1. Keywords
| abbreviation |
illustrate |
effect |
| TK |
Temporary key |
128bit, used to calculate the short-term key STK |
| STK |
short term key |
128bit, used to calculate the long-term key LTK |
| SK |
session key |
128bit, calculated through LTK, as the third stage three-way encryption handshake key; The value is calculated during the link encryption process, SK=e(LTK, (SKDmaster || SKDslave)); The link encryption process uses STK as the key and the dispersion factor SKD initial vector IV for encryption. |
| LTK |
long term key |
When two devices that have been paired and bound are connected again, it will be used as the link key; During the binding process, the three values LTK, EDIV and RAND are sent from the slave to the host. EDIV and RAND are used to generate LTK, RAND is a random number After the binding is successful, the host will save three values LTK, EDIV and RAND; The slave uses EDIV, RAND and its own saved ER and IR seed data to calculate LTK; |
| Mconfirm |
Host identity confirmation value |
The second stage of identity confirmation is calculated through TK and 128bit random number. |
| Disconfirm |
Slave identity confirmation value |
Same as above |
| ER 、IR |
128-bit pseudo-random number |
The seed data saved in the slave flash is written by the manufacturer and used to generate LTK |
| EDIV |
crypto decentralizer |
used to generate LTK |
2. Pairing process
The Bluetooth pairing process is divided into three stages. The first stage is used to exchange pairing characteristics and obtain the temporary key TK. In phase 2, identity confirmation and short-term key STK will be generated. The third stage is the process of device binding. During this period, the keys such as LTK, IRK and CSRK used in the encrypted link will be transmitted. The data transmitted in this stage is encrypted and transmitted using the short-term keys in the first and second stages. . The pairing process diagram is as follows:
2.1 Phase 1
2.1.1 Feature exchange
The pairing features exchange input and output (IO) functions, authentication requirements (need to bind and prevent MITM), and key size (fixed to 128bit).
In the BLE4.0 protocol, security is divided into three characteristics according to the degree of protection:
- Authenticated MITM protection: Reliable man-in-the-middle protection
- Unauthenticated no MITM protection: Unreliable no middleman protection
- No security requirements: No security requirements
The middleman MITM here means a third-party Bluetooth device. Reliable man-in-the-middle protection means that no third-party device will know the shared TK key when TK is shared; unreliable no-middle-man protection means that the third-party device can easily know the shared TK value when TK is shared, so it is an unreliable transmission; Without protection, you are not afraid of data being stolen by others.
Input and output capabilities: The combination of input and output determines how to generate TK.
2.1.2 Temporary key
When exchanging pairing features, each sends its comprehensive capabilities to the other device, and finally chooses which method to share TK values based on the capabilities of the two devices. In the BLE4.0 protocol specification, there are actually three ways to determine the TK value:
- Just Work : Both devices use the default TK value (6 zeros). For this method is an unreliable encrypted link, it cannot prevent MITM attacks. The premise of reliability when using this method is to ensure that there is no MITM attack during pairing and binding, so the encrypted data in subsequent connections cannot be eavesdropped by other devices. In other words, this method can protect the future encryption chain. The path is secure, but the pairing and binding process cannot be protected.
- Passkey Entry : For entering the key: Among the two devices, one Bluetooth device displays random 6 digits on its display; and after the operator sees these 6 digits, he will Enter it in another Bluetooth device so that the TK values of the two devices are the same.
- Out of Band : Out of Band uses another wireless method to transmit data to a Bluetooth device. If Out of Band itself can prevent MITM attacks, then the transmitted TK value must be protected. Moreover, the TK value in this method is a 128-bit random number. Although there is still a probability of being guessed by a third party, the probability of guessing the 128-bit random number is much smaller than the 6-bit random number when entering the password.
2.2 Phase 2
In the first phase of pairing, only the TK value is obtained through feature exchange, and the TK value is used to calculate two important values as a key in the second phase: identity confirmation value (confirm) and short-term secret key (STK) value.
2.2.1 Identity confirmation value
The TK value is obtained to ensure that the device communicating with itself is the device that it needs to connect to, and the identity of the other party must be determined through certain calculations. Both devices need to calculate acknowledgment values to determine that the other device is the desired connected device. Therefore, it is divided into host confirmation value/initiator confirmation value (Mconfirm) calculation and slave confirmation value/responder confirmation value (Sconfirm) calculation.
2.2.2 Short-term keys
The purpose of STK is that in the third stage of the pairing and binding process, plaintext is no longer used for data transmission. Instead, STK is used as the long-term secret key LTK to encrypt the data that needs to be interacted. The third stage of transmission is used in future encrypted links. LTK, IRK, CSRK and other keys. However, STK or LTK cannot directly be used as the key for encrypting data packets to be sent in the future. In order to make the transmitted data packets more secure, the key to encrypt the data packets is the session key (SK). SK uses STK or LTK is calculated as a key. When two devices are paired and bound for the first time, an encrypted link is required to transmit data in the third stage. At this time, the long-term key LTK is not shared, so the STK calculated in the second stage is needed as the key. Calculate the session key SK.
