1 ets 880 secure e-commerce bluetooth and m-commerce presented by david johnson wireless specialist...

1

ETS 880 Secure e-CommerceETS 880 Secure e-CommerceETS 880 Secure e-CommerceETS 880 Secure e-Commerce

Bluetooth and M-CommerceBluetooth and M-Commerce

Presented by David JohnsonPresented by David JohnsonWireless SpecialistWireless SpecialistIcomtekIcomtekCSIRCSIR

3Author: D L Johnson

Contents of Bluetooth lectureContents of Bluetooth lecture

Origins and history of BluetoothOrigins and history of Bluetooth What Bluetooth can doWhat Bluetooth can do Building blocks of Bluetooth – the bluetooth stackBuilding blocks of Bluetooth – the bluetooth stack Bluetooth Security and M-CommerceBluetooth Security and M-Commerce Example applications – Bluetooth profilesExample applications – Bluetooth profiles Bluetooth products on the marketBluetooth products on the market Bluetooth in South AfricaBluetooth in South Africa Competing technologyCompeting technology The future of BluetoothThe future of Bluetooth DemonstrationsDemonstrations


Contents of Bluetooth LectureContents of Bluetooth Lecture

Origins and history of BluetoothOrigins and history of Bluetooth What Bluetooth can doWhat Bluetooth can do Building blocks of Bluetooth – the bluetooth stackBuilding blocks of Bluetooth – the bluetooth stack Bluetooth Security and M-CommerceBluetooth Security and M-Commerce Example applications – Bluetooth profilesExample applications – Bluetooth profiles Bluetooth products on the marketBluetooth products on the market Bluetooth in South AfricaBluetooth in South Africa Competing technologyCompeting technology The future of BluetoothThe future of Bluetooth DemonstrationsDemonstrations


Origins of BluetoothOrigins of Bluetooth

In 1994 Ericsson initiated a study to investigate the In 1994 Ericsson initiated a study to investigate the feasibility of a low-power low-cost radio interface feasibility of a low-power low-cost radio interface between mobile phones and their accessoriesbetween mobile phones and their accessories

In Feb 1998, five companies Ericsson, Nokia, IBM, In Feb 1998, five companies Ericsson, Nokia, IBM, Toshiba and Intel formed a Special Interest Group (SIG)Toshiba and Intel formed a Special Interest Group (SIG)

In July 1999 the first bluetooth specification 1.0 was In July 1999 the first bluetooth specification 1.0 was releasedreleased

The bluetooth consortium today is comprised of 9 The bluetooth consortium today is comprised of 9 promoter companies who are leaders in telecomms, promoter companies who are leaders in telecomms, computing and networking and more than 2000 adopter computing and networking and more than 2000 adopter companiescompanies

Bluetooth is the fastest growing technology since the Bluetooth is the fastest growing technology since the internet or the cellular phone, incredible considering that internet or the cellular phone, incredible considering that its first public outing was in mid 1998its first public outing was in mid 1998


Origins of BluetoothOrigins of Bluetooth


History of BluetoothHistory of Bluetooth

Harald I Bluetooth (Danish Harald Blåtand) was the King Harald I Bluetooth (Danish Harald Blåtand) was the King of Denmark between 940 and 985 AD who united Denmark of Denmark between 940 and 985 AD who united Denmark and Norwayand Norway

Rune stone in Danish town, Jelling depicting Harold Bluetooth

As Harald Bluetooth united Denmark and Norway, As Harald Bluetooth united Denmark and Norway, Bluetooth of today will unite the many worlds of personal Bluetooth of today will unite the many worlds of personal devices around usdevices around us


Contents of Bluetooth LectureContents of Bluetooth Lecture Origins and history of BluetoothOrigins and history of Bluetooth What Bluetooth can doWhat Bluetooth can do Building blocks of Bluetooth – the bluetooth stackBuilding blocks of Bluetooth – the bluetooth stack Bluetooth Security and M-CommerceBluetooth Security and M-Commerce Example applications – Bluetooth profilesExample applications – Bluetooth profiles Bluetooth products on the marketBluetooth products on the market Bluetooth in South AfricaBluetooth in South Africa Competing technologyCompeting technology The future of BluetoothThe future of Bluetooth DemonstrationsDemonstrations


What Bluetooth can do - definitionWhat Bluetooth can do - definition

Bluetooth is a low-power, low-cost short range Bluetooth is a low-power, low-cost short range radio system intended to replace cables between radio system intended to replace cables between fixed and portable devices. It is intended to fixed and portable devices. It is intended to replace many propriety cables with one replace many propriety cables with one universal radio link.universal radio link.


