Professional Documents
Culture Documents
Microsoft Corporation
Published: June 2005
Abstract
This paper provides an overview of Bluetooth technology with a specific focus on security and one class of Bluetooth
Human Interface Devices: keyboards and mouse products. Bluetooth computing has created a major advance in personal
computer interaction and, as with any new technology, understanding it is the key to envisioning how it can make a
contribution in the workplace.
M
The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights,
or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual
property.
2005 Microsoft Corporation. All rights reserved.
Microsoft is either a registered trademark or trademark of Microsoft
Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.
Contents
Contents .......................................................................................................................................................1
Introduction..................................................................................................................................................2
What is Bluetooth ? ....................................................................................................................................3
Encryption ..................................................................................................................................................5
Pairing ..........................................................................................................................................................7
Discovery ...................................................................................................................................................7
Keys ...........................................................................................................................................................7
Authentication ............................................................................................................................................8
Bluetooth Settings......................................................................................................................................9
Adding a Device.......................................................................................................................................10
Summary ....................................................................................................................................................12
Appendix 1: Bluetooth Security on Microsoft Desktop Products.....................................................13
Pairing Process for Microsoft Bluetooth Keyboards ................................................................................13
Conclusion ...............................................................................................................................................15
Appendix 2: Bluetooth Specification v1.2 Controller Volume, Part H SECURITY SPECIFICATION16
Bluetooth and Microsoft Desktop Products 1
Introduction
Connections between people are changing as an ever-increasing number of wireless products
enable them to enjoy mobility and simplicity without cabling. Introduced in 1999 and evolving,
Bluetooth is a low power, short range radio technology that revolutionizes communications for a
wide array of products from mobile phones to computer peripherals. An open specification,
*
Bluetooth offers convenience, enhanced immunity from interference, and security which have
made it the choice of a large and growing number of companies.
This paper provides an overview of Bluetooth technology with a specific focus on communications
security and reliability for one class of Bluetooth Human Interface Devices: keyboards and mouse
products. Bluetooth computing has created a major advance in personal computer interaction
and, as with any new technology, understanding it is the key to envisioning how it can make a
contribution in the workplace.
For readers who wish some additional technical detail, this appendix provides a brief
summary of the implementation for Microsoft Bluetooth keyboards.
*
The Microsoft products referenced within use Bluetooth wireless technology so that users have a more secure computing
experience. The degree of security achieved with any technology depends upon the specific circumstances under which it is
deployed.
Bluetooth and Microsoft Desktop Products 2
What is Bluetooth?
Bluetooth is an open technology specification owned by the Bluetooth Special Interest Group
(SIG), a trade association comprised of members from the telecommunications, computing, and
various other technology industries. Ensuring compatibility in a wide variety of products from
many manufacturers, Bluetooth technology is increasingly seen as a smart choice for local,
private device networking.
Bluetooth is a low power, short range, 2.4 GHz radio technology that eliminates cables between
electronic devices such as phones, computers, keyboards, mouse products, printers, and other
equipment. Bi-directional radio transmission between these devices delivers physical freedom
and ease of use through automatic wireless connection. Up to 7 devices may be connected in a
piconet, the fundamental Bluetooth network. The maximum data rate is 1 Mbps, with typical
performance in the range of several hundred to 700 kbps.
Bluetooth has a longer range and yet is less susceptible to interference, enabling co-location of
more devices in a smaller area than is possible with 27 MHz devices. The range of Bluetooth
devices such as keyboards is generally 10 meters or about 30 feet. 27 MHz devices are much
more susceptible to interference and have to contend with signal loss if interference is
encountered. Frequency hopping makes Bluetooth devices more immune to interference.
Devices that encounter interference on a channel will switch channels and retransmit a packet.
This is possible because Bluetooth transmission is bi-directional, and devices are able to
communicate whether a packet is not received.
Bluetooth and Microsoft Desktop Products 3
Industry standard encryption is the basis for Bluetooth security, which is not the case for 27 MHz
technology. 27 MHz devices generally do not use encryption or, if they do, it is a proprietary
implementation.
Bluetooth Devices
The Bluetooth specification accommodates different devices that are organized into device
profiles based on the capabilities of the device. For example, Bluetooth devices range in
functionality from headsets to printers and modems. Each class of device has a suitable set of
commands, but it is not practical or desirable for all devices to understand all possible
commands. For example, a printer without FAX functionality will never need to make a phone call,
so the modem commands are not necessary for the printer. For this reason the Bluetooth
specification classifies devices based on their functionality. These classes are called profiles.
