BLE Security

7/23/2019 BLE Security

http://slidepdf.com/reader/full/ble-security 1/8

BLE Security

The SMP (Security Manager Protocol) offers applications running over a Bluetooth Low

Energy stack access to the following types of services:

• Device uthentication

• Device uthori!ation

• Data "ntegrity

•Data #onfi$entiality

• Data privacy

The SMP works with % types of keys:

• Te&porary 'ey (T')

o Deter&ine$ y the type of pairing use$ see the tale elow

•

Short*Ter& 'ey (ST')

o +se$ to encrypt a connection when , $evices are pairing for the first ti&e

o ST' - ES.,/ (T'0 Sran$ 11 Mran$)

o Sran$ an$ Mran$ are ran$o& nu&ers generate$ y the Master an$ the Slave

for every connection

• Long*Ter& 'ey (LT')

o +se$ to create a Session 'ey for each Link Layer #onnection

o #an e $e$uce$ y the Slave using an$ ED"2 (uni3ue to each &aster) an$ a

4an$ value sent fro& the Slave to the Master when the $evices are on$ing

o The salve can store it in its security $ataase the LT' or the ED"2 fro& which

it can e calculate$

• "$entity 4esolving 'ey ("4')

o +se$ for generating an$ checking 4an$o& 4esolvale Private $$resses



• hash - ES.,/("4'0 prand )0 where random_address = [hash || prand

|| 0b10]

• #onnection Signature 4esolving 'ey (#S4')

o +se$ for sen$ing signe$ $ata without encryption

o uthenticates a &essage

5hat services an$ keys are use$ for the co&&unication etween two $evices are estalishe$

$uring the SMP Pairing proce$ure which is perfor&e$ y the SMP an$ set up y the

pplication accor$ing to its nee$s6

Pairing Procedure in BLE

The pairing proce$ure in Bluetooth S&art (LE) is perfor&e$ in three steps:

.6 E7change of pairing infor&ation

,6 uthentication of the link

86 Distriution of the keys

Exchange of pairing information

The e7change of pairing infor&ation etween two $evices is $one through the Pairing

Request an$ Pairing Response SMP &essages6 The contents of these two &essages is

shown below and is set up by the application according to device capabilities and/or itsneeds.

0x01 Pairing Request

0x02 Pairing Response

Field #o$e "9

#apaility

99B

Data

lag

uth4e3 Ma7i&u&

Encryptio

n 'ey Si!e

"nitiator

'ey

Distriution

4espon$

'ey

DistriutiSufiel

d

Bon$in

g lags

M"TM 4eserve$



Bits / / / , . % / / /

Bytes . . . . . . .

!" #apaility

;7;; Display9nly

;7;. Display<es=o

;7;, 'eyoar$9nly

;7;8 =o"npout=o9ut

put

;7;> 'eyoar$Displa

y

;7;%*

;7

4eserve$

Bonding Flag

;7;

;

=o

Bon$ing

;7;.

Bon$ing

;7.

;

4eserve$

;7.

.

4eserve$

""B $ata Flag

;7;; 99B uthentication $ata not present

;7;. 99B uthentication $ata fro& re&ote $evice

present

;7;,*

;7

4eserve$

!nitiator %ey $istriution Field

Responder %ey $istriution Field

Sufield Enc'ey "$'ey Sign 4es

Bits . . .

Bytes .

The value of the "9 #apaility fiel$ is set up y $evices accor$ing to the following tale fro&

the BLE>6. spec:



The 99B Data lag is set to . if the application?$evice re3uires an$ supports e7changing

$ata through an 9ut*of*an$ &etho$6

The M"TM flag is set in the uth4e3 fiel$ if the pplication re3uires Man*in*the*&i$$le

protection6

The Bon$ing lags in the uth4e3 fiel$ are set if the application re3uires on$ing6

The &ini&u& Encryption 'ey Si!e is set up y the application with a value etween @ Bytes

(%A its) an$ .A Bytes (.,/ its) in steps of . yte6 'eys which are less than .,/ its are

pa$$e$ with !eroes starting with the lowest a$$ress: .,/ it key *

;7.,8>%A@/B#DE;.,8>%A@/B#DE;0 %A it key *;7;;;;;;;;;;;;;;;;;;8>%A@/B#DE;6

The "nitiator an$ 4espon$er key $istriution fiel$s are set $epen$ing on what keys &ust e

e7change$ etween two $evices in phase 8 of the pairing process6

The "nitiator is always the Link Layer Master (CP #entral) an$ the 4espon$er is always the

