Many of our electronic devices have transitioned to wireless technology over the years for connectivity. Instead of long, tangled cords attached to the mouse, keyboard, headphones, and speakers, we have easy-to-use and practical wireless items that let us enjoy technology even more.
Because many of these wireless devices are based on Bluetooth technology, the Bluetooth SIG (the authority on Bluetooth technology) has added a variety of security protocols while maintaining convenience and reliability.
What makes Bluetooth security possible is its clever encryption methods and algorithms. Read on if you are interested in how Bluetooth security is designed and uses encryption.
Latest Bluetooth versions and Low Energy Privacy
Bluetooth security aims to provide standard protocols for Bluetooth-enabled devices in terms of authentication, integrity, confidentiality and privacy, all using encryption. It has been in use since 1998 and has gone through several iterations.
In 2010, in response to the increasing need for better short-range wireless technology, Bluetooth SIG developed a newer version of Bluetooth – Bluetooth 4.0. The most significant difference between the older generations of Bluetooth and Bluetooth 4.0 is the addition of BLE (Bluetooth Low Energy).
Note that “Low Energy” in BLE does not necessarily mean that it consumes less power; it just means it works well with low-power devices like wireless headphones that have minimal battery life.
Since most devices run on Bluetooth 4.0 and higher, we will be specific about the design stack of these newer versions. In addition, this version solved many of the security problems of previous Bluetooth generations.
Current versions of Bluetooth use the BLE stack shown below:
We’re interested in part of the fourth layer of the stack, known as the security manager, which takes care of everything related to authentication, security, confidentiality, and privacy. The Security Manager implements its protocols by pairing and bonding devices.
BLE pairing methods
Pairing is an integral part of the Bluetooth Security Manager. It verifies that the device you’re connecting to is the intended device, and then generates an encryption key that both devices can use throughout the session.
Your devices can use multiple authentication methods to ensure you are connected to the intended device. These methods would include:
- Just Works: The fastest but less secure way to pass encryption keys between both devices
- OOB (Out of Band): Uses authentication methods other than Bluetooth to send encryption keys. An example would be connecting via NFC or using your device’s camera to scan a QR code on the other device’s display
- Passkey: Users authenticate by entering the correct passkey when prompted
- Numeric Comparison: Works the same as Passkey, but devices automatically send passkeys. Users just need to confirm whether both devices have the same passkeys
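How two devices arrive at one of these methods, as an added example rather than code from the article or the Bluetooth SIG: each side reports its I/O capabilities and flags during pairing, and the method follows from the combination. The mapping goes beyond the text and follows the selection rules of the Bluetooth Core Specification; `PairingFeatures`, `select_method`, `audit` and the sample devices are hypothetical names and constructed data.

```python
# Added illustration. I/O capability names follow the Bluetooth Core
# Specification; class, function and field names are hypothetical.
from dataclasses import dataclass

NO_IO, DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, KEYBOARD_DISPLAY = (
    "NoInputNoOutput", "DisplayOnly", "DisplayYesNo", "KeyboardOnly", "KeyboardDisplay")

@dataclass
class PairingFeatures:
    io: str                           # one of the five I/O capabilities above
    oob_data: bool = False            # holds out-of-band data (e.g. read over NFC)
    mitm: bool = False                # requests man-in-the-middle protection
    secure_connections: bool = False  # supports LE Secure Connections (4.2+)

def select_method(initiator, responder):
    """Return (method, authenticated) for the two exchanged feature sets."""
    sc = initiator.secure_connections and responder.secure_connections
    # OOB: legacy pairing needs data on both sides, Secure Connections on one.
    oob = ((initiator.oob_data or responder.oob_data) if sc
           else (initiator.oob_data and responder.oob_data))
    if oob:
        return "OOB", True
    # If neither side asks for MITM protection, I/O capabilities are ignored.
    if not (initiator.mitm or responder.mitm):
        return "Just Works", False
    ios = {initiator.io, responder.io}
    if NO_IO in ios:
        return "Just Works", False
    # Numeric Comparison: Secure Connections plus display and yes/no on both.
    if sc and ios <= {DISPLAY_YESNO, KEYBOARD_DISPLAY}:
        return "Numeric Comparison", True
    # Passkey needs a keyboard on at least one side.
    if ios & {KEYBOARD_ONLY, KEYBOARD_DISPLAY}:
        return "Passkey", True
    return "Just Works", False

def audit(pairs):
    """Names of the pairs whose resulting key is unauthenticated."""
    return [name for name, a, b in pairs if not select_method(a, b)[1]]

# Constructed sample devices, not taken from any real product.
phone = PairingFeatures(KEYBOARD_DISPLAY, mitm=True, secure_connections=True)
SAMPLE_PAIRS = [
    ("phone+headset", phone, PairingFeatures(NO_IO)),
    ("phone+watch", phone, PairingFeatures(DISPLAY_YESNO, mitm=True, secure_connections=True)),
    ("phone+keyboard", phone, PairingFeatures(KEYBOARD_ONLY, mitm=True)),
]
print("unauthenticated pairings:", audit(SAMPLE_PAIRS))
```

A device with no screen or keyboard always falls back to Just Works, which is why `audit` flags the headset pairing as unauthenticated.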
BLE encryption algorithms
Once your devices have authenticated the identity of the connecting device, they send encryption keys, which your devices use to encrypt and decrypt data throughout the session.
Bluetooth’s security manager has different phases in which it uses different encryption algorithms to work correctly. The most common encryption algorithms used by the latest version of Bluetooth (4.0 and later) are the following:
- Ciphers with symmetric keys: This type of encryption uses a single key to decrypt hashes or ciphers
- Ciphers with asymmetric keys: This type of encryption uses a so-called public key and a private key. A public key is used to encrypt data while a private key decrypts the encrypted data
- Elliptic Curve Cryptography (ECC): uses an elliptic curve equation to create keys that are much shorter than symmetric or asymmetric keys, but just as secure
- Advanced Encryption Standard (AES): is a symmetric block cipher with a size of 128 bits
The security manager pairing and bonding process
The security manager layer is designed to handle all security aspects within Bluetooth through so-called pairing and bonding processes. In a Bluetooth connection there is always a master device and a slave device.
The master device is the device that searches for transmitting Bluetooth-enabled devices. In contrast, a slave is a device that broadcasts its location to the world.
An example of a master-slave relationship would be your phone and a pair of wireless headphones. Your phone is the master device because it searches for Bluetooth devices, while your wireless headset is the slave because it broadcasts its signals that your phone can find.
The pairing process makes up the first two of the Security Manager’s three security phases. It covers the initial connection between the devices attempting to connect.
- For the initial pairing, both the master and slave devices share a list of the features each device offers and the version of Bluetooth they run. These capabilities would include whether or not the device has a screen, keyboard, camera, and NFC.
- After sharing their capabilities with each other, the slave and master devices would decide which security protocol and encryption algorithms to use.
- The shared encryption key for the initial pairing of both devices is called the STK (Short-Term Key). As the name suggests, an STK is the encryption key that both master and slave devices use until the session ends.
- When both devices are successfully paired, they use the STK to encrypt every packet of data they would share. And with the data encrypted, anyone trying to monitor your session will not have an STK to decrypt data.
- The problem with an STK is that it’s only good for one session. Both devices must still be paired to generate a new STK for each session. Because of this, an additional optional stage called bonding was developed.
- The bonding phase is the third phase of the Bluetooth security manager. This is the optional prompt you get on your device asking if you want to trust and connect to the paired device when the device broadcasts.
- Since both devices are already paired (have a secured connection via an STK), the bonding process requires no further security checks. What this stage would do is generate an LTK (Long-Term Key) and an IRK (Identity Resolve Key). Both devices then use these keys to decrypt data and automatically identify your device when Bluetooth is on.
- An LTK is an encryption key similar to an STK in that devices use it to encrypt and decrypt data. The difference is that an LTK is generated over ECC instead of AES-120 and is used long-term.
To understand an IRK, let’s talk briefly about the Bluetooth MAC address. All Bluetooth-enabled devices are equipped with a NIC (Network Interface Controller). Each NIC has a unique MAC (Media Access Control) address. You cannot change these MAC addresses because the specified addresses are hard-coded into the physical hardware of the NIC.
Although you can spoof a MAC address via software, this is not a viable option if you want your device to be identified by connected devices. With this in mind, Bluetooth SIG added an IRK system that allows your device to be discoverable by connected devices and unidentifiable to unknown Bluetooth devices.
Digging deep
Bluetooth is a complex mix of technologies that offers a wide range of device compatibility, convenience, and reliability. The nature of Bluetooth makes Bluetooth security a bit of a touchy subject.
The points above are simplified and are intended to give a general idea of how Bluetooth encryption and security works. Hopefully this serves as a gateway for security enthusiasts to dig deeper and learn more about the inner workings of Bluetooth. Interested people are welcome to the rabbit hole!