What Bluetooth can do - domainsWhat Bluetooth can do - domains

Landline

Data/Voice Data/Voice Access PointsAccess Points

Cable Cable ReplacementReplacement

Personal Ad-hoc Personal Ad-hoc ConnectivityConnectivity


What Bluetooth can do – user levelWhat Bluetooth can do – user level

Hot spot scenario: Let your laptop or PDA connect wireless to Internet or office while at the airport, hotel etc

Automatically sync mail, calendar, notes etc. between your PDA and PC, as soon as you get into your office

Physical access control Let your PC, Stereo and TV all connect without cables to

your loudspeakers. Let the PC, phone or PDA control them all

Take a picture with a digital camera, and send it via BT to a mobile phone, which forwards the picture to an email recipient via WAP

Pay the cab driver via the phone. Withdrawal of money at ATMs Setup ad-hoc wireless network at a conference


What Bluetooth can do – technical levelWhat Bluetooth can do – technical level

Data links: Can establish up to 7 simultaneous data Data links: Can establish up to 7 simultaneous data connections between a master and it’s slaves (piconet)connections between a master and it’s slaves (piconet)

Voice links: Can establish up to 3 simultaneous voice Voice links: Can establish up to 3 simultaneous voice connections between a master it’s slaves (piconet)connections between a master it’s slaves (piconet)

Maximum asymmetrical data rate of 723 kbps (57.6 kbps Maximum asymmetrical data rate of 723 kbps (57.6 kbps return channel)return channel)

Maximum Symmetrical data rate of 432.6 kbpsMaximum Symmetrical data rate of 432.6 kbps Can have up to ten multiple self contained networks Can have up to ten multiple self contained networks

(piconets) sharing spectrum in the same area (scatternet)(piconets) sharing spectrum in the same area (scatternet) Range can be up to 10m for non-amplified bluetooth Range can be up to 10m for non-amplified bluetooth

devices and up to 100m for amplified bluetooth devicesdevices and up to 100m for amplified bluetooth devices Very low power consumptionVery low power consumption Ability to discover available services on another deviceAbility to discover available services on another device



Origins and history of BluetoothOrigins and history of Bluetooth What Bluetooth can doWhat Bluetooth can do Building blocks of Bluetooth – the Bluetooth StackBuilding blocks of Bluetooth – the Bluetooth Stack Bluetooth Security and M-CommerceBluetooth Security and M-Commerce Example applications – Bluetooth profilesExample applications – Bluetooth profiles Bluetooth products on the marketBluetooth products on the market Bluetooth in South AfricaBluetooth in South Africa Competing technologyCompeting technology The future of BluetoothThe future of Bluetooth DemonstrationsDemonstrations


Building blocks of Bluetooth – the Bluetooth Building blocks of Bluetooth – the Bluetooth stackstack

The Bluetooth Stack OverviewThe Bluetooth Stack Overview Bluetooth Stack – RadioBluetooth Stack – Radio Bluetooth Stack – BasebandBluetooth Stack – Baseband Bluetooth Stack – Link controllerBluetooth Stack – Link controller Bluetooth Stack – Link ManagerBluetooth Stack – Link Manager Bluetooth Stack – HCIBluetooth Stack – HCI Bluetooth Stack – L2CAPBluetooth Stack – L2CAP Bluetooth Stack – RFCOMMBluetooth Stack – RFCOMM Bluetooth Stack – SDPBluetooth Stack – SDP


The Bluetooth Stack OverviewThe Bluetooth Stack Overview


Bluetooth Stack - OverviewBluetooth Stack - Overview

Headset Bluetooth StackHeadset Bluetooth Stack


Bluetooth Stack - OverviewBluetooth Stack - Overview

Access Point Bluetooth StackAccess Point Bluetooth Stack


Bluetooth Stack - RadioBluetooth Stack - Radio Bluetooth radio is a short range radio link capable of data Bluetooth radio is a short range radio link capable of data

and voice and voice Three classes of operating range are defined ( Class3: Three classes of operating range are defined ( Class3:

1mw ~ 10cm, Class2: 10mw ~ 10m, Class1: 100mw ~ 1mw ~ 10cm, Class2: 10mw ~ 10m, Class1: 100mw ~ 100m )100m )

Uses a radio link at 2.4Ghz (2400-2483.5MHz ) which is the Uses a radio link at 2.4Ghz (2400-2483.5MHz ) which is the unlicensed ISM band also used by WLANunlicensed ISM band also used by WLAN

GFSK (Guassian Frequency Shift Keying) modulation GFSK (Guassian Frequency Shift Keying) modulation schemescheme

Uses frequency hopping spread spectrum technology Uses frequency hopping spread spectrum technology (1600 hops/s)(1600 hops/s)

The signal hops among 79 frequencies which have a The signal hops among 79 frequencies which have a bandwidth of 1MHz which improves interference bandwidth of 1MHz which improves interference immunityimmunity

Channel has a symbol rate of 1 Mb/sChannel has a symbol rate of 1 Mb/s


Bluetooth Stack - BasebandBluetooth Stack - Baseband

Baseband is responsible for channel coding and decoding Baseband is responsible for channel coding and decoding and low level timing control and management of the link and low level timing control and management of the link within the domain of a single data packet transferwithin the domain of a single data packet transfer

Each registered device has a unique 48-bit device addressEach registered device has a unique 48-bit device address Bluetooth uses TDM where the duration of a slot is 625µs Bluetooth uses TDM where the duration of a slot is 625µs A Master and Slave transmit on alternate time slots with the A Master and Slave transmit on alternate time slots with the

master always initiating data exchangemaster always initiating data exchange Larger packets can use multiple slotsLarger packets can use multiple slots The Master and slave devices need to synchronize their The Master and slave devices need to synchronize their

clocks to enable reliable communication to take placeclocks to enable reliable communication to take place



Timing diagrams for data packetsTiming diagrams for data packets



Bluetooth is able to form point-to-point links and point-to-Bluetooth is able to form point-to-point links and point-to-multipoint linksmultipoint links

The network of bluetooth devices is defined as a Personal The network of bluetooth devices is defined as a Personal Area network (PAN)Area network (PAN)

A Piconet is an arbitrary collection of Bluetooth enabled A Piconet is an arbitrary collection of Bluetooth enabled devices which are physically close enough to devices which are physically close enough to communicatecommunicate

A Scatternet is formed when there are two overlapping A Scatternet is formed when there are two overlapping Piconets, where one of the Slaves of one Piconet also Piconets, where one of the Slaves of one Piconet also forms the Master of another Piconetforms the Master of another Piconet

A supervision timeout ensures that links are closed down A supervision timeout ensures that links are closed down when Bluetooth devices move out of range of the Piconet. when Bluetooth devices move out of range of the Piconet.



