BLUETOOTH SECURITY
Praneet Sharma Student ID: S3701201
A Minor Thesis Report Submitted in Partial Fulfillment of the Requirements for the Award of the Degree of
MASTER OF SCIENCE IN COMPUTER SCIENCE
Thesis Supervisor Dr Xun Yi
School of Communication and Mathematics, Victoria University of Technology, November 2006
Acknowledgements
I am immensely pleased to express my profound gratitude to my thesis supervisor Dr Xun Yi for his support and constant guidance throughout my research on the minor thesis. I will remain ever grateful to him for his constructive criticism in the preparation of the manuscript and for bringing it into its final shape. I am also thankful to the staff of the Department of Computer Science and Mathematics of Victoria University for providing me access to the resources to develop this manuscript.
ABSTRACT
Bluetooth is a way of connecting electronic devices without cables or any other physical medium. Because Bluetooth transfers information over radio waves, it is very susceptible to attacks. In the present world of computerization and communication this technology has become a part of our day-to-day life, with applications including mobile telephones, PDAs, laptops and other electronic gadgets. This document deals mainly with the security of Bluetooth technology; in particular, this thesis focuses on the low-level security aspects of Bluetooth. We have tried to cover almost all the security features in this thesis, but due to certain limitations only a few are discussed in detail. The technology is introduced with the strong and weak points of the specification, the security architecture is discussed, and many of the recently discovered attacks are also covered.
As part of the Bluetooth security mechanism, encryption, authentication and key management are elaborated with emphasis on stream ciphers, and the working of the E0 stream cipher is discussed in detail. A detailed discussion of the recent attacks on the E0 stream cipher is performed, including a thorough discussion of the most recent fast correlation attack, guess-and-determine attack and fast algebraic attack. Although a few attacks are caused by manufacturers' faulty implementation of the specification, such attacks are only overviewed. In the penultimate chapter we discuss the effect of all kinds of cipher attacks on the Bluetooth security mechanism, specifically the Bluetooth encryption process. The thesis ends with the conclusion made on the basis of the analysis of the potential attacks on the E0 stream cipher, and with a discussion of preventive security measures.
TABLE OF CONTENTS
1. INTRODUCTION ..... 6
Motivation ..... 6
1.1 Introduction To Bluetooth Technology ..... 6
1.2 Bluetooth Protocol Stack ..... 7
1.3 What Is Security? ..... 11
1.4 Bluetooth Security Issues ..... 13
1.5 Weaknesses In Security Procedures ..... 15
2. BLUETOOTH SECURITY ARCHITECTURE ..... 17
2.1 Bluetooth Security Architecture ..... 17
2.1.1 Authentication ..... 18
2.1.2 LMP-Authentication ..... 19
2.1.3 Authorization ..... 20
2.1.4 Encryption ..... 21
2.1.5 Implementation ..... 23
2.2 Key Management ..... 24
2.2.1 Key Database ..... 24
2.2.2 Corrupted Database ..... 25
2.3 Service Security Levels ..... 25
2.4 Stream Ciphers ..... 26
2.4.1 E0 Stream Cipher ..... 27
2.4.2 Working Of The E0 Stream Cipher Algorithm ..... 27
3. BLUETOOTH STREAM CIPHER ATTACKS ..... 34
3.1 Divide-and-conquer attack, correlation attack, Hermelin and Nyberg ..... 35
3.2 Divide-and-conquer attack, correlation attack, Ekdahl and Johansson ..... 36
3.3 Faster correlation attack, Y. Lu and S. Vaudenay ..... 40
3.4 Guess-and-determine attack, M. O. Saarinen ..... 40
3.5 Guess-and-determine attack, S. R. Fluhrer and S. Lucks ..... 41
3.6 Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel ..... 42
3.7 FBDD attack, M. Krause ..... 42
3.8 Algebraic attack, F. Armknecht ..... 43
3.9 Fast algebraic attack, N. Courtois and F. Armknecht ..... 47
4. HOW DO STREAM CIPHER ATTACKS AFFECT BLUETOOTH SECURITY ..... 48
4.1 Encryption Revisited ..... 48
4.2 Problems With Encryption ..... 49
4.3 Effect Of Divide-and-conquer, Correlation Attack ..... 49
4.4 Effect Of Faster Correlation Attack ..... 50
4.5 Effect Of Guess-and-determine Attack ..... 51
4.6 Effect Of Algebraic Attack ..... 51
5. CONCLUSION ..... 53
5.1 Analysis And Conclusion ..... 53
References ..... 55
Chapter 1
1. INTRODUCTION
Motivation:
There are a number of possible attacks on Bluetooth technology. We found that most of the attacks are caused by faulty implementation of a particular protocol, and we give an overview of all these kinds of attacks. The main focus of this minor thesis, however, is finding out and discussing the attacks on certain cryptographic algorithms used.
1.1 Introduction To Bluetooth Technology
Bluetooth is a wireless technology that provides short-range wireless connectivity between similar kinds of devices. But where does the name come from? Harald I Bluetooth (Danish Harald Blatand) was the king of Denmark between 940 and 985 AD, and the wireless technology is believed to be named after this great king. Old Harald Bluetooth united Denmark and Norway; Bluetooth today unites the worlds of computers and telecom, which suggests that the name is suitable. The sole motive for developing this technology is to let users connect a range of computing and telecommunication devices in an easy and simple way without using a mesh of cables. It delivers opportunities for rapid ad hoc connections and virtually eliminates the need to purchase additional or proprietary cabling to connect individual devices. [14]
In 1994 Ericsson Mobile Communications initiated a study to investigate the feasibility of a low-power, low-cost radio interface between phones and their accessories. Later, in February 1998, five companies (Ericsson, Nokia, IBM, Toshiba and Intel) formed a Special Interest Group (SIG). The group contained the necessary business sector members: two market leaders in mobile telephony, two market leaders in laptop computing and a market leader in digital signal processing technology. By the end of December 1999, 3Com, Microsoft and Motorola had joined the promoter group (the companies willing to spend money to promote the standard), and around 1200 other companies had joined the SIG. At present the SIG is composed of over 6,000 members who are leaders in the telecommunications, computing, automotive, music, apparel, industrial automation and network industries, together with a small group of dedicated staff in Hong Kong, Sweden and the USA.
Bluetooth is a wireless protocol that requires less bandwidth and has a shorter transmission range than typical wireless LAN applications. Bluetooth operates in the same crowded 2.4 GHz ISM (Industrial, Scientific and Medical) licence-free frequency band as Wi-Fi networks, cordless phones and many emergency service communication systems. Transmission is at low energy, hopping 1600 times per second between 79 one-MHz sub-bands of the permitted frequency band. It uses an adaptive frequency hopping algorithm to avoid service interruption due to other equipment using the same frequencies, and also to avoid interfering with that equipment. However, this hopping does not add any security to the Bluetooth link, because the hopping sequence is broadcast in the clear during the initial connection procedure. Bluetooth devices can have variable signal range: the output power of normal Bluetooth devices is 1 milliwatt, giving coverage of only 10 meters, while 100 milliwatt devices with a range of up to 100 meters are permitted for applications such as home networks.
1.2 Bluetooth Protocol Stack
The architecture used for Bluetooth consists of Bluetooth-specific protocols combined with adopted protocols such as WAP, WAE, TCP/UDP/IP, PPP, vCard and IrMC. Bluetooth also supports cable replacement protocols such as RFCOMM and telephony adapter protocols such as AT commands. The reason for this mixed architecture of Bluetooth-specific and adopted protocols is that it allows integration of Bluetooth directly into existing application and transport protocols, without having to build up an entirely separate and parallel architecture. This also allows application-specific security controls to be implemented that are transparent to the lower-layer security controls (data link layer) at which Bluetooth operates.
Figure 1.1 Bluetooth Protocol Stack [21]
According to the Bluetooth SIG, the Bluetooth protocol stack can be divided into four layers according to their purpose. The protocols belonging to each layer are listed in the table below.
Protocol layer                 Protocols in the stack
Bluetooth Core Protocols       Baseband, LMP, L2CAP, SDP
Cable Replacement Protocol     RFCOMM
Telephony Control Protocols    TCS Binary, AT-commands
Adopted Protocols              PPP, UDP/TCP/IP, OBEX, WAP, vCard, vCal, IrMC, WAE
Table 1.1 Layer structure of the Bluetooth Protocol Stack
As shown in Figure 1.1, in addition to the protocol layers there is a Host Controller Interface (HCI), which provides a command interface to the baseband controller.
The Bluetooth core protocols include exclusively Bluetooth-specific protocols developed by the Bluetooth SIG. The Bluetooth core protocols, including the Bluetooth radio, are required by most Bluetooth devices, while the other protocols are used as needed. The cable replacement layer and the telephony control layer, together with the adopted protocol layer, form application-oriented protocols that enable applications to run over the Bluetooth core protocols. As stated earlier, the Bluetooth specification is open, and additional protocols (e.g., HTTP, FTP, etc.) can be accommodated in an interoperable fashion on top of the Bluetooth-specific transport protocols or on top of the application-oriented protocols shown in Figure 1.1.
1.2.1 Baseband
As can be seen in the protocol stack shown above, the baseband and link control layer enables the physical RF link between Bluetooth units forming a piconet. As mentioned earlier, the Bluetooth RF system uses a frequency-hopping spread-spectrum system in which packets are transmitted in defined time slots on defined frequencies; this layer uses inquiry and paging procedures to synchronize the transmission hopping frequency and clock of different Bluetooth devices.
It provides two different kinds of physical links with their corresponding baseband packets, Synchronous Connection-Oriented (SCO) and Asynchronous Connectionless (ACL), which can be transmitted in a multiplexed manner on the same RF link. Asynchronous Connectionless packets are used for data only, while Synchronous Connection-Oriented packets can contain audio only or a combination of audio and data. All audio and data packets can be provided with different levels of FEC or CRC error correction and can be encrypted. Furthermore, the different data types, including link management and control messages, are each allocated a special channel. The baseband packet format is shown below.
Access code    Packet header    Payload
72 bits        54 bits          0-2754 bits
Figure 1.2 Baseband Packet Format [22]
1.2.2 Link Manager Protocol
The Link Manager Protocol is responsible for link setup between Bluetooth devices. This includes security aspects such as authentication and encryption, by generating, exchanging and checking link and encryption keys, as well as the control and negotiation of baseband packet sizes.
1.2.3 Logical Link Control and Adaptation Protocol
This protocol adapts upper-layer protocols over the baseband. The specification states that it works in parallel with LMP, the difference being that L2CAP provides services to the upper layer, whereas payload data is never sent in LMP messages. This protocol provides connection-oriented and connectionless data services to the upper-layer protocols, with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. In addition, it permits higher-level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the baseband protocol provides the Synchronous Connection-Oriented and Asynchronous Connectionless link types, L2CAP is defined only for Asynchronous Connectionless links, and no support for Synchronous Connection-Oriented links is specified in Bluetooth Specification 1.0.
1.2.4 Service Discovery Protocol (SDP)
For every Bluetooth framework, discovery of services is a very crucial part. These services provide the basis for all the usage models. Using SDP, device information, services and the characteristics of the services can be queried, and after that a connection between two or more Bluetooth devices can be established.
1.3 What Is Security?
To define the notion of security, it is necessary to introduce a third party that has access to all public information and tries to derive the private secret information. Such a third party is called an attacker or cryptanalyst. The notion of security can then be defined as:
"A system is secure if an attacker is unable to derive the private secret information." It is not possible to break a perfectly secure encryption scheme, and such schemes do exist. However, a perfectly secure scheme needs a key with length no smaller than the entropy of the message to be encrypted, and this key may never be reused. If the key is smaller than the entropy of the message, there will always be a correlation between the input and the output. An example of a perfectly secure encryption scheme is the one-time pad, or Vernam cipher.
1.3.1 Wireless Security
Risks are inherent to any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; others are new. Perhaps the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.
Specific threats and vulnerabilities to wireless networks and handheld devices include the following:
- All vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to a (company's) computer network through wireless connections, bypassing any firewall protections, for example by using special long-distance antennas that can connect to internal, unprotected or weakly protected wireless access points.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed. Several applications exist to "sniff" all the data transmitted wirelessly in an area and recover encrypted passwords.
- DoS attacks may be directed at wireless connections or devices. Such a denial-of-service attack can take down the functionality of devices, that is, make them unstable, make them lose data, make them consume a lot of power (drain batteries), or it can be used as a method to make other attacks possible.
- Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks. Since wireless connections may allow invisible (or less visible) connections, masquerading can be easier.
- Sensitive data may be corrupted during improper synchronization, for example by "sniffing" and inserting into or disturbing wireless data connections.
- Malicious entities may be able to violate the privacy of legitimate users and track their movements. Since data connections need identification, this identification can be tracked easily on most wireless networks.
- Malicious entities may deploy unauthorized equipment (e.g. client devices and access points) to surreptitiously gain access to sensitive information. A well-known example of this attack is the so-called "Evil Twin", a fake clone of a wireless hotspot managed by hackers to intercept sensitive data.
- Handheld devices are easily stolen and can reveal sensitive information. Data may be extracted without detection from improperly configured devices.
- Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced to a wired network connection.
- Malicious entities may, through wireless connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
- Intruders, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
- Malicious entities may use third-party, suspicious wireless network services to gain access to an agency's or other organization's network resources.
- Internal attacks may be possible via ad hoc transmissions.
It should be clear that maintaining secure wireless networks is a process that requires greater effort than that required for other networks and systems. It is much harder to gain a certain guarantee of security within the deployment of wireless networks. Routine security tests, assessments and evaluations of system security are important. The National Institute of Standards and Technology (NIST) recommends that agencies not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations and continuity of essential operations. [23]
1.4 Bluetooth Security Issues
The security requirement of a Bluetooth application depends upon the sensitivity of the information involved, the current market trends and the needs of the application user. Some applications do not require any security, while others require an extremely high level of security. But before we start developing any application, it is necessary to conduct sufficient trade studies and analysis of the risk involved.
According to the SIG (Special Interest Group), a Bluetooth wireless technology system contains a set of profiles. A profile defines a selection of messages and procedures (generally termed capabilities) from the Bluetooth specifications. This gives an unambiguous description of the air interface for specified services and use cases. Working groups within the Bluetooth SIG define these profiles.
Security can be defined in terms of four basic elements: availability, access, integrity and confidentiality. The current Bluetooth specification defines security at the link level; application-level security is not specified.
At present there are a few general shortcomings in the Bluetooth security concept, and on the basis of those shortcomings the Bluetooth SIG has issued two general recommendations:
1. Avoid use of unit keys and use combination keys instead.
2. Perform bonding in an environment that is as secure as possible against eavesdroppers, and use long random passkeys.
1.4.1 Reported attacks on Bluetooth devices:
Bluejacking: in this technique the Bluetooth pairing protocol is abused and used to pass a message during the initial handshake phase. In this phase the name of the initiator is displayed on the target device, so the bluejacker can send some funny messages unnoticed; if the pairing runs to completion, the bluejacker can then intrude on the target's device, become a trusted device and possibly gain access to the target's data.
Bluesnarfing: is the process of "snarfing", in which an attacker can gain access to important portions of the data stored on the phone, including the phone book, calendar, business card and IMEI (International Mobile Equipment Identity). This flaw is due to a mistake in the implementation of the OBEX profile, where authentication has been omitted.
Bluebug: is similar to bluesnarfing; it is based on the serial profile and enables the use of most AT commands. This gives the attacker full access to the resources shared by the device over serial. For example, a mobile phone can be used to make phone calls using the AT command set, or a laptop computer could have your PDA's data stolen onto an empty PDA owned by the attacker. [19]
1.4.2 Bluetooth worms and viruses:
Like computers, Bluetooth devices are at risk from worms and viruses. One such worm is the Cabir worm, which tries to get paired with any other device in the vicinity; once paired, it installs itself on the paired device and tries to repeat the procedure with other devices, and the worm drains the battery by scanning for enabled Bluetooth devices.
1.5 Weaknesses In Security Procedures
Encryption not necessary:
Irrespective of the security mode, encryption of the transmitted data is optional. It has to be explicitly requested by the application.
Insecure default settings:
It is often noticed that the default configuration settings of devices are not secure; for example, security functions like authentication and encryption are disabled and PINs are set to "0000". In devices like headsets it is almost impossible to alter the preconfigured settings.
Weak PINs can be guessed:
If a weak PIN is used during device pairing, an attacker can guess the PIN and use it to calculate the link key resulting from the pairing. To do this, the attacker only has to eavesdrop on the pairing and the subsequent authentication. Using transcripts of the intercepted protocols, the attacker can check whether he has correctly guessed the PIN. In this way it is possible to guess short or trivial PINs (e.g. "1234567890"). The fact that PINs are the only secret parameters of link keys should be viewed as a serious security weakness. Experience shows that it is extremely difficult to break the practice, widespread among users, of choosing weak PINs.
Unit keys are not that secure:
When a device uses unit keys as link keys, the same key is used for every connection with that device. If an attacker succeeds in establishing a connection with this device, he is then in a position to impersonate that device or to intercept every communication made with it.
Weak protection of integrity:
A cyclic redundancy check (CRC), an encoding method used to identify transmission errors, is used to protect the integrity of the data. Although a CRC is highly likely to detect random errors during the transmission of data packets, it does not provide adequate protection against deliberate tampering with data packets.
Quality of the random number generator:
The Bluetooth standard does not specify any particular mechanism to be used to generate random numbers. Experience suggests that the quality of random number generators varies widely from manufacturer to manufacturer and from implementation to implementation. [16][18]
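As an added illustration of the integrity weakness described above (example code written for this edit, not taken from the thesis or the Bluetooth specification), the following Python compares an unkeyed CRC-32 with a keyed message authentication code on the same payload. The payload, the 128-bit key and the choice of HMAC-SHA256 are constructed assumptions; Bluetooth specifies no keyed integrity check at the link layer, so the HMAC side only shows what such a check would add.

```python
import hashlib
import hmac
import zlib

# Constructed sample payload and a constructed 128-bit shared key (assumptions).
PAYLOAD = b"transfer amount=0010 to account=777"
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

CRC_LEN = 4   # CRC-32 check value
MAC_LEN = 32  # HMAC-SHA256 tag


def crc_protect(data: bytes) -> bytes:
    """Append an unkeyed CRC-32, as a CRC-based integrity check does."""
    return data + zlib.crc32(data).to_bytes(CRC_LEN, "big")


def crc_verify(frame: bytes) -> bool:
    data, tag = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(data).to_bytes(CRC_LEN, "big") == tag


def mac_protect(data: bytes, key: bytes) -> bytes:
    """Append a keyed tag; only a holder of the key can compute a valid one."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(frame: bytes, key: bytes) -> bool:
    data, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def random_error_detected(frame: bytes) -> bool:
    """A transmission error: flip one payload bit and see whether the CRC notices.
    CRC-32 detects every single-bit error, so this returns True."""
    damaged = bytearray(frame)
    damaged[3] ^= 0x10
    return not crc_verify(bytes(damaged))


def deliberate_change_passes_crc(frame: bytes) -> bool:
    """A deliberate modification: the data is altered and the CRC recomputed.
    The CRC needs no secret, so the receiver's check still succeeds."""
    data = frame[:-CRC_LEN].replace(b"0010", b"9999")
    return crc_verify(crc_protect(data))


def deliberate_change_passes_mac(frame: bytes, key: bytes) -> bool:
    """The same modification against a keyed tag: without the key no valid tag
    can be produced, so keeping the old tag fails verification."""
    data = frame[:-MAC_LEN].replace(b"0010", b"9999")
    return mac_verify(data + frame[-MAC_LEN:], key)


def summary() -> dict:
    """Side-by-side result for the constructed payload."""
    crc_frame = crc_protect(PAYLOAD)
    mac_frame = mac_protect(PAYLOAD, LINK_KEY)
    return {
        "crc_detects_random_error": random_error_detected(crc_frame),
        "crc_detects_deliberate_change": not deliberate_change_passes_crc(crc_frame),
        "mac_detects_deliberate_change": not deliberate_change_passes_mac(mac_frame, LINK_KEY),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The point of the comparison is that both checks catch the random bit error, but only the keyed tag distinguishes a deliberate change, because a CRC can be recomputed by anyone who can see the frame.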
Chapter 2
2. BLUETOOTH SECURITY ARCHITECTURE
2.1 Bluetooth Security Architecture
The way the Bluetooth radio system is used in mobile devices and the type of data carried on these devices make security an extremely important factor. While most wireless systems will claim that being a spread-spectrum radio provides security, the volumes projected for Bluetooth radio eliminate this barrier. As such, link-layer and application-layer security are part of the basic Bluetooth radio requirements. At the link layer, the Bluetooth radio system provides authentication, encryption and management of the various keys involved.
The Bluetooth device address is the first and most important unique parameter; basically it is a unique 48-bit address of a Bluetooth device. At the user interface level it is represented as 12 hexadecimal characters. Another parameter is the Bluetooth device user name, a user-friendly name that can be chosen by the device owner. It can be 248 bytes long, although a generic device is not expected to handle names of more than 40 characters in length. In general, most devices have limited capabilities and may handle only up to 20 characters. Among all the parameters used in the Bluetooth security architecture, the Bluetooth passkey (PIN) is the most important from a security perspective; it is used to authenticate two Bluetooth devices that have never exchanged link keys before. An important feature of this parameter is that it has different representations at different levels. The Bluetooth device class is another parameter, used to identify the type of device and the services supported by the device. [20]
2.1.1 Authentication
Like other wireless technologies, Bluetooth uses an authentication mechanism based on a secret key known as the link key. In previous versions of the technology only unit keys were used, but to make the authentication procedure more secure, combination keys are now widely used. A combination key is specific to a pair of devices, whereas a device has a single unit key for all its connections. There are two ways of generating link keys: dynamically, or through a process called pairing. When a device is configured to generate link keys dynamically, it requires the user to enter the passkey each time a connection is established. Pairing, on the other hand, generates a long-term, stored link key that allows for the simple automated connections that are the hallmark of the Bluetooth specification. In order to pair two devices, the user sets both devices in pairing mode and then enters a shared passkey. This passkey is used to generate an initialization key, which is based on the Bluetooth address of the devices, a random number and the passkey. This initialization key is then used to authenticate each device as well as in the creation of the link key. Finally, the link key is stored locally on each device for future authentication. After the pairing process has completed, the devices will automatically and transparently authenticate and encrypt the link.
Bluetooth authentication is based on a challenge-response process and can be either unidirectional or mutual. The authentication process uses the E1 algorithm, which is based on the SAFER+ block cipher. Communication between two devices starts when the first device sends its 48-bit address (BD_ADDR) to the second device. The second device then sends a 128-bit random-number challenge to the first device. Both devices now compute an authentication response, a function of the E1 algorithm based on the first device's address, the random-number challenge issued by the second device, and the previously established link key. The first device then transmits its authentication response, and the second device compares it with its own calculation. If the two agree, the device is authenticated; if the authentication response does not match, the connection is refused. Once the authentication process has completed, the second device generates a new random number for its next authentication session. [17][13]
2.1.2 LMP-Authentication
LMP-pairing is a procedure that authenticates two devices based on a PIN and subsequently creates a common link key that is used as the basis for a trusted relationship or a secure connection. This procedure consists of the steps shown in Figure 2.1.
Figure 2.1 LMP-Pairing Procedure
LMP-authentication is a procedure for verifying the identity of a remote device. The procedure is based on a challenge-response mechanism using a random number, a secret key and the BD_ADDR of the non-initiating device. The secret key can be a previously exchanged link key or an initialization key created from a PIN, as used in the pairing procedure. [15][13]
Figure 2.2 LMP-Authentication Procedure
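The challenge-response exchange of sections 2.1.1 and 2.1.2, written out as an added Python example (not code from the thesis or from any Bluetooth stack). Both sides of the exchange are modelled: the claimant presents its BD_ADDR, the verifier issues a fresh 128-bit random challenge, the claimant answers with a response computed from the link key, the challenge and its own address, and the verifier compares. The device addresses and the link key are constructed values, and the keyed function standing in for E1 is HMAC-SHA256 rather than the SAFER+ based E1 of the specification (an assumption made so the example runs with the standard library). The example also checks what the text implies about fresh challenges: a response recorded from one session is rejected in the next.

```python
import hashlib
import hmac
import secrets

# Constructed 48-bit device addresses and a constructed 128-bit link key that
# the two devices are assumed to share from an earlier pairing.
BD_ADDR_A = bytes.fromhex("001122334455")
BD_ADDR_B = bytes.fromhex("66778899aabb")
LINK_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def e1_stand_in(link_key: bytes, au_rand: bytes, claimant_addr: bytes) -> bytes:
    """Stand-in for E1 (assumption: HMAC-SHA256, not the SAFER+ based E1).
    Like E1 it is keyed by the link key and takes the challenge and the
    claimant's address; the first 32 bits play the role of the response SRES."""
    return hmac.new(link_key, au_rand + claimant_addr, hashlib.sha256).digest()[:4]


class Device:
    def __init__(self, bd_addr: bytes, link_key: bytes):
        self.bd_addr = bd_addr
        self.link_key = link_key
        self.pending = None  # outstanding challenge while acting as verifier

    # Verifier side
    def challenge(self) -> bytes:
        """Draw a fresh 128-bit random challenge; a new one is issued per run."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, claimant_addr: bytes, sres: bytes) -> bool:
        """Compare the received response with the locally computed one."""
        if self.pending is None:
            return False
        expected = e1_stand_in(self.link_key, self.pending, claimant_addr)
        self.pending = None  # each challenge is answered at most once
        return hmac.compare_digest(expected, sres)

    # Claimant side
    def respond(self, au_rand: bytes) -> bytes:
        return e1_stand_in(self.link_key, au_rand, self.bd_addr)


def authenticate(verifier: Device, claimant: Device) -> bool:
    """One-way run: claimant sends BD_ADDR, verifier sends the challenge,
    claimant returns its response, verifier checks it."""
    au_rand = verifier.challenge()
    sres = claimant.respond(au_rand)
    return verifier.verify(claimant.bd_addr, sres)


def mutual_authenticate(a: Device, b: Device) -> bool:
    """Mutual authentication is the one-way run in both directions."""
    return authenticate(a, b) and authenticate(b, a)


def replay_rejected(verifier: Device, claimant: Device) -> bool:
    """A response recorded from one session does not satisfy the next one,
    because the verifier issues a new random challenge each time."""
    old_rand = verifier.challenge()
    old_sres = claimant.respond(old_rand)
    first_ok = verifier.verify(claimant.bd_addr, old_sres)
    verifier.challenge()  # next session
    return first_ok and not verifier.verify(claimant.bd_addr, old_sres)


if __name__ == "__main__":
    a, b = Device(BD_ADDR_A, LINK_KEY), Device(BD_ADDR_B, LINK_KEY)
    print("mutual:", mutual_authenticate(a, b))
    print("wrong key:", authenticate(a, Device(BD_ADDR_B, bytes(16))))
    print("replay rejected:", replay_rejected(a, b))
```

A device holding a different link key fails the check even though it presents the right address, which is the property the link key provides; the address alone authenticates nothing.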
2.1.3 Authorization
Authorisation is the process by which a Bluetooth device determines whether another device is allowed access to a particular service. Basically, authorisation incorporates two important Bluetooth security concepts: trust relationships and service security levels. Authorisation depends on authentication, as the authentication process establishes the device identity that is used to determine access. The Bluetooth specification allows three different levels of trust between devices: trusted, untrusted and unknown. If device A has a trusted relationship with device B, then device B is allowed unrestricted access to device A. If device B is untrusted, then device B has been previously authenticated, but its access to services on device A is restricted by service security levels. An unknown device that has not been authenticated is considered untrusted.
Service security levels control access to a device's services on a per-service basis. The first security service level requires both authentication and authorisation in order to grant access to a service. In other words, the identity of the requesting device has to be confirmed and the requesting device has to be granted specific permission to access the service. The second level of service security requires authentication only. At this security level, the identity of the requesting device need only be judged genuine in order to be granted access to the service. The third level requires encryption only. At this level, access to the service will be granted to any device that is encrypting its communications. The last level is open to all devices. An example of a use for this security level would be if a user wanted to grant unrestricted access to a business card stored on the device while restricting access to other, more sensitive services.
2.1.4 Encryption
Bluetooth strives to maintain confidentiality by offering a 128-bit encryption service. By encrypting its transmissions, a Bluetooth device ensures that only a recipient with the proper decryption key can view the data. Bluetooth's encryption uses an algorithm called E0. A device's encryption key is based on its link key. This simplifies the key generation process, as both sender and receiver have shared secret information upon which to key their encryption. Bluetooth's encryption service has three different modes. In mode 1, no encryption is performed. In mode 2, communication with individual devices is encrypted, but broadcast traffic is not. In mode 3, all communications are encrypted. In addition to reducing interference, Bluetooth's limited range and spread-spectrum frequency hopping help to ensure confidentiality by reducing the possibility of eavesdropping. The use of fast frequency hopping, at 1600 hops per second over 79 different channels, represents an important barrier to interception. Since the transmitter dwells on a specific frequency for only 625 microseconds, it is difficult even to detect the presence of a Bluetooth device unless it is in the process of actively paging another device.
Key generation overview: the encryption key is derived from the authentication key and is used for enciphering the data for transmission. This increases the lifetime of the authentication key. The authentication key is also referred to as the link key, to emphasize the importance of this key to a specific Bluetooth link. The authentication procedure requires that both end devices of a link know the current link key. Since link keys are to be kept secret, they cannot be obtained through any inquiry routines. There has to be an initialisation phase, carried out separately for each two units that want to implement authentication and encryption. The steps in initialization are as follows:
1. Generate an initialisation key, Kinit, and use it as the link key. This key is derived from three entities: the device address, a random number issued by the verifier and a PIN code. The PIN can be a fixed number provided with the Bluetooth unit (for example, in devices with no user interface). Alternatively, the PIN can be selected arbitrarily by the user and then entered in both units that have to be matched. The devices authenticate each other using Kinit.
2. The entity authentication uses a challenge-response scheme in which the claimant's knowledge of the secret key is checked using symmetric secret keys.
3. Generation of a link key K.
4. Once the initial authentication is over, the devices decide on a new link key for the future. Each device has a unit key, denoted Ka, which is generated when that device is in operation for the first time. The devices can decide on using one of the unit keys as the link key in future, or can derive a combination key, denoted Kab. Sometimes the same information may need to be distributed securely to several recipients, in which case the serving device decides on a single common link key for all links to the recipients. This key is known as the master key and is denoted Kmaster.
5. Exchange K securely using an encryption key derived from Kinit. The agreed-upon future link key is exchanged between the devices.
6. Generate a new encryption key based on K.
7. For transmitting data, a new encryption key is generated at each end based on the chosen K. A new encryption key is generated for every new session. [13]
2.1.5 Implementation
Bluetooth security implementation is based on a challenge-response system using the passkey (PIN) as the secret key. The Security Manager (key unit) performs the following tasks:
- Stores security related information for all services (Service Database);
- Stores security related information for available devices in range (Device Database);
- Processes access requests by protocol implementations or applications (grants access or denies connection);
- Enforces authentication and/or encryption before a connection can be established;
- Initiates and processes input from a device user (called External Security Control Entity (ESCE), a human operating a device) to set up a trusted relationship;
- Initiates pairing and queries the PIN (PIN entry may be done by an ESCE or an application).
For connection-oriented L2CAP data (set up to connect to the next higher protocol or application) the security check is performed at the onset of the request, while for connectionless data packets the Security Manager checks the Service Database (for services that do not allow connectionless packets) to decide whether the packet will be allowed or denied.
2.2 Key Management
2.2.1 Key Database
To retrieve the correct key upon request from the host or unit, the semi-permanent link keys must be stored in a database. If we use a simple database as shown in the table, no information is given about the semi-permanent key type that is used (i.e. unit or combination). However, a key in the table might be a unit key. Since a unit key is not as secure as a combination key, we might want to enforce a more restricted security policy.
Device Address   Key
10FA487DE52      1B4D5698AE374FDE8390912463DFE3AB
047F6BB427EA     FE729425BC9A95D39132BDE275917823
Table 2.1: Example of Link Key Database
Now we show the information of the table together with the type of the key (i.e. unit or combination). In addition, it is also good to add some redundancy to the database entries so that errors can be detected. [20] The example table with the type-of-key information is (here U = Unit Key and C = Combination Key):
Device Address   Key                                Key Type
10FA487DE52      1B4D5698AE374FDE8390912463DFE3AB   C
047F6BB427EA     FE729425BC9A95D39132BDE275917823   C
A5EE29667190     091827AD41D4E48D29CB8E82615D1849   U
Table 2.2: Link Key Database with Key Information
2.2.2 Corrupted Database
The link key database might for some reason become corrupted. The probability of a corrupted database depends on the type of storage medium and the storage protection mechanisms. If a stored device address is damaged, it might result in a key lookup error. If the corrupted key entry is detected when the unit is about to send an authentication (acting as verifier), the error can be handled internally by the unit. In this case, it should be possible for the user (if desired) to demand a new pairing, and the device will initiate a new pairing and derive a new link key.
2.3 Service Security Levels
Bluetooth specifications include authentication (uni- and bidirectional) and encryption services at the link level using the Link Manager Protocol (LMP). Authentication between a pair of devices is based on a secret link key that is generated by a pairing procedure when the two devices communicate for the first time.
There are three security modes defined:
1. Security Mode 1 (non-secure): No security procedures are performed;
2. Security Mode 2 (service level security): Security procedures are initiated after a channel establishment request has been received at the L2CAP level. Whether a security procedure is initiated or not depends on the service type. Service (or application) level security implementation allows different access policies for different applications which may run in parallel.
3. Security Mode 3 (link level security): Security procedures are performed and authenticated at the LMP level before a channel is created for communication. A Bluetooth device in security mode 3 may reject a host connection request based on host settings.
Services are also classified as:
(1) Services that are open to all devices;
(2) Services that require authentication only;
(3) Services that require both authentication and authorization.
While automatic access is granted only to trusted devices, all other devices need manual authorization. A link may be changed to encrypted mode if required by the service or application.
2.4 Stream Ciphers
Stream ciphers are an important class of encryption algorithms. They encrypt individual characters (usually binary digits) of a plaintext message one at a time, using an encryption transformation which varies with time. By contrast, block ciphers tend to simultaneously encrypt groups of characters of a plaintext message using a fixed encryption transformation. Stream ciphers are generally faster than block ciphers in hardware, and have less complex hardware circuitry. They are also more appropriate, and in some cases mandatory (for example, in some telecommunications applications), when buffering is limited or when characters must be individually processed as they are received. Because they have limited or no error propagation, stream ciphers may also be advantageous in situations where transmission errors are highly probable. There is a vast body of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analysed. However, there are relatively few fully-specified stream cipher algorithms in the open literature. This unfortunate state of affairs can partially be explained by the fact that most stream ciphers used in practice tend to be proprietary and confidential. By contrast, numerous concrete block cipher proposals have been published, some of which have been standardized or placed in the public domain. Nevertheless, because of their significant advantages, stream ciphers are widely used today, and one can expect increasingly more concrete proposals in the coming years.
2.4.1 E0 Stream Cipher
E0 is a so-called autonomous finite state machine. Loaded with an initial state, it moves to a new state and produces one single output bit of the keystream on every clock cycle.
The Bluetooth specification defines the stream cipher algorithm E0 to be used for point-to-point encryption of the packet payload; the access code and the packet header are never encrypted. The E0 additive stream cipher was designed to provide the wireless connections with strong protection against eavesdropping. It is based on a direct design and uses a Bluetooth proprietary algorithm that is inspired by Massey and Rueppel's [27] summation combiner stream cipher. The core of E0 is built around four independent linear feedback shift registers (LFSRs) and a finite state machine (FSM) as the combining circuitry.
Studies show that the E0 stream cipher is weaker than was assumed at its design. But the frequent rekeying in Bluetooth and the rather short generated keystreams keep the system safe from most of the attacks.
2.4.2 Working Of The E0 Stream Cipher Algorithm
In the E0 stream cipher algorithm, keystream bits are added bitwise modulo 2 (XOR) to the data stream to be sent over the air interface. All units in the piconet must be able to read the packet header to see whether the message is for them or not. Therefore, only the payload of each packet is ciphered, separately for each packet, by the cipher algorithm E0. The payload data is ciphered after the CRC bits are appended, but before the optional Forward Error Correction (FEC) encoding.
The E0 stream ciphering process consists of three parts (see Figure 2.3):
a) Initialization: payload key generation. The payload key generator combines the input bits in an appropriate order and shifts them into the four LFSRs of the keystream generator.
b) Main part: keystream bit generation.
c) Encryption and decryption.
FIGURE 2.3 Bluetooth encryption process (figure not reproduced; its initialization labels read: transform Kc to K'c; load K'c, BD_ADDR and the 6-bit constant 111000)
The cipher algorithm E0 uses as input the 48 bits of the master Bluetooth device address (BD_ADDR), 26 bits of the master real-time clock, CLK, and an encryption key $K_C$. By using the 26 bits of the master clock, which toggles every 625 µs, and a reinitialization of the E0 algorithm after each (multi-)packet, frequent changes of the starting state of the keystream generator are assured, which is a key factor in the resistance to attacks. E0 generates a binary keystream $K_{cipher}$ which is added modulo 2 (XOR) to the data to be encrypted. The cipher is symmetric; decryption is performed in exactly the same way using the same key as used for encryption.
The private encryption key ($K_C$) is derived by algorithm $E_3$ from the current link key, a 96-bit Ciphering Offset number (COF), and a 128-bit random number EN_RAND. If the current link key is a master key, COF is set to the concatenation of the master BD_ADDR; otherwise COF is set to the value of the Authenticated Ciphering Offset (ACO) as computed during the authentication procedure.
$K_C = E_3(K_{master}, \mathrm{EN\_RAND}, \mathrm{COF})$
The Bluetooth encryption is a two-level operation. The first level consists of the initialization and the second level performs the actual keystream generation.
Within the first level, the initialization of the E0 algorithm, the encryption key $K_C$ is transformed to an intermediate constraint key $K'_C$:
$K'_C(x) = g_2^{(L)}(x)\,\big(K_C(x) \bmod g_1^{(L)}(x)\big)$
where $\deg(g_1^{(L)}(x)) = 8L$ and $\deg(g_2^{(L)}(x)) \le 128 - 8L$. The values for the polynomials $g_1^{(L)}$ and $g_2^{(L)}$ are collected in a table [28]. The maximum effective size of this key is factory preset and may be set to any number of bytes between one and sixteen (8-128 bits).
This constraint key $K'_C$ is used together with the BD_ADDR and the clock CLK to load the initial values of the four LFSRs (128 bits) and the four memory bits $c_0$ and $c_{-1}$. At the end of the first level, the generator will have generated 200 keystream bits, of which the last 128 bits are fed back into the keystream generator as the initial values of the four LFSRs of the second level. The values of the memory bits $c_0$ and $c_{-1}$ are kept as the initial values for the second level. Further details of the complex initialization and the premixing of the initially loaded key material can be found in the Bluetooth specification document. [28]
After the initialization steps of the first level and the initialization of the second level, a loop is started (steps 2 and 3 in Figure 2.3) until the maximum number of plaintext bits has been encrypted and the generator must be reinitialized, to prevent various kinds of statistical analysis attacks.
The core of the E0 keystream generator consists of four Linear Feedback Shift Registers (LFSRs), with a key of at most 128 bits, and a 4-bit finite state machine, feeding a Summation Combiner Logic (combining circuitry).
Studies show that an LFSR alone is not cryptographically secure, since it is linear. In [26] the use of memory in the combination generator was proposed to achieve nonlinearity in an LFSR system. The finite state machine is used in the Bluetooth system to introduce sufficient nonlinearity to make it difficult to recompute the initial state from observed keystream data.
As is well known, LFSRs can be described by feedback polynomials. The feedback polynomials of the four LFSRs used within E0 are all primitive maximum-length polynomials. This ensures that the period of an LFSR with degree n is $2^n - 1$. The smallest common period of all the Bluetooth LFSRs is the product of the four periods divided by 7:
$P = (P_1 P_2 P_3 P_4)/7 = (2^{25}-1)(2^{31}-1)(2^{33}-1)(2^{39}-1)/7 \approx 2^{125.2}$
The period is divided by 7 since $P_3$ and $P_4$ have 7 as their greatest common divisor. This entire period is never generated by the Bluetooth generator, since it is reinitialized after a maximum of 2745 bits. The total length of the registers is 128. The Hamming weight (the number of "1" bits in a binary sequence) of all the feedback polynomials is chosen to be five, a reasonable trade-off between reducing the number of required XOR gates in the hardware implementation and obtaining good statistical properties of the generated sequences.
LFSR    Degree   Feedback Polynomial                  Output tap   Period length
LFSR1   25       t^25 + t^20 + t^12 + t^8 + 1         24           2^25 - 1
LFSR2   31       t^31 + t^24 + t^16 + t^12 + 1        24           2^31 - 1
LFSR3   33       t^33 + t^28 + t^24 + t^4 + 1         32           2^33 - 1
LFSR4   39       t^39 + t^36 + t^28 + t^4 + 1         32           2^39 - 1
TABLE 2.3. Feedback polynomials of the four LFSRs
The polynomials are in fact maximum-length windmill polynomials [30]. This can be exploited in a hardware or software realization of the LFSR. The windmill polynomials have the property that one can construct a linear sequential machine that, provided it is correctly initialized, for each clock cycle generates four consecutive symbols of the sequence that the normal LFSR would generate.
For each output bit, each LFSR is clocked once, and the outputs of all four LFSRs and the output of the finite state machine are exclusive-or'ed together to form the keystream output. The four LFSR outputs are also summed together to form a 3-bit sum. The upper 2 bits of that sum are used to update the state of the finite state machine (FSM). The least significant bit (LSB) of the sum of the four LFSRs is their bitwise XOR.
During the encryption loop, the following steps are walked through:
a) Output $x_t$ for the four LFSRs
b) Calculate the keystream bit $z_t = f_0(x_t, c_t)$
c) Calculate the encrypted message bit $e_t = z_t \oplus m_t$, where $m_t$ is the corresponding message bit
d) Calculate $S_{t+1} = f_1(x_t, c_t)$
e) Calculate the next FSM state $c_{t+1} = T(S_{t+1}, c_t)$
f) Put memory bits $c_t = c_{t+1}$ of the FSM.
During decryption, the same loop is walked through, but in the third step the calculation is $m_t = z_t \oplus e_t$, where $e_t$ is the corresponding received encrypted bit. The combination generator process is represented in Figure 2.4, where the boxes labelled $z^{-1}$ denote delay elements holding two bits each and the small numbers under the nodes indicate the number of bits passing.
FIGURE 2.4. The E0 keystream generator [29]
The function $f_0$, called the summation combiner, produces an output sequence of 200 bits $z_1, z_2, \ldots$, where $z_t \in GF(2)$. It computes each $z_t$ as the modulo-two sum of the $x_t$ vector and the first bit $c^0_t$ of the current contents of the memory. $x^i_t$ denotes the output from LFSR$_i$ at time t. The output from the LFSR is taken from the shift register taps given in Table 2.3.
$z_t = f_0(x_t, c^0_t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus (c^0_t \bmod 2) \in \{0, 1\}$
The nonlinear function $f_1$ also takes the vector $x_t$ as input, but combined with the latest memory update vector $c_t$. $f_1$ has a 2-bit vector $S_{t+1}$ as output. It is nonlinear since integer addition is nonlinear in GF(2):
$S_{t+1} = (S^1_{t+1}, S^0_{t+1}) = f_1(x_t, c_t) = \left\lfloor \frac{y_t + 2c^1_t + c^0_t}{2} \right\rfloor \in \{0, 1, 2, 3\}$
$y_t = x^1_t + x^2_t + x^3_t + x^4_t \in \{0, 1, 2, 3, 4\}$
The state of the FSM is determined by 4 bits, which are stored in a pair of 2-bit delay elements. At each time t, the lower delay element stores the previous value of the upper element, and we can therefore refer to these 2-bit values as $c_t$ and $c_{t+1}$ respectively. The function T is used to mix these carry bits. It takes the 4 memory bits and $S_{t+1}$ as input and produces the 2-bit vector $c_{t+1}$ to be put in the memory. The new content $c_{t+1}$ of the upper delay element is computed as follows:
$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) = T(S_{t+1}, c_t, c_{t-1}) = T_0(S_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1})$
$c_{t+1}$ defines a linear infinite impulse response (IIR) filter that lowers the correlation factor, an important parameter in the correlation attack. $T_1$ and $T_2$ are two different linear bijections over GF(4), $(x_1, x_0) \to (y_1, y_0)$, where $T_0 = T_1: (x_1, x_0) \to (x_1, x_0)$ and $T_2: (x_1, x_0) \to (x_0, x_1 \oplus x_0)$.
This concludes the description process within the E0 keystream generator.
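The generator described above, as an added example that is not part of the thesis or of the Bluetooth specification: a bit-level model of the level-2 keystream generator built from Table 2.3 and the $f_0$, $f_1$ and $T$ equations, with a check that each register obeys its polynomial's recurrence and an empirical measurement of the $c^0_t \oplus c^0_{t+5}$ correlation that Chapter 3 relies on. The initial register contents (DEMO_STATE) are constructed values, not specification test vectors.

```python
# Added example, not from the thesis or the Bluetooth specification: a bit-level
# model of the E0 level-2 keystream generator built from Table 2.3 and the
# f_0 / f_1 / T equations above, plus an empirical check of the c^0 correlation
# quoted in section 3.2. DEMO_STATE is a constructed value, not a test vector.
from typing import List, Sequence

# (degree, exponents of the feedback polynomial, output tap) from Table 2.3
LFSR_SPEC = (
    (25, (25, 20, 12, 8, 0), 24),
    (31, (31, 24, 16, 12, 0), 24),
    (33, (33, 28, 24, 4, 0), 32),
    (39, (39, 36, 28, 4, 0), 32),
)
# Constructed 25-, 31-, 33- and 39-bit initial register contents (demo only)
DEMO_STATE = (0x1A2B3C4, 0x5E6F7A8B, 0x1C3D5E7F9, 0x1234567890)


class LFSR:
    """Fibonacci LFSR over GF(2). Bit i of `state` holds s_{j+i} at time j, so
    t^n + t^a + ... + 1 gives the recurrence s_{j+n} = s_{j+a} ^ ... ^ s_j."""

    def __init__(self, degree: int, exps: Sequence[int], out_tap: int, state: int):
        self.n, self.out_tap = degree, out_tap
        self.mask = sum(1 << e for e in exps if e != degree)   # lower taps
        self.state = state & ((1 << degree) - 1)
        if self.state == 0:
            raise ValueError("the all-zero state never leaves zero")

    def output(self) -> int:
        return (self.state >> self.out_tap) & 1

    def clock(self) -> None:
        new_bit = bin(self.state & self.mask).count("1") & 1   # XOR of taps
        self.state = (self.state >> 1) | (new_bit << (self.n - 1))


def fsm_next(y_t: int, c_t: int, c_tm1: int) -> int:
    """c_{t+1} = T_0(S_{t+1}) ^ T_1(c_t) ^ T_2(c_{t-1}), 2-bit values as ints
    (c = 2*c^1 + c^0)."""
    s_next = (y_t + c_t) >> 1            # f_1: floor((y_t + 2c^1_t + c^0_t)/2)
    x1, x0 = c_tm1 >> 1, c_tm1 & 1
    t2 = (x0 << 1) | (x1 ^ x0)           # T_2: (x1, x0) -> (x0, x1 ^ x0)
    return s_next ^ c_t ^ t2             # T_0 and T_1 are the identity


class E0Level2:
    """Keystream generator after initialisation: four LFSRs and the 4-bit FSM."""

    def __init__(self, states: Sequence[int], c_t: int = 0, c_tm1: int = 0):
        self.lfsrs = [LFSR(d, e, tap, s)
                      for (d, e, tap), s in zip(LFSR_SPEC, states)]
        self.c_t, self.c_tm1 = c_t & 3, c_tm1 & 3

    def next_bit(self) -> int:
        x = [r.output() for r in self.lfsrs]                  # step a: x_t
        y_t = sum(x)                                          # 3-bit sum, 0..4
        z_t = (y_t & 1) ^ (self.c_t & 1)                      # f_0: parity of x_t, plus c^0_t
        c_next = fsm_next(y_t, self.c_t, self.c_tm1)          # steps d and e
        self.c_tm1, self.c_t = self.c_t, c_next               # step f
        for r in self.lfsrs:
            r.clock()
        return z_t

    def keystream(self, n: int) -> List[int]:
        return [self.next_bit() for _ in range(n)]


def xor_bits(a: Sequence[int], b: Sequence[int]) -> List[int]:
    """Step c: e_t = z_t ^ m_t; decryption is the same operation."""
    return [u ^ v for u, v in zip(a, b)]


def lfsr_obeys_recurrence(index: int, steps: int = 300) -> bool:
    """Check the tap output against the recurrence of its Table 2.3 polynomial."""
    degree, exps, tap = LFSR_SPEC[index]
    reg, seq = LFSR(degree, exps, tap, DEMO_STATE[index]), []
    for _ in range(steps):
        seq.append(reg.output())
        reg.clock()
    lower = [e for e in exps if e != degree]
    return all(seq[j + degree] == sum(seq[j + e] for e in lower) & 1
               for j in range(steps - degree))


def c0_gap5_probability(samples: int = 80000) -> float:
    """Estimate P(c^0_t ^ c^0_{t+5} = 0) over the FSM trace; section 3.2 states
    1/2 + 0.04883 for this correlation."""
    gen, c0 = E0Level2(DEMO_STATE), []
    for _ in range(samples + 5):
        c0.append(gen.c_t & 1)           # c^0_t before the clock at time t
        gen.next_bit()
    return sum(c0[t] == c0[t + 5] for t in range(samples)) / samples


if __name__ == "__main__":
    print("recurrences hold:", all(lfsr_obeys_recurrence(i) for i in range(4)))
    print("P(c0_t ^ c0_t+5 = 0) ~", round(c0_gap5_probability(), 4))
```

Two generators built from the same state and memory bits produce the same keystream, so XORing twice with xor_bits returns the message, which is the symmetry the text describes for decryption.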
Chapter 3
3. BLUETOOTH STREAM CIPHERS ATTACKS
We will discuss the different types of attacks possible on E0 in this section. Although it is difficult to discuss all the attacks in full detail within the scope of this minor thesis, we will describe each type of attack. Some parts of the reviewed attacks are implemented alongside the E0 simulator, as a way to get a better understanding of the working of the attack.
For most attacks it is necessary to remodel the cipher in such a way that the nonlinear part is replaced with a sequence of random variables with some correlation probability. Most of the theoretical attacks on the Bluetooth E0 stream cipher require a far larger amount of consecutive keystream output than is available in a practical environment. By Kerckhoffs' principle, they assume the keystream generator and some keystream bits $Z_t$ are known, and they try to recover the initial state of the LFSRs. [23]
Before we discuss attacks on the E0 stream cipher, it is necessary to add a few definitions and terms which are used throughout the chapter. We consider the field $GF(2^n)$ as a linear space with a given fixed basis. $X_t$ denotes an n-dimensional vector in $GF(2^n)$:
$X_t = (X^1_t, X^2_t, \ldots, X^n_t)$.
The inner product "." between two vectors $v = (v_1, v_2, \ldots, v_n)$ and $w = (w_1, w_2, \ldots, w_n)$ of the space $GF(2^n)$ is defined as:
$v \cdot w = v_1 w_1 \oplus v_2 w_2 \oplus \cdots \oplus v_n w_n$
The linear function $L_u(x)$ is then $L_u(x) = u \cdot x$, $u \in GF(2^n)$.
DEFINITION 1. We say a function $L: GF(2^n) \to GF(2^n)$ is linear if for any vectors v and w in $GF(2^n)$:
$L(v + w) = L(v) + L(w)$
and for any vector v in $GF(2^n)$ and scalar a,
$L(av) = a\,L(v)$
An affine function is just a linear function plus a translation.
DEFINITION 2. We say a function $A: GF(2^m) \to GF(2^n)$ is affine if there is a linear function $L: GF(2^m) \to GF(2^n)$ and a vector b in $GF(2^n)$ such that, for all x in $GF(2^m)$:
$A(x) = L(x) + b$
3.1 Divide-and-conquer, Correlation attack, Hermelin and Nyberg
In [26] Hermelin and Nyberg published a theoretical attack to recover the keystream generator's initial state with a time complexity of $O(2^{64})$ given $O(2^{64})$ known keystream bits (≈2.097.152 TB).
The attack is based on a weak linear correlation between the output of the LFSRs, $V_t = X^1_t \oplus X^2_t \oplus X^3_t \oplus X^4_t$, and the keystream output $Z_t$, used to verify the accuracy of a guess for one of the LFSRs. The sequence $V_t$ is generated by a fictive LFSR, based on the product of the four feedback polynomials from the LFSRs in E0, that is, a feedback polynomial $G(t)$ with degree 128, $G(t) = f_1(t) f_2(t) f_3(t) f_4(t)$. If the attack is successful, the attacker will discover the initial state of this fictive LFSR, from which the initial state of the four original LFSRs of E0 can be computed by solving a set of linear equations in 128 unknown variables.
Hermelin and Nyberg discovered the following correlation in the Bluetooth E0 stream cipher:
$C(Z_t \oplus Z_{t-1} \oplus Z_{t-3},\; V_t \oplus V_{t-1} \oplus V_{t-3}) = 1/16$
where $V_t$ denotes the XORed output of the four LFSRs.
Since the attack of Ekdahl and Johansson is based on the same principles of this attack, but with better computational complexities, we will not analyse this attack in further detail.
3.2 Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson
A theoretical attack by Ekdahl and Johansson [1] describes how the initial state of the keystream generator can be extracted given $O(2^{34})$ known keystream bits (≈2 GB) and a computational complexity of $O(2^{63})$. This attack is also based on a weak linear correlation between the LFSR output and the keystream output, used to verify whether a guess on one of the LFSRs is accurate. The attack remodels the cipher in such a way that the nonlinear part is replaced with a sequence of random variables with some correlation probability. The nonlinear part of the keystream can be found in the memory block $C_t$.
Fluhrer and Lucks [2] discovered the following correlation for $C_t$:
$P(C_t \oplus C_{t-5} = 0) = 1/2 + 0.04883$
for all $t \ge 0$. The attacker observes a keystream $Z_t$ of length N. The attack primarily targets the initial state of the first LFSR, LFSR1. The other three LFSRs can be combined into a single equivalent LFSR. The output from this equivalent LFSR is a sequence $U_t$, $0 \le t \le N - 1$. $C^0_t$ is assumed to be a random noise sequence with correlation $P(C_t \oplus C_{t-5} = 0) = 1/2 + 0.04883$. Now we can remodel E0 into a simplified system as shown in Figure 8.3. With this model, we need to guess the initial state of LFSR1 and add its output, $X_t$, to $Z_t$. If the guess is correct, we can write the resulting sequence as:
$V_t = Z_t + X_t = U_t + C^0_t$ (1)
From the equivalent LFSR of LFSR2, LFSR3 and LFSR4 we get a sequence $u_0, u_1, \ldots, u_{N-1}$ which is a linear (N, l) block code C. In this block code C there are l information symbols, which is equal to the length of the equivalent shift register, the sum of the lengths of LFSR2, LFSR3 and LFSR4. The sequence $u_t$ can be rewritten as a row vector $u = (u_0, u_1, \ldots, u_{N-1})$, and this row vector can then be written as $u = u_0 G$, where $u_0$ is the initial state of the equivalent shift register and G the generator matrix. If we suppose we can find k columns in G such that
$G_{i_1} + G_{i_2} + \cdots + G_{i_k} = 0$, (2)
then we must have $u_{i_1} + u_{i_2} + \cdots + u_{i_k} = 0$ for the sequence $u_t$. Since the block code is cyclic, we can write
$\sum_{i \in I} u_{t+i} = 0$, (3)
for any time index $t \ge 0$, where I is the set of indices in Equation (2). By summing over the indices in I, as indicated by Equation (3), it is possible to remove the influence of $u_t$ in $v_t$ (Equation (1)) and go towards the correlation Equation ().
$v_t = u_t + c_t$ (4)
$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0 + \sum_{i \in I} (c_{t+i} + c_{t+i-5})$ (5)
$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = (c_{t+i_1} + c_{t+i_1-5}) + (c_{t+i_2} + c_{t+i_2-5}) + \cdots + (c_{t+i_k} + c_{t+i_k-5})$ (6)
$P\Big(\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0\Big)$, (7)
$P\big((c_{t+i_1} + c_{t+i_1-5}) + (c_{t+i_2} + c_{t+i_2-5}) + \cdots + (c_{t+i_k} + c_{t+i_k-5}) = 0\big) = 1/2 + 2^{k-1}\varepsilon^k$ (8)
If $v_t$ is sampled at many different time instances according to Equation (6), then, depending on the magnitude of $\varepsilon$ in Equation (8), it is possible to obtain statistical significance if the assumption on the initial state of LFSR1 was good. If LFSR1 was guessed correctly, the correlation in Equation (8) can be detected; otherwise the correlation will not be detectable, since more noise will have been added to the sequence $v_t$ and the sum of Equation (6) will tend to 1/2. The attack requires a length N of the received sequence $z_t$ which depends on two parameters: the value of the highest index in I for Equation (3), and the number of shifts in time, m, in Equation (6). An estimate for the highest index in I is needed since we need to search for a span of $z_t$ such that indices can be found that satisfy Equation (3). A good estimate of the required length of the received sequence in order to find k columns that add up to the all-zero column in the generator matrix from Equation (2) can be made using Theorem 1.
THEOREM 1: Approximately $2^{l/(k-1)}$ columns are required in a random generator matrix G of a cyclic code C to find k columns that add to the all-zero column, where l is the number of rows in G.
To estimate the second parameter, the needed number of samples m: from this section we know we can separate the uniform distribution $P_U(X = 0) = 1/2$ from the indicator distribution $P_{E_0}(X = 0) = 1/2 + 2^{k-1}\varepsilon^k$ using approximately $1/(2^{k-1}\varepsilon^k)^2$ samples. With increasing k, $P_{E_0}(X = 0)$ gets closer to 1/2, and the Chernoff information $C(P_U, P_{E_0})$, a measure of the distance between two probability densities (relatively large Chernoff information means low error probability), decreases. So the required number of samples, m, increases when k increases for a fixed error probability. The total number of columns $w \approx 2^{l/(k-1)}$ in G required to find k columns that add to the all-zero column decreases if k increases. The total number of required keystream bits to observe, N, is the sum N = m + w, so we need to choose k such that we minimize N.
When performing the attack, we count the number of times Equation (6) equals zero, $n_0$, and the number of times it equals one, $n_1$. Thus the number of samples needed, m, equals $m = n_0 + n_1$. To simplify the application of the Neyman-Pearson lemma we replace $2^{k-1}\varepsilon^k$ with $\varepsilon'$. We can now write $P_{E_0} = 1/2 + \varepsilon'$. According to the lemma, we can test between the two hypotheses $H_0: P_U$ and $H_1: P_{E_0}$:
$\dfrac{(1/2)^m}{(1/2 + \varepsilon')^{n_0} (1/2 - \varepsilon')^{n_1}} > T$ (9)
with $T \ge 0$ being the decision threshold.
For this attack, it is desirable to use an unsymmetrical threshold and decrease $P_F$ at the expense of $P_M$; we would like to have $P_F \ll P_M$. In [3] an unsymmetrical threshold of T = 25 was chosen, resulting in $P_M \approx 2^{-4}$ and $P_F \approx 2^{-10}$. It is shown that the value k = 4 is the best choice for attacking LFSR1, since the value of N will then be minimized to $2^{34.6}$.
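The trade-off between m and w, worked through with the section's own formulas (Equation (8), Theorem 1 and the $1/\varepsilon'^2$ sample estimate) as an added example that is not part of the thesis. It assumes $\varepsilon = 0.04883$ and $l = 31 + 33 + 39 = 103$, the length of the equivalent shift register built from LFSR2, LFSR3 and LFSR4.

```python
# Added example, not from the thesis: the data-complexity trade-off of section
# 3.2 worked through with its own formulas. Assumed constants: the C_t
# correlation epsilon = 0.04883 and l = 31 + 33 + 39 = 103 for the equivalent
# LFSR built from LFSR2, LFSR3 and LFSR4.
import math
from typing import Tuple

EPSILON = 0.04883           # P(C_t ^ C_{t-5} = 0) - 1/2
L_EQUIV = 31 + 33 + 39      # information symbols of the equivalent shift register


def piled_bias(eps: float, k: int) -> float:
    """Equation (8): the XOR of k pairs, each biased by eps, has bias 2^(k-1) eps^k."""
    return 2 ** (k - 1) * eps ** k


def columns_needed(l: int, k: int) -> float:
    """Theorem 1: w ~ 2^(l/(k-1)) columns of G until k of them sum to zero."""
    return 2.0 ** (l / (k - 1))


def samples_needed(eps_k: float) -> float:
    """m ~ 1 / eps'^2 samples separate P_U = 1/2 from P_E0 = 1/2 + eps'."""
    return 1.0 / eps_k ** 2


def total_keystream(l: int, eps: float, k: int) -> float:
    """N = m + w: samples for the test plus keystream span for finding the columns."""
    return samples_needed(piled_bias(eps, k)) + columns_needed(l, k)


def best_k(l: int = L_EQUIV, eps: float = EPSILON,
           k_range=range(2, 9)) -> Tuple[int, float]:
    """Return the k minimising N together with log2(N)."""
    k = min(k_range, key=lambda kk: total_keystream(l, eps, kk))
    return k, math.log2(total_keystream(l, eps, k))


if __name__ == "__main__":
    print(" k  log2(m)  log2(w)  log2(N)")
    for k in range(2, 9):
        m = samples_needed(piled_bias(EPSILON, k))
        w = columns_needed(L_EQUIV, k)
        print(f"{k:2d}  {math.log2(m):7.1f}  {math.log2(w):7.1f}  {math.log2(m + w):7.1f}")
    print("best k:", best_k())
```

The minimum lands at k = 4 with N ≈ 2^34.4, close to the 2^34.6 quoted above; the remaining gap is the constant in m, which the text ties to the chosen error probabilities.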
3.3 Faster correlation attack, Y. Lu and S. Vaudenay
Although the faster correlation attack proposed by Yi Lu and Serge Vaudenay in [12] has the best known time complexity, $O(2^{39})$ after $O(2^{37})$ precomputation, it still requires $2^{39}$ consecutive keystream bits (≈64 GB). The attack recovers LFSR1 with a new Maximum Likelihood Decoding (MLD) algorithm by means of the Fast Walsh Transform. This algorithm can speed up a fast correlation attack. The attack applies the concept of convolution to the analysis of the distinguisher based on all known correlations. This allows building an efficient distinguisher that halves the data complexity of the basic uni-bias-based distinguisher.
The approach is similar to the divide-and-conquer attack of Ekdahl and Johansson (section 3.2), but with a decreased time complexity. The correlations used for this attack are:
$P(c^0_t \oplus c^0_{t+1} \oplus c^0_{t+3} \oplus c^0_{t+4} = 1) = 1/2 + \lambda/2$, (10)
$P(c^0_t \oplus c^0_{t+5} = 0) = 1/2 + \lambda/2$, (11)
where $\lambda = 25/256$.
3.4 Guess-and-determine attack, M. O. Saarinen
Markku-Juhani O. Saarinen showed in [4] the first guess-and-determine attack on the Bluetooth keystream generator. This attack consists of guessing the states of the three smallest LFSRs and the finite state machine to derive the contents of the remaining fourth LFSR. Using the observed keystream, the consistency of the assumption is checked against the output from LFSR4. The complexity of this attack is expected to be close to $O(2^{93})$. We will not treat the attack of Saarinen in further detail, since the improved versions of this attack are analysed below.
3.5 Guess-and-determine attack, S.R. Fluhrer and S. Lucks
Scott R. Fluhrer and Stefan Lucks refined the attack of M.O. Saarinen in [2]. This attack recovers the initial state of the shift registers (level 2 of the keystream generator) and reverses the premixing step to recover the session key $K_C$ (level 1 of the keystream generator). The time complexity of the attack is of the order $O(2^{84})$ when 132 keystream bits are available. The time complexity required to reconstruct the level 2 keystream generator (the LFSRs' initial states) is expected to be between $O(2^{72})$ and $O(2^{84})$, dep ending on the amount of known keystream bits. The work effort to reconstruct the level 1 keystream generator is expected to take between $O(2^{81})$ and $O(2^{51})$. Unlike the correlation attack, the algorithm allows the keystream bits to be spread over 83 multiple data packets. The computational complexity can then be improved to the order between $O(2^{76})$ and $O(2^{84})$, depending on the amount of keystream bits available.
The basic approach of guessing the initial states of parts of the cipher and checking consistency stays the same as in Saarinen's attack. But this attack takes advantage of additional relationships within E0 to gain performance. Instead of guessing three LFSRs as in the attack of Saarinen, this attack guesses the initial state of the FSM and the contents of the two shortest LFSRs. A set of linear equations is built up and checked for inconsistencies. The guess is rejected as soon as an inconsistency is found. The idea behind the algorithm used in this attack is that the next-state function of the FSM depends only on the number of LFSRs that output a one. Instead of computing the exact values of the two longest LFSRs, we only have to decide whether their outputs differ or not. The algorithm also takes advantage of the fact that we can efficiently find contradictions in GF(2). The attack derives the initial LFSR settings given 132 bits of keystream output. The initial settings for the FSM contents and LFSR1 and LFSR2 are guessed. By observing the keystream, it is possible to decide whether the XOR of the outputs of LFSR3 and LFSR4 is one or zero, and a set L of linear equations on the LFSR3 and LFSR4 output bits is constructed in a search tree. When enough keystream bits have been analysed, the linear equations implied by the LFSR3 and LFSR4 tap equations can be added to the set L of linear equations. As long as the equations in the set L stay consistent, we can continue to analyse the keystream. If an inconsistency appears, we can backtrack in the tree and try another guess in the different steps.
3.6 Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel
The theoretical attack presented by Christophe De Cannière, Thomas Johansson and Bart Preneel in [5] is based on the attack of Scott Fluhrer [2] described in the preceding section. The time complexity of the attack is of the order $O(2^{76})$ when 1 Mbit of keystream data is available.
The approach for this attack is similar to the attack of Fluhrer and Lucks. But instead of guessing two of the LFSRs' contents and the FSM, only the shortest LFSR and the initial state of the FSM are guessed.
3.7 FBDD-attack, M. Krause
In [6] Matthias Krause proposes an FBDD-attack on the Bluetooth keystream generator. This attack has a time complexity of $O(2^{77})$ while requiring only 128 known keystream bits.
Free Binary Decision Diagrams (FBDD) are data structures for representing and manipulating Boolean functions [7] [8]. An FBDD-attack is a short-keystream attack, where the number of keystream bits needed for computing the secret initial state $x \in \{0,1\}^n$ is at most $cn$ for some constant $c \ge 1$.
The attack exploits that many LFSR-based stream ciphers produce keystream according to the rule $z = C(L(x))$, where $L(x)$ denotes an internal linear bit stream generated by a small number of parallel LFSRs and C denotes some nonlinear compression function. The weakness of LFSR-based keystream generators is that the compressor C has to produce the keystream in an online manner and at high speed. To achieve this, C uses only a small memory and consumes only a few new internal bits for producing the next output bit. These requirements imply that the decision whether an internal bitstream z generates a prefix of a given keystream y via C can be computed by small FBDDs. This allows one to compute dynamically a sequence of FBDDs $P_m$, $m \ge n$, which test for a given initial state $x \in \{0,1\}^n$ whether $C(L_{\le m}(x))$ is a prefix of y, where $L_{\le m}(x)$ denotes the first m bits of the internal linear bitstream generated via L on the secret initial state x.
3.8 Algebraic attack, F. Armknecht
Frederik Armknecht proposed an algebraic attack to reconstruct the initial state of $E_0$ in [9]. This attack is based on a system of nonlinear equations of degree 4, which holds with probability 1 at each clocking. By linearization, the system becomes solvable, assuming that enough independent equations can be collected. The number of possible terms in the linearized system is $T \approx 2^{24.056}$ and, by employing Strassen's algorithm for solving the system of linear equations, the complexity of this approach is concluded to be about $O(2^{67.58})$. In order to get enough independent linear equations, the number of observed keystream bits must be approximately $2^{24.056}$ (≈16 MB). We will explore this attack in more detail.
Theorem 2 makes up the basis of the algebraic attack on the combiner with memory.
THEOREM 2 (Krause, Armknecht, 2003). For each combiner C with k LFSRs and l memory bits, a non-trivial relation $F_C$ of degree $\lceil k(l+1)/2 \rceil$ with
$$0 = F_C(X_t, \ldots, X_{t+l}, z_t, \ldots, z_{t+l})$$
can be constructed. Basically, we are able to transform the equations for the keystream bits z, which depend on the LFSR output bits x and the memory bits c, into a system of equations that does not depend on the memory bits and can be used to find the initial values of the LFSRs.
$$z_t = F(x^1_t, \ldots, x^4_t, c^1_t, \ldots, c^4_t)$$
$$z_t = F\big((x^1_t, \ldots, x^4_t),\; C_t(x^1_1, \ldots, x^4_{t-1}, c^1_1, \ldots, c^4_1)\big)$$
$$z_t = F_t(x_1, \ldots, x_n, c^1_1, \ldots, c^4_1)$$
$$0 = F'(x^1_t, \ldots, x^4_t, x^1_{t+1}, \ldots, x^4_{t+1}, x^1_{t+2}, \ldots, x^4_{t+2}, x^1_{t+3}, \ldots, x^4_{t+3}, z_t, z_{t+1}, z_{t+2}, z_{t+3})$$
$$0 = F'(x_1, \ldots, x_n, z_t, z_{t+1}, z_{t+2}, z_{t+3})$$
For each clock t, the new keystream output $z_t$ is produced and the next memory bits $c^0_{t+1}$ and $c^1_{t+1}$ are computed. We will reformulate this equation to obtain the functions for the individual memory bits $c^0_{t+1}$ and $c^1_{t+1}$:
$$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) \quad (12)$$
$$= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1}) \quad (13)$$
$$= \big(s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1},\; s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1}\big) \quad (14)$$
In this equation we can reformulate $s^1_{t+1}$ and $s^0_{t+1}$ from the equation $y_t = x^1_t + x^2_t + x^3_t + x^4_t$, as stated by F. Armknecht, A Linearisation Attack on the Bluetooth Key Stream Generator, 2002:
$$s_{t+1} = (s^1_{t+1}, s^0_{t+1}) \quad (15)$$
$$= \left\lfloor \frac{x^1_t + x^2_t + x^3_t + x^4_t + 2c^1_t + c^0_t}{2} \right\rfloor \quad (16)$$
$$s^1_{t+1} = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t \quad (17)$$
$$s^0_{t+1} = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \quad (18)$$
where $\Pi_i(t)$ is the XOR over all possible products of degree i in $\{x^1_t, x^2_t, x^3_t, x^4_t\}$:
$$\Pi_1(t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t$$
$$\Pi_2(t) = x^1_t x^2_t \oplus x^1_t x^3_t \oplus x^1_t x^4_t \oplus x^2_t x^3_t \oplus x^2_t x^4_t \oplus x^3_t x^4_t$$
$$\Pi_3(t) = x^1_t x^2_t x^3_t \oplus x^1_t x^2_t x^4_t \oplus x^1_t x^3_t x^4_t \oplus x^2_t x^3_t x^4_t$$
$$\Pi_4(t) = x^1_t x^2_t x^3_t x^4_t$$
which leads to the following equations for the individual bits $c^1_{t+1}$ and $c^0_{t+1}$ (from Equation (14)):
$$c^1_{t+1} = s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1} \quad (19)$$
$$= \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t \oplus c^1_t \oplus c^0_{t-1} \quad (20)$$
$$c^0_{t+1} = s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1} \quad (21)$$
$$= \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \oplus c^1_{t-1} \oplus c^0_t \oplus c^0_{t-1} \quad (22)$$
Now we can define the additional variables A(t) and B(t):
$$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1}$$
$$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1$$
so that Equations (20) and (22) can be simplified to (using the fact that $x^2 = x$ for Boolean variables):
$$c^1_{t+1} = A(t) \oplus B(t)c^1_t \quad (23)$$
$$c^1_{t+1}B(t) = A(t)B(t) \oplus B(t)c^1_t \quad (24)$$
$$0 = B(t)\big(A(t) \oplus c^1_t \oplus c^1_{t+1}\big) \quad (25)$$
and
$$c^0_{t+1} = B(t) \oplus 1 \oplus c^0_{t-1} \oplus c^0_t \oplus c^1_t \oplus c^1_{t-1} \quad (26)$$
$$c^1_t \oplus c^1_{t-1} = B(t) \oplus 1 \oplus c^0_{t-1} \oplus c^0_t \oplus c^0_{t+1} \quad (27)$$
By inserting Equation (27), with index t+1 instead of t, into (25) we get the following equation:
$$0 = B(t)\big(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\big) \quad (28)$$
In this equation we can eliminate all unknown memory bits $c^0_t$ by using the observed keystream $z_t$ and the facts $X^2 = X$ and $X \oplus X = 0$ in GF(2):
$$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$$
$$c^0_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus z_t = \Pi_1(t) \oplus z_t$$
$$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1 = \Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1$$
$$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1} = \Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1}$$
$$0 = B(t)\big(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\big)$$
$$= \big(\Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1\big)\big(\Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1} \oplus \Pi_2(t+1) \oplus \Pi_1(t+1) \oplus \Pi_1(t+1)z_{t+1} \oplus 1 \oplus 1 \oplus \Pi_1(t) \oplus z_t \oplus \Pi_1(t+1) \oplus z_{t+1} \oplus \Pi_1(t+2) \oplus z_{t+2}\big)$$
$$= 1 \oplus z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2} \oplus \Pi_1(t)\big(z_t z_{t+2} \oplus z_t z_{t+1} \oplus z_t z_{t-1} \oplus z_{t-1} \oplus z_{t+1} \oplus z_{t+2} \oplus 1\big) \oplus \Pi_2(t)\big(1 \oplus z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\big) \oplus \Pi_3(t)z_t \oplus \Pi_4(t) \oplus \Pi_1(t-1) \oplus \Pi_1(t-1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t-1)\Pi_2(t) \oplus \Pi_1(t+1)z_{t+1} \oplus \Pi_1(t+1)\Pi_1(t)z_{t+1}(1 \oplus z_t) \oplus \Pi_1(t+1)\Pi_2(t)z_{t+1} \oplus \Pi_2(t+1) \oplus \Pi_2(t+1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_2(t+1)\Pi_2(t) \oplus \Pi_1(t+2) \oplus \Pi_1(t+2)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t+2)\Pi_2(t) \quad (29)$$
This equation has terms of degree at most 4 in the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ (in $\Pi$) and holds for any t. By iterating this equation we can build a system of nonlinear equations (SNE) of degree 4, with the initial values of the four LFSRs unknown. These initial states of the LFSRs have lengths 25, 31, 33 and 39, so the key to recover with the attack has the form:
$$K_0 = (a_0, \ldots, a_{24}, b_0, \ldots, b_{30}, c_0, \ldots, c_{32}, d_0, \ldots, d_{38}) = (k_0, k_1, \ldots, k_{127})$$
Although the long Equation (29) uses the output bits of the LFSRs at clock t, we are able to rewrite the equation in terms of the initial state bits. This is possible since we can construct a linear function $L: GF(2)^n \to GF(2)^n$, where n is the length of the LFSR, which linearly maps the state $K_t$ to $K_{t+1}$, i.e. $K_{t+1} = L(K_t)$ for each clock t:
$$K_1 = L(k_0, k_1, \ldots, k_{127}) = L(K_0)$$
$$K_2 = L(k_1, k_2, \ldots, k_{128}) = L(L(k_0, k_1, \ldots, k_{127})) = L^2(K_0)$$
$$\vdots$$
$$K_t = L(k_{t-1}, k_t, \ldots, k_{t+126}) = L^t(K_0)$$
So we can rewrite Equation (29), following the notation of Theorem 2, as:
$$0 = F(K_0, \ldots, L^3(K_0), z_0, z_1, z_2, z_3)$$
$$0 = F(L(K_0), \ldots, L^4(K_0), z_1, \ldots, z_4)$$
$$0 = F(L^2(K_0), \ldots, L^5(K_0), z_2, \ldots, z_5)$$
$$0 = F(L^3(K_0), \ldots, L^6(K_0), z_3, \ldots, z_6)$$
$$\vdots$$
$$0 = F(L^t(K_0), \ldots, L^{t+3}(K_0), z_t, \ldots, z_{t+3})$$
where F is a multivariate relation of degree at most 4. Since the LFSR output bits $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ can be expressed as linear functions of the initial state bits, only a finite number of different terms can occur. Armknecht found that this limit is $T = 17{,}440{,}047 \approx 2^{24.056}$. This means that we get a system of nonlinear equations with T unknowns. To solve this system we thus need at least T equations, obtained by clocking the system that many times. Through linearization, the system can be solved with Strassen's algorithm in $O(7 \cdot T^{\log_2 7})$ or with the Coppersmith–Winograd algorithm [24] in $O(T^{\omega})$, $\omega \le 2.376$.
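The combiner equations (13)–(18) and the memory-free relation (28)/(29) above, checked in code. This is an added example, not from the thesis or from Armknecht's paper: the four LFSR output bits are replaced by constructed random bits (the relation holds for every input sequence, so the feedback polynomials are not needed), and the initial memory words $c_0$ and $c_{-1}$ are assumed to be zero.

```python
import random
from itertools import combinations


def pi(x, i):
    """Pi_i(t): XOR over all products of degree i of the four LFSR output bits x."""
    acc = 0
    for combo in combinations(x, i):
        prod = 1
        for bit in combo:
            prod &= bit
        acc ^= prod
    return acc


def s_from_sum(x, c):
    """Equation (16): s_{t+1} = floor((x1+x2+x3+x4 + 2*c1 + c0) / 2), returned as (s1, s0)."""
    c1, c0 = c
    s = (sum(x) + 2 * c1 + c0) // 2
    return (s >> 1) & 1, s & 1


def s_closed_form(x, c):
    """Equations (17)/(18): the same two bits written as Boolean polynomials in x and c_t."""
    c1, c0 = c
    s1 = pi(x, 4) ^ (pi(x, 3) & c0) ^ (pi(x, 2) & c1) ^ (pi(x, 1) & c0 & c1)
    s0 = pi(x, 2) ^ (pi(x, 1) & c0) ^ c1
    return s1, s0


def clock(x, c, c_prev):
    """One clock of the E0 combiner: returns (z_t, c_{t+1}).
    c = (c1_t, c0_t), c_prev = (c1_{t-1}, c0_{t-1}); c_{t+1} follows Equation (14)
    and the keystream bit is z_t = x1 ^ x2 ^ x3 ^ x4 ^ c0_t."""
    c1, c0 = c
    p1, p0 = c_prev
    s1, s0 = s_from_sum(x, c)
    z = pi(x, 1) ^ c0
    return z, (s1 ^ c1 ^ p0, s0 ^ c0 ^ p1 ^ p0)


def generate(n, seed=1):
    """Run the combiner for n clocks on constructed random LFSR output bits
    (assumption: zero initial memory). Returns (xs, zs, cs): LFSR bits,
    keystream bits and the memory word c_t at each clock."""
    rng = random.Random(seed)
    xs, zs, cs = [], [], []
    c, c_prev = (0, 0), (0, 0)
    for _ in range(n):
        x = tuple(rng.randrange(2) for _ in range(4))
        z, c_next = clock(x, c, c_prev)
        xs.append(x)
        zs.append(z)
        cs.append(c)
        c, c_prev = c_next, c
    return xs, zs, cs


def relation_28(xs, zs, t):
    """Equation (28) with every memory bit replaced by c0_k = Pi_1(k) ^ z_k, i.e.
    Equation (29) before expansion. Uses only LFSR bits and keystream bits of
    clocks t-1 .. t+2; the value must be 0 for every t."""
    def c0(k):
        return pi(xs[k], 1) ^ zs[k]

    def b(k):
        return pi(xs[k], 2) ^ (pi(xs[k], 1) & c0(k)) ^ 1

    a = pi(xs[t], 4) ^ (pi(xs[t], 3) & c0(t)) ^ c0(t - 1)
    return b(t) & (a ^ b(t + 1) ^ 1 ^ c0(t) ^ c0(t + 1) ^ c0(t + 2))


def check_identities(n=2000, seed=1):
    """Return (closed_form_matches, relation_violations) over n clocks.
    The first should be True and the second 0: the degree-4 relation holds
    with probability 1, which is what makes the linearisation attack possible."""
    xs, zs, cs = generate(n, seed)
    closed_ok = all(s_from_sum(x, c) == s_closed_form(x, c) for x, c in zip(xs, cs))
    violations = sum(relation_28(xs, zs, t) for t in range(1, n - 2))
    return closed_ok, violations


if __name__ == "__main__":
    print(check_identities())
```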
3.9 Fast Algebraic attack, N. Courtois and F. Armknecht
As an extension of the algebraic attack of F. Armknecht, the Fast Algebraic attack enables us to work with equations of lower degree. By reducing the degree of the system of equations, the runtime complexity decreases. The Fast Algebraic attack was introduced by Nicolas Courtois in [10] and Frederik Armknecht [11]. The attack decreases the degree of the system of equations by using linear combinations of equations. Equation (29) can be written in the form:
$$0 = F(L^t(K_0), \ldots, L^{t+3}(K_0), z_t, \ldots, z_{t+3})$$
$$0 = F_1(L^t(K_0), \ldots, L^{t+3}(K_0)) + F_2(L^t(K_0), \ldots, L^{t+3}(K_0), z_t, \ldots, z_{t+3})$$
where $F = (F_1, F_2)$ and $F_1$ and $F_2$ are multivariate relations with a high degree $d_1$ for $F_1$ and a lower degree $d_2$ for $F_2$. The linear combination cancels out the high-degree monomials of degree $\{d_2 + 1, d_2 + 2, \ldots, d_1\}$ that occur in Equation (29). In [25] another approach has been proposed: by using the Fast Fourier Transform (FFT) the complexity of substituting the keystream into the equations can be decreased, resulting in an expected process complexity of $O(2^{49})$. These $2^{49}$ operations can be performed in about 35 hours on a 4 GHz machine. The attack requires $2^{23.4}$ keystream output bits.
Chapter 4
4. HOW DO STREAM CIPHER ATTACKS AFFECT BLUETOOTH SECURITY
4.1 Encryption Revisited:
Encryption can optionally be used once at least one of the two communicating devices has authenticated itself to the other. Either the master or the slave can request encryption. However, encryption itself is always initiated by the master after it has negotiated the necessary parameters with the slave. For this purpose the two devices first of all agree on the length of the key to be used. The master then initiates the encryption process by sending a random number to the slave. The cipher key is computed from the link key, a cipher offset and the random number. Encryption can operate in two ways, point-to-point and point-to-multipoint. Under point-to-point encryption, the authenticated cipher offset of the authentication protocol is used as cipher offset. Under point-to-multipoint encryption, on the other hand, the device address of the master is used as cipher offset. The link key must then be replaced by a master key before encryption can be initiated. A stream cipher is used for encryption (in the standard this is designated $E_0$). For each data packet a new initialisation vector (the message key) is computed from the device address and the Bluetooth clock of the master. The data is only encrypted during transportation by radio. Prior to transmission and after receipt the data is held unencrypted in the two devices. Encryption is thus not end-to-end (i.e. the data is not encrypted from input into device A up until output or processing in device B).
4.2 Problems with Encryption:
Encryption is only optional in Bluetooth and has a number of vulnerabilities:
Security of the stream cipher E0
Although E0 accepts key lengths of 1–16 bytes (8–128 bits), Fluhrer and Lucks have shown that the effective key length does not exceed 73 or 84 bits, depending on the power of the attacker.
The initialisation vector does not depend on the full clock.
Every data packet transmitted is encrypted using a new initialisation vector. This is computed from the master's clock amongst other things. However, the highest-value bit of the clock is "forgotten", so that even when encryption is used, man-in-the-middle attacks are possible.
Encrypted data can be manipulated.
Even if strong encryption is used, data can still be manipulated during transmission. The characteristics of stream ciphers allow the data intercepted in a man-in-the-middle attack to be deliberately altered as long as some of the plaintext is known. Thus it is possible, for example, to deliberately manipulate IP headers.
4.3 Effect Of Divide-and-Conquer, Correlation Attack
In a Divide-and-Conquer attack, a part of the key is guessed and this constraint on the keystream may make it possible to determine the rest of the key faster; hence it is a challenge to the Bluetooth encryption. This attack is mostly combined with a correlation attack to determine the rest of the key. A correlation attack is a widely applicable type of attack which might be used with success on generators which attempt to combine the output from several (cryptographically weak) keystream generators.
A correlation attack exploits the weakness in some combining function which allows information about individual input sequences to be observed in the output sequence. In such a case, there is a correlation between the output sequence and one of the (internal) input sequences. This correlation can be used to extract information about the correlated input sequences. In the simplest case, a correlation means that the output is equal to one of the input variables with a probability not equal to 0.5. Siegenthaler showed in his paper [31] that a smaller linear complexity of the output sequence means greater correlation immunity. As a protection against these correlation attacks, Rueppel introduced in [27] the idea of a combining function with memory, which makes it possible to attain maximum-order correlation immunity and maximum linear complexity simultaneously, separating the notions of correlation immunity and linear complexity.
4.4 Effect Of Faster Correlation Attack
The fast correlation attack is based on using certain parity check equations created from the feedback polynomial of the LFSR. The attack assumes that there is a correlation between one shift register of the LFSR and the output keystream $z_t$: $P(s^1_t = z_t) = p = 1/2 + \varepsilon$, $t \ge 0$. Meier and Staffelbach saw this as if the sequence from LFSR1 was transmitted over a Binary Symmetric Channel (BSC) with crossover probability $1 - p$, i.e. the BSC transmits the symbol correctly with probability p. The combined effect of the other shift registers and the nonlinear combiner is modelled as the BSC. Since the feedback polynomial of LFSR1 is linear, each $s_t$ for different t must satisfy a number of linear equations, based on how many taps the feedback polynomial has and where the taps are located. If the correlation between $s_t$ and $z_t$ is high enough, most of the corresponding symbols in the keystream $z_t$ must also fulfil these linear equations. So, by attempting to slightly modify the sequence $z_t$ to compensate for a possible crossover in the BSC model, Meier and Staffelbach showed that the sequence $s = s^0_1, s^1_1, \ldots, s^N_1$ can be recovered, and thus the initial state of the shift register. This is again a risk for the Bluetooth encryption process. The drawback of this algorithm is that it is only successful if the feedback polynomial has very few terms, which corresponds to an LFSR with few taps. The idea of a communication channel was reconsidered by Johansson and Jönsson in [32], where they identified an embedded convolutional code in the sequences and could apply standard decoding techniques, e.g. the Viterbi algorithm, to recover the initial state even if the correlation probability was very close to 0.5. Typically, a shift register of length 40 with a correlation probability of 0.45 can be attacked with modest computational effort. This algorithm is independent of the number of taps of the feedback polynomial.
4.5 Effect Of Guess-And-Determine Attack
In this attack we start by guessing some internal variables of the cipher (e.g. a part of the LFSR) and then try to determine the other variables based on the observed keystream and the evolution of the cipher in time. If our guess is correct, we can confirm it by running the cipher for some time and matching the output of our trial generator with the observed sequence. If our guess is false, we simply make a new guess and start over again. The time complexity of such an attack is $O(2^b)$, where b is the number of bits we have to guess, since in the worst case we have to try all possible combinations of the guessed bits. The difficult part of this attack is to discover which part of the state space should be guessed in order to obtain the rest. In this type of attack, then, the Bluetooth encryption cycle is attacked by guessing internal variables of the cipher, that is, part of the LFSR state.
4.6 Effect Of Algebraic Attack
Algebraic attacks are based on a technique called relinearization, introduced by Kipnis and Shamir in [33]. In most cases, the generated keystream can be described by a complex system of multivariate polynomial equations with the key bits as the indeterminates.
The general idea behind algebraic attacks is to form (nonlinear) equations consisting of the observable keystream bits $z_t$ for all clock ticks t, and the initial secret key bits of the LFSRs as unknowns. The precomputation of these equations needs to be performed only once; the attacker can use the same equations for attacking different keystreams. Once the equations are set up, the attacker has to observe the keystream and substitute these keystream bits into the algebraic equations. Now the equations depend only on the initial secret LFSR key bits. The equations have to be solved to determine the value of the LFSR initialization keys. This is possible if sufficient equations can be constructed from the observed keystream and the equations are of low degree in the bits of the initialization keys. To solve a system of nonlinear equations, we have to linearize the equations. This can be done by assigning a new unknown variable to each monomial term that appears in the system. If the same monomial appears in a distinct equation, the same variable is assigned. This results in a system of linear equations with a large number of unknown variables. Since the complexity of algebraic attacks is exponential in the degree of the equations, a way of reducing the degree of the equations was needed. Courtois [10] introduced a method to achieve this in his Fast Algebraic attacks. His method requires an additional precomputation step to determine a linear combination of equations in the initial system of the algebraic attack. This linear combination can cancel out terms of high degree, making it easier to solve the system of equations. His approach is based on the fact that we can multiply the multivariate polynomial by another multivariate polynomial such that the product is of lower degree in the initial state bit variables. Courtois proposes to use the Berlekamp-Massey algorithm to determine the linear combination for the precomputation step. The algorithm finds the minimal polynomial of a linear recurrent sequence. These attacks thus target the Bluetooth encryption process by forming algebraic equations based on the observable keystream $z_t$.
Chapter 5
5. CONCLUSION
5.1 Analysis And Conclusion
We conclude this thesis by analysing the E0 encryption algorithm on the basis of all the possible attacks on the E0 stream cipher discussed in the previous chapters. We have tried to cover all the low-level security features supported by the Bluetooth specifications. But still we have kept stream ciphers as the main topic of discussion, and further we have discussed encryption, the pairing procedure and authentication in full detail.
The study covered an in depth analysis of the E _{0} encryption algorithm. We did not only cover the complete functionality of the E _{0} system, we also analysed many of the recent attacks. The most important attacks on the E _{0} encryption system include the correlation attacks and the algebraic attacks.
Encryption is one of the most important security mechanisms; it protects the transfer of data between two communicating wireless devices, in the present case Bluetooth devices. Bluetooth uses E0 encryption, which is discussed in detail in the previous chapters. We have taken into consideration all the possible attacks, such as the correlation attacks, which are based on a presumed correlation between the input and output bits. The algebraic attacks exploit the fact that the output bits can be expressed with an algebraic relation in terms of the initial state bits. The best attacks currently known are the fast algebraic attack of Armknecht [11] and Courtois [10] and the fast correlation attack of Lu and Vaudenay [12]. We have seen that this attack can recover the initial state of the LFSRs and FSM in a known plaintext attack with approximately $2^{39}$ keystream bits and a time complexity of approximately $O(2^{39})$, and therefore it becomes possible for the intruder to decipher the text and hence break the Bluetooth security mechanism. But in the light of the present scenario we can say that currently there is no attack known that breaks the complete encryption procedure, and hence the security mechanism of the Bluetooth security architecture, with reasonable effort and practically available keystream bits. However, the security margin is insufficient to feel comfortable about the years to come. Since the research on the attacks continues actively, future attacks may succeed in reducing the cryptanalytic workload to a practical level.
After this research we may conclude that there are a lot of security problems with Bluetooth; the most important are related to encryption, which is protected by the E0 encryption algorithm. But still, Bluetooth can be seen as quite safe for its intended usage. For a practical multifunctional protocol such as Bluetooth, many considerations must be made to find a good balance between functionality, user-friendliness, speed and security. The active research on this topic will help enhance the Bluetooth system in future versions.
References
[1] P. Ekdahl, T. Johansson, "Some results on correlations in the Bluetooth stream cipher", Abstract, Proceedings of the 10th Joint Conference on Communications and Coding, Obertauern, Austria, 2000.
[2] S.R. Fluhrer and S. Lucks, "Analysis of the E0 encryption system", 2001, pp. 38–48.
[3] P. Ekdahl, "On LFSR based Stream Ciphers – Analysis and Design", Ph.D. Thesis, Lund University, 2003.
[4] M.J. Saarinen, "Bluetooth und E0", 2000.
[5] C. De Cannière, T. Johansson, B. Preneel, "Cryptanalysis of the Bluetooth Stream Cipher", Internal Report, November 2001.
[6] M. Krause, "BDD-based Cryptanalysis of Keystream Generators", Cryptology ePrint Archive, Report 2001/092, 2001.
[7] J. Gergov and Ch. Meinel, "Efficient Boolean function manipulation with OBDDs can be generalized to FBDDs", IEEE Trans. on Computers, Vol. 43, pp. 1197–1209, 1994.
[8] D. Sieling, "Graph driven BDDs – a new data structure for Boolean functions", Theoretical Computer Science 141(1–2), pp. 283–310, Elsevier, 1995.
[9] F. Armknecht, "A linearization attack on the Bluetooth key stream generator", posted on ePrint in December 2002.
[10] N. Courtois, "Fast Algebraic Attacks on Stream Ciphers with Linear Feedback", Crypto 2003, LNCS 2729, pp. 177–194, Springer.
[11] F. Armknecht, "On Fast Algebraic Attacks", talk at the 9th Estonian Winter School in Computer Science, Palmse, Estonia, March 2004.
[12] Y. Lu and S. Vaudenay, "Faster Correlation Attack on Bluetooth Keystream Generator E0", M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 407–425, 2004.
[13] Term paper on Bluetooth security, May 2006, http://netlab.cs.iitm.ernet.in/cs650/2006/TermPapers/siddeshkarra.pdf
[14] N. Mavrogiannopoulos, "On Bluetooth Security", December 16, 2005, available from http://members.hellug.gr/nmav/papers/other/Bluetooth%20security.pdf
[15] Cybertrust, "Article on Bluetooth security", updated June 2005, available from http://www.cybertrust.com/media/white_papers/cybertrust_wp_blue.pdf
[16] Netsec, "Article on Bluetooth security", July 2005, available from http://www.netsec.net/content/securitybrief/archive/200507_Bluetooth.pdf
[17] A. Grimm, Matsushita Electronic, "Presentation on security aspects on wireless Bluetooth applications", available from http://www.holtmann.org/papers/bluetooth/saimba_english.pdf
[18] Bundesamt für Sicherheit in der Informationstechnik, "Article on Bluetooth threats and security measures", 2003, available from http://www.bsi.de/english/publications/brosch/B05_bluetooth.pdf
[19] Bluetooth security notes by the University of Western Australia, available at http://www.ucs.uwa.edu.au/ data/page/5183/bluetooth_security.pdf
[20] T. Muller, "Bluetooth Security white paper 1.C.116/1.0", July 1999, available from http://www.bluetooth.com/NR/rdonlyres/C222A81E-D9F9-48CA-91DE-9C81F5C8B94F/0/Security_Architecture.pdf
[21] Bluetooth protocol stack, available from http://www.bluetooth.com/NR/rdonlyres/7F6DEA50-05CC-4A8D-B87B-F5AA02AD78EF/0/Protocol_Architecture.pdf
[22] Bluetooth Special Interest Group, "Specification of the Bluetooth system: Core package version 2.0 + EDR", 2004, available from http://www.bluetooth.org.
[23] S. Janssens, Master of Applied Computer Science thesis, 2004–2005, http://student.vub.ac.be/~sijansse/2e%20lic/BT/Thesis/Thesis.pdf
[24] D. Coppersmith, H. Krawczyk and Y. Mansour, "The shrinking generator", Advances in Cryptology – Proc. Crypto'93, Lecture Notes in Computer Science 773, pp. 22–39, Springer-Verlag, 1994.
[25] P. Hawkes and G.G. Rose, "Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers", Advances in Cryptology – CRYPTO 2004.
[26] M. Hermelin and K. Nyberg, "Correlation properties of the Bluetooth combiner", Proceedings of the 2nd International Conference on Information Security and Cryptology, pp. 17–29, 1999.
[27] R.A. Rueppel, "Correlation immunity and the summation combiner", Advances in Cryptology – Crypto'85, Proceedings, pp. 260–272, Springer-Verlag, 1986.
[28] Bluetooth Special Interest Group (SIG), "The Bluetooth core specification version 1.2", November 2003, http://www.bluetooth.org.
[29] S.R. Fluhrer and S. Lucks, "Analysis of the E0 Encryption System", Selected Areas in Cryptography – SAC 2001, Lecture Notes in Computer Science