
Introduction

 Bluetooth is a wireless protocol using short-range
communications technology to transmit data over short
distances between fixed and mobile devices, creating
wireless personal area networks (PANs).
 Bluetooth uses a radio technology called frequency
hopping spread spectrum.
 It chops up the data being sent and transmits chunks
of it on up to 79 different frequencies.
Communication and Connection
 A master Bluetooth device can communicate with up to
seven devices.
 This network group of up to eight devices is called a
Piconet.
 A Piconet is an ad-hoc computer network, using Bluetooth
technology protocols to allow one master device to
interconnect with up to seven active devices.
 Up to 255 further devices can be inactive, or parked, which
the master device can bring into active status at any time.
 At any given time, data can be transferred between the
master and one other device.
Communication and Connection
 The Bluetooth specification allows connecting two or
more piconets together to form a scatternet, with some
devices acting as a bridge by simultaneously playing
the master role in one piconet and the slave role in
another.
 Peak transmission rate is 1 Mbps.
Communication and Connection
Bluetooth Channels
 The piconet channel is represented by a pseudo-random
hopping sequence (through 79/23 RF frequencies)
 The hopping sequence is unique for the piconet and is
determined by the device address of the master of the
piconet.
 The phase is determined by the master clock.
 The channel is divided into time slots of 625 microseconds each.
 Each slot corresponds to a different hop frequency.
 Time Division Duplex - master and slave alternately
transmit/listen.
 Packet start aligned with slot start
Bluetooth Channels
[Figure: timeline of one piconet channel. The master (m) and slave (s1) alternate 625 microsecond slots, each slot on a different hop frequency (f1, f2, f3, f4).]
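The slot and hop behaviour described above, as an added example that is not part of the original slides: the real hop selection kernel is replaced by a labelled SHA-256 stand-in (seeded, as the slides say, by the master's BD_ADDR with the phase from the master clock), master transmits in even slots and slave in odd slots (TDD), and a 3- or 5-slot packet stays on the frequency of its first slot (a Baseband rule assumed here, not stated on the slides).

```python
import hashlib

SLOT_US = 625                                # slot length given on the slide
CHANNELS_79 = [2402 + k for k in range(79)]  # 79-channel set, f = 2402 + k MHz, k = 0..78

def hop_sequence(master_bd_addr: bytes, master_clock: int, n_slots: int) -> list:
    """Stand-in for the Bluetooth hop selection kernel (NOT the real algorithm).
    As on the slide, the sequence is a function of the master's BD_ADDR (unique per
    piconet) and its phase is set by the master clock; here a SHA-256 of both picks
    one of the 79 channels for every slot."""
    if len(master_bd_addr) != 6:
        raise ValueError("BD_ADDR is 48 bits (6 octets)")
    hops = []
    for slot in range(n_slots):
        clk = master_clock + 2 * slot        # master clock advances 2 ticks (2 x 312.5 us) per slot
        digest = hashlib.sha256(master_bd_addr + clk.to_bytes(4, "big")).digest()
        hops.append(CHANNELS_79[int.from_bytes(digest[:2], "big") % 79])
    return hops

def slot_schedule(master_bd_addr: bytes, master_clock: int, packet_slots: list) -> list:
    """Lay consecutive packets onto the TDD channel.
    packet_slots lists each packet's length in slots (1, 3 or 5, as in the ACL
    column of the packet slide). Master transmits in even slots, slave in odd
    ones. A multi-slot packet is sent entirely on the hop frequency of its first
    slot and hopping resumes afterwards as if single-slot packets had been sent
    (Baseband rule, assumed here; not stated on the slides)."""
    hops = hop_sequence(master_bd_addr, master_clock, sum(packet_slots))
    schedule, slot = [], 0
    for length in packet_slots:
        if length not in (1, 3, 5):
            raise ValueError("Baseband packets occupy 1, 3 or 5 slots")
        schedule.append({
            "slot": slot,
            "t_us": slot * SLOT_US,          # packet start aligned with slot start
            "tx": "master" if slot % 2 == 0 else "slave",
            "slots": length,
            "freq_mhz": hops[slot],          # frequency of the packet's first slot
        })
        slot += length
    return schedule

if __name__ == "__main__":
    MASTER = bytes.fromhex("001122334455")   # constructed sample master address
    for entry in slot_schedule(MASTER, master_clock=0x1234, packet_slots=[1, 1, 3, 1]):
        print(entry)
```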
Physical Link
 Synchronous Connection Oriented (SCO) Link:
 symmetric point-to-point link between M and S
 reserved 2 consecutive slots at regular intervals
 master can support up to 3 simultaneous SCO links
 mainly for audio/voice
 never retransmitted
 Asynchronous Connection-less (ACL) Link
 symmetric/asymmetric
 point-to-multipoint between master and all slaves
 on a per-slot basis (polling scheme for control)
 only one ACL link per piconet
 packets retransmitted (ARQ)
Packets
 All data on the piconet channel is conveyed in
packets
 3 packet types are defined for the Baseband layer
 Control packets (ID, NULL, FHS, POLL)
 Voice packets (SCO)
 Data packets (ACL)
 Packet format - (68/72 bits) Access Code, (54 bits)
Header, (0-2745 bits) Payload.
Packets
[Figure: packet layout = Access code | Header | Payload]
                     SCO (voice)                            ACL (data: header + CRC)
 Slot length         Single-slot packets                    1/3/5 slot packets
 Rate/protection     64 kbps; unprotected, 1/3 or 2/3 FEC   Unprotected or 2/3 FEC
 Retransmission      Never retransmitted                    ARQ scheme: retransmit lost data pkts
 Coding              Robust CVSD encoding used              -
Bluetooth Address
 Bluetooth Device Address (BD_ADDR)
 Unique 48 bit address
 MAC address of the Bluetooth device
 Active Member Address (AM_ADDR)
 3 bit address to identify an active slave in a piconet
 All 0 is the broadcast address
 Parked Member Address (PM_ADDR)
 8 bit parked slave address
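The 54-bit header from the packet slide and the 3-bit AM_ADDR (all zeros = broadcast) above, as an added example that is not part of the original slides. It encodes and decodes the Baseband header: 18 information bits, each sent three times (rate-1/3 FEC), recovered by majority vote. The field layout (AM_ADDR 3, TYPE 4, FLOW 1, ARQN 1, SEQN 1, HEC 8, LSB first) is assumed from the Baseband spec; the HEC is carried but not verified.

```python
# Baseband packet header: 18 information bits, each repeated three times (1/3 FEC)
# to give the 54-bit header from the packet slide. Bits are listed LSB first, in
# the order they go on air. Field layout is taken from the Baseband spec (assumed).
HEADER_FIELDS = [("am_addr", 3), ("type", 4), ("flow", 1), ("arqn", 1), ("seqn", 1), ("hec", 8)]
HEADER_BITS = sum(width for _, width in HEADER_FIELDS)   # 18

def fec13_encode(bits: list) -> list:
    """Rate-1/3 repetition code: every information bit is sent three times."""
    return [b for b in bits for _ in range(3)]

def fec13_decode(coded: list) -> tuple:
    """Majority-vote each triple; returns (info bits, number of bit errors corrected).
    One flipped bit per triple is corrected; two flips in one triple are not."""
    if len(coded) != 3 * HEADER_BITS:
        raise ValueError("header must be 54 coded bits")
    info, corrected = [], 0
    for i in range(0, len(coded), 3):
        triple = coded[i:i + 3]
        vote = 1 if sum(triple) >= 2 else 0
        corrected += sum(1 for b in triple if b != vote)
        info.append(vote)
    return info, corrected

def encode_header(am_addr: int, ptype: int, flow: int, arqn: int, seqn: int, hec: int) -> list:
    """Build the 54 on-air header bits from the field values."""
    values = (am_addr, ptype, flow, arqn, seqn, hec)
    bits = []
    for value, (name, width) in zip(values, HEADER_FIELDS):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        bits += [(value >> i) & 1 for i in range(width)]     # LSB first
    return fec13_encode(bits)

def decode_header(coded: list) -> dict:
    """Correct the FEC and split the header into its fields."""
    info, corrected = fec13_decode(coded)
    fields, pos = {}, 0
    for name, width in HEADER_FIELDS:
        fields[name] = sum(info[pos + i] << i for i in range(width))
        pos += width
    fields["broadcast"] = fields["am_addr"] == 0   # AM_ADDR 0 is the broadcast address
    fields["corrected_bits"] = corrected            # HEC is not verified in this example
    return fields
```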
Setting up Connection
 Any Bluetooth device will transmit the following
information on demand:
 Device name.
 Device class.
 List of services.
 Technical information, for example, device features,
manufacturer, Bluetooth specification used, clock offset.
Bluetooth Architecture
 Bluetooth is both a hardware-based radio system and a
software stack that specifies the linkages between
layers.
 In this section, you’ll learn about:
 The Bluetooth protocol stack. The protocol stack is
the core of the Bluetooth specification that defines how
the technology works.
 The Bluetooth profiles. The profiles define how to use
Bluetooth technology to accomplish specific tasks.
Bluetooth Architecture
 Lower Layer
 Radio Layer
 Responsible for modulation/demodulation
 Defines the physical characteristics
 Baseband or Link Controller Layer
 Responsible for properly formatting data for transmission.
 Handles synchronization of the link
 Link Manager Protocol
 Translates HCI commands into baseband level operations
 Responsible for establishing and maintaining links and managing power
change requests.
 Host Controller Interface (HCI)
 Acts as the boundary between the lower-layer protocol stack and the upper layers
Bluetooth Architecture
 Upper Layer
 L2CAP (Logical Link Control and Adaptation Protocol)
layer:
 Establishing connections across existing ACL links or requesting an
ACL link if one does not already exist.
 Multiplexing between different higher layer protocols, such as
RFCOMM and SDP, to allow many different applications to use a
single ACL link.
 Repackaging the data packets it receives from the higher layers into
the form expected by the lower layers.
 RFCOMM (Radio frequency communications) layer:
 It connects to the lower layers of the Bluetooth protocol stack
through the L2CAP layer.
 RFCOMM is the cable replacement protocol used to create a virtual
serial data stream.
 RFCOMM provides a simple reliable data stream to the user, similar
to TCP.
Bluetooth Architecture
 Upper Layer
 SDP (Service Discovery Protocol):
 It defines actions for both servers and clients of Bluetooth services.
 Used to allow devices to discover what services each other support,
and what parameters to use to connect to them.
 OBEX (object exchange):
 It is a transfer protocol that defines data objects and a
communication protocol two devices can use to easily exchange
those objects.
 Telephony Control protocol-Binary (TCS-Bin):
 It is a bit-oriented protocol.
 It defines the call control signaling for the establishment of voice and
data calls between Bluetooth devices.
 TCS-Bin also defines mobility management procedures for handling
groups of Bluetooth TCS devices.
Connection Establishment
 Two-step process:
 Inquiry: to get the device address.
 Paging: for synchronization.
Connection Establishment: Inquiry
 No master and slaves at this point
[Exchange between Device A (in Inquiry) and Device B (in Inquiry Scan):]
 Device A sends an Inquiry packet.
 Device B answers with an FHS packet (Inquiry Response).
Connection Establishment: Paging
[Exchange between Master (in Page) and Slave (in Page Scan):]
 Master sends a Page packet.
 Slave answers with an ID packet (Slave Page Response).
 Master sends an FHS packet (Master Page Response); the slave uses the FHS to get the
CAC and clock info, and the master assigns the active member address.
 Slave answers with an ID packet.
 Master sends POLL; slave answers NULL.
 Both sides are now Connected.
Connection Establishment Time
            Inquiry     Paging      (then Connected)
 Typical    5.12 s      0.64 s
 Max        15.36 s     7.38 s

Connection Modes
 Active Mode:
 Device actively participates on the piconet channel
Power Saving modes
 Sniff Mode:
 Slave device listens to the piconet at a reduced rate.
 Least power efficient.
 Hold Mode:
 The ACL link to the slave is put on hold.
 SCO links are still supported.
 Frees capacity for inquiry, paging, participation in another piconet.
 Park Mode:
 The slave gives up its active member address.
 But remains synchronized (beacon channel).
 Listens to broadcasts.
 Most power efficient.
Bluetooth security
 First, the transmitters use the lowest power required
for their data to be received. This means that intruder
nodes farther away from the transmitter than the intended
receiver find the signal to be weak at best.
 Channel hopping provides additional protection,
making it difficult to snoop on the data stream. The fast
rate of hopping makes it hard for a casual observer to
“sniff” the data stream off of one channel or guess the
hopping sequence.
 Data are protected by the optional use of encryption.
The encryption algorithm is, essentially, a stream cipher
that XORs the data stream with a stream of numbers
from a pseudorandom-number generator (PRNG)
seeded by an encryption key. The keys are created and
distributed by a key exchange algorithm.
 Finally, nodes can perform authentication and
authorization to verify the identity and access of both
parties that are communicating.
Bluetooth Security Modes
 Bluetooth defines three modes of security for devices:
 non secure,
 service level enforced security, and
 link-level enforced security.
 Non-secure. A device in the non-secure mode does not initiate
any security procedure. This is intended for public use devices,
such as a walk-up printer.
 Service-level enforced security. A device in the service-level
enforced security mode permits access to itself depending on the
service request. For example, a PC may allow a user to download
files to it but does not allow its own files to be read.
 Link-level enforced security. A device in the link-level enforced
security mode requires authentication and authorization for use,
e.g., cell phones.
Security Mechanisms
 Bluetooth uses encryption and link-layer keys.
Encryption keys protect the data in a session,
whereas link-layer keys provide authentication
and serve as a parameter when deriving the
encryption keys.
 Link-layer key lifetimes are either semi-permanent or
temporary.
 Semi-permanent keys can be used after the current
session to authenticate Bluetooth devices.
 Temporary keys can be used only during the current
session; they are often used in point-to-multipoint
communication in which the same information is
transmitted to several recipients.
Four entities are used for link-layer security:
 A 48-bit publicly available device address, fixed and
unique for each device
 A 128-bit pseudorandom private key for authentication.
 An 8- to 128-bit private key for encryption.
 A 128-bit pseudorandom number generated by the
device
The four basic types of link-layer keys used in Bluetooth
security are:
 The initialization key is used as a link-layer key when there
are not yet any unit or combination keys. This key is used
only during installation and typically requires the user to
enter a personal identification number (PIN) on the unit.
 The unit key is generated in each device when the device is
installed and is stored in nonvolatile memory and (almost)
never changed.
 The combination key is derived from information from
two devices that communicate with each other. A different
combination key is generated for each pair of
communicating devices.
 The master key is a temporary key that replaces the
current link-layer key. It can be used when the master
device wants to transmit to multiple recipients at once.
Initialization Key
 The security layer uses the initialization key to form a
secure channel to exchange the other link-layer keys.
 It is derived with the E22 algorithm from:
 a PIN code, which varies from 1 to 16 octets (8 to 128
bits),
 the (fixed) Bluetooth device address (48 bits), and
 a random 128-bit number.
 The strength of the initialization key lies in the length
of the PIN, which can be entered manually into each
device or stored. The initialization key is used only for
key exchange during the generation of the other link-
layer keys and is discarded after the key exchange.
Unit Key
 The unit key is associated with the device. It is 128 bits
and is generated with the E21 algorithm using the
Bluetooth device address and a random number, both
128 bits long.
 The device creates the key the first time it is operated,
stores the unit key in nonvolatile memory, and rarely
changes it.
 Devices can choose whose unit key to use. This is
particularly useful if one device has limited memory
and cannot store extra keys.
Combination Key
 The combination key allows two devices to
communicate with each other securely. This key is
generated during the initialization process if it is
needed by both devices concurrently.
 The two devices, A and B, each compute a number,
LK_KA and LK_KB, respectively. Each node computes
this number using the E21 algorithm, which takes a
random number and the Bluetooth device address
(a fixed 48-bit number) as input.
 The two devices then securely exchange the random
numbers they used by XORing the number with the
current link-layer key (which is the initialization key)
and transmitting the result to the other device. Each
device extracts the random number by XORing it with
the current link-layer key.
Master Key
 The master key is the only temporary key. The master
device generates it using the E22 algorithm with two
128-bit random numbers.
 A random number is sent to slaves, which use it and
the current link-layer key to generate an overlay.
 The master key is XORed with the overlay by the
master and sent to the slaves, which can extract the
master key from it. This procedure must be done for
each slave.
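The combination-key exchange and the master-key distribution described on the last two slides, as one added example that is not part of the original slides. E21 and E22 (SAFER+ based in the real specification) are replaced by labelled HMAC-SHA256 stand-ins so the exchange can be run; the final combination key being E21(rand_A, addr_A) XOR E21(rand_B, addr_B) is taken from the Baseband spec and is an assumption not stated on the slides. Note that the only secret input to the initialization key is the PIN, which is why the slide ties its strength to PIN length.

```python
import hmac, hashlib

def xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def e21(rand: bytes, bd_addr: bytes) -> bytes:
    """Stand-in for E21: 128-bit key from a random number and a 48-bit device address.
    HMAC-SHA256 truncated to 16 bytes is used here only so the exchange runs;
    it is NOT the Bluetooth algorithm (which is SAFER+ based)."""
    return hmac.new(rand, b"E21" + bd_addr, hashlib.sha256).digest()[:16]

def e22(key: bytes, rand: bytes) -> bytes:
    """Stand-in for E22, used for the initialization key and the master-key overlay."""
    return hmac.new(key, b"E22" + rand, hashlib.sha256).digest()[:16]

def init_key(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Initialization key from the PIN (1..16 octets), BD_ADDR and a 128-bit random,
    as on the slide. BD_ADDR and the random go on air, so the PIN is the only secret."""
    if not 1 <= len(pin) <= 16:
        raise ValueError("PIN is 1 to 16 octets")
    return e22(pin + bd_addr, in_rand)

def combination_key(k_link: bytes, addr_a: bytes, rand_a: bytes, addr_b: bytes, rand_b: bytes) -> tuple:
    """Run the combination-key exchange for both sides; returns (key at A, key at B).
    Each device masks its random with the current link key (the initialization key),
    the peer unmasks it with the same key, and both combine LK_KA and LK_KB."""
    on_air_a = xor16(rand_a, k_link)     # A -> B: LK_RAND_A XOR current link key
    on_air_b = xor16(rand_b, k_link)     # B -> A: LK_RAND_B XOR current link key
    key_at_a = xor16(e21(rand_a, addr_a), e21(xor16(on_air_b, k_link), addr_b))
    key_at_b = xor16(e21(xor16(on_air_a, k_link), addr_a), e21(rand_b, addr_b))
    return key_at_a, key_at_b

def master_key_send(k_master: bytes, k_link_slave: bytes, rand: bytes) -> tuple:
    """Master side, once per slave: overlay = E22(link key shared with this slave, RAND);
    what goes on air is RAND and K_master XOR overlay."""
    return rand, xor16(k_master, e22(k_link_slave, rand))

def master_key_receive(k_link: bytes, rand: bytes, masked: bytes) -> bytes:
    """Slave side: rebuild the overlay from RAND and its link key, extract the master key."""
    return xor16(masked, e22(k_link, rand))
```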