Piconets (a & b) and Scatternets ( c )Piconets (a & b) and Scatternets ( c )



Two types of links are definedTwo types of links are defined+Data Links - ACL (Asynchronous Connection-Less)+Voice Links – SCO (Synchronous Connection Orientated)

An ACL link is a packet switched data link which is An ACL link is a packet switched data link which is established between a Master and Slave as soon as a established between a Master and Slave as soon as a connection has been established. connection has been established.

ACL Data is carried in DH (Data High rate) packets with ACL Data is carried in DH (Data High rate) packets with no FEC (Forward Error Correction) or DM (Data Medium no FEC (Forward Error Correction) or DM (Data Medium rate) packets with FECrate) packets with FEC

A SCO link provides a circuit switched link between a A SCO link provides a circuit switched link between a Master and Slave with reserved channel bandwidth.Master and Slave with reserved channel bandwidth.

SCO Data is carried in HV (High Quality Voice) packets a SCO Data is carried in HV (High Quality Voice) packets a number of selectable error correction packets number of selectable error correction packets



Packet TypesPacket Types


Bluetooth Stack – Link ControllerBluetooth Stack – Link Controller

The Link Control Layer is a state machine which drives The Link Control Layer is a state machine which drives the baseband through various stages to establish links.the baseband through various stages to establish links.

It is responsible for managing device discoverability, It is responsible for managing device discoverability, establishing connections and once connected, establishing connections and once connected, maintaining the on-air linksmaintaining the on-air links

It can drive a device through the following stagesIt can drive a device through the following stages+Host Inquiry+Inquiry Scan+FHS (Frequency Hop Synchronization) packet response +Paging+Page Scan+Connection


Bluetooth Stack - Link ControllerBluetooth Stack - Link Controller

State Diagram for Link ControllerState Diagram for Link Controller



Inquiry procedure (typical time ~ 2s)Inquiry procedure (typical time ~ 2s)



Inquiry procedure (continued)Inquiry procedure (continued)


Bluetooth stack – Link ControllerBluetooth stack – Link Controller Bluetooth Inquiry procedure at packet levelBluetooth Inquiry procedure at packet level



Paging Procedure (typical time ~0.6s)Paging Procedure (typical time ~0.6s)



Paging Procedure (Continued)Paging Procedure (Continued)

The frequency hop sequence used in the connected state The frequency hop sequence used in the connected state is calculated from the Master BD Address and Clockis calculated from the Master BD Address and Clock

A connection is established once the Slave has received A connection is established once the Slave has received the Masters native clock and bluetooth address and a poll the Masters native clock and bluetooth address and a poll packet has been sent to confirm the connection is packet has been sent to confirm the connection is workingworking


Bluetooth stack – Link ControllerBluetooth stack – Link Controller

Bluetooth Paging procedure at packet levelBluetooth Paging procedure at packet level



Low Power connected states (Can re-establish connection in 2ms)Low Power connected states (Can re-establish connection in 2ms)+ Connection – Hold: Device ceases to support ACL traffic for a

defined period of time to free up bandwidth for other operations such as paging or inquiring, maintains AM address, after hold time expires the device resynchronizes to the CAC and listens for traffic again

+ Connection – Sniff: Device is given a predefined slot time and periodicity to listen for traffic, on reception of a packet during this time it will continue to listen until packets with its AM address stop and the timeout period ceases, it then waits until the next sniff period

+ Connection – Park: Slave gives up its AM address and only listens for traffic at predefined beacon intervals – between this it can enter a low power state. At these intervals even if there is no traffic it will synchronize its clock to the CAC.


Bluetooth Stack – Link ManagerBluetooth Stack – Link Manager

Commands the Link Controller/BasebandCommands the Link Controller/Baseband Attaches/Detaches slaves to a piconet and allocates their Attaches/Detaches slaves to a piconet and allocates their