Keyboards and mouse products fall into the general Human Interface Device (HID) profile.
Because HID devices have fewer and simpler capabilities, such devices tend to represent a lower
security risk. They have fewer potential avenues for compromise than devices such as mobile
phones, which support a large variety of device profiles.
Range
Bluetooth devices are grouped into three power classes or levels with typical operating range
distances of 10 m, 20 m, and 100 m (approximately 30, 60, and 300 feet, respectively). Most
keyboards and mouse products operate at the 10 or 20 meter ranges. The actual effective range
for any device may be less, as radio signals can be affected by the physical environment. Since
keyboards are generally used within a building, which attenuates radio signals, the actual range
could be less than 10 m. A consideration for using Bluetooth in offices is that the range may
extend through a floor or ceiling.
Many Bluetooth radios, including the radios used in Microsoft products, have an active transmit
power control feature. If the keyboard is moved closer to the transceiver, the two radios will
reduce transmission power accordingly so that they are not transmitting any louder than
necessary. This further reduces the effective range, but helps to minimize potential interference
with other networks.
Master/Slave Relationship
A Bluetooth piconet employs a master/slave topology where there is a single master and multiple
slave devices. The master device controls communication timing and frequency hopping, as well
as determines encryption keys used within the network. While certain classes of devices in one
piconet may also be connected to other Bluetooth piconets, this is never the case for keyboards
and mouse products. The HID profile requires a single master.
In this paper the term PC will refer to the master while the keyboard is a slave. PC is used
throughout and is interchangeable with host or master.
Virtual Cable
The keyboard and mouse are so tightly coupled with the PC, the master device to which they are
paired, that this pairing is described as being a virtual cable. That is, they have a 1:1 relationship
that permits no other devices to join that pairing. Once a device has been virtually cabled, it acts
Bluetooth and Microsoft Desktop Products 4
as if a physical cable exists between it and its PC. A
The Virtual Cable protects against connection
intrusion attacks (which has been a problem for paired keyboard will refuse to connect to any other
some phone implementations). The term virtual device, therefore making it very difficult to attack
cable is used to indicate that the HID* has a 1:1
association with a particular host [PC]. (*From through a Bluetooth connection. The latter problem
section 6.4 of the Bluetooth Human Interface Device has been encountered with some phone
Profile 1.0 specification.)
implementations of the Bluetooth standard.
The Microsoft Bluetooth keyboard supports only one
connection at a time. For example, a device cannot
connect to a keyboard by forming a second This virtual cable remains intact even if power is
connection in order to listen to or manipulate the removed and reapplied to the device, and can only be
devices. If a keyboard device is virtually cabled to a
PC it means: broken if either the PC or keyboard unplugs itself via a
The device has identified itself as virtually specific Bluetooth command. Should the connection
cabled. between the paired devices be broken for any other
There is a 1:1 relationship with that PC.
reason (for example, moving out of range), the virtual
The HID device will refuse any attempts by
other devices to connect to it. cable will not be broken. The devices will automatically
The device will automatically reconnect to its attempt to reconnect when the cause for the break is
bonded PC if the connection is dropped. removed (moving back into range).
Breaking the virtual cable requires user
intervention, e.g., pressing the Make/Break
Connection button on the bottom of the Encryption
Microsoft Bluetooth keyboard, or clicking the
Remove button from the Bluetooth Devices
Encryption is at the core of Bluetooth security,
dialog in Windows Control Panel. employing a strong algorithm with high speed
Pages 35-38, section 6.4, of the Bluetooth Human encryption, long encryption keys (or passwords), and
Interface Device Profile 1.0 specification contain
more details about virtual cables. encryption keys that change for each working session.
Communications are secured by up to 128-bit
encryption using an enhanced version of a strong,
publicly available encryption algorithm known as SAFER+.
Encryption is a Bluetooth recommendation for HID devices such as keyboards, which are often
used to enter sensitive information. For example, all Microsoft Bluetooth keyboards use 128-bit
Bluetooth encryption, although Windows permits unencrypted connections to Bluetooth
keyboards. Simple devices, such as a mouse or pointer, may use encryption, but they are not
required to do so and generally do not. A Microsoft Bluetooth mouse is not encrypted.
The foundation for encryption is built by the pairing process (described later) which begins with a
user-entered PIN (password) and ultimately results in the creation of a semi-permanent Link Key.
