ISNI and Libraries - Anila Angjeli, Bibliotheque Nationale de France
Distributed systems – Part 2 Bluetooth 4 Anila Mjeda.
-
Upload
dinah-anthony -
Category
Documents
-
view
214 -
download
2
Transcript of Distributed systems – Part 2 Bluetooth 4 Anila Mjeda.
Distributed systems – Part 2
Bluetooth 4
Anila Mjeda
2
Bluetooth Profiles
In order to offer interoperability and to provide support for specific applications, the Bluetooth SIG has developed a set of Bluetooth profiles.
A profile defines an unambiguous description of the communication interface between two units for one particular service.
3
Bluetooth Profiles
Fig 1: Bluetooth profiles
All other Bluetooth profiles make use of the Generic Access Profile
4
Generic Access Profile (GAP)
The Generic Access Profile defines the generic procedure related to the discovery of Bluetooth devices and the link management aspects of connecting to Bluetooth devices.
The GAP also defines the different basic security procedures of a Bluetooth device.
5
Need for Security in Bluetooth
Anyone with a Bluetooth device can potentially connect to your Bluetooth device, gaining access to data without your knowledge and permission
Security needs depend on the application being developed. Ultimately, the decision on how to implement security is up to the application developer.
* Information on this slide comes from http://www.kjhole.com/
6
Bluetooth Security Toolbox
The Bluetooth “security toolbox” is based on the three components: Authentication: used to verify the
identity of a device Authorization: determines if a device is
to be granted access to specific services offered by another device
Encryption: protects data by encoding it prior to transmission
7
Pairing Pairing -> procedure involving exchanging
(link management) packets to establish a temporary key, called an initialization key (Kinit), for use between two Bluetooth devices wishing to communicate for the first time The pairing procedure requires that an identical
Personal Identification Number (PIN) be made available to both devices
An application must ask the user for the PIN and deliver it to the Bluetooth stack
* Information on this slide comes from http://www.kjhole.com/
8
Authentication
During authentication a device determines whether or not it shares a common authentication key with another device. If two devices are new to one another, the
pairing procedure is needed to create the initialization key Kinit
This initialization key is then used to create a semi-permanent authentication key (KAB) which is authenticated
* Information on this slide comes from http://www.kjhole.com/
9
Bonding
Bonding refers to the entire process of link-creating, pairing, creation of semi-permanent authentication key KAB, and authentication Once devices are bonded, pairing does not have to
be done again and authentication can proceed (using KAB) without the need for PIN entry
If a device is requested to bond with another device that it already possesses an authentication key for, this key is erased. Pairing is then initiated, establishing another authentication KAB
* Information on this slide comes from http://www.kjhole.com/
10
Authorization
Authorization is needed before a device is given permission to access a particular service
Authorization requires that Requesting device is authenticated Service being requested is reported to device providing
service Device determines whether or not to permit access to
service
* Information on this slide comes from http://www.kjhole.com/
11
Trust
Trust is an attribute that links authorization permission to a particular device If a device is marked as Trusted, then the
authorization process can completed successfully without user interaction
Trust can be granted both temporarily and permanently
Permanent Trust is usually granted during the initial authorization via A Man-Machine Interface (MMI)
A Man-Machine Interface (MMI) is often used to grant Trust
* Information on this slide comes from http://www.kjhole.com/
* Information on this slide comes from http://www.kjhole.com/
12
Encryption
Encryption relies upon a special encryption key (Kc) generated from the stored authentication key KAB
It is not possible to prevent the interception of data that is transmitted wirelessly
* Information on this slide comes from http://www.kjhole.com/
13
Security Modes
A Bluetooth connectable device can operate in three different security modes: Security mode 1: A Bluetooth unit in security mode 1 never
initiates any security procedures; that is, it never demands authentication or encryption of the Bluetooth link.
Security mode 2: When a Bluetooth unit is operating in security mode 2, it shall not initiate any security procedures, that is, demand authentication or encryption of the Bluetooth link, at link establishment. Instead, security is enforced at channel (L2CAP) or connection (e.g., Service Discovery Protocol, RFCOMM) establishment.
Security mode 3: When a Bluetooth unit is in security mode 3, it shall initiate security procedures before the link setup is completed.
* Information on this slide comes from http://www.kjhole.com/
14
Security Mode 1 Security mode 1 is the “unsecured” mode in Bluetooth. A unit
that offers its service to all connecting devices operates in security mode 1. This implies that the unit does not demand authentication or encryption at connection establishment.
For example, an access point that offers information services to anybody is a possible usage scenario for security mode 1.
Supporting authentication is mandatory and a unit in security mode 1 must respond to any authentication challenge. However, the unit will never send an authentication challenge itself and mutual authentication is never performed.
A unit in security mode 1 that does not support encryption will refuse any request for that. On the other hand, if encryption is supported, the unit should accept a request for switching encryption on.
* Information on this slide comes from http://www.kjhole.com/
15
Security Mode 2 Security mode 2 has been defined in order to provide better flexibility
in the use of Bluetooth link-level security.
In security mode 2, no security procedures are initiated until a channel or connection request has been received. This means that it is up to the application or service to ask for security. Only when the application or service requires it will the authentication and/or encryption mechanisms be switched on.
A sophisticated authentication and encryption policy based on the
baseband mechanisms can be implemented using this principle. Security mechanisms enforcement and policy handling must be taken care of by the unit. One possibility is to use a “security manager” to handle this.
Security mode 2 comes at the price of higher implementation complexity and the risk of faulty security policies that might compromise the security of the unit.
* Information on this slide comes from http://www.kjhole.com/
16
Security mode 3 In security mode 3, security procedures (authentication
and/or encryption) are enforced at connection establishment. Security mode 3 is a simple, always-on security policy.
The implementation is easy and that reduces the risks of any security implementation mistakes. The drawback is the lack of flexibility.
The unit will not be generally accessible. All connecting units need to be authenticated.
* Information on this slide comes from http://www.kjhole.com/c
17
Important Note! Note that in Security Mode 2 the device
initiates security procedures after the channel is established (at the higher layers), while in Security Mode 3 the device initiates security procedures before the channel is established (at the lower layers).
* Information on this slide comes from http://www.kjhole.com/c
18
Bibliography
Bluetooth tutorial: http://www.palowireless.com/infotooth/tutorial.asp
Several tutorials on Bluetooth :http://www.kjhole.com/