Active Member addressesActive Member addresses Configures the link which inlcudes a master-slave switchConfigures the link which inlcudes a master-slave switch Establishes ACL (data) and SCO (voice) linksEstablishes ACL (data) and SCO (voice) links Puts connections in low-power modes: Hold, Sniff, ParkPuts connections in low-power modes: Hold, Sniff, Park Controls test modesControls test modes Controls Power levelsControls Power levels Communicates with Link Managers on other Bluetooth Communicates with Link Managers on other Bluetooth

devices using the Link Management Protocol (LMP)devices using the Link Management Protocol (LMP)+ These LMP commands are used to exchange information

necessary for security negotiation+ Requesting a SCO connection or Master/Slave switch is also

done through LMP commands


Bluetooth Stack – Link ManagerBluetooth Stack – Link Manager



The Bluetooth Stack OverviewThe Bluetooth Stack Overview Bluetooth Stack – RadioBluetooth Stack – Radio Bluetooth Stack – BasebandBluetooth Stack – Baseband Bluetooth Stack – Link controllerBluetooth Stack – Link controller Bluetooth Stack – Link ManagerBluetooth Stack – Link Manager Bluetooth Stack – HCIBluetooth Stack – HCI Bluetooth Stack – L2CAPBluetooth Stack – L2CAP Bluetooth Stack – RFCOMMBluetooth Stack – RFCOMM Bluetooth Stack – SDPBluetooth Stack – SDP Bluetooth Stack – Other Higher LayersBluetooth Stack – Other Higher Layers


Bluetooth Stack - HCIBluetooth Stack - HCI

The Host Controller Interface is necessary when there is The Host Controller Interface is necessary when there is system partitioning between the baseband and Link system partitioning between the baseband and Link Manager on one processor and the higher layers such as Manager on one processor and the higher layers such as L2CAP, SDP and RFCOMM running on a serperate host L2CAP, SDP and RFCOMM running on a serperate host processorprocessor

This can reduce the processing power needed by the This can reduce the processing power needed by the bluetooth device and hence reduce costbluetooth device and hence reduce cost

Creates a standard interface that can be used by different Creates a standard interface that can be used by different manufactures of Bluetooth devicesmanufactures of Bluetooth devices

Three types of HCI packets are usedThree types of HCI packets are used+ Command packets used by host to control the module+ Event packets used by the module to inform the host+ Data packets used to pass voice and data between host

and module A transport layer (USB, RS-232) is also required to carry HCI A transport layer (USB, RS-232) is also required to carry HCI

packetspackets


Bluetooth Stack - HCIBluetooth Stack - HCI

Position of the HCI in the Bluetooth StackPosition of the HCI in the Bluetooth Stack


Bluetooth Stack – Logical Link Control and Bluetooth Stack – Logical Link Control and Adaptation Protocol (L2CAP)Adaptation Protocol (L2CAP)

Takes data from higher layers of the stack and from Takes data from higher layers of the stack and from applications and sends it over the lower layers of the applications and sends it over the lower layers of the stack – this is achieved by multiplexing using dedicated stack – this is achieved by multiplexing using dedicated channel numbers and associated PSM’schannel numbers and associated PSM’s

Segmentation and reassembly to transfer packets larger Segmentation and reassembly to transfer packets larger than the lower layers supportthan the lower layers support

Quality of service management for high layer protocolsQuality of service management for high layer protocols Group management, provides one-way transmission to a Group management, provides one-way transmission to a

group of bluetooth devicesgroup of bluetooth devices



Example setting up an L2CAP connection over HCIExample setting up an L2CAP connection over HCI



Segmentation and transport of L2CAP packetsSegmentation and transport of L2CAP packets


Bluetooth Stack - RFCOMMBluetooth Stack - RFCOMM

RFCOMM is a simple reliable transport protocol which can RFCOMM is a simple reliable transport protocol which can emulate the serial cable link settings and status of an RS-emulate the serial cable link settings and status of an RS-232 serial port232 serial port

It can handle multiple concurrent connections by relying on It can handle multiple concurrent connections by relying on the multiplexing features of L2CAPthe multiplexing features of L2CAP

It provides the following provisionsIt provides the following provisions+Modem status – RTS/CTS, DSR/DTR, DCD and RI+Remote line status – Break, Overrun, Parity+Remote port settings – Baud rate, parity, data bits etc.+Parameter negotiation (frame size)+Optional credit based flow control


Bluetooth Stack – Service Discovery ProtocolBluetooth Stack – Service Discovery Protocol

Provides a means for an SDP client to access information Provides a means for an SDP client to access information about service offered by SDP servers (examples: printing about service offered by SDP servers (examples: printing services, Dial-up networking, LAN access)services, Dial-up networking, LAN access)

SDP servers maintain a database of service records SDP servers maintain a database of service records which provide information that a client needs to access a which provide information that a client needs to access a service (This will be the service name, protocols needed service (This will be the service name, protocols needed for this service and even URL’s for executables and for this service and even URL’s for executables and documentation)documentation)

Services have UUID’s (Universally Unique Identifiers) Services have UUID’s (Universally Unique Identifiers) which have been allocated for the standard bluetooth which have been allocated for the standard bluetooth profiles but service providers can define their own using profiles but service providers can define their own using a method that guarantees they cannot be duplicated a method that guarantees they cannot be duplicated (there is no need for a central authority to allocate these)(there is no need for a central authority to allocate these)

Fits in well with Universal Plug and Play architectureFits in well with Universal Plug and Play architecture



Origins and history of BluetoothOrigins and history of Bluetooth What Bluetooth can doWhat Bluetooth can do Building blocks of Bluetooth – the bluetooth stackBuilding blocks of Bluetooth – the bluetooth stack Bluetooth Security and M-commerceBluetooth Security and M-commerce Example applications – Bluetooth profilesExample applications – Bluetooth profiles Bluetooth products on the marketBluetooth products on the market Bluetooth in South AfricaBluetooth in South Africa Competing technologyCompeting technology The future of BluetoothThe future of Bluetooth DemonstrationsDemonstrations