The Link Key is also knows as the Combination Key or KAB in the Bluetooth Specification. That
Link Key is, in turn, used to create the Encryption Keys for communication. No keys are ever
transmitted over the radio; only random numbers are exchanged when devices are establishing
keys.
While the Link Key must be 128 bits, the Bluetooth specification allows the Encryption Key to be
as short as 8 bits. Microsoft Bluetooth keyboards always use 128-bit encryption. The keys are
generated through a combination of three inputs: an input key, a 128-bit random number received
from the other device, and a third number. The third number is either a 48-bit device address or
another generated number. Such a combination key is more secure than a static random number,
plus it enables the PC and each slave device pair to have its own unique key. Additional
information on encryption can be found in the appendix Bluetooth Security on Microsoft Desktop
Products.
Bluetooth and Microsoft Desktop Products 5
Frequency Hopping Technology
High speed frequency hopping technology significantly reduces radio interference. The general
frequency hopping technique is employed in a broad range of products and applications because
of this inherent benefit.
Bluetooth devices operate at a frequency of 2.4 GHz, an open, license-free band that is shared
around the world by a wide range of applications and devices. One application is wireless
Ethernet based on the IEEE 802.11 standards. This sharing of the frequency band is a key
reason why Bluetooth communications need to be robust and resistant to interference.
The frequency band is divided into 79 frequency channels, and time is divided into slots that are
625 s long. Data packets are 1 to 5 slots in length. Two Bluetooth devices will synchronously
switch to a new channel in a random manner after each packet is received. Thus channel
switching is very fast, up to 1,600 times every second.
Figure 1 provides a graphical depiction of this
channel switching. The 79 channels are shown
with a total of 16 horizontal elapsed time slots,
which represent a total time of just 0.01 second.
The channel that was selected for transmission for
each time slot is shown and graphed.
Communications can be monitored once the sequence is known, so Bluetooths security defense
is based principally on encryption. Frequency hopping makes it more difficult for communication
to be intercepted and monitored, but it does not prevent it.
Bluetooth and Microsoft Desktop Products 6
Pairing
Secure, encrypted communication between two devices requires that they share a common
starting point, or password/PIN, for encryption and decryption. Nearly everyone recognizes that a
password can be weak (simple to break) or strong (difficult to break). Longer passwords are more
difficult to break than shorter passwords. Security is also enhanced if passwords are changed
frequently, and if there is more than just a single password. And, of course, passwords should
never be shared (communicated) openly. These same security characteristics are found in
Bluetooth encryption:
Use of an initial password
Pairing is the process by which two Bluetooth devices bond and share a key, which is another
word for password. Both devices begin with an initial password, but pairing is a highly secure
multi-step, multi-password process. Its purpose is to create the semi-permanent key, called the
Link Key. The Link Key is the password that is used to generate a second key, the Encryption
Key, which is unique for each operating session (defined below). The creation of the Link Key
begins with the use of a PIN or Passkey.
Discovery
Devices must be discovered before actual communication can begin. For Bluetooth devices, this
involves enabling device discovery and making inquiry scans. Once the PC finds a device, it
requests basic information that identifies the devices type and capabilities.
Discovery is not certain. Devices may or may not be discoverable depending on their applications
or configuration settings. While discovery might happen automatically for some Bluetooth
devices, for added security Windows XP SP2 (SP2) and Microsoft keyboards require user
intervention. Discovery is turned off by default, which means the PC and device cannot be found
unless a user specifically turns on that capability. Conversely, a mouse and keyboard that are
paired to a PC can return from a powered-off state and find the PC even if it is not discoverable.
The PC must respond to a connection request from a paired device.
Keys
For keyboards, the pairing process comprises the entry of a Passkey/PIN, the creation and
verification of an Authentication key, and the creation and verification of the Link Key. Pairing is
complete when the Link Key has been generated and verified. Figure 2 shows the sequential
relationship between the keys. The first two keys are temporary and are discarded immediately
after use. Once the Link Key has been created and verified, an Encryption Key is created for the
next session and communication can begin:
Bluetooth and Microsoft Desktop Products 7
Pairing Session
Pairing is done only once. It is unaffected by powering the PC off and on, moving out of and back
within range, or by battery replacement. Those actions do, however, constitute the end of an
operating session and the beginning of a new session, so they result in the Link Key being used
to generate a new Encryption Key for the new session. But the Link Key remains the same unless
a user takes specific action to change it. The basic pairing and subsequent session process flow
is shown from top to bottom in the simplified diagram in Figure 3:
PC Bluetooth Keyboard
Enter Enter
Passkey/PIN Passkey/PIN
Authentication
Link Keys are unique between each device and PC, so a PC paired with three devices would
share three different Link Keys. Link Keys are used for each party (device and PC) to verify that
the other party is in fact who it says it is, as well as for generating encryption keys.