Link Layer Slave (CP Peripheral) in a connection6

&uthentication

The secon$ step of the pairing proce$ure is the uthentication step which is perfor&e$ ase$

on the infor&ation e7change$ in the previous step in the Pairing 4e3uest an$ Pairing

4esponse &essages6

"n this step the Te&porary 'ey is generate$6 There are 8 ways of generating the T' in BLE

($escrie$ elow): ust 5orks0 99B0 an$ Passkey Entry6 The priority of these &etho$s is the

following: if oth $evices have set the 99B flag than the 99B &etho$ is use$ regar$less ofthe other flags in the Pairing 4e3uest an$ 4esponse6 "f the 99B flag is not set on at least one



of the $evices then the M"TM flag is checke$6 "f oth $evices have not set the M"TM flag

then the ust works &etho$ is chosen ("9 capailities are ignore$)0 else the pairing algorith&

is chosen ase$ on the "9 #apailities6

The following tale $escries the relation etween the T' an$ the pairing &etho$s6

Pairing

'ethod

(emporary %ey

)(%*

'!('

Protectio

n

+otes

ust

5orks

; (!ero) =9 • =o authentication

Passkey

Entry

; 666 (si7

$eci&al $igits)

The rest of the key is

pa$$e$ with !eroes6

<ES • uthenticate$

• "nterface allows

$isplaying or

entering values

9ut 9f

Ban$

+sually a full .,/

it key6

<ES • uthenticate$

The enaling of M"TM protection $uring pairing is consi$ere$ as Futhenticate$ PairingG

Base$ on the contents of the Pairing 4e3uest an$ Pairing 4esponse SMP &essages the

pairing &etho$ is chosen as $escrie$ in the following tales fro& the BLE >6. specification6



fter the T' is otaine$ the $evices generate the ST'6 The ST' generation proce$ure is

$etaile$ in the following tale for the "nitiator an$ the 4espon$er

!ntiator Responder +otes

Cenerate a .,/ it ran$o& nu&er

* Mrand

Cenerate a .,/ it ran$o& nu&er

* Srand

Mconfirm - c.(k0 r0 pres0 pre30 iat0

ia0 rat0 ra) -

Sconfirm - c.(k0 r0 pres0 pre30 iat0

ia0 rat0 ra) -

The c. function is $etaile$ in th

BLuetooth >6. specification6



- c. (T'0 Mrand, Pairing re3

#o&&an$0 pairing 4esponse

#o&&an$0 "nitiating Device

$$ress Type0 "nitiating Device

$$ress0 4espon$ing Device$$ress Type0 4espon$ing Device

$$ress)

- c. (T'0 Srand, Pairing re3

#o&&an$0 pairing 4esponse

#o&&an$0 "nitiating Device

$$ress Type0 "nitiating Device

$$ress0 4espon$ing Device$$ress Type0 4espon$ing Device

$$ress)

Trans&it Mconfirm to the

respon$ing $evice6

Trans&it Sconfirm to the intiating

$evice6

Trans&it Mrand to the respon$ing$evice

2erify Mconfirm using the c.

function

"f Mconfirm verifies trans&it Srand

to the initiating $evice

2erify Sconfirm using the c.

function

"f Sconfirm verifies generate ST'

ST' - s.(T'0 Sran$0 Mran$)

The s. function is $etaile$ in th

BLuetooth >6. specification6

Cenerate ST'

ST' - s.(T'0 Sran$0 Mran$)

Start Encryption "n the #ontroller

using the H#" co&&an$s

$istriution of ,eys

The thir$ phase of the pairing proce$ure is the $istriution of the keys6 The keys are

$istriute$ using specific SMP packets6 The keys are encrypte$ with the ST' an$ once store$

in a security $ataase &ust have the sa&e properties (authentication0 M"TM protection) as theST'6 The keys which can e $istriute$ are: (LT'0 ED"2 an$ 4an$)0 "4'0 #S4'6



The $istriute$ ED"2 an$ 4an$ values are trans&itte$ in clear te7t y the &aster $evice to

the slave $evice $uring encrypte$ session setup6

The BDIDD4 of $evices is also $istriute$ in this phase6

9nly the security infor&ation specifie$ in the Pairing 4e3uest an$ response is $istriute$6The $istriution is $one in the following or$er specifie$ y the stan$ar$:

.6 LT' y the slave

,6 ED"2 an$ 4an$ y the slave

86 "4' y the slave

>6 BD DD4 y the slave

%6 #S4' y the slave

A6 LT' y the &aster

@6 ED"2 an$ 4an$ y the &aster

/6 "4' y the &aster

6 BDIDD4 y the &aster

.;6 #S4' y the &aster

BLE Security

Documents

Transcript of BLE Security