Bluetooth Security and M-commerceBluetooth Security and M-commerce

Bluetooth Security – OverviewBluetooth Security – Overview Bluetooth Security - M-commerceBluetooth Security - M-commerce Bluetooth Security – Security LevelsBluetooth Security – Security Levels Bluetooth Security - ComponentsBluetooth Security - Components Bluetooth Security – Link keysBluetooth Security – Link keys Bluetooth Security – Generating keysBluetooth Security – Generating keys Bluetooth Security – key exchangeBluetooth Security – key exchange Bluetooth Security - AuthenticationBluetooth Security - Authentication Bluetooth Security - EncryptionBluetooth Security - Encryption Bluetooth Security - ArchitectureBluetooth Security - Architecture Bluetooth Security – Security ManagerBluetooth Security – Security Manager Bluetooth Security – Service & Device DatabasesBluetooth Security – Service & Device Databases Bluetooth Security – Flow diagramsBluetooth Security – Flow diagrams Bluetooth Security - WeaknessesBluetooth Security - Weaknesses


Bluetooth Security - OverviewBluetooth Security - Overview

Wireless signals can be easily intercepted and are Wireless signals can be easily intercepted and are vulnerable to spoofing and eavesdroppingvulnerable to spoofing and eavesdropping

Bluetooth offers the following inherent security featuresBluetooth offers the following inherent security features+Two different modes of accessibility (confidentiality)

– Discoverable mode – Anyone can discover the device– Non-discoverable, Limited discoverability, General discoverability

– Connectible mode – Only trusted devices can connect to the devices

+Frequency hopping+Limited Range

Bluetooth offers the following specific security servicesBluetooth offers the following specific security services+Authentication to verify the device’s identity+Authorization to allow a device access to specific

services+Encryption to protect the link privacy


Bluetooth Security - OverviewBluetooth Security - Overview


Bluetooth Security – M-commerceBluetooth Security – M-commerce

M-commerce (mobile commerce) is the buying and selling M-commerce (mobile commerce) is the buying and selling of goods and services through wireless handheld devices of goods and services through wireless handheld devices such as such as cellular telephonescellular telephones and personal digital and personal digital assistants (assistants (PDAPDAs). Known as next-generation s). Known as next-generation e-commercee-commerce, m-commerce enables users to access the , m-commerce enables users to access the Internet without needing to find a place to plug in. The Internet without needing to find a place to plug in. The emerging technology behind m-commerce is based on emerging technology behind m-commerce is based on the Wireless Application Protocol (the Wireless Application Protocol (WAPWAP))

Bluetooth could become a new carrier for M-commerce Bluetooth could become a new carrier for M-commerce traffic in Personal Area Networks and security will be a traffic in Personal Area Networks and security will be a key component of thiskey component of this

Bluetooth can also act as a carrier for longer range Bluetooth can also act as a carrier for longer range gateway such as a POT or mobile phone (eg. Between a gateway such as a POT or mobile phone (eg. Between a PDA and a cellphone making an online purchase)PDA and a cellphone making an online purchase)



Walkup Bluetooth Kiosks – provide local information in many venues such as shopping malls, airports and exhibits (maps, coupons, special offers, and so on)+ allow multiple users to access the kiosks simultaneously. + Enable mobility - information could be transferred to a

personal device, available even when the user is not near a kiosk.

Ultimate “Queue-killer” – Peer-to-peer transactions enable local m-commerce transactions without having to stand in line for access to a resource (machine and/or person).+ Consumers make purchases, get discount authorizations,

and do other transactions wirelessly at the point of presence.



Bluetooth Application RoadmapBluetooth Application Roadmap


Bluetooth Security – Security LevelsBluetooth Security – Security Levels

Not all applications warrant the use of securityNot all applications warrant the use of security Bluetooth defines three levels of securityBluetooth defines three levels of security

+Mode 1: Absence of security for users accessing non-critical applications in public areas such as airports or for example exchanging business cards

+Mode2: Service level security which will enable or disable security depending on the particular application which in run. For example a hotel bluetooth network could have no security for accessing local town information but could add security if you wanted to access your email.

+Mode3: Link-level security where security is enforced at a common level for all applications – for example if ATM transactions were done via bluetooth.


Bluetooth Security - ComponentsBluetooth Security - Components

Security is based on the SAFER+ security protocolSecurity is based on the SAFER+ security protocol All link-level security is based on 128-bit link keysAll link-level security is based on 128-bit link keys A secret PIN number (variable from 4 to 16 octets) which A secret PIN number (variable from 4 to 16 octets) which

is common to the two devices wishing to communicate is common to the two devices wishing to communicate forms one of the key inputs into forming the initial link forms one of the key inputs into forming the initial link key.key.

Authentication in Bluetooth uses a device-to-device Authentication in Bluetooth uses a device-to-device challenge and response scheme to determine if the two challenge and response scheme to determine if the two devices share a common link keydevices share a common link key

Encryption generates a cipher stream based on an Encryption generates a cipher stream based on an encryption key which is generated from a common link encryption key which is generated from a common link key – encryption is symmetricalkey – encryption is symmetrical

Link keys can be semi-permanent or temporaryLink keys can be semi-permanent or temporary


Bluetooth Security – Link keysBluetooth Security – Link keys

In order to accommodate for different types of applications, four types of link keys have been defined:+ the unit key KA: Semi permanent key generated in every unit

only once during factory setup+ the combination key KAB: This is dependent on two units and is

unique for a particular pair of devices – more secure than a unit key

+ the master key Kmaster: Temporary key used for point to multipoint broadcast communications and will replace the current link key until peer-to-peer communications resume

+ the initialization key Kinit: The is a temporary key which is used when no combination or unit keys have been exchanged yet. It is generated using a PIN code as one of its inputs

In addition to these keys there is an encryption key, denoted Kc. This key is derived from the current link key.