For device A to authenticate device B, device A creates a random number and sends it to B.
Device B receives the random number, encrypts it with its Link Key, and sends it back to A.
Device A then decrypts this transmission using its Link Key and compares it to the original
random number. If those numbers match, then device A knows that device B has the same Link
Key, and device B is therefore authenticated. Device B also performs the same process with
device A to verify its identity. Authentication has taken place once both numbers are verified.
Bluetooth and Microsoft Desktop Products 8
Understanding Pairing An Example
Microsoft Windows XP helps with discovering, authenticating, and connecting to Bluetooth
devices through its wizard. The wizard serves as a good vehicle to describe and understand the
pairing process. The discussion that follows uses the Microsoft Optical Desktop Elite for
Bluetooth, a keyboard and mouse desktop combination, to illustrate pairing.
Bluetooth Settings
The pairing process for Bluetooth devices can be started from the
Control Panel, assuming that SP2 has been installed. Windows XP
SP2 includes the drivers for certain Bluetooth radios
(http://support.microsoft.com/?id=841803). It is important to note that
standard user level rights are sufficient for installing the Bluetooth
drivers or for pairing keyboards and mouse products. Clicking on
Bluetooth Devices (Figure 4) in the Control Panel will display the
Figure 4 Control Panel Bluetooth Devices dialog.
Figure 5 Devices
The Options tab (Figure 6) contains the settings that control how
Windows XP SP2 manages Bluetooth connections. In the
Connections grouping, the checkbox Allow Bluetooth devices to
connect to this computer should be on. This enables a keyboard and
mouse to recover from their power saving states. Disabling this box
will disallow Bluetooth communications with the Microsoft keyboard
and mouse.
If security is a concern, the Turn discovery on checkbox should be
left unchecked. This will prevent the PC from responding to a general
inquiry and make the PC undiscoverable by unpaired devices. Only a
Bluetooth device that is already paired with the PC will be able to
discover the PC. For security purposes, this is the default setting.
Figure 6 Options The checkbox Alert me when a new Bluetooth device wants to
connect is checked by default in Windows XP SP2. This can be
Bluetooth and Microsoft Desktop Products 9
unchecked if security is a concern, with the effect that the user will not be prompted if a device
tries to pair with the PC. Thus any connection attempt not initiated by the user through the PC will
fail. Alternatively, leaving the box checked would also serve to detect and alert a user to the
existence of potential threats. Any such attempt could simply be declined. Users always have the
option to manually initiate pairing from the user interface by adding a new device through the
Control Panel.
Adding a Device
On the Devices tab there is an Add button that will initiate
pairing by running the Bluetooth Device Wizard (Figure
7).
Note the security warning at the bottom: Add only
Bluetooth devices that you trust. A trusted device is one
that the user or the users company owns and controls.
An untrusted device is one that is public, or it may be one
that is in a different physical location.
Passkey Challenge
Some Bluetooth devices require authentication before the device can be used with Windows .
During authentication, the same passkey must be entered into the Bluetooth Connection Wizard
and into the Bluetooth device. As discussed earlier, the passkey, or PIN, is a temporary key that
is entered by the user. Its only purpose is to generate an initial Authentication key and then the
PIN is discarded. The PIN and all keys are never transmitted over the radio.
Windows XP SP2 offers the following PIN options when connecting a Bluetooth device (also
shown in Figure 9 below):
Bluetooth and Microsoft Desktop Products 10
Choose a passkey for me the default choice, this creates an 8-character random
numerical string.
Use the passkey found in the documentation not applicable for keyboards, this
applies to devices like a printer that do not have a method for PIN input.
Let me choose my own passkey Windows recommends that the user choose a
numeric PIN 8 - 16 characters in length, but it does not enforce the minimum length.
This is the recommended choice.
Dont use a passkey this pairs both devices with security turned off. This option is
meant for devices like mouse products that do not support authentication or
encryption. (This is not recommended for keyboards, since this would mean that the
keystrokes would be sent unencrypted. Windows will not enforce this, so it is possible
for a user to pair a keyboard with security turned off.)
