Page 493 - From GMS to LTE
P. 493
Bluetooth and Bluetooth Low Energy 479
with the device address of the remote device are saved, the link key can be automatically
retrieved from the database during the next connection establishment procedure.
Authentication is then performed without requiring interaction with the user.
To verify that the link key was created correctly by both sides, a mutual authentica-
tion procedure is performed after the pairing. The way the authentication is performed
is described in more detail in the next section. Figure 7.15 also shows how the complete
pairing is performed by the link manager layers of the Bluetooth chips of the two
devices. The only input needed from higher layers via the HCI interface is the PIN
number to generate the keys.
7.5.2 Pairing with Bluetooth 2.1 and Above (Secure Simple Pairing)
In 2005, Yaniv Shaked and Avishai Wool discovered a number of weaknesses that allow
one to calculate the PIN and link keys from the data exchanged during the pairing
procedure. This might have been one of the reasons why Bluetooth 2.1 introduced the
following new pairing mechanisms, which are referred to as secure simple pairing:
The Numeric Comparison protocol: The major difference between this pairing
mechanism and the classic protocol is that a public/private key exchange mechanism is
used instead of a PIN. For this purpose, each device has a private and a public key. During
the pairing process, each device sends its public key to the other end, which then encrypts
a random number with the key and returns it to the originator. After both devices have
received the encrypted random numbers, they use their private keys to decrypt the
information which is then used to generate the link keys. The encryption and decryption
work only one way, that is, the random number encrypted with the public key can only
be decrypted with the private key. As the private keys are never transmitted over the air,
an attacker cannot generate the link key from the intercepted message exchange. A simi-
lar authentication is also used by the EAP‐TLS Wi‐Fi authentication method (see
Chapter 5) and during the first access to a web page via secure HTTP (HTTPS, SSL/TLS).
As the two devices do not yet know each other, however, an attacker could insert itself
between the two devices and act as device B to device A and similarly to the other party.
This is also referred to as a man‐in‐the‐middle (MITM) attack. To prevent this, the
Numeric Comparison protocol calculates a six‐digit number after the generation of the
link keys, which is then shown to the user on both devices. The user then has to confirm
that the numbers are identical before the pairing process is finished. The method of
calculating the six‐digit number prevents MITM attacks as a device in the middle would
alter the calculation and the numbers shown on the devices would not be the same. The
Bluetooth Special Interest Group (SIG) states that by using this pairing mechanism, the
chance of a successful MITM attack is below 1:1,000,000.
The Just Works protocol: This protocol is mostly identical to the Numeric
Comparison protocol described above with the difference that no six‐digit number is
calculated and shown to the user. Hence, this pairing mechanism does not offer protec-
tion against MITM attacks but is still required, as some devices such as headsets do not
have a display to show a generated number. Consequently, this pairing method should
be used only if it is highly unlikely that no attacker is present during the pairing process.
If an MITM attack is successful during the pairing process, the attacker needs to be
present during future communication sessions as otherwise the connection establishment
process would fail.