Bluetooth Security Link keysBluetooth Security Link keys

Link keys need to be distributed among bluetooth devices Link keys need to be distributed among bluetooth devices wishing to communicate in a secure manner, these are wishing to communicate in a secure manner, these are encrypted using the current key (initialization key for encrypted using the current key (initialization key for devices connecting for the first time)devices connecting for the first time)

During the initialization phase of bluetooth the following During the initialization phase of bluetooth the following steps occur for devices connecting for the first timesteps occur for devices connecting for the first time+ 1. generation of an initialization key

+ 2. generation of link key

+ 3. link key exchange

+ 4. authentication

+ 5. Generating of encryption key in each unit (optional) Only steps 4 and 5 will be necessary if link keys have Only steps 4 and 5 will be necessary if link keys have

already been stored in memory in the case of devices already been stored in memory in the case of devices which have previously connected (trusted pair)which have previously connected (trusted pair)


Bluetooth Security – Generating keysBluetooth Security – Generating keys

Generation of KeysGeneration of Keys

Algorithm E22 is used to generate Initialization keys and Master keys where Algorithm E22 is used to generate Initialization keys and Master keys where PIN’ is a combination of the bluetooth address and the PIN and L’ is derived PIN’ is a combination of the bluetooth address and the PIN and L’ is derived from the number of octets in the PINfrom the number of octets in the PIN

Algorithm E21 is used to generate Unit keys and Combination keys where Algorithm E21 is used to generate Unit keys and Combination keys where RAND is a 128-bit random number and BD_ADDR is the units bluetooth RAND is a 128-bit random number and BD_ADDR is the units bluetooth addressaddress



Formal definition for EFormal definition for E2121



Formal definition for EFormal definition for E2222


Bluetooth Security – key exchangeBluetooth Security – key exchange

Exchange of unit keysExchange of unit keys

A sends the unit key KA to unit B securely by XORing with Kinit

Unit B will store KA as the link key KBA. Usually the application will let the unit with restricted memory abilities send its

unit key to be used as the link key since this unit only has to remember its own unit key

Kinit is discarded once keys have been exchanged



Creation and exchange of combination keysCreation and exchange of combination keys

Random numbers (LK_RANDRandom numbers (LK_RANDAA and LK_RAND and LK_RANDBB) are generated in Unit A and Unit B) are generated in Unit A and Unit B These are exchanged securely by XORing them with the current link key KThese are exchanged securely by XORing them with the current link key K Two new random numbers (LK_KTwo new random numbers (LK_KAA and LK_K and LK_KBB) are generated for LK_RAND) are generated for LK_RANDAA and and

LK_RANDLK_RANDBB using the E using the E2121 algorithm algorithm These two random numbers are XORed together to form a new combination key These two random numbers are XORed together to form a new combination key

KKABAB on unit A and K on unit A and KBABA on unit B on unit B



Creation and exchange of a master keyCreation and exchange of a master key

The master device generates two random numbers (RAND1 and RAND2) and The master device generates two random numbers (RAND1 and RAND2) and uses the Euses the E2222 algorithm to generate a random key K algorithm to generate a random key Kmastermaster

A third random number (RAND) is generated by the master and sent to the slaveA third random number (RAND) is generated by the master and sent to the slave The slave and the master compute an overlay (OVL) using the EThe slave and the master compute an overlay (OVL) using the E22 22 algorithm with algorithm with

the current key and the new random as inputsthe current key and the new random as inputs The master key (KThe master key (Kmastermaster) is sent from the master to the slave by XORing it with the ) is sent from the master to the slave by XORing it with the

overlayoverlay The slave which has the identical overlay, recalculates KmasterThe slave which has the identical overlay, recalculates Kmaster


Bluetooth Security - AuthenticationBluetooth Security - Authentication

Authentication processAuthentication process

Authentication uses a challenge response scheme to check the claimant’s Authentication uses a challenge response scheme to check the claimant’s knowledge of a secret key (current link key)knowledge of a secret key (current link key)

The verifier challenges the claimant to authenticate a random number The verifier challenges the claimant to authenticate a random number (AU_RANDA) with an authentication code, E1, and return a result, SRES, which (AU_RANDA) with an authentication code, E1, and return a result, SRES, which is compared against it’s own generated code SRES’ is compared against it’s own generated code SRES’

Authentication is often mutual – Unit A verifying Unit B is followed by Unit B Authentication is often mutual – Unit A verifying Unit B is followed by Unit B verifying Unit Averifying Unit A