Once the passkey has been entered on the PC, the user
is prompted to enter the same PIN from the Bluetooth
keyboard (Figure 10). If the PIN entered on the Bluetooth
keyboard matches the PIN entered on the PC (with the
attached keyboard), authentication succeeds. If the PINs
do not match, authentication fails. For security purposes,
there is a timeout for completion of this step.
Bluetooth and Microsoft Desktop Products 11
Summary
Bluetooth technology delivers on the promise of reliable wireless connectivity with respect to
interference, security, and range, Bluetooth is the best wireless implementation available for
personal computing hardware in the workplace. Security and freedom from interference are
concerns whenever communications are involved, and they are particularly important when
considering wireless technology instead of wired or cabled technology. In the previous
discussion, and in the keyboard example, different elements of Bluetooth security and
interference immunity have been mentioned. Some of those elements are fundamental to the
Bluetooth specification, while others are application implementations unique to the devices. As
we have seen, the Bluetooth standard basically encompasses the following:
Frequency-hopping spread spectrum technology, which makes Bluetooth
communications relatively immune to interference.
Procedures for configuring and controlling security, such as the pairing sequence for
creating Link and Encryption Keys, where keys are never transmitted over the radio.
Virtual cable or an exclusive 1:1 relationship between the Bluetooth keyboard and
the PC, meaning that no other devices are permitted to have that relationship.
Additionally, when compared to 27 MHz devices, Bluetooth also offers the advantages of
being able to connect multiple devices and longer range.
We have also seen Bluetooth keyboard security elements that are provided by Windows XP
SP2:
Bluetooth Wizard for device connection that is fast and simple, relying on a
Passkey/PIN that is not transmitted over the radio.
Bluetooth Devices dialog in Control Panel for configuration, where, by default, the PC
cannot be discovered by another Bluetooth device.
Refer to http://www.microsoft.com/hardware for more information about Microsoft Bluetooth
products.
Bluetooth and Microsoft Desktop Products 12
Appendix 1: Bluetooth Security on Microsoft Desktop Products
The information contained within this Appendix is a more detailed, technical description of how
the Bluetooth encryption process works.
Once the Link Key has been created, each working session begins with:
Generation of the Encryption Key (using the Link Key). A new Encryption Key is
generated each time a session is begun.
As described previously, pairing is initiated by pressing the Make/Break Connection button under
the keyboard and running the Add Bluetooth Device Wizard in Windows XP SP2. It is necessary
to pair the keyboard to the PC only once.
With the exception of the PIN, which can be generated by the user, all other input security keys
employed by Microsoft Bluetooth keyboards are 128 bits in length. These keys are combination
keys that require three inputs:
Input key, which is one of the keys in the process. See Figure 11 for process flow.
Random number
Bluetooth address
The PIN chosen and entered by the user is comprised of only numerical characters. It is 1 to 16
characters in length. The Windows XP SP2 user interface presents the following options when
pairing a Bluetooth device:
Choose a passkey for me This default option creates a random numerical string of
8 characters.
Use the passkey found in the documentation Not applicable for keyboards, this
option applies to devices like printers that do not have a method for PIN input.
Let me choose my own passkey Windows recommends that the user choose a
numeric PIN 8 to 16 characters in length, but does not enforce the minimum length.
Dont use a passkey This option pairs both devices with security turned off. This
option is meant for devices like mice that do not support authentication or encryption.
It is NOT recommended for keyboards, since keystrokes would be sent unencrypted.
Windows does not enforce this, so it is possible for a user to pair a keyboard with
security turned off.
Bluetooth and Microsoft Desktop Products 13
Length and entropy of the Random Number
The 128-bit random number is the output of the same Massey/Rueppel generator used for the
encryption operations. The seed that is used in the random number generator is a 128-bit value
which is a combination of the:
32-bit Bluetooth clock snapped at a random time in the firmware
Other values read from the hardware, such as radio symbol tracking register values,
piconet slot offset register values, and a few others.
Length and entropy of the Bluetooth address
The 48-bit Bluetooth address is a unique number assigned to the device. All Bluetooth devices
have unique addresses that are assigned by the IEEE to device manufacturers.
The top 24 bits identify the manufacturer and are assigned out of the same IEEE OUI space as
MAC addresses. The lower 24 bits are assigned by the manufacturer to identify the specific
device.