2.2.3 Overall process of stage 2
In the second phase, the master and slave machines will first calculate their respective identity confirmation values. First, the master machine sends the confirmation value to the slave machine, and the slave machine also sends the confirmation value to the master machine. Then the master machine sends a random number to the slave machine. When the slave machine receives the random number After counting, the confirmation value starts to be calculated. When the counted confirmation value is the same as the confirmation value sent by the host, the slave will also send a random number to the host. Otherwise, it will not send a random number to the host because it may be attacked. If the master and slave exchange random numbers for calculating the confirmation value, each will calculate the short-term key STK=s1(TK, Srand, Mrand).
After calculating the STK value, both parties exchange the dispersion factor SKD and the initial vector VI. The host uses LL_ENC_REQ to initiate an encryption request through the link layer, and sends the parameter session key dispersion value SKDm used to calculate the session key SK to the slave, as well as the initialization vector IVm value used by CCM, the EDIV and RAND parameters used to calculate LTK. Sent to slave. Both IV and SKD are pseudo-random numbers. The slave also sends the parameters related to calculating SK to the master through the LL_ENC_RSP encrypted response. At this time, the master and slave perform three encrypted handshakes through LL_START_ENC. The first time, the slave sends the LL_START_ENC_REQ start encryption request to the host in plain text, and sets its receiving mode to encrypted reception; the second time, when the host receives the plain text of the slave's start encryption request, the host Send the encrypted start encryption request response packet LL_START_ENC_RSP to the slave, and set its own reception to encrypted reception; for the third time, because the slave has set the reception to encryption mode, it should be able to successfully receive the ciphertext LL_START_ENC_RSP sent by the host. , then the slave sends the encrypted LL_START_ENC_RSP packet to the host to complete the three encryption handshakes.
2.3 Phase 3
The third stage is the device binding stage, which generates LTK from chance calculation and sends the LTK and the EDIV and RAND values used in calculating LTK to the host. The host saves these three values, so that the two devices are successfully bound.
The data packets transmitted in stage 3 are all encrypted ciphertext.
When two devices that have been matched and bound make a secondary connection, the two parties first exchange SKD and VI, and then the host sends EDIV and RAND to the slave. The slave uses EDIV and RAND and its own saved ER and IR seeds. The data calculates the LTK, and then the two parties perform an encrypted 3-way handshake. If the 3-way handshake is successful, the connection is established successfully. Otherwise, the connection fails to be established and the match is re-matched.
PS: The EDIV and Rand parameters are the criteria for determining STK as LTK to calculate SK. When EDIV and Rand are both 0, it means that this encryption request is the first pairing and binding of two devices, so STK must be used as LTK; when When EDIV and Rand are not 0, it means that the two devices have been paired before. This value is sent from the slave to the host during the first pairing. It can be known that only the first pairing and binding process involves the security management protocol. , subsequent connections only need to be controlled by the link layer.
3. Vulnerability analysis
- Man-in-the-middle attack: The ER and IR seed data of Bluetooth devices are read from the hardware, fixed. When the communication is completed, then B obviously knows the link key used by A. Then B modifies its own address and changes its own address to A's address, pretending to be communicating with A and C. Then C thinks at this time I am communicating with A. B can also pretend to be C to communicate with A. Because B knows A's link key, B can pass A's authentication and connect to A. In this way, there is no actual communication between A and C. B pretends to communicate with A and C respectively.
- Leakage of key encryption data: All data before the 3-step encryption handshake in the second phase is transmitted in clear text, including the EDIV and RAND values used to calculate LTK and the SKD and VI values used for link encryption.
- Authentication DOS attack: A DOS attack during authentication is when a third party deliberately fails the authentication by masquerading from the last authentication failure to the next time the authentication can be initiated, so that the interval continues to rise until it reaches the maximum allowed value. , during which both parties cannot perform normal authentication. There is also a form of DOS attack that rapidly and continuously sends files to the remote Bluetooth device, and the remote device is overwhelmed by a large number of commands whether to receive the file until it becomes paralyzed.
PS: Authentication refers to the process in which both master and slave obtain the same temporary key (TK).
References
Analysis of the BLE4.0 pairing and binding communication process: Analysis of the BLE4.0 pairing and binding communication process_Hong-luo-bu's blog-CSDN blog
BLE Pairing and Binding Summary---Summary from Bluetooth Low Energy Protocol Summary: BLE Pairing and Binding Summary---Summary from Bluetooth Low Energy Protocol Summary_irk ltk_binger-csdn's blog-CSDN blog
Introduction to the LE legacy Pairing process and subsequent connection process: https://www.cnblogs.com/unrulife/p/10876795.html