Bluetooth Security - AuthenticationBluetooth Security - Authentication

The formal definition of E1 isThe formal definition of E1 is

The authentication function E1 is often called a MACThe authentication function E1 is often called a MAC E1 uses the encryption function SAFER+E1 uses the encryption function SAFER+ The ACO (Authenticated Ciphering Offset) produced is used later for The ACO (Authenticated Ciphering Offset) produced is used later for

encryptionencryption


Bluetooth Security - EncryptionBluetooth Security - Encryption

Generating the Encryption KeyGenerating the Encryption Key

The encryption key Kc is generated by E3 from a COF (Ciphering Offset The encryption key Kc is generated by E3 from a COF (Ciphering Offset Number), the current link key and a 128-bit random numberNumber), the current link key and a 128-bit random number

The COF is either derived from the BD_ADDR of the master if the current link The COF is either derived from the BD_ADDR of the master if the current link key is a master key otherwise it is generated from the ACO created during key is a master key otherwise it is generated from the ACO created during authenticationauthentication

Even though the generated key length is 128 bits this may be shortened due to Even though the generated key length is 128 bits this may be shortened due to export encryption lawsexport encryption laws



Formal definition of E3Formal definition of E3

**See equation 36 for description of the hashing function**See equation 36 for description of the hashing function



Encryption processEncryption process


Bluetooth Security - ArchitectureBluetooth Security - Architecture

Security architectureSecurity architecture


Bluetooth Security – Security ManagerBluetooth Security – Security Manager

A Security manager is essential especially in a Mode 2 A Security manager is essential especially in a Mode 2 system where various levels of security are needed for system where various levels of security are needed for different services different services

A security manager carries out the following functionsA security manager carries out the following functions+Stores security related information on services in service

database+Stores security related information on devices in device

database+Responds to access requests+Enforce authentication and/or encryption before

connection the application+Initiating or processing input from an external security

control entity such as a user interface prompting for a PIN

+Initiating Pairing


Bluetooth Security – Service & Device DatabasesBluetooth Security – Service & Device Databases

Service database will contain the following entries for Service database will contain the following entries for each service/applicationeach service/application

EntryEntry StatusStatus

Authorization requiredAuthorization required MM

Authentication requiredAuthentication required MM

Encryption requiredEncryption required MM

PSM (Protocol/Service multiplexer)PSM (Protocol/Service multiplexer) MM

Broadcasting AllowedBroadcasting Allowed OO

EntryEntry StatusStatus ContentsContents

BD_ADDR (bluetooth address)BD_ADDR (bluetooth address) MM 48-bit MAC address48-bit MAC address

Trust levelTrust level MM Trusted/UntrustedTrusted/Untrusted

Link KeyLink Key MM Bit field (up to 128 bits)Bit field (up to 128 bits)

Device NameDevice Name OO String (to avoid name request)String (to avoid name request)

Device database will contain the following entries for Device database will contain the following entries for each deviceeach device


Bluetooth Security – Flow diagramsBluetooth Security – Flow diagrams

Flow diagram for Security managerFlow diagram for Security manager



Flow diagram for authenticationFlow diagram for authentication



Flow diagram for authorizationFlow diagram for authorization


Bluetooth Security - WeaknessesBluetooth Security - Weaknesses

Strength of the challenge-response pseudo-random generator is not known.

PINs are only 4 digits. An elegant way to generate and distribute PINs does not

exist. Initialization key may be too weak. Unit key is reusable and becomes public once used. The master key is shared. Repeating attempts for authentication. Negotiable key length. Eavesdropping resulting from unit key sharing.


Example Applications – Bluetooth ProfilesExample Applications – Bluetooth Profiles

The blueooth SIG has created profiles which give a clear The blueooth SIG has created profiles which give a clear description of how the bluetooth specification should be description of how the bluetooth specification should be used for a given end-user function – this is to ease used for a given end-user function – this is to ease interoperation between different bluetooth devicesinteroperation between different bluetooth devices

Currently defined profilesCurrently defined profiles+Cordless Telephony+Intercom+Headset+Dial-up networking+FAX+LAN Access+File Transfer+Object Push+Synchronization


Bluetooth ProductsBluetooth Products

Notebooks Printers and keyboards

Camcorders

Access points

PC and flash cards

Phones and accessories

Headsets

PDA’s and accessories

USB and serial ports


Bluetooth Products - BluetagsBluetooth Products - Bluetags

TrackTrack:: Registration of the Registration of the tagged item leaving a tagged item leaving a predefined area or range.predefined area or range.

SearchSearch:: Registration of Registration of the tagged item entering the tagged item entering a predefined area or a predefined area or range range

WriteWrite:: Information can be Information can be written and stored written and stored directly in the BlueTag directly in the BlueTag

ReadRead:: Information stored Information stored in the BlueTag can be in the BlueTag can be accessed and readaccessed and read


Bluetooth Products – Ericsson ChatpenBluetooth Products – Ericsson Chatpen

Used together with patterned Used together with patterned paper it enables you to store paper it enables you to store and transmit basically and transmit basically anything you write or drawanything you write or draw

Can store several pages of Can store several pages of informationinformation

The information is The information is transmitted by the Bluetooth transmitted by the Bluetooth transceiver, either directly to transceiver, either directly to your computer, or forwarded your computer, or forwarded to someone via a relay to someone via a relay device such as a cell phonedevice such as a cell phone


Bluetooth Products – Bluetooth Products – Commil’s Cellarion systemCommil’s Cellarion system