The 128-bit Initialization Key is generated by the E2 algorithm and takes the following inputs:
PIN PIN
1-16 characters
Random
E22 Numbers E22
Generate Generate
Initialization 128 bits Initialization
Key Key
Random
E21 Numbers
E21
Generate Generate
Link 128 bits Link
Key Key
Authentication
E1 Authentication Exchange E1 Authentication
Link Link
Key Key
Random
E3 Numbers
E3
Generate Generate
Encryption 128 bits Encryption
Key Key
Encrypted
E0 Stream Cipher Traffic
E0 Stream Cipher
Figure 11
PIN (8 to 128 bits)
Bluetooth and Microsoft Desktop Products 14
RND (128 bits)
The Initialization Key is discarded after the combination Link Key is generated. The 128-bit Link
Key is generated by the E1 algorithm and takes the following inputs:
128-bit Random Number from device A (RANDA)
A new 128-bit Encryption Key is generated by the E3 algorithm whenever a new encrypted
connection is formed, i.e., a new session. In the case of a keyboard, this occurs when the
keyboard reconnects to Windows XP through user activity after becoming disconnected, e.g.,
after 10 minutes of inactivity.
The Bluetooth specification allows for the negotiation of the size of the Encryption Key, which
can be as short as 8 bits and up to 128 bits. Microsoft keyboards with the Microsoft Wireless
Transceiver for Bluetooth (included with the Microsoft Optical Desktop Elite for Bluetooth) and
Windows XP SP2 always use 128-bit encryption keys.
The COF is the number (Authentication Ciphering Offset or ACO) generated by E1 during pairing.
Conclusion
SAFER+ 128-bit encryption is employed.
Bluetooth and Microsoft Desktop Products 15
Appendix 2: Bluetooth Specification v1.2 Controller Volume, Part H
SECURITY SPECIFICATION
Bluetooth and Microsoft Desktop Products 16
Core System Package [Controller volume]
Part H
SECURITY SPECIFICATION
Security Specification
Security Specification
CONTENTS
Security Specification
Security Specification
1 SECURITY OVERVIEW
Entity Size
BD_ADDR 48 bits
The secret keys are derived during initialization and are never disclosed. The
encryption key is derived from the authentication key during the authentication
process. For the authentication algorithm, the size of the key used is always
128 bits. For the encryption algorithm, the key size may vary between 1 and 16
octets (8 - 128 bits). The size of the encryption key is configurable for two rea-
sons. The first has to do with the many different requirements imposed on cryp-
tographic algorithms in different countries both with respect to export
regulations and official attitudes towards privacy in general. The second reason
is to facilitate a future upgrade path for the security without the need of a costly
redesign of the algorithms and encryption hardware; increasing the effective
key size is the simplest way to combat increased computing power at the oppo-
nent side.
The encryption key is entirely different from the authentication key (even
though the latter is used when creating the former, as is described in Section
6.4 on page 783). Each time encryption is activated, a new encryption key shall
be generated. Thus, the lifetime of the encryption key does not necessarily cor-
respond to the lifetime of the authentication key.
It is anticipated that the authentication key will be more static in its nature than
the encryption key once established, the particular application running on the
device decides when, or if, to change it. To underline the fundamental impor-
Security Specification
In the remainder of this chapter, the terms user and application will be used
interchangeably to designate the entity that is at either side.
Security Specification
The expression non-repeating means that it shall be highly unlikely that the
value will repeat itself within the lifetime of the authentication key. For example,
a non-repeating value could be the output of a counter that is unlikely to repeat
during the lifetime of the authentication key, or a date/time stamp.
The expression randomly generated means that it shall not be possible to pre-
dict its value with a chance that is significantly larger than 0 (e.g., greater than
1 2 L for a key length of L bits).
The LM may use such a generator for various purposes; i.e. whenever a ran-
dom number is needed (such as the RANDs, the unit keys, Kinit, Kmaster, and
random back-off or waiting intervals).
Security Specification
Security Specification
3 KEY MANAGEMENT
It is important that the encryption key size within a specific device cannot be set
by the user this should be a factory preset entity. In order to prevent the user
from over-riding the permitted key size, the Bluetooth baseband processing
shall not accept an encryption key given from higher software layers. When-
ever a new encryption key is required, it shall be created as defined in Section
6.4 on page 783.
Changing a link key shall also be done through the defined baseband proce-
dures. Depending on what kind of link key it is, different approaches are
required. The details are found in Section 3.2.7 on page 760.
In the following, a session is defined as the time interval for which the device is
a member of a particular piconet. Thus, the session terminates when the
device