers, and use long random passkeys.

1.4.1 Reported attacks on Bluetooth devices:

Bluejacking: in this technique the Bluetooth pairing protocol is abused and is used to pass a message during the initial handshake phase. In this phase the name of the initiator is displayed on the target device, so the bluejacker can send some funny messages unnoticed; and if the pairing goes through to the end, the bluejacker can then intrude on the target’s device, become a trusted device and possibly gain access to the target’s data.

Bluesnarfing: this is the process of ‘snarfing’, in which an attacker can gain access to important portions of the data stored on the phone, including the phone book, calendar, business card and IMEI (International Mobile Equipment Identity). This flaw is due to a mistake in the implementation of the OBEX profile, where authentication has been omitted.

Bluebug: this is similar to bluesnarfing; it is based on the serial profile, and this enables the use of most AT commands, giving the attacker full access to the resources shared by the device over serial. For example, a mobile phone can be used to make phone calls using the AT command set, or a laptop computer could have your PDA’s data stolen onto an empty PDA owned by the attacker. [19]

1.4.2 Bluetooth worms and viruses:

As with computers, there is a risk of worms and viruses on Bluetooth devices. One such worm is the Cabir worm, which tries to get paired with any other device in the vicinity; once paired, it installs itself on the paired device and tries to repeat the same procedure with other devices, and the worm drains the battery by scanning for enabled Bluetooth devices.

1.5 Weaknesses In Security Procedures

Encryption not necessary:
Irrespective of the security mode, encryption of the data transmitted is optional. It has to be explicitly requested by the application.

Insecure default settings:
It is noticed that the default configuration settings of devices are often not secure; for example, security functions such as authentication and encryption are disabled and PINs are set to “0000”. In devices such as headsets it is almost impossible to alter the preconfigured settings.

Weak PINs can be guessed:
If a weak PIN is used during device pairing, an attacker can guess the PIN and use it to calculate the link key resulting from the pairing. To do this, the attacker only has to eavesdrop on the pairing and the subsequent authentication. Using transcripts of the intercepted protocols, the attacker can check whether he has correctly guessed the PIN. In this way it is possible to guess short or trivial PINs (e.g. "1234567890"). The fact that PINs are the only secret parameters behind link keys should be viewed as a serious security weakness. Experience shows that it is extremely difficult to break the practice, widespread among users, of choosing weak PINs.

Unit keys are not that secure:
When a device uses unit keys as link keys, the same key is used for every connection with that device. If an attacker succeeds in establishing a connection with this device, he is then in a position to impersonate that device or to intercept every communication made with it.

Weak protection of integrity:
A cyclic redundancy check (CRC), an encoding method used to identify transmission errors, is used to protect the integrity of the data. Although a CRC is highly likely to detect random errors during the transmission of data packets, it does not provide adequate protection against deliberate tampering with data packets.

Quality of the random number generator:
The Bluetooth standard does not specify any particular mechanism to be used to generate random numbers. Experience suggests that the quality of random number generators varies widely from manufacturer to manufacturer and from implementation to implementation. [16][18]
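The "weak protection of integrity" point above, that a CRC catches random transmission errors but not deliberate modification, can be shown directly in code. This is an added example, not part of the thesis: zlib's CRC-32 stands in for the 16-bit baseband CRC, a truncated HMAC-SHA256 stands in for a keyed integrity check, and the payload and key are constructed for the demonstration.

```python
import hashlib
import hmac
import random
import zlib

# Constructed sample data for the demonstration (not a real capture or key).
PAYLOAD = b"volume=30"
TAMPERED = b"volume=99"
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CRC_LEN, MAC_LEN = 4, 8


def crc_frame(payload: bytes) -> bytes:
    """Baseband-style frame: payload plus a CRC as the only integrity check.
    zlib's CRC-32 stands in for the 16-bit baseband CRC (an assumption here)."""
    return payload + zlib.crc32(payload).to_bytes(CRC_LEN, "big")


def crc_check(frame: bytes) -> bool:
    payload, tag = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(payload).to_bytes(CRC_LEN, "big") == tag


def mac_frame(key: bytes, payload: bytes) -> bytes:
    """Hardened form: a keyed MAC (truncated HMAC-SHA256) that only the two
    endpoints holding `key` can produce, so recomputing it needs the key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]


def mac_check(key: bytes, frame: bytes) -> bool:
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(expected, tag)


def flip_random_bit(frame: bytes, rng: random.Random) -> bytes:
    """Simulate a random transmission error: one bit flipped anywhere in the frame."""
    pos = rng.randrange(len(frame) * 8)
    out = bytearray(frame)
    out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def demo() -> dict:
    """Random error versus deliberate substitution, against a CRC and against a keyed MAC."""
    rng = random.Random(2006)   # fixed seed so the run is reproducible
    r = {}
    crc = crc_frame(PAYLOAD)
    r["crc_intact"] = crc_check(crc)
    # Any single-bit error is caught by a CRC: this is what a CRC is designed for.
    r["crc_random_error_detected"] = not crc_check(flip_random_bit(crc, rng))
    # Deliberate change: substitute the payload and recompute the CRC. No secret is
    # involved, so the receiver's check passes and the modification goes unnoticed.
    r["crc_tamper_detected"] = not crc_check(crc_frame(TAMPERED))
    mac = mac_frame(MAC_KEY, PAYLOAD)
    r["mac_intact"] = mac_check(MAC_KEY, mac)
    r["mac_random_error_detected"] = not mac_check(MAC_KEY, flip_random_bit(mac, rng))
    # Without the key, a modifier can only reuse the old tag or compute a tag under
    # a wrong key; the receiver rejects both.
    reused_tag = TAMPERED + mac[-MAC_LEN:]
    wrong_key = mac_frame(bytes(16), TAMPERED)
    r["mac_tamper_detected"] = (not mac_check(MAC_KEY, reused_tag)
                                and not mac_check(MAC_KEY, wrong_key))
    return r
```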

Chapter 2

2. BLUETOOTH SECURITY ARCHITECTURE

2.1 Bluetooth Security Architecture

The way the Bluetooth radio system is used in mobile devices and the type of data carried on these devices make security an extremely important factor. While most wireless systems claim that being a spread-spectrum radio provides security, the volumes projected for Bluetooth radios eliminate this barrier. As such, link-layer and application-layer security are part of the basic Bluetooth radio requirements. At the link layer, the Bluetooth radio system provides authentication, encryption and management of the various keys involved.

The Bluetooth device address is the first and most important unique parameter; it is a unique 48-bit address of a Bluetooth device, represented at the user interface level as 12 hexadecimal characters. Another parameter is the Bluetooth device user name, a user-friendly name that can be chosen by the device owner. It can be up to 248 bytes long, although a generic device is not expected to handle names longer than 40 characters, and most devices have limited capabilities and may handle only up to 20 characters. Among all the parameters used in the Bluetooth security architecture, the Bluetooth passkey (PIN) is the most important from a security perspective: it is used to authenticate two Bluetooth devices that have never exchanged link keys before. An important feature of this parameter is that it has different representations at different levels. The Bluetooth device class is another parameter, used to identify the type of device and the services supported by the device. [20]

2.1.1 Authentication

Like other wireless technologies, Bluetooth uses an authentication mechanism based on a secret key known as the link key. In previous versions of the technology only unit keys were used, but to make the authentication procedure more secure, combination keys are now widely used. A combination key is specific to a pair of devices, whereas a device has a single unit key for all its connections. There are two ways of generating link keys: either dynamically or through a process called pairing. When a device is configured to generate link keys dynamically, it requires the user to enter the passkey each time a connection is established. Pairing, on the other hand, generates a long-term, stored link key that allows the simple automated connections that are the hallmark of the Bluetooth specification. In order to pair two devices, the user sets both devices in pairing mode and then enters a shared passkey. This passkey is used to generate an initialization key, which is based on the Bluetooth addresses of the devices, a random number and the passkey. The initialization key is then used to authenticate each device as well as in the creation of the link key. Finally, the link key is stored locally on each device for future authentication. After the pairing process has completed, the devices will automatically and transparently authenticate and encrypt the link.

Bluetooth authentication is based on a challenge-response process and can be either unidirectional or mutual. The authentication process uses the E1 algorithm, which is based on the SAFER+ block cipher. Communication between two devices starts when the first device sends its 48-bit address (BD_ADDR) to the second device. The second device then sends a 128-bit random-number challenge to the first device. Both devices now compute an authentication response, which is a function of algorithm E1 based on the first device’s address, the random-number challenge issued by the second device, and the previously established link key. The first device transmits its authentication response, and the second device compares it with its own calculation. If the two agree, the device is authenticated; if the authentication response does not match, the connection is refused. Once the authentication process has completed, the second device generates a new random number for its next authentication session. [17][13]

2.1.2 LMP-Authentication

LMP-Pairing is a procedure that authenticates two devices, based on a PIN, and

subsequently creates a common link key that is used as the basis for a trusted relationship

or a secure connection. This procedure consists of the steps, LMP-authentication is based

on the initialization key and creation of the common link key.

Figure 2.1 LMP-Pairing Procedure

LMP-authentication is a procedure for verifying the identity of a remote device. The procedure is based on a challenge-response mechanism using a random number, a secret key and the BD_ADDR of the non-initiating device. The secret key can be a previously exchanged link key or an initialization key created from a PIN, as used in the pairing procedure. [15][13]

[Figure 2.2: message flow between the Verifier (Initiator) and the Claimant, both holding the secret key: Init_Authentication; the verifier generates the random number and sends lmp_au_rand; both sides calculate the challenge and the response; the claimant returns lmp_sres; the verifier compares and reports the result.]

Figure 2.2 LMP-Authentication Procedure

2.1.3 Authorization

Authorisation is the process by which a Bluetooth device determines whether another device is allowed access to a particular service. Authorisation incorporates two important Bluetooth security concepts: trust relationships and service security levels. Authorisation depends on authentication, as the authentication process establishes the device identity that is used to determine access. The Bluetooth specification allows three different levels of trust between devices: trusted, untrusted and unknown. If device A has a trusted relationship with device B, then device B is allowed unrestricted access to device A. If device B is untrusted, then device B has been previously authenticated, but its access to services on device A is restricted by service security levels. An unknown device that has not been authenticated is considered untrusted.

Service security levels control access to a device's services on a per-service basis. The first security service level requires both authentication and authorisation in order to grant access to a service. In other words, the identity of the requesting device has to be confirmed and the requesting device has to be granted specific permission to access the service. The second level of service security requires authentication only. At this security level, the identity of the requesting device need only be judged genuine in order to be granted access to the service. The third level requires encryption only. At this level, access to the service is granted to any device that is encrypting its communications. The last level is open to all devices. An example of a use for this security level would be a user who wants to grant unrestricted access to a business card stored on the device while restricting access to other, more sensitive services.

2.1.4 Encryption

Bluetooth strives to maintain confidentiality by offering a 128-bit encryption service. By encrypting its transmissions, a Bluetooth device ensures that only a recipient with the proper decryption key can view the data. Bluetooth's encryption uses an algorithm called E0. A device's encryption key is based on its link key. This simplifies the key generation process, as both the sender and the receiver already share secret information on which to key their encryption. Bluetooth's encryption service has three different modes. In mode 1, no encryption is performed. In mode 2, communication with individual devices is encrypted, but broadcast traffic is not. In mode 3, all communications are encrypted. In addition to reducing interference, Bluetooth's limited range and spread-spectrum frequency hopping help to ensure confidentiality by reducing the possibility of eavesdropping. The use of fast frequency hopping, at 1600 hops per second over 79 different channels, represents an important barrier to interception. Since the transmitter only dwells on a specific frequency for 625 microseconds, it is difficult even to detect the presence of a Bluetooth device unless it is in the process of actively paging another device.

Key generation overview: the encryption key is derived from the authentication key and is used for enciphering the data for transmission. This increases the lifetime of the authentication key. The authentication key is also referred to as the link key, to emphasize the importance of this key to a specific Bluetooth link. The authentication procedure requires that both end devices of a link know the present link key. Since the link keys are to be kept secret, they cannot be obtained through any inquiry routines. An initialisation phase has to be carried out separately for each pair of units that want to implement authentication and encryption. The steps in initialization are as follows:

1. Generate an initialisation key, Kinit, and use it as the link key. This key is derived from three entities: the device address, a random number issued by the verifier and a PIN code. The PIN can be a fixed number provided with the Bluetooth unit (for example, for devices with no user interface). Alternatively, the PIN can be selected arbitrarily by the user and then entered in both units that have to be matched.

2. Authentication of the devices to each other using Kinit. The entity authentication uses a challenge-response scheme in which the claimant's knowledge of the secret key is checked using symmetric secret keys.

3. Generation of a link key K.

4. Once the initial authentication is over, the devices decide on a new link key for the future. Each device has a unit key, denoted by Ka, which is generated when that device is in operation for the first time. The devices can therefore decide to use one of the unit keys as the link key in future, or derive a combination key, denoted Kab. Sometimes the same information needs to be distributed securely to several recipients, in which case the serving device decides on a single common link key for all links to the recipients. This key is known as the master key and is denoted Kmaster.

5. Exchange K securely using an encryption key derived from Kinit. The agreed-upon future link key is exchanged between the devices.

6. Generate a new encryption key based on K.

7. For transmitting data, a new encryption key is generated at each end based on the chosen K. A new encryption key is generated for every new session. [13]
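The pairing and authentication flow of steps 1 to 7 above, modelled end to end as an added example (not the thesis's or the Bluetooth SIG's code): the SAFER+-based functions E1, E21 and E22 are replaced by a labelled HMAC-SHA256 stand-in, the BD_ADDR values are constructed, and binding Kinit to the non-initiating device's address is a modelling choice.

```python
"""Model of the pairing and authentication exchange of sections 2.1.1-2.1.4.
Added educational example, not code from the thesis. The SAFER+ based
Bluetooth functions (E1, E21, E22) are replaced by a labelled HMAC-SHA256
stand-in, so the message flow is followed but the key derivation is NOT
the real Bluetooth algorithm."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for E21/E22 (assumption): 128-bit HMAC-SHA256 output."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]


def init_key(bd_addr: bytes, in_rand: bytes, pin: bytes) -> bytes:
    """Step 1: Kinit from a device address, the verifier's random number
    (IN_RAND) and the PIN. Both units compute it locally; only IN_RAND
    crosses the air, the PIN never does."""
    return prf(pin, bd_addr, in_rand)


def e1(link_key: bytes, claimant_addr: bytes, au_rand: bytes) -> Tuple[bytes, bytes]:
    """E1 stand-in: (SRES, ACO) from link key, claimant BD_ADDR and AU_RAND."""
    out = hmac.new(link_key, claimant_addr + au_rand, hashlib.sha256).digest()
    return out[:4], out[4:16]  # 32-bit SRES, 96-bit ACO


class Device:
    def __init__(self, bd_addr: bytes, pin: bytes) -> None:
        assert len(bd_addr) == 6, "BD_ADDR is 48 bits"
        self.bd_addr, self.pin = bd_addr, pin
        self.link_keys: Dict[bytes, bytes] = {}   # peer BD_ADDR -> link key
        self.aco: Optional[bytes] = None          # kept for later E3 use

    # Verifier side of LMP-authentication (Figure 2.2)
    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh 128-bit AU_RAND for every authentication

    def verify(self, claimant: bytes, au_rand: bytes, sres: bytes) -> bool:
        expected, aco = e1(self.link_keys[claimant], claimant, au_rand)
        if not hmac.compare_digest(expected, sres):
            return False  # mismatch: the connection is refused
        self.aco = aco
        return True

    # Claimant side of LMP-authentication
    def respond(self, verifier: bytes, au_rand: bytes) -> bytes:
        sres, self.aco = e1(self.link_keys[verifier], self.bd_addr, au_rand)
        return sres


def authenticate(verifier: Device, claimant: Device) -> bool:
    """One unidirectional challenge-response run; call twice for mutual."""
    au_rand = verifier.new_challenge()                   # lmp_au_rand
    sres = claimant.respond(verifier.bd_addr, au_rand)   # lmp_sres
    return verifier.verify(claimant.bd_addr, au_rand, sres)


def combination_key(rand_a: bytes, addr_a: bytes, rand_b: bytes, addr_b: bytes) -> bytes:
    """Kab = E21(rand_a, addr_a) XOR E21(rand_b, addr_b), with the E21 stand-in."""
    ka, kb = prf(rand_a, addr_a), prf(rand_b, addr_b)
    return bytes(x ^ y for x, y in zip(ka, kb))


def pair(a: Device, b: Device) -> bool:
    """LMP-pairing (Figure 2.1) initiated by a: Kinit, mutual authentication
    under Kinit, then a combination key Kab exchanged under Kinit (step 5)."""
    in_rand = os.urandom(16)
    # Kinit is bound to the non-initiating device's address (modelling choice).
    a.link_keys[b.bd_addr] = init_key(b.bd_addr, in_rand, a.pin)
    b.link_keys[a.bd_addr] = init_key(b.bd_addr, in_rand, b.pin)
    if not (authenticate(a, b) and authenticate(b, a)):
        del a.link_keys[b.bd_addr], b.link_keys[a.bd_addr]  # wrong PIN: no trust
        return False
    # Each side sends a random contribution masked with Kinit; both derive Kab.
    rand_a, rand_b = os.urandom(16), os.urandom(16)
    k_init_a, k_init_b = a.link_keys[b.bd_addr], b.link_keys[a.bd_addr]
    to_b = bytes(x ^ y for x, y in zip(rand_a, k_init_a))   # sent over the air
    to_a = bytes(x ^ y for x, y in zip(rand_b, k_init_b))
    seen_by_b = bytes(x ^ y for x, y in zip(to_b, k_init_b))
    seen_by_a = bytes(x ^ y for x, y in zip(to_a, k_init_a))
    a.link_keys[b.bd_addr] = combination_key(rand_a, a.bd_addr, seen_by_a, b.bd_addr)
    b.link_keys[a.bd_addr] = combination_key(seen_by_b, a.bd_addr, rand_b, b.bd_addr)
    return True
```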

2.1.5 Implementation

Bluetooth security implementation is based on a challenge-response system using the passkey (PIN) as the secret key. The Security Manager (key unit) performs the following tasks:

- Stores security-related information for all services (Service Database);
- Stores security-related information for available devices in range (Device Database);
- Processes access requests by protocol implementations or applications (grants access or denies the connection);
- Enforces authentication and/or encryption before a connection can be established;
- Initiates and processes input from a device user (called the External Security Control Entity (ESCE), a human operating the device) to set up a trusted relationship;
- Initiates pairing and queries the PIN (PIN entry may be done by an ESCE or an application).

For connection-oriented L2CAP data (set up to connect to the next higher protocol or application) the security check is performed at the onset of the request, while for connectionless data packets the Security Manager checks the Service Database (for services that do not allow connectionless packets) to decide whether the packet will be allowed or denied.

Page 24: Thesis Report Bluetooth

24

2.2 Key Management

2.2.1 Key Database

To retrieve the correct key upon request from the host or unit, the semi-permanent link keys must be stored in a database. If we use a simple database as shown in the table, no information is given about the semi-permanent key type that is used (i.e. unit or combination). However, a key in the table might be a unit key. Since a unit key is not as secure as a combination key, we might want to enforce a more restricted security policy.

Device Address    Key
10FA487DE52       1B4D5698AE374FDE8390912463DFE3AB
047F6BB427EA      FE729425BC9A95D39132BDE275917823

Table 2.1: Example of Link Key Database

Now we show the information of the table with the type of the key (i.e. unit or combination). In addition, it is also good to add some redundancy to the database entries so that errors can be detected. [20]

The example table with the type-of-key information is (U = Unit Key, C = Combination Key):

Device Address    Key                               Key Type
10FA487DE52       1B4D5698AE374FDE8390912463DFE3AB  C
047F6BB427EA      FE729425BC9A95D39132BDE275917823  C
A5EE29667190      091827AD41D4E48D29CB8E82615D1849  U

Table 2.2: Link Key Database with Key Information

Page 25: Thesis Report Bluetooth

25

2.2.2 Corrupted Database

The link key database might for some reason become corrupted. The probability of a corrupted database depends on the type of storage medium and the storage protection mechanisms. If a stored device address is damaged, it might result in a key lookup error. If the corrupted key entry is detected when the unit is about to send an authentication (acting as verifier), the error can be handled internally by the unit. In this case, it should be possible for the user (if desired) to demand a new pairing, and the device will initiate a new pairing and derive a new link key.
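A link key database of the kind shown in Table 2.2, with the key-type field, CRC-32 redundancy for error detection and the corrupted-entry handling of 2.2.2, as an added example that is not code from the thesis; the CRC choice and the stricter unit-key policy in key_acceptable are illustrative assumptions, and the sample entries come from Table 2.2.

```python
"""Link key database with key-type tagging and redundancy (Table 2.2 and
section 2.2.2). Added example, not code from the thesis; the CRC-32
redundancy and the unit-key policy are illustrative choices."""
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNIT_KEY = "U"          # unit key: shared with every peer, hence weaker
COMBINATION_KEY = "C"   # combination key: unique to this pair of devices


def checksum(bd_addr: str, link_key: bytes, key_type: str) -> int:
    """Redundancy over the whole entry so a bit error in any field is caught."""
    return zlib.crc32(bytes.fromhex(bd_addr) + link_key + key_type.encode())


@dataclass
class LinkKeyEntry:
    bd_addr: str      # 48-bit device address as 12 hex digits
    link_key: bytes   # 128-bit semi-permanent link key
    key_type: str     # UNIT_KEY or COMBINATION_KEY
    crc: int          # stored redundancy

    def is_intact(self) -> bool:
        return self.crc == checksum(self.bd_addr, self.link_key, self.key_type)


class LinkKeyDatabase:
    def __init__(self) -> None:
        self._entries: Dict[str, LinkKeyEntry] = {}

    def store(self, bd_addr: str, link_key: bytes, key_type: str) -> None:
        bd_addr = bd_addr.upper()
        if len(bd_addr) != 12 or len(link_key) != 16:
            raise ValueError("BD_ADDR is 48 bits, link key is 128 bits")
        if key_type not in (UNIT_KEY, COMBINATION_KEY):
            raise ValueError("key type must be U or C")
        self._entries[bd_addr] = LinkKeyEntry(
            bd_addr, link_key, key_type, checksum(bd_addr, link_key, key_type))

    def lookup(self, bd_addr: str) -> Tuple[str, Optional[LinkKeyEntry]]:
        """Returns ('found', entry), ('unknown', None) or ('corrupted', None).
        A corrupted entry is dropped so the unit, acting as verifier, can
        handle the error internally by demanding a new pairing."""
        bd_addr = bd_addr.upper()
        entry = self._entries.get(bd_addr)
        if entry is None:
            return "unknown", None
        if not entry.is_intact():
            del self._entries[bd_addr]
            return "corrupted", None
        return "found", entry

    def flip_stored_bit(self, bd_addr: str, bit: int) -> None:
        """Constructed fault injection: simulate storage corruption of one key bit."""
        entry = self._entries[bd_addr.upper()]
        key = bytearray(entry.link_key)
        key[bit // 8] ^= 1 << (bit % 8)
        entry.link_key = bytes(key)


def key_acceptable(entry: LinkKeyEntry, needs_authorisation: bool) -> bool:
    """Example of a stricter policy for unit keys: a unit key may unlock
    services that require authentication only, never those that also
    require authorisation (illustrative policy, not from the specification)."""
    return entry.key_type == COMBINATION_KEY or not needs_authorisation


def example_database() -> LinkKeyDatabase:
    """The two full-length (12 hex digit) entries of Table 2.2."""
    db = LinkKeyDatabase()
    db.store("047F6BB427EA", bytes.fromhex("FE729425BC9A95D39132BDE275917823"), COMBINATION_KEY)
    db.store("A5EE29667190", bytes.fromhex("091827AD41D4E48D29CB8E82615D1849"), UNIT_KEY)
    return db
```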

2.3 Service Security Levels

Bluetooth specifications include authentication (uni- and bi-directional) and encryption services at the link level using the Link Manager Protocol (LMP). Authentication between a pair of devices is based on a secret link key that is generated by a pairing procedure when the two devices communicate for the first time.

There are three security modes defined:

1. Security Mode 1 (non-secure): No security procedures are performed.
2. Security Mode 2 (service level security): Security procedures are initiated after a channel establishment request has been received at the L2CAP level. Whether a security procedure is initiated or not depends on the service type. Service (or application) level security implementation allows different access policies for different applications which may run in parallel.
3. Security Mode 3 (link level security): Security procedures are performed and authenticated at the LMP level before a channel is created for communication. A Bluetooth device in security mode 3 may reject a host connection request based on host settings.

Services are also classified as:

(1) Services that are open to all devices
(2) Services that require authentication only
(3) Services that require both authentication and authorization.

While automatic access is granted only to trusted devices, all other devices need manual authorization. A link may be changed to encrypted mode if required by the service or application.

2.4 Stream Ciphers

Stream ciphers are an important class of encryption algorithms. They encrypt individual characters (usually binary digits) of a plaintext message one at a time, using an encryption transformation which varies with time. By contrast, block ciphers tend to simultaneously encrypt groups of characters of a plaintext message using a fixed encryption transformation. Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. They are also more appropriate, and in some cases mandatory (for example, in some telecommunications applications when buffering is limited or when characters must be individually processed as they are received). Because they have limited or no error propagation, stream ciphers may also be advantageous in situations where transmission errors are highly probable. There is a vast body of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analysed. However, there are relatively few fully specified stream cipher algorithms in the open literature. This unfortunate state of affairs can partially be explained by the fact that most stream ciphers used in practice tend to be proprietary and confidential. By contrast, numerous concrete block cipher proposals have been published, some of which have been standardized or placed in the public domain. Nevertheless, because of their significant advantages, stream ciphers are widely used today, and one can expect increasingly many concrete proposals in the coming years.

2.4.1 E0 Stream Cipher

E0 is a so-called autonomous finite state machine. Loaded with an initial state, it moves to a new state and produces one single output bit of the key stream on every clock cycle.

The Bluetooth specification defines the stream cipher algorithm E0 to be used for point-to-point encryption of the packet payload; the access code and the packet headers are never encrypted. The E0 additive stream cipher was designed to give the wireless connections strong protection against eavesdropping. It is based on a direct design and uses a Bluetooth-proprietary algorithm that is inspired by Massey and Rueppel's [27] summation combiner stream cipher. The core of E0 is built around four independent linear feedback shift registers (LFSRs) and a finite state machine (FSM) as the combining circuitry.

Studies show that the E0 stream cipher is weaker than was supposed at its design. However, the frequent rekeying in Bluetooth and the rather short generated key streams keep the system safe from most of the attacks.

2.4.2 Working Of The E0 Stream Cipher Algorithm

In the E0 stream cipher algorithm, key stream bits are bit-wise modulo-2 (XOR) added to the data stream to be sent over the air interface. All units in the piconet must be able to read the packet header to see whether the message is for them or not. Therefore it is only the payload of each packet that is ciphered, separately for each packet, by the cipher algorithm E0. The payload data is ciphered after the CRC bits are appended, but before the optional Forward Error Correction (FEC) encoding.

The E0 stream ciphering process consists of three parts (see Figure 2.3):

a) Initialization: payload key generation. The payload key generator combines the input bits in an appropriate order and shifts them into the four LFSRs of the key stream generator.
b) Main part: key stream bits generation.
c) Encryption and decryption.

FIGURE 2.3 Bluetooth encryption process

[Figure 2.3: block diagram with three stages: 1. Initialization (payload key generation), fed by EN_RAND, BD_ADDR, CLK and Kc, which transforms Kc to K'c and loads K'c, BD_ADDR and the 6-bit constant 111000; the key stream generator, producing the payload key Z; and encryption and decryption, XORing Z with the plain text to give the cipher text.]

The cipher algorithm E0 uses as input the 48 bits of the master Bluetooth device address (BD_ADDR), 26 bits of the master real-time clock, CLK, and an encryption key $K_C$. By using the 26 bits of the master clock, which toggles every 625 µs, and a reinitialization of the E0 algorithm after each (multi-)packet, frequent changes of the starting state of the key stream generator are assured, which is a key factor in the resistance to attacks. E0 generates a binary keystream $K_{cipher}$ which is modulo-2 (XOR) added to the data to be encrypted. The cipher is symmetric; decryption is performed in exactly the same way using the same key as used for encryption.

The private encryption key ($K_C$) is derived by algorithm E3 from the current link key, a 96-bit Ciphering Offset number (COF), and a 128-bit random number EN_RAND. COF is set to the concatenation of the master BD_ADDR if the current link key is a master key. Otherwise COF is set to the value of the Authenticated Ciphering Offset (ACO) as computed during the authentication procedure.

$K_C = E_3(K_{master}, EN\_RAND, COF)$

The Bluetooth system is said to be a two-level operation. The first level consists of the initialization and the second level performs the actual keystream generation.

Within the first level, the initialization of the E0 algorithm, the encryption key $K_C$ is transformed to an intermediate constraint key $K'_C$:

$K'_C(x) = g_2^{(L)}(x)\,\bigl(K_C(x) \bmod g_1^{(L)}(x)\bigr)$

where $\deg(g_1^{(L)}(x)) = 8L$ and $\deg(g_2^{(L)}(x)) \le 128 - 8L$. The values for the polynomials $g_1^{(L)}$ and $g_2^{(L)}$ are collected in a table [28]. The maximum effective size of this key shall be factory preset and may be set to any multiple of eight between one and sixteen (8-128 bits).

This constraint key $K'_C$ is used together with the BD_ADDR and the clock CLK to load the initial values of the four LFSRs (128 bits) and the four memory bits $c_0$ and $c_{-1}$. At the end of the first level, the generator generates 200 stream cipher bits, of which the last 128 bits are fed back into the key stream generator as the initial values of the four LFSRs of the second level. The values of the memory bits $c_0$ and $c_{-1}$ are kept as the initial values for the second level. Further details of the complex initialization and the premixing of the initially loaded key material can be found in the Bluetooth specification document. [28]

After the initialization steps of the first level and the initialization of the second level, a loop is started (steps 2 and 3 in Figure 2.3) until the maximum number of plaintext bits has been encrypted, after which the generator must be re-initialized to prevent various kinds of statistical analysis attacks.

The core of the E0 keystream generator consists of four Linear Feedback Shift Registers (LFSRs), with a key of at most 128 bits, and a 4-bit finite state machine, feeding a Summation Combiner Logic (combining circuitry).

Studies show that an LFSR on its own is not cryptographically secure, since it is linear. In [26] the use of memory in the combination generator was proposed to achieve nonlinearity in an LFSR system. The finite state machine is used in the Bluetooth system to introduce sufficient nonlinearity to make it difficult to recompute the initial state from observed key stream data.

LFSRs can be described by feedback polynomials. The feedback polynomials of the four LFSRs used within E0 are all primitive maximum-length polynomials. This ensures that the period of an LFSR of degree $n$ is $2^n - 1$. The smallest period of all the Bluetooth LFSRs together is the product of the four periods divided by 7:

$P = \frac{P_1 P_2 P_3 P_4}{7} = \frac{(2^{25}-1)(2^{31}-1)(2^{33}-1)(2^{39}-1)}{7} \approx 2^{125.2}$

The period is divided by 7 since $P_3$ and $P_4$ have 7 as their greatest common divisor. This entire period is never generated by the Bluetooth generator, since it is re-initialized after a maximum of 2745 bits. The total length of the registers is 128. The Hamming weight (the number of "1" bits in a binary sequence) of all the feedback polynomials is chosen to be five, a reasonable trade-off between reducing the number of required XOR gates in the hardware implementation and obtaining good statistical properties of the generated sequences.

LFSR    Degree   Feedback polynomial                      Output tap   Period length
LFSR1   25       $t^{25} + t^{20} + t^{12} + t^{8} + 1$   24           $2^{25} - 1$
LFSR2   31       $t^{31} + t^{24} + t^{16} + t^{12} + 1$  24           $2^{31} - 1$
LFSR3   33       $t^{33} + t^{28} + t^{24} + t^{4} + 1$   32           $2^{33} - 1$
LFSR4   39       $t^{39} + t^{36} + t^{28} + t^{4} + 1$   32           $2^{39} - 1$

TABLE 2.3. Feedback polynomials of the four LFSRs

The polynomials are in fact maximum-length windmill polynomials [30]. This can be exploited in a hardware or software realization of the LFSR. The windmill polynomials have the property that one can construct a linear sequential machine that, provided it is correctly initialized, generates on each clock cycle four consecutive symbols of the sequence that the normal LFSR would generate.

For each output bit, each LFSR is clocked once, and the outputs of all four LFSRs and the output of the finite state machine are exclusive-or'ed together to form the keystream output. In addition, the four LFSR outputs are summed together to form a 3-bit value. The upper 2 bits of that sum are used to update the state of the finite state machine (FSM). The least significant bit (LSB) of the sum of the four LFSR outputs is their bit-wise XOR.

During the encryption loop, the following steps are walked through:

a) Output $x_t$ for the four LFSRs.
b) Calculate the keystream bit $z_t = f_0(x_t, c_t)$.
c) Calculate the encrypted message bit $e_t = z_t \oplus m_t$, where $m_t$ is the corresponding message bit.
d) Calculate $S_{t+1} = f_1(x_t, c_t)$.
e) Calculate the next FSM state $c_{t+1} = T(S_{t+1}, c_t)$.
f) Put the memory bits $c_t = c_{t+1}$ of the FSM.

During decryption, the same loop is walked through, but in the third step the calculation is $m_t = z_t \oplus e_t$, where $e_t$ is the corresponding received encrypted bit.

The combination generator process is represented in Figure 2.4, where the boxes labelled $z^{-1}$ denote delay elements holding two bits each and the small numbers under the nodes indicate the number of bits passing.

FIGURE 2.4. The E0 keystream generator [29]

The function $f_0$, called the summation combiner, produces an output sequence of 200 bits $z_1, z_2, \ldots$, where $z_t \in GF(2)$. It computes each $z_t$ as the modulo-two sum of the $x_t$ vector and the first bit $c^0_t$ of the current contents of the memory. $x^i_t$ denotes the output from LFSR$_i$ at time $t$. The output from each LFSR is taken from the shift register tap given in Table 2.3.

$z_t = f_0(x_t, c^0_t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus (c^0_t \bmod 2) \in \{0, 1\}$

The nonlinear function $f_1$ also takes the vector $x_t$ as input, but combined with the latest memory update vector $c_t$. $f_1$ has a 2-bit vector $S_{t+1}$ as output. It is nonlinear since integer addition is nonlinear in $GF(2)$:

$S_{t+1} = (S^1_{t+1}, S^0_{t+1}) = f_1(x_t, c_t) = \left\lfloor \frac{y_t + 2c^1_t + c^0_t}{2} \right\rfloor \in \{0, 1, 2, 3\}$

$y_t = x^1_t + x^2_t + x^3_t + x^4_t \in \{0, 1, 2, 3, 4\}$

The state of the FSM is determined by 4 bits, which are stored in a pair of 2-bit delay elements. At each time $t$, the lower delay element stores the previous value of the upper element, and we can therefore refer to these 2-bit values as $c_t$ and $c_{t-1}$ respectively. The function $T$ is used to mix these carry bits. It takes the 4 memory bits and $S_{t+1}$ as input and produces the 2-bit vector $c_{t+1}$ to be put in the memory. The new content $c_{t+1}$ of the upper delay element is computed as follows:

$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) = T(S_{t+1}, c_t, c_{t-1}) = T_0(S_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1})$

$c_{t+1}$ defines a linear infinite impulse response (IIR) filter that lowers the correlation factor, an important parameter in the correlation attack. $T_1$ and $T_2$ are two different linear bijections over $GF(4)$, $(x_1, x_0) \to (y_1, y_0)$, where $T_0 = T_1 : (x_1, x_0) \to (x_1, x_0)$ and $T_2 : (x_1, x_0) \to (x_0, x_1 \oplus x_0)$.

This concludes the description of the process within the E0 keystream generator.
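The level-2 keystream generator described above, built from the four LFSRs of Table 2.3 and the functions $f_0$, $f_1$ and $T$, as an added example that is not code from the thesis or the Bluetooth specification; the register bit-ordering convention and the constructed initial register states (standing in for the level-1 initialization) are assumptions, and the output is not checked against specification test vectors.

```python
"""Model of the E0 level-2 keystream generator: the four LFSRs of Table 2.3
and the summation combiner FSM (f0, f1, T) of section 2.4.2. Added
educational example, not code from the thesis or the Bluetooth SIG. The
register bit-ordering convention is an assumption and the code is not
checked against specification test vectors; the level-1 initialization
(K'c, BD_ADDR, CLK premixing) is replaced by constructed register states."""
import random
from typing import List, Sequence, Tuple

# Table 2.3: (degree, feedback taps = polynomial exponents below the degree, output tap)
LFSR_SPECS = (
    (25, (0, 8, 12, 20), 24),
    (31, (0, 12, 16, 24), 24),
    (33, (0, 4, 24, 28), 32),
    (39, (0, 4, 28, 36), 32),
)


class Lfsr:
    """Fibonacci LFSR. Assumed convention: index 0 holds the oldest bit and
    the feedback bit (the t^degree term) enters at index degree-1."""

    def __init__(self, degree: int, taps: Sequence[int], out_tap: int, state: Sequence[int]) -> None:
        assert len(state) == degree and all(b in (0, 1) for b in state)
        self.taps, self.out_tap = tuple(taps), out_tap
        self.state: List[int] = list(state)

    def clock(self) -> int:
        """Return the tap output x_t, then shift in the feedback bit."""
        out = self.state[self.out_tap]
        feedback = 0
        for t in self.taps:
            feedback ^= self.state[t]
        self.state = self.state[1:] + [feedback]
        return out


def t2(c: int) -> int:
    """T2: (x1, x0) -> (x0, x1 XOR x0) on a 2-bit value; T0 = T1 = identity."""
    x1, x0 = c >> 1, c & 1
    return (x0 << 1) | (x1 ^ x0)


def fsm_step(x: Sequence[int], c_t: int, c_tm1: int) -> Tuple[int, int]:
    """One combiner step. Returns (z_t, c_{t+1}) with
    z_t = x1 ^ x2 ^ x3 ^ x4 ^ c0_t, S_{t+1} = floor((y_t + 2c1_t + c0_t)/2),
    c_{t+1} = T0(S_{t+1}) ^ T1(c_t) ^ T2(c_{t-1})."""
    y_t = sum(x)                       # integer sum: the nonlinear part
    z_t = x[0] ^ x[1] ^ x[2] ^ x[3] ^ (c_t & 1)
    s_next = (y_t + c_t) >> 1          # c_t as an integer is 2*c1_t + c0_t
    c_next = s_next ^ c_t ^ t2(c_tm1)
    return z_t, c_next


class E0Keystream:
    """Level 2 of E0: steps a), b), d), e), f) of the encryption loop."""

    def __init__(self, states: Sequence[Sequence[int]], c0: int = 0, c_minus1: int = 0) -> None:
        self.lfsrs = [Lfsr(d, taps, tap, st) for (d, taps, tap), st in zip(LFSR_SPECS, states)]
        self.c_t, self.c_tm1 = c0, c_minus1

    def next_bit(self) -> int:
        x_t = [lfsr.clock() for lfsr in self.lfsrs]         # a) LFSR outputs
        z_t, c_next = fsm_step(x_t, self.c_t, self.c_tm1)  # b), d), e)
        self.c_tm1, self.c_t = self.c_t, c_next            # f) memory update
        return z_t

    def keystream(self, n: int) -> List[int]:
        return [self.next_bit() for _ in range(n)]


def xor_payload(payload: bytes, states: Sequence[Sequence[int]], c0: int = 0, c_minus1: int = 0) -> bytes:
    """Step c): XOR the keystream onto the payload, LSB of each byte first.
    Decryption is the same call with the same initial state."""
    gen = E0Keystream(states, c0, c_minus1)
    out = bytearray()
    for byte in payload:
        ks = 0
        for i in range(8):
            ks |= gen.next_bit() << i
        out.append(byte ^ ks)
    return bytes(out)


def constructed_states(seed: int = 0x5EED) -> List[List[int]]:
    """Constructed, non-secret register contents standing in for the
    128 bits that level-1 initialization would load (example only)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(degree)] for degree, _, _ in LFSR_SPECS]
```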

Chapter 3

3. BLUETOOTH STREAM CIPHER ATTACKS

We will be discussing different types of attacks possible on E0. The attacks are described in this section. Although it is difficult to discuss all the attacks in full detail within the scope of this minor thesis, we describe each type of attack. Some parts of the reviewed attacks are implemented alongside the E0 simulator, as a way to get a better understanding of the working of the attack.

For most attacks it is necessary to remodel the cipher in such a way that the nonlinear part is replaced with a sequence of random variables with some correlation probability. Most of the theoretical attacks on the Bluetooth E0 stream cipher require a far larger amount of consecutive keystream output than is available in a practical environment. By Kerckhoffs' principle, they assume that the keystream generator and some keystream bits $Z_t$ are known, and they try to recover the initial state of the LFSRs. [23]

Before we discuss attacks on the E0 stream cipher it is necessary to add a few definitions and terms which are used throughout the chapter. We shall consider the field $GF(2^n)$ as a linear space with a given fixed basis. $X_t$ denotes an $n$-dimensional vector in $GF(2^n)$:

$X_t = (X^1_t, X^2_t, \ldots, X^n_t)$

The inner product "$\cdot$" between two vectors $v = (v_1, v_2, \ldots, v_n)$ and $w = (w_1, w_2, \ldots, w_n)$ of the space $GF(2^n)$ is defined as:

$v \cdot w = v_1 w_1 \oplus v_2 w_2 \oplus \cdots \oplus v_n w_n$

The linear function $L_u(x)$ is then $L_u(x) = u \cdot x$, $u \in GF(2^n)$.

DEFINITION 1. We say a function $L: GF(2^n) \to GF(2^n)$ is linear if for any vectors $v$ and $w$ in $GF(2^n)$:

$L(v + w) = L(v) + L(w)$

and for any vector $v$ in $GF(2^n)$ and scalar $a$,

$L(av) = a\,L(v)$

An affine function is just a linear function plus a translation.

DEFINITION 2. We say a function $A: GF(2^m) \to GF(2^n)$ is affine if there is a linear function $L: GF(2^m) \to GF(2^n)$ and a vector $b$ in $GF(2^n)$ such that:

$A(x) = L(x) + b$

for all $x$ in $GF(2^m)$.

3.1 Divide-and-conquer, Correlation attack, Hermelin and Nyberg

In [26] Hermelin and Nyberg published a theoretical attack to recover the keystream generator's initial state with a time complexity of $O(2^{64})$ given $O(2^{64})$ known keystream bits (≈ 2,097,152 TB).

The attack is based on a weak linear correlation between the output of the LFSRs, $V_t = X^1_t \oplus X^2_t \oplus X^3_t \oplus X^4_t$, and the keystream output $Z_t$, used to verify the accuracy of a guess for one of the LFSRs. The sequence $V_t$ is generated by a fictive LFSR based on the product of the four feedback polynomials from the LFSRs in E0, that is, a feedback polynomial $G_t$ of degree 128, $G_t = f_1(t) f_2(t) f_3(t) f_4(t)$. If the attack is successful, the attacker discovers the initial state of this fictive LFSR, from which the initial state of the four original LFSRs of E0 can be computed by solving a set of linear equations in 128 unknown variables.

Hermelin and Nyberg discovered the following correlation in the Bluetooth E0 stream cipher:

$C(Z_t \oplus Z_{t-1} \oplus Z_{t-3},\; V_t \oplus V_{t-1} \oplus V_{t-3}) = -1/16$

where $V_t$ denotes the XORed output of the four LFSRs.

Since the attack of Ekdahl and Johansson is based on the same principles as this attack, but with better computational complexities, we will not analyse this attack in further detail.

3.2 Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson

A theoretical attack by Ekdahl and Johansson [1] describes how the initial state of the keystream generator can be extracted given $O(2^{34})$ known keystream bits (≈ 2 GB) and a computational complexity of $O(2^{63})$. This attack is also based on a weak linear correlation between the LFSRs' output and the keystream output, used to verify whether a guess for one of the LFSRs is accurate. The attack remodels the cipher in such a way that the nonlinear part is replaced with a sequence of random variables with some correlation probability. The nonlinear part of the keystream can be found in the memory block $C_t$.

Fluhrer and Lucks [2] discovered the following correlation for $C_t$:

$P(C_t \oplus C_{t-5} = 0) = 1/2 + 0.04883$

for all $t \ge 0$.

The attacker observes a keystream $Z_t$ of length $N$. The attack primarily targets the initial state of the first LFSR, LFSR1. The other three LFSRs can be combined into a single equivalent LFSR. The output from this equivalent LFSR is a sequence $U_t$, $0 \le t \le N - 1$.

$C^0_t$ is assumed to be a random noise sequence with correlation

$P(C_t \oplus C_{t-5} = 0) = 1/2 + 0.04883$

Now we can remodel E0 into the simplified system shown in Figure 3.1. With this model, we need to guess the initial state of LFSR1 and add its output, $x'_t$, to $z_t$. If the guess is correct, we can write the resulting sequence as:

$V_t = Z_t + X_t = U_t + C^0_t \quad (1)$

FIGURE 3.1. Model of attack, [3]

[Figure 3.1: the LFSR1 output $x^1_t$, the equivalent LFSR output $u_t$ and the memory sequence $c^0_t$ combine into $z_t$; the assumed LFSR1 output $x'_t$ is added to $z_t$ to give $v_t$, which is fed to the test.]

From the equivalent LFSR of LFSR2, LFSR3 and LFSR4 we get a sequence $u_0, u_1, \ldots, u_{N-1}$, which is a linear $(N, l)$ block code $C$. In this block code $C$ there are $l$ information symbols, equal to the length of the equivalent shift register, that is, the sum of the lengths of LFSR2, LFSR3 and LFSR4. The sequence $u_t$ can be rewritten as a row vector $u = (u_0, u_1, \ldots, u_{N-1})$.

This row vector can then be written as $u = u_0 G$, where $u_0$ is the initial state of the equivalent shift register and $G$ the generator matrix. If we suppose we can find $k$ columns in $G$ such that

$G_{i_1} + G_{i_2} + \cdots + G_{i_k} = 0, \quad (2)$

then we must have $u_{i_1} + u_{i_2} + \cdots + u_{i_k} = 0$ for the sequence $u_t$. Since the block code is cyclic, we can write

$\sum_{i \in I} u_{t+i} = 0, \quad (3)$

for any time index $t \ge 0$, where $I$ is the set of indices in Equation (2).

By summing over the indices in $I$, as indicated by Equation (3), it is possible to remove the influence of $u_t$ in $v_t$ (Equation (1)) and go towards the correlation Equation ().

$v_t = u_t + c_t \quad (4)$

$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0 + \sum_{i \in I} (c_{t+i} + c_{t+i-5}) \quad (5)$

$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = (c_{t+i_1} + c_{t+i_1-5}) + (c_{t+i_2} + c_{t+i_2-5}) + \cdots + (c_{t+i_k} + c_{t+i_k-5}) \quad (6)$

$P\Bigl(\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0\Bigr), \quad (7)$

$P\bigl((c_{t+i_1} + c_{t+i_1-5}) + (c_{t+i_2} + c_{t+i_2-5}) + \cdots + (c_{t+i_k} + c_{t+i_k-5}) = 0\bigr) = 1/2 + 2^{k-1}\epsilon^k \quad (8)$

If $v_t$ is sampled at many different time instances, according to Equation (6), and depending on the magnitude of $\epsilon$ in Equation (8), it is possible to get statistical significance if the assumption on the initial state of LFSR1 was good. If LFSR1 was guessed correctly, the correlation in Equation (8) can be detected; otherwise the correlation will not be detectable, since more noise will have been added to the sequence $v_t$ and the sum of Equation (6) will tend to 1/2.

The attack requires a length $N$ of the received sequence $z_t$ which depends on two parameters: the value of the highest index in $I$ for Equation (3), and the number of shifts in time, $m$, in Equation (6).

An estimate for the highest index in $I$ is needed, since we need to search a span of $z_t$ such that indices can be found that satisfy Equation (3). A good estimate of the required length of the received sequence, in order to find $k$ columns that add up to the all-zero column in the generator matrix from Equation (2), can be made using Theorem 1.

THEOREM 1: Approximately $2^{l/(k-1)}$ columns are required in a random generator matrix $G$ of a cyclic code $C$ to find $k$ columns that add to the all-zero column, where $l$ is the number of rows in $G$.

To estimate the second parameter, the needed number of samples $m$: from this section we know we can separate the uniform distribution $P_U(X = 0) = 1/2$ from the indicator distribution $P_{E0}(X = 0) = 1/2 + 2^{k-1}\epsilon^k$ using approximately $1/(2^{k-1}\epsilon^k)^2$ samples. With increasing $k$, $P_{E0}(X = 0)$ gets closer to 1/2, and the Chernoff information $C(P_U, P_{E0})$, which measures the distance between two probability densities (a relatively large Chernoff information means a low error probability), decreases. So the required number of samples $m$ increases when $k$ increases, for a fixed error probability. The total number of columns $w \approx 2^{l/(k-1)}$ in $G$ required to find $k$ columns that add to the all-zero column decreases if $k$ increases. The total number of required keystream bits to observe, $N$, is the sum $N = m + w$, so we need to choose $k$ such that we minimize $N$.

When performing the attack, we count the number of times Equation (6) equals zero, $n_0$, and the number of times it equals one, $n_1$. Thus the number of samples needed, $m$, equals $m = n_0 + n_1$. To simplify the application of the Neyman-Pearson lemma we replace $2^{k-1}\epsilon^k$ with $\epsilon'$. We can now write $P_{E0} = 1/2 + \epsilon'$. According to the lemma, we can test between the two hypotheses $H_0: P_U$ and $H_1: P_{E0}$:

$\frac{(1/2)^m}{(1/2 + \epsilon')^{n_0}\,(1/2 - \epsilon')^{n_1}} > T \quad (9)$

with $T \ge 0$ being the decision threshold.

For this attack it is desirable to use an unsymmetrical threshold and decrease $P_F$ at the expense of $P_M$. We would like to have $P_F \ll P_M$. In [3] an unsymmetrical threshold of $T = 2^5$ was chosen, resulting in $P_M \approx 2^{-4}$ and $P_F \approx 2^{-10}$. It is shown that the value $k = 4$ is the best choice for attacking LFSR1, since the value of $N$ is then minimized to $2^{34.6}$.

3.3 Faster correlation attack, Y. Lu and S. Vaudenay

Although the faster correlation attack proposed by Yi Lu and Serge Vaudenay in [12] has the best known time complexity, $O(2^{39})$ after an $O(2^{37})$ precomputation, it still requires $2^{39}$ consecutive keystream bits (≈ 64 GB). The attack recovers LFSR1 with a new Maximum Likelihood Decoding (MLD) algorithm, by means of the Fast Walsh Transform. This algorithm can speed up a fast correlation attack. The attack applies the concept of convolution to the analysis of the distinguisher based on all known correlations. This allows building an efficient distinguisher that halves the data complexity of the basic uni-bias-based distinguisher.

The approach is similar to the divide-and-conquer attack of Ekdahl and Johansson (section 3.2), but with a decreased time complexity. The correlations used for this attack are:

$P(c^0_t \oplus c^0_{t+1} \oplus c^0_{t+3} \oplus c^0_{t+4} = 1) = 1/2 + \lambda/2, \quad (10)$

$P(c^0_t \oplus c^0_{t+5} = 0) = 1/2 + \lambda/2, \quad (11)$

where $\lambda = 25/256$.

3.4 Guess-and-determine attack, M. O. Saarinen

Markku-Juhani O. Saarinen showed in [4] the first guess-and-determine attack on the Bluetooth keystream generator. The attack guesses the states of the three smallest LFSRs and of the finite state machine (FSM) and derives the contents of the remaining fourth LFSR from the keystream. Using the observed keystream, the consistency of the assumption is checked against the output of LFSR4. The expected complexity of this attack is close to $O(2^{93})$. We do not treat Saarinen's attack in further detail, since the improved versions of it are analysed below.


3.5 Guess-and-determine attack, S.R. Fluhrer and S. Lucks

Scott R. Fluhrer and Stefan Lucks refined the attack of M. O. Saarinen in [2]. Their attack recovers the initial state of the shift registers (level 2 of the keystream generator) and reverses the premixing step to recover the session key $K_C$ (level 1 of the keystream generator). The time complexity of the attack is of the order $O(2^{84})$ when 132 keystream bits are available. The time needed to reconstruct the level 2 keystream generator (the LFSR initial states) is expected to lie between $O(2^{72})$ and $O(2^{84})$, depending on the number of known keystream bits, and the work to reconstruct the level 1 keystream generator between $O(2^{51})$ and $O(2^{81})$. Unlike the correlation attacks, the algorithm allows the keystream bits to be spread over 83 data packets; the computational complexity then lies between $O(2^{76})$ and $O(2^{84})$, again depending on the amount of keystream available.

The basic approach of guessing the initial states of parts of the cipher and checking consistency is the same as in Saarinen's attack, but this attack takes advantage of additional relationships within E0 to gain performance. Instead of guessing three LFSRs as in Saarinen's attack, it guesses the initial state of the FSM and the contents of the two shortest LFSRs. A set of linear equations is built up and checked for inconsistencies, and a guess is rejected as soon as an inconsistency is found. The idea behind the algorithm is that the next-state function of the FSM depends only on the number of LFSRs that output a one. Instead of computing the exact values of the two longest LFSRs, we only have to decide whether their outputs differ or not. The algorithm also takes advantage of the fact that contradictions in GF(2) can be found efficiently. The attack derives the initial LFSR settings given 132 bits of keystream output. The initial FSM contents and the states of LFSR1 and LFSR2 are guessed. By observing the keystream it is then possible to decide whether the XOR of the outputs of LFSR3 and LFSR4 is one or zero, and a set $L$ of linear equations on the LFSR3 and LFSR4 output bits is constructed in a search tree. When enough keystream bits have been analysed, the linear equations implied by the LFSR3 and LFSR4 feedback (tap) equations can be added to the set $L$. As long as the equations in $L$ stay consistent, we continue to analyse the keystream; if an inconsistency appears, we backtrack in the tree and try another guess at the branching steps.
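The search described above can be demonstrated on a miniature. The following Python program is an added example, not code from [2], and its four registers of 3, 4, 5 and 6 bits with taps chosen here are not E0's (25, 31, 33 and 39 bits); only the summation combiner with the memory update of Equations (14) and (16) of section 3.8 is E0's. Assuming the FSM state and the contents of LFSR1 and LFSR2 have already been guessed correctly, it reads $x^3_t \oplus x^4_t$ off the keystream, builds the set $L$ of linear equations on the initial bits of LFSR3 and LFSR4 incrementally so that a contradiction $0 = 1$ is detected as soon as it arises, branches on the common value whenever the two outputs are equal, and recovers both registers.

```python
import random

# Constructed toy registers (length, taps): a register holds state[0..L-1], outputs
# state[0] and shifts in the XOR of the tapped cells.  Not E0's sizes or polynomials.
REGS = [(3, (0, 1)), (4, (0, 1)), (5, (0, 2)), (6, (0, 1))]


def parity(v):
    return bin(v).count("1") & 1


def output_masks(length, taps, n):
    """Mask m_t per clock with parity(m_t & init) = output bit at clock t: every
    output bit of an LFSR is a fixed linear function of its initial state."""
    state = [1 << i for i in range(length)]
    masks = []
    for _ in range(n):
        masks.append(state[0])
        new = 0
        for i in taps:
            new ^= state[i]
        state = state[1:] + [new]
    return masks


def fsm_step(y, c, cprev):
    """E0 memory update, Equations (16) and (14): c = (c1_t, c0_t),
    cprev = (c1_{t-1}, c0_{t-1}), y = x1+x2+x3+x4 as an integer."""
    s = (y + 2 * c[0] + c[1]) >> 1
    return (((s >> 1) & 1) ^ c[0] ^ cprev[1], (s & 1) ^ c[1] ^ cprev[0] ^ cprev[1])


def keystream(inits, n, c=(0, 0), cprev=(0, 0)):
    """The real generator: z_t = x1 ^ x2 ^ x3 ^ x4 ^ c0_t."""
    masks = [output_masks(L, taps, n) for L, taps in REGS]
    z = []
    for t in range(n):
        x = [parity(masks[i][t] & inits[i]) for i in range(4)]
        z.append(x[0] ^ x[1] ^ x[2] ^ x[3] ^ c[1])
        c, cprev = fsm_step(sum(x), c, cprev), c
    return z


class Gf2System:
    """Incremental GF(2) linear system, rows keyed by pivot (highest set bit)."""

    def __init__(self, rows=None):
        self.rows = dict(rows or {})

    def add(self, mask, rhs):
        """Insert mask.x = rhs; return False if it reduces to the contradiction 0 = 1."""
        while mask:
            p = mask.bit_length() - 1
            if p not in self.rows:
                self.rows[p] = (mask, rhs)
                return True
            m2, r2 = self.rows[p]
            mask, rhs = mask ^ m2, rhs ^ r2
        return rhs == 0

    def solve(self, nvars):
        """Back-substitution; valid once the rank equals nvars."""
        x = 0
        for p in range(nvars):
            mask, rhs = self.rows[p]
            x |= (rhs ^ parity(mask & x)) << p
        return x


def recover_lfsr34(z, init1, init2, c=(0, 0), cprev=(0, 0)):
    """Fluhrer-Lucks inner loop: LFSR1, LFSR2 and the FSM state are taken as
    (correctly) guessed; LFSR3/LFSR4 follow from linear equations on their
    initial bits, backtracking at the first contradiction."""
    n, L3, L4 = len(z), REGS[2][0], REGS[3][0]
    x1 = [parity(m & init1) for m in output_masks(*REGS[0], n)]
    x2 = [parity(m & init2) for m in output_masks(*REGS[1], n)]
    m3 = output_masks(*REGS[2], n)
    m4 = [m << L3 for m in output_masks(*REGS[3], n)]  # LFSR4 unknowns sit above LFSR3's
    solutions = []

    def search(t, eqs, c, cprev):
        if t == n:
            if len(eqs.rows) == L3 + L4:
                solutions.append(eqs.solve(L3 + L4))
            return
        d = z[t] ^ x1[t] ^ x2[t] ^ c[1]      # x3_t ^ x4_t, read off the keystream
        if d:                                # outputs differ: y_t = x1+x2+1, no branch
            nxt = Gf2System(eqs.rows)
            if nxt.add(m3[t] ^ m4[t], 1):
                search(t + 1, nxt, fsm_step(x1[t] + x2[t] + 1, c, cprev), c)
        else:                                # outputs equal: branch on their value v
            for v in (0, 1):
                nxt = Gf2System(eqs.rows)
                if nxt.add(m3[t], v) and nxt.add(m4[t], v):
                    search(t + 1, nxt, fsm_step(x1[t] + x2[t] + 2 * v, c, cprev), c)

    search(0, Gf2System(), c, cprev)
    return solutions


def demo(seed=3, n=40):
    """Random non-zero states, 40 keystream bits, then recover LFSR3 and LFSR4."""
    rng = random.Random(seed)
    inits = [rng.randrange(1, 1 << L) for L, _ in REGS]
    truth = inits[2] | (inits[3] << REGS[2][0])
    return recover_lfsr34(keystream(inits, n), inits[0], inits[1]), truth
```

In the real attack this routine sits inside the loop over all guesses of the FSM state and of LFSR1 and LFSR2, which is where the $2^{84}$ comes from; here those three are simply handed to it. The search tree stays small because once the equations reach full rank every further equation on a wrong branch is a coin toss, so wrong branches die within a few clocks.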

3.6 Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel

The theoretical attack presented by Christophe De Cannière, Thomas Johansson and Bart Preneel in [5] is based on the attack of Fluhrer and Lucks [2] described in the preceding section. Its time complexity is of the order $O(2^{76})$ when 1 Mbit of keystream is available.

The approach is similar to that of Fluhrer and Lucks, but instead of guessing the contents of two LFSRs and the FSM, only the shortest LFSR and the initial state of the FSM are guessed.

3.7 FBDD-attack, M. Krause

In [6] Matthias Krause proposes an FBDD-attack on the Bluetooth keystream generator. This attack has a time complexity of $O(2^{77})$ while requiring only 128 known keystream bits.

Free Binary Decision Diagrams (FBDDs) are data structures for representing and manipulating Boolean functions [7] [8]. An FBDD-attack is a short-keystream attack, i.e. the number of keystream bits needed for computing the secret initial state $x \in \{0,1\}^n$ is at most $cn$ for some constant $c \ge 1$.

The attack exploits the fact that many LFSR-based stream ciphers produce their keystream according to the rule $z = C(L(x))$, where $L(x)$ denotes an internal linear bitstream generated by a small number of parallel LFSRs and $C$ denotes some nonlinear compression function. The weakness of LFSR-based keystream generators is that the compressor $C$ has to produce the keystream online and at high speed. To achieve this, $C$ uses only a small memory and consumes only a few new internal bits for producing the next output bit. These requirements imply that the decision whether an internal bitstream generates a prefix of a given keystream $y$ via $C$ can be computed by small FBDDs. This allows one to dynamically compute a sequence of FBDDs $P_m$, $m \ge n$, which test for a given initial state $x \in \{0,1\}^n$ whether $C(L_{\le m}(x))$ is a prefix of $y$, where $L_{\le m}(x)$ denotes the first $m$ bits of the internal linear bitstream generated via $L$ from the secret initial state $x$.

3.8 Algebraic attack, F. Armknecht

Frederik Armknecht proposed an algebraic attack to reconstruct the initial state of E0 in [9]. The attack is based on a system of nonlinear equations of degree 4 which holds with probability 1 at each clock. By linearization the system becomes solvable, assuming that enough independent equations can be collected. The number of possible monomials in the linearized system is $T \approx 2^{24.056}$, and by employing Strassen's algorithm for solving the resulting system of linear equations the complexity of this approach is about $O(2^{67.58})$. In order to get enough independent linear equations, the number of observed keystream bits must be approximately $2^{24.056}$ (about 17.4 Mbit, i.e. roughly 2 MB). We explore this attack in more detail.

Theorem 2 forms the basis of the algebraic attack on the combiner with memory.

THEOREM 2 (Krause, Armknecht, 2003). For each combiner $C$ with $k$ LFSRs and $l$ memory bits, a nontrivial relation $F_C$ of degree $\lceil k(l+1)/2 \rceil$ with

$$0 = F_C(X_t, \dots, X_{t+l}, z_t, \dots, z_{t+l})$$

can be constructed.

Basically, we are able to transform the equations for the keystream bits $z$, which depend on the LFSR output bits $x$ and on the memory bits $c$, into a system of equations that does not depend on the memory bits and can be used to find the initial values of the LFSRs:

$$z_t = F(x^1_t, \dots, x^4_t, c^1_t, \dots, c^4_t)$$

$$z_t = F\big(x^1_t, \dots, x^4_t,\ C_t(x^1_1, \dots, x^4_{t-1}, c^1_1, \dots, c^4_1)\big)$$

$$z_t = F_t(x_1, \dots, x_n, c^1_1, \dots, c^4_1)$$

$$0 = F'(x^1_t, \dots, x^4_t,\ x^1_{t+1}, \dots, x^4_{t+1},\ x^1_{t+2}, \dots, x^4_{t+2},\ x^1_{t+3}, \dots, x^4_{t+3},\ z_t, z_{t+1}, z_{t+2}, z_{t+3})$$

$$0 = F'(x_1, \dots, x_n, z_t, z_{t+1}, z_{t+2}, z_{t+3})$$

For each clock $t$, a new keystream bit $z_t$ is produced and the next memory bits $c^0_{t+1}$ and $c^1_{t+1}$ are computed. We reformulate the memory update to obtain the functions for the individual memory bits $c^0_{t+1}$ and $c^1_{t+1}$:

$$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) \qquad (12)$$

$$= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1}) \qquad (13)$$

$$= \big(s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1},\ \ s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1}\big). \qquad (14)$$

In this equation we can reformulate $s^1_{t+1}$ and $s^0_{t+1}$ in terms of the integer sum $y_t = x^1_t + x^2_t + x^3_t + x^4_t$ of the LFSR output bits, as stated by F. Armknecht in [9]:

$$s_{t+1} = (s^1_{t+1}, s^0_{t+1}) \qquad (15)$$

$$= \left\lfloor \frac{x^1_t + x^2_t + x^3_t + x^4_t + 2c^1_t + c^0_t}{2} \right\rfloor \qquad (16)$$

$$s^1_{t+1} = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t \qquad (17)$$

$$s^0_{t+1} = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \qquad (18)$$

where $\Pi_i(t)$ is the XOR over all products of degree $i$ in $\{x^1_t, x^2_t, x^3_t, x^4_t\}$:

$$\Pi_1(t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t$$

$$\Pi_2(t) = x^1_t x^2_t \oplus x^1_t x^3_t \oplus x^1_t x^4_t \oplus x^2_t x^3_t \oplus x^2_t x^4_t \oplus x^3_t x^4_t$$

$$\Pi_3(t) = x^1_t x^2_t x^3_t \oplus x^1_t x^2_t x^4_t \oplus x^1_t x^3_t x^4_t \oplus x^2_t x^3_t x^4_t$$

$$\Pi_4(t) = x^1_t x^2_t x^3_t x^4_t$$

which leads to the following equations for the individual bits $c^1_{t+1}$ and $c^0_{t+1}$ (from Equation (14)):

$$c^1_{t+1} = s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1} \qquad (19)$$

$$= \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t \oplus c^1_t \oplus c^0_{t-1} \qquad (20)$$

$$c^0_{t+1} = s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1} \qquad (21)$$

$$= \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \oplus c^1_{t-1} \oplus c^0_t \oplus c^0_{t-1} \qquad (22)$$


Now we can define the additional variables $A(t)$ and $B(t)$:

$$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1}$$

$$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1$$

so that Equations (20) and (22) can be simplified to (using the fact that $x^2 = x$ for Boolean variables)

$$c^1_{t+1} = A(t) \oplus B(t)c^1_t \qquad (23)$$

$$c^1_{t+1}B(t) = A(t)B(t) \oplus B(t)c^1_t \qquad (24)$$

$$0 = B(t)\big(A(t) \oplus c^1_t \oplus c^1_{t+1}\big) \qquad (25)$$

and

$$c^0_{t+1} = B(t) \oplus 1 \oplus c^0_{t-1} \oplus c^0_t \oplus c^1_t \oplus c^1_{t-1} \qquad (26)$$

$$c^1_t \oplus c^1_{t-1} = B(t) \oplus 1 \oplus c^0_{t-1} \oplus c^0_t \oplus c^0_{t+1} \qquad (27)$$

By inserting Equation (27), taken at index $t+1$ instead of $t$, into (25) we get

$$0 = B(t)\big(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\big) \qquad (28)$$

In this equation we can eliminate all unknown memory bits $c^0_t$ by using the observed keystream $z_t$ together with $x^2 = x$ and $x \oplus x = 0$ in GF(2):

$$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$$

$$c^0_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus z_t = \Pi_1(t) \oplus z_t$$

$$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1 = \Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1$$

$$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1} = \Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1}$$

Substituting into (28):

$$0 = B(t)\big(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\big)$$

$$= \big(\Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1\big)\big(\Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1} \oplus \Pi_2(t+1) \oplus \Pi_1(t+1) \oplus \Pi_1(t+1)z_{t+1} \oplus 1 \oplus 1 \oplus \Pi_1(t) \oplus z_t \oplus \Pi_1(t+1) \oplus z_{t+1} \oplus \Pi_1(t+2) \oplus z_{t+2}\big)$$

Multiplying out, and using that products of the $\Pi_i(t)$ at the same clock reduce to a single $\Pi_j(t)$ or to 0 (for instance $\Pi_1(t)\Pi_2(t) = \Pi_1(t)\Pi_3(t) = \Pi_2(t)\Pi_3(t) = \Pi_3(t)$ and $\Pi_1(t)\Pi_4(t) = \Pi_2(t)\Pi_4(t) = 0$, since $\Pi_i(t)$ is 1 exactly when the number of ones among the four inputs has an odd binomial coefficient $\binom{y}{i}$), this becomes

$$0 = z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}$$

$$\oplus\ \Pi_1(t)\big(z_t z_{t+2} \oplus z_t z_{t+1} \oplus z_t z_{t-1} \oplus z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\big)$$

$$\oplus\ \Pi_2(t)\big(z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\big) \oplus \Pi_3(t)z_t \oplus \Pi_4(t)$$

$$\oplus\ \Pi_1(t-1) \oplus \Pi_1(t-1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t-1)\Pi_2(t)$$

$$\oplus\ \Pi_1(t+1)z_{t+1} \oplus \Pi_1(t+1)\Pi_1(t)z_{t+1}(1 \oplus z_t) \oplus \Pi_1(t+1)\Pi_2(t)z_{t+1}$$

$$\oplus\ \Pi_2(t+1) \oplus \Pi_2(t+1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_2(t+1)\Pi_2(t)$$

$$\oplus\ \Pi_1(t+2) \oplus \Pi_1(t+2)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t+2)\Pi_2(t) \qquad (29)$$

This equation has terms of degree at most 4 in the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ (inside the $\Pi_i$) and holds for every $t$. By iterating it we build a system of nonlinear equations (SNE) of degree 4 in which the initial values of the four LFSRs are the unknowns. These initial states have lengths 25, 31, 33 and 39, so the key to recover with the attack has the form

$$K_0 = (a_0, \dots, a_{24}, b_0, \dots, b_{30}, c_0, \dots, c_{32}, d_0, \dots, d_{38}) = (k_0, k_1, \dots, k_{127})$$
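The relations derived above can be checked mechanically. The following Python code is an added example and is not from the thesis or from [9]: it implements the summation-combiner memory update of Equations (14) and (16), checks exhaustively that the GF(2) forms (17) and (18) of the carry bits agree with the integer form (16), and then drives the combiner with constructed random bits in place of the LFSR outputs (the relation does not depend on the feedback polynomials, only on the combiner) to confirm that both the factored relation (28), with $c^0_u = \Pi_1(u) \oplus z_u$ substituted, and its fully expanded degree-4 form, as multiplied out in the code, evaluate to zero at every clock.

```python
import itertools
import random


def pi(i, x):
    """Pi_i(t): XOR of all products of degree i of the four LFSR output bits x."""
    return sum(all(c) for c in itertools.combinations(x, i)) & 1


def carry_arith(x, c1, c0):
    """Equation (16): s_{t+1} = floor((x1+x2+x3+x4 + 2*c1 + c0) / 2) as (s1, s0)."""
    s = (sum(x) + 2 * c1 + c0) >> 1
    return (s >> 1) & 1, s & 1


def carry_anf(x, c1, c0):
    """Equations (17) and (18): the same two bits as GF(2) polynomials."""
    s1 = pi(4, x) ^ (pi(3, x) & c0) ^ (pi(2, x) & c1) ^ (pi(1, x) & c0 & c1)
    s0 = pi(2, x) ^ (pi(1, x) & c0) ^ c1
    return s1, s0


def check_carry_anf():
    """(17)/(18) must agree with (16) on all 2^6 input combinations."""
    return all(carry_arith(b[:4], b[4], b[5]) == carry_anf(b[:4], b[4], b[5])
               for b in itertools.product((0, 1), repeat=6))


def run_combiner(xs, c=(0, 0), cprev=(0, 0)):
    """Clock the summation combiner over a list of 4-tuples of input bits.
    c = (c1_t, c0_t), cprev = (c1_{t-1}, c0_{t-1}).  Returns the keystream
    z_t = x1 ^ x2 ^ x3 ^ x4 ^ c0_t and the memory bits c0_t; update per (14)."""
    z, c0s = [], []
    for x in xs:
        (c1, c0), (p1, p0) = c, cprev
        z.append(x[0] ^ x[1] ^ x[2] ^ x[3] ^ c0)
        c0s.append(c0)
        s1, s0 = carry_arith(x, c1, c0)
        c, cprev = (s1 ^ c1 ^ p0, s0 ^ c0 ^ p1 ^ p0), c
    return z, c0s


def relation_factored(xs, z, t):
    """Equation (28) with every memory bit c0_u replaced by Pi_1(u) ^ z_u."""
    P = lambda i, u: pi(i, xs[u])
    c0 = lambda u: P(1, u) ^ z[u]
    B = lambda u: P(2, u) ^ (P(1, u) & c0(u)) ^ 1
    A = P(4, t) ^ (P(3, t) & c0(t)) ^ c0(t - 1)
    return B(t) & (A ^ B(t + 1) ^ 1 ^ c0(t) ^ c0(t + 1) ^ c0(t + 2))


def relation_expanded(xs, z, t):
    """The same relation multiplied out: degree <= 4 in the x bits, keystream
    bits z_{t-1} .. z_{t+2} as known coefficients."""
    P = lambda i, u: pi(i, xs[u])
    zm, z0, zp, zpp = z[t - 1], z[t], z[t + 1], z[t + 2]
    Z, nz0 = zm ^ z0 ^ zp ^ zpp, z0 ^ 1
    return (Z
            ^ (P(1, t) & ((z0 & zpp) ^ (z0 & zp) ^ (z0 & zm) ^ zm ^ z0 ^ zp ^ zpp))
            ^ (P(2, t) & Z) ^ (P(3, t) & z0) ^ P(4, t)
            ^ P(1, t - 1) ^ (P(1, t - 1) & P(1, t) & nz0) ^ (P(1, t - 1) & P(2, t))
            ^ (P(1, t + 1) & zp) ^ (P(1, t + 1) & P(1, t) & zp & nz0) ^ (P(1, t + 1) & P(2, t) & zp)
            ^ P(2, t + 1) ^ (P(2, t + 1) & P(1, t) & nz0) ^ (P(2, t + 1) & P(2, t))
            ^ P(1, t + 2) ^ (P(1, t + 2) & P(1, t) & nz0) ^ (P(1, t + 2) & P(2, t)))


def check_keystream_relation(n=2000, seed=7):
    """Drive the combiner with constructed random bits (any LFSR output would
    do) and confirm that both forms vanish at every clock 1 <= t <= n-3."""
    rng = random.Random(seed)
    xs = [tuple(rng.getrandbits(1) for _ in range(4)) for _ in range(n)]
    z, c0s = run_combiner(xs)
    if any(c0s[t] != pi(1, xs[t]) ^ z[t] for t in range(n)):
        return False                      # the substitution c0_t = Pi_1(t) ^ z_t
    return all(relation_factored(xs, z, t) == 0 and relation_expanded(xs, z, t) == 0
               for t in range(1, n - 2))
```

Because the relation holds for every clock and every input, each keystream bit window $z_{t-1}, \dots, z_{t+2}$ yields one degree-4 equation in the LFSR output bits; expressing those bits through $L^t(K_0)$, as done next, turns them into equations in the 128 initial state bits.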

Although the long Equation (29) uses the output bits of the LFSRs at clock $t$, we are able to rewrite it in terms of the initial state bits. This is possible since we can construct a linear function $L: GF(2)^n \to GF(2)^n$, where $n = 128$ is the combined length of the four LFSRs, which linearly maps the state $K_t$ to $K_{t+1}$, i.e. $K_{t+1} = L(K_t)$ for each clock $t$:

$$K_1 = L(k_0, k_1, \dots, k_{127}) = L(K_0)$$

$$K_2 = L(k_1, k_2, \dots, k_{128}) = L(L(k_0, k_1, \dots, k_{127})) = L^2(K_0)$$

$$\dots$$

$$K_t = L(k_{t-1}, k_t, \dots, k_{t+126}) = L^t(K_0)$$

So we can rewrite Equation (29), following the notation of Theorem 2, as

$$0 = F(K_0, \dots, L^3(K_0), z_0, z_1, z_2, z_3)$$

$$0 = F(L(K_0), \dots, L^4(K_0), z_1, \dots, z_4)$$

$$0 = F(L^2(K_0), \dots, L^5(K_0), z_2, \dots, z_5)$$

$$0 = F(L^3(K_0), \dots, L^6(K_0), z_3, \dots, z_6)$$

$$\dots$$

$$0 = F(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3})$$

where $F$ is a multivariate relation of degree (at most) 4.

Since the LFSR output bits $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ can be expressed as linear functions of the initial state bits, only a finite number of different monomials can occur. Armknecht found that this number is $T = 17{,}440{,}047 \approx 2^{24.056}$. This means that, after linearization, we get a system of equations in $T$ unknowns. To solve this system we thus need at least $T$ equations, obtained by clocking the generator that many times. The linearized system can be solved with Strassen's algorithm in $O(7\,T^{\log_2 7})$ or with the Coppersmith-Winograd algorithm [24] in $O(T^{\omega})$, $\omega \le 2.376$.

3.9 Fast Algebraic attack, N. Courtois and F. Armknecht

As an extension of Armknecht's algebraic attack, the fast algebraic attack lets us work with equations of lower degree; reducing the degree of the system of equations reduces the run-time complexity. The fast algebraic attack was introduced by Nicolas Courtois in [10] and Frederik Armknecht in [11]. It lowers the degree of the system of equations by taking linear combinations of equations. Equation (29) can be written in the form

$$0 = F(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3})$$

$$0 = F_1(L^t(K_0), \dots, L^{t+3}(K_0)) \oplus F_2(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3})$$

where $F = F_1 \oplus F_2$, and $F_1$ and $F_2$ are multivariate relations of a high degree $d_1$ (for $F_1$, which does not involve the keystream) and a lower degree $d_2$ (for $F_2$). The linear combination cancels out the monomials of degree $d_2 + 1, d_2 + 2, \dots, d_1$ that occur in Equation (29). In [25] another approach was proposed: by using the fast Fourier transform (FFT), the complexity of substituting the keystream into the equations can be decreased, resulting in an expected complexity of $O(2^{49})$. These $2^{49}$ operations can be performed in about 35 hours on a 4 GHz machine. The attack requires $2^{23.4}$ keystream bits.


Chapter 4

4. HOW DO STREAM CIPHER ATTACKS AFFECT BLUETOOTH SECURITY

4.1 Encryption Revisited

Encryption can optionally be used once at least one of the two communicating devices has authenticated itself to the other. Either the master or the slave can request encryption; however, encryption itself is always initiated by the master after it has negotiated the necessary parameters with the slave. For this purpose the two devices first agree on the length of the key to be used. The master then initiates the encryption process by sending a random number to the slave. The cipher key is computed from the link key, a cipher offset and the random number. Encryption can operate in two modes, point-to-point and point-to-multipoint. Under point-to-point encryption, the authenticated cipher offset (ACO) produced by the authentication protocol is used as the cipher offset. Under point-to-multipoint encryption, on the other hand, the device address of the master is used as the cipher offset, and the link key must first be replaced by a master key before encryption can be initiated. A stream cipher is used for encryption (in the standard this is designated E0). For each data packet a new initialisation vector (the message key) is computed from the device address and the Bluetooth clock of the master. The data is only encrypted during transport over the radio link: prior to transmission and after receipt the data is held unencrypted in the two devices. Encryption is thus not end-to-end (i.e. the data is not encrypted from input into device A until output or processing in device B).


4.2 Problems with Encryption

Encryption is only optional in Bluetooth and has a number of vulnerabilities:

Security of the stream cipher E0

Although E0 accepts key lengths of 1-16 bytes (8-128 bits), Fluhrer and Lucks have shown that the effective key length does not exceed 73 or 84 bits, depending on the computational power of the attacker.

The initialisation vector does not depend on the full clock

Every data packet transmitted is encrypted under a new initialisation vector, which is computed from the master's clock among other things. However, the most significant bit of the clock is "forgotten", so that even when encryption is used, man-in-the-middle attacks are possible.

Encrypted data can be manipulated

Even if strong encryption is used, data can still be manipulated during transmission. The characteristics of stream ciphers allow data intercepted in a man-in-the-middle attack to be altered deliberately as long as some of the plaintext under the encryption is known: flipping a ciphertext bit flips the corresponding plaintext bit, and the stream cipher itself provides no integrity protection that would reveal the change. Thus it is possible, for example, to deliberately manipulate IP headers.
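The manipulation described in the last point can be shown concretely. The following Python code is an added example, not from the thesis: a constructed IPv4 header is encrypted by XOR with a random byte string that stands in for E0 keystream, and an interceptor who knows the header's plaintext rewrites the destination address, and the header checksum with it (the checksum is also just known plaintext), without knowing the key or a single keystream bit.

```python
import random


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ipv4_checksum(header):
    """RFC 791 ones'-complement sum over 16-bit words; a header that carries a
    correct checksum evaluates to 0."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header):
    """Return the header with bytes 10-11 set to the correct checksum."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    h[10:12] = ipv4_checksum(h).to_bytes(2, "big")
    return bytes(h)


# Constructed 20-byte IPv4 header: ICMP from 10.0.0.5 to 10.0.0.9.
HEADER = with_checksum(bytes([0x45, 0x00, 0x00, 0x54, 0x12, 0x34, 0x40, 0x00,
                              0x40, 0x01, 0x00, 0x00, 10, 0, 0, 5, 10, 0, 0, 9]))


def stream_encrypt(data, keystream):
    """Stream-cipher encryption is XOR with the keystream; decryption is identical."""
    return xor_bytes(data, keystream)


def forge(ciphertext, known_plaintext, new_plaintext):
    """Turn c = p ^ ks into c' = p' ^ ks using only p and p':
    c ^ p ^ p' = ks ^ p'.  Neither the key nor the keystream is needed."""
    if len(known_plaintext) != len(new_plaintext):
        raise ValueError("replacement must keep the length")
    return xor_bytes(ciphertext, xor_bytes(known_plaintext, new_plaintext))


def redirect_packet(ciphertext):
    """Man-in-the-middle edit: new destination 192.168.1.1 with a checksum that
    still verifies, so the receiving IP stack accepts the rewritten header."""
    wanted = bytearray(HEADER)
    wanted[16:20] = bytes([192, 168, 1, 1])
    return forge(ciphertext, HEADER, with_checksum(wanted))


def demo(seed=42):
    """Encrypt HEADER under a random keystream (standing in for E0 output), let
    the attacker rewrite it in transit, and return what the receiver decrypts."""
    rng = random.Random(seed)
    keystream = bytes(rng.getrandbits(8) for _ in HEADER)
    ct = stream_encrypt(HEADER, keystream)
    return stream_encrypt(redirect_packet(ct), keystream)
```

The receiver decrypts a header with the attacker's destination and a valid checksum, with no way to tell it from the original. Only an authenticated encryption mode or a separate message authentication code bound to the key would detect the change; a plain stream cipher such as E0 cannot.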

4.3 Effect Of Divide-and-conquer and Correlation Attacks

In a divide-and-conquer attack, a part of the key is guessed, and this constraint on the keystream may make it possible to determine the rest of the key faster; this is a challenge to the Bluetooth encryption. Such an attack is mostly combined with a correlation attack to determine the rest of the key. A correlation attack is a widely applicable type of attack which can be used with success against generators that combine the output of several (cryptographically weak) keystream generators.

A correlation attack exploits a weakness in the combining function which allows information about the individual input sequences to be observed in the output sequence. In such a case there is a correlation between the output sequence and one of the (internal) input sequences, and this correlation can be used to extract information about the correlated input sequence. In the simplest case, a correlation means that the output equals one of the input variables with a probability different from 0.5. Siegenthaler showed in [31] that correlation immunity and linear complexity trade off against each other: a higher order of correlation immunity of the combining function forces a lower algebraic degree, and hence a smaller linear complexity of the output sequence.

As a protection against these correlation attacks, Rueppel introduced in [27] the idea of a combining function with memory, which makes it possible to attain maximum-order correlation immunity and maximum linear complexity simultaneously, thereby separating the notions of correlation immunity and linear complexity.

4.4 Effect Of Faster Correlation Attack

The fast correlation attack is based on certain parity-check equations derived from the feedback polynomial of the LFSR. The attack assumes that there is a correlation between one shift register (LFSR1) and the output keystream $z_t$: $P(s^1_t = z_t) = p = 1/2 + \varepsilon$, $t \ge 0$. Meier and Staffelbach viewed this as if the sequence from LFSR1 was transmitted over a binary symmetric channel (BSC) with crossover probability $1 - p$, i.e. the BSC transmits a symbol correctly with probability $p$; the combined effect of the other shift registers and the nonlinear combiner is modelled as the BSC. Since the feedback of LFSR1 is linear, the bits $s^1_t$ for different $t$ must satisfy a number of linear equations, determined by how many taps the feedback polynomial has and where they are located. If the correlation between $s^1_t$ and $z_t$ is high enough, most of the corresponding symbols in the keystream $z_t$ must also fulfil these linear equations. So, by attempting to slightly modify the sequence $z_t$ to compensate for possible crossovers in the BSC model, Meier and Staffelbach showed that the sequence $s = s^1_0, s^1_1, \dots, s^1_N$ can be recovered, and thus the initial state of the shift register. This is again a risk for the Bluetooth encryption process.

The drawback of this algorithm is that it is only successful if the feedback polynomial has very few terms, i.e. for an LFSR with few taps. The idea of a communication channel was reconsidered by Johansson and Jönsson in [32], who identified an embedded convolutional code in the sequences and could apply standard decoding techniques, e.g. the Viterbi algorithm, to recover the initial state even if the correlation probability was very close to 0.5. Typically, a shift register of length 40 with a correlation probability of 0.45 can be attacked with modest computational effort. This algorithm is independent of the number of taps of the feedback polynomial.

4.5 Effect Of Guess-And-Determine Attack

In this attack we start by guessing some internal variables of the cipher (e.g. part of the LFSR state) and then try to determine the other variables from the observed keystream and the evolution of the cipher over time. If our guess is correct, we can confirm it by running the cipher for some time and matching the output of our trial generator with the observed sequence. If our guess is false, we simply make a new guess and start over. The time complexity of such an attack is $O(2^b)$, where $b$ is the number of bits we have to guess, since in the worst case we have to try all possible combinations of the guessed bits. The difficult part of this attack is to discover which part of the state space should be guessed in order to obtain the rest. In this type of attack we thus try to break the Bluetooth encryption by guessing internal variables of the cipher, namely part of the LFSR states.

4.6 Effect Of Algebraic Attack

Algebraic attacks are based on a technique called relinearization, introduced by Kipnis and Shamir in [33]. In most cases, the generated keystream can be described by a complex system of multivariate polynomial equations with the key bits as indeterminates. The general idea behind algebraic attacks is to form (non-linear) equations in the observable keystream bits $z_t$ for all clock ticks $t$, with the initial secret key bits of the LFSRs as unknowns. The pre-computation of these equations needs to be performed only once; the attacker can use the same equations for attacking different keystreams. Once the equations are set up, the attacker observes the keystream and substitutes the keystream bits into the algebraic equations, so that the equations depend only on the initial secret LFSR key bits. These equations have to be solved to determine the values of the LFSR initialisation keys. This is possible if sufficiently many equations can be constructed from the observed keystream and the equations are of low degree in the bits of the initialisation keys. To solve a system of nonlinear equations, we linearize it: each monomial that appears in the system is assigned a new unknown variable, and the same monomial appearing in a different equation is assigned the same variable. The result is a system of linear equations with a large number of unknowns.

Since the complexity of algebraic attacks is exponential in the degree of the equations, a way of reducing the degree was needed. Courtois [10] introduced a method to achieve this in his fast algebraic attacks. His method requires an additional pre-computation step to determine a linear combination of equations of the initial system of the algebraic attack. This linear combination cancels out the terms of high degree, making the system of equations easier to solve. The approach is based on the fact that the multivariate polynomial can be multiplied by another multivariate polynomial such that the product has lower degree in the initial state bit variables. Courtois proposes to use the Berlekamp-Massey algorithm to determine the linear combination in the pre-computation step; the algorithm finds the minimal polynomial of a linearly recurrent sequence. So these attacks threaten the Bluetooth encryption process by forming algebraic equations based on the observable keystream $z_t$.
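The Berlekamp-Massey algorithm mentioned above, and the notion of linear complexity used in section 4.3, can be illustrated directly. The following Python implementation is an added example, not from the thesis or from [10]: it computes the linear complexity and the minimal connection polynomial of a GF(2) sequence, and the demonstration functions use two constructed LFSRs with connection polynomials $1 + x^3 + x^4$ and $1 + x^2 + x^3$ (both primitive, neither E0's) to show that the XOR of their outputs has linear complexity $4 + 3 = 7$.

```python
def berlekamp_massey(s):
    """Return (L, C) for a GF(2) bit sequence s.

    L is the linear complexity (length of the shortest LFSR generating s) and
    C = [1, c1, ..., cL] its connection polynomial, meaning
    s[i] = c1*s[i-1] ^ c2*s[i-2] ^ ... ^ cL*s[i-L] for every i >= L."""
    n = len(s)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1               # current complexity, index of last length change
    for i in range(n):
        d = s[i]               # discrepancy between the prediction and s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:         # the recurrence has to grow
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def run_recurrence(conn, init, n):
    """Generate n bits from connection polynomial conn, starting with init."""
    L = len(conn) - 1
    s = list(init)
    for i in range(len(s), n):
        bit = 0
        for j in range(1, L + 1):
            bit ^= conn[j] & s[i - j]
        s.append(bit)
    return s


# Constructed registers: C(x) = 1 + x^3 + x^4 and C(x) = 1 + x^2 + x^3, both
# primitive, so the sequences have periods 15 and 7 and linear complexity 4 and 3.
CONN_A = [1, 0, 0, 1, 1]       # s_i = s_{i-3} ^ s_{i-4}
CONN_B = [1, 0, 1, 1]          # s_i = s_{i-2} ^ s_{i-3}


def xor_sequence(n=40):
    """Bitwise XOR of the two LFSR outputs, a simple (memoryless) combiner."""
    a = run_recurrence(CONN_A, [1, 0, 0, 0], n)
    b = run_recurrence(CONN_B, [1, 0, 0], n)
    return [x ^ y for x, y in zip(a, b)]


def linear_complexity_of_xor(n=40):
    """Distinct irreducible minimal polynomials multiply: expect 4 + 3 = 7."""
    return berlekamp_massey(xor_sequence(n))[0]
```

Given $2L$ bits of a sequence of linear complexity $L$, Berlekamp-Massey returns the unique shortest recurrence, which is why a keystream that is a linear function of the LFSR states is broken outright and why the nonlinear combiner with memory is needed; for the fast algebraic attack the same algorithm is applied to the sequence of equation coefficients to find the linear combination that cancels the high-degree terms.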


Chapter 5

5. CONCLUSION

5.1 Analysis And Conclusion

We conclude this thesis by analysing the E0 encryption algorithm on the basis of all the attacks on the E0 stream cipher discussed in the previous chapters. We have tried to cover the whole range of low-level security features supported by the Bluetooth specifications, but we have kept stream ciphers as the main topic of discussion; in addition we have discussed encryption, the pairing procedure and authentication in full detail. The study covered an in-depth analysis of the E0 encryption algorithm: we did not only cover the complete functionality of the E0 system, we also analysed many of the recent attacks. The most important attacks on the E0 encryption system are the correlation attacks and the algebraic attacks.

Encryption is one of the most important security mechanisms, as it protects the transfer of data between two communicating wireless devices, in the present case Bluetooth devices. Bluetooth uses E0 encryption, which is discussed in detail in the previous chapters. We have taken into consideration all the known attacks: the correlation attacks, which are based on a presumed correlation between the input and output bits, and the algebraic attacks, which exploit the fact that the output bits can be expressed by an algebraic relation in terms of the initial state bits. The best attacks currently known are the fast algebraic attack of Armknecht [11] and Courtois [10] and the fast correlation attack of Lu and Vaudenay [12]. We have seen that the latter can recover the initial state of the LFSRs and of the FSM in a known-plaintext attack with approximately $2^{39}$ keystream bits and a time complexity of approximately $O(2^{39})$, after which the intruder can decipher the traffic, thereby breaking the Bluetooth security mechanism. In the light of the present state of research, however, there is currently no attack known that breaks the complete encryption procedure, and hence the security mechanism of the Bluetooth security architecture, with reasonable effort and a practically available amount of keystream. The security margin is nevertheless insufficient to feel comfortable about the years to come: since research on these attacks continues actively, future attacks may succeed in reducing the cryptanalytic workload to a practical level.

After this research we may conclude that there are a number of security problems with Bluetooth, the most important of which relate to encryption, which relies on the E0 algorithm. Still, Bluetooth can be seen as reasonably safe for its intended usage. For a practical multifunctional protocol such as Bluetooth, many considerations must be balanced to find a good trade-off between functionality, user-friendliness, speed and security. The active research on this topic will help to enhance the Bluetooth system in future versions.

Page 55: Thesis Report Bluetooth

55

References

[1] P. Ekdahl, T. Johansson, "Some results on correlations in the Bluetooth stream cipher", Proceedings of the 10th Joint Conference on Communications and Coding, Obertauern, Austria, 2000.

[2] S. R. Fluhrer, S. Lucks, "Analysis of the E0 encryption system", 2001, pp. 38-48.

[3] P. Ekdahl, "On LFSR based Stream Ciphers - Analysis and Design", Ph.D. thesis, Lund University, 2003.

[4] M.-J. O. Saarinen, "Bluetooth und E0", 2000.

[5] C. De Cannière, T. Johansson, B. Preneel, "Cryptanalysis of the Bluetooth Stream Cipher", internal report, November 2001.

[6] M. Krause, "BDD-based Cryptanalysis of Keystream Generators", Cryptology ePrint Archive, Report 2001/092, 2001.

[7] J. Gergov, Ch. Meinel, "Efficient Boolean function manipulation with OBDDs can be generalized to FBDDs", IEEE Transactions on Computers, vol. 43, pp. 1197-1209, 1994.

[8] D. Sieling, "Graph driven BDDs - a new data structure for Boolean functions", Theoretical Computer Science 141(1-2), pp. 283-310, Elsevier, 1995.

[9] F. Armknecht, "A linearization attack on the Bluetooth key stream generator", Cryptology ePrint Archive, December 2002.

[10] N. Courtois, "Fast Algebraic Attacks on Stream Ciphers with Linear Feedback", CRYPTO 2003, LNCS 2729, pp. 177-194, Springer.

[11] F. Armknecht, "On Fast Algebraic Attacks", talk at the 9th Estonian Winter School in Computer Science, Palmse, Estonia, March 2004.

[12] Y. Lu, S. Vaudenay, "Faster Correlation Attack on Bluetooth Keystream Generator E0", CRYPTO 2004 (M. Franklin, ed.), LNCS 3152, pp. 407-425, 2004.

[13] Term paper on Bluetooth security, May 2006, http://netlab.cs.iitm.ernet.in/cs650/2006/TermPapers/siddeshkarra.pdf

[14] N. Mavrogiannopoulos, "On Bluetooth Security", December 16, 2005, http://members.hellug.gr/nmav/papers/other/Bluetooth%20security.pdf

[15] Cybertrust, article on Bluetooth security, updated June 2005, http://www.cybertrust.com/media/white_papers/cybertrust_wp_blue.pdf

[16] Netsec, article on Bluetooth security, July 2005, http://www.netsec.net/content/securitybrief/archive/2005-07_Bluetooth.pdf

[17] A. Grimm (Matsushita Electronic), presentation on security aspects of wireless Bluetooth applications, http://www.holtmann.org/papers/bluetooth/saimba_english.pdf

[18] Bundesamt für Sicherheit in der Informationstechnik, article on Bluetooth threats and security measures, 2003, http://www.bsi.de/english/publications/brosch/B05_bluetooth.pdf

[19] Bluetooth security notes, University of Western Australia, http://www.ucs.uwa.edu.au/__data/page/5183/bluetooth_security.pdf

[20] T. Muller, "Bluetooth Security", white paper 1.C.116/1.0, July 1999, http://www.bluetooth.com/NR/rdonlyres/C222A81E-D9F9-48CA-91DE-9C81F5C8B94F/0/Security_Architecture.pdf

[21] Bluetooth protocol stack, http://www.bluetooth.com/NR/rdonlyres/7F6DEA50-05CC-4A8D-B87B-F5AA02AD78EF/0/Protocol_Architecture.pdf

[22] Bluetooth Special Interest Group, Specification of the Bluetooth System, Core package version 2.0 + EDR, 2004, http://www.bluetooth.org

[23] S. Janssens, Master of Applied Computer Science thesis, 2004-2005, http://student.vub.ac.be/~sijansse/2e%20lic/BT/Thesis/Thesis.pdf

[24] D. Coppersmith, H. Krawczyk, Y. Mansour, "The shrinking generator", Advances in Cryptology - CRYPTO '93, LNCS 773, pp. 22-39, Springer-Verlag, 1994.

[25] P. Hawkes, G. G. Rose, "Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers", Advances in Cryptology - CRYPTO 2004.

[26] M. Hermelin, K. Nyberg, "Correlation properties of the Bluetooth combiner", Proceedings of the 2nd International Conference on Information Security and Cryptology, pp. 17-29, 1999.

[27] R. A. Rueppel, "Correlation immunity and the summation generator", Advances in Cryptology - CRYPTO '85, pp. 260-272, Springer-Verlag, 1986.

[28] Bluetooth Special Interest Group, "The Bluetooth core specification version 1.2", November 2003, http://www.bluetooth.org

[29] S. R. Fluhrer, S. Lucks, "Analysis of the E0 Encryption System", Selected Areas in Cryptography - SAC 2001, Lecture Notes in Computer Science, 2001; slides at http://www.cs.stonybrook.edu/~sion/teaching/sunysb/2006-Fall/CSE508/slides/class14/Bluetooth.pdf

[30] B. J. M. Smeets, "Pseudo-random sequence generator and associated method", 1998.

[31] T. Siegenthaler, "Correlation-immunity of nonlinear combining functions for cryptographic applications", September 1984, pp. 776-779.

[32] T. Johansson, F. Jönsson, "Fast correlation attacks through reconstruction of linear polynomials", 2000, pp. 300-315.

[33] A. Kipnis, A. Shamir, "Cryptanalysis of the HFE public key cryptosystem", 1999, pp. 19-30.