Your mobile phone with Bluetooth inside becomes your “all-in-Your mobile phone with Bluetooth inside becomes your “all-in-one” handset: a cellular phone outdoorsone” handset: a cellular phone outdoorsand a cordless extension of your desk phone at your officeand a cordless extension of your desk phone at your office

Your Bluetooth PDA becomes an extension ofYour Bluetooth PDA becomes an extension ofyour PC, continuously connected to the Internet and to the your PC, continuously connected to the Internet and to the office LANoffice LAN


Bluetooth in South AfricaBluetooth in South Africa

Bluetooth is still in its infancy in South AfricaBluetooth is still in its infancy in South Africa Red-M have representation in South Afirca – they Red-M have representation in South Afirca – they

specialize in bluetooth networking solutions for buildings specialize in bluetooth networking solutions for buildings (supply bluetooth access nodes and servers)(supply bluetooth access nodes and servers)+1000AP Access Node : +3000AS Server+Genosware network management

ATIO are networking consultants who are pursuing ATIO are networking consultants who are pursuing bluetooth networking in buildings in partnership with bluetooth networking in buildings in partnership with Red-M – they currently have two buildings bluetooth Red-M – they currently have two buildings bluetooth enabled (one AFROX hospital and Investec)enabled (one AFROX hospital and Investec)


Bluetooth in South AfricaBluetooth in South Africa

Bluetooth hardware is available from the following Bluetooth hardware is available from the following companiescompanies+Avnet Kopp: Bluetooth development kit using Phillips

chipset+Memec: Alcatel bluetooth development kit using Silicon

Wave chipset+Ericsson: Ericsson Development kit using Ericsson ROK

chipset Very little low level design work and R&D is currently being Very little low level design work and R&D is currently being

carried out in bluetooth but a need exisitcarried out in bluetooth but a need exisit Non- OFS (Off The Shelf) solutions are needed for the Non- OFS (Off The Shelf) solutions are needed for the

Transport sector, Energy sector, Emergency services and Transport sector, Energy sector, Emergency services and Scientists Scientists

Cost is a major hindrance to bluetooth penetrationCost is a major hindrance to bluetooth penetration Currently a bluetooth chip costs ~$11 when purchased in Currently a bluetooth chip costs ~$11 when purchased in

bulk, but when a module with all the necessary surrounding bulk, but when a module with all the necessary surrounding components is manufactured it costs ~$100components is manufactured it costs ~$100


Bluetooth in South AfricanBluetooth in South African

The cost of bluetooth silicon could fall to $5 within the The cost of bluetooth silicon could fall to $5 within the next two years (looking more promising since microsoft next two years (looking more promising since microsoft included bluetooth in wireless keyboards)included bluetooth in wireless keyboards)

South African markets need to create indigenous South African markets need to create indigenous solutions based on the raw $11 chipset and not only solutions based on the raw $11 chipset and not only purchase OTS solutions from overseas supplierspurchase OTS solutions from overseas suppliers

Current potential markets are Current potential markets are +Home and industrial security+Home automation+Emergency services (bluetooth vehicle link – voice,

data)+ Industrial control and automation+Military+Scientific instrumentation


Competing TechnologyCompeting Technology


The FutureThe Future

Current working groups working on Version 2.0Current working groups working on Version 2.0+ High rate bluetooth 10 Mb/s+ HI_FI quality non-compressed audio, video suitable for video

conferencing+ Coexistence of Bluetooth with other ISM band technologies+ Local positioning for indoor and built-up areas

Despite the delays, Bluetooth is still projected to be a $5 Despite the delays, Bluetooth is still projected to be a $5 billion market within the next five years (Merrill Lynch billion market within the next five years (Merrill Lynch February 8, 2001). February 8, 2001).

The majority of market forecasting for Bluetooth The majority of market forecasting for Bluetooth applications remain in mobile phones, headsets, PDAs, and applications remain in mobile phones, headsets, PDAs, and PCs, accounting for over 80% of units by 2006.PCs, accounting for over 80% of units by 2006.

Bluetooth penetration rate for digital still cameras is expected to be 60% in 2006 and the same rate for digital TV is expected to hit 65% in 2006 (Merrill Lynch, February 8, 2001).

Cost per bluetooth chip is expected to fall to $5 by 2003Cost per bluetooth chip is expected to fall to $5 by 2003


The FutureThe Future

Based on analysts pricing estimates, this could translate to $18.5 billion of data access revenues, $2.4 billion of m-commerce, and $1.2 billion of advertising revenues by 2005 (Goldman Sachs, “Mobile Internet Primer,” July 14, 2000

Bluetooth remains a chicken or egg game – where the Bluetooth remains a chicken or egg game – where the benefits of Bluetooth only begin to reach their zenith as a benefits of Bluetooth only begin to reach their zenith as a function of manufacturers’ willingness to introduce new function of manufacturers’ willingness to introduce new products and make Bluetooth a persistent element in the products and make Bluetooth a persistent element in the industryindustry


DemonstrationsDemonstrations

Managing security on a Bluetooth Access Point with a Managing security on a Bluetooth Access Point with a Red-M systemRed-M system

Device Inquiry and Service DiscoveryDevice Inquiry and Service Discovery WAP browsing over BluetoothWAP browsing over Bluetooth Serial Cable replacement demoSerial Cable replacement demo

1 ets 880 secure e-commerce bluetooth and m-commerce presented by david johnson wireless specialist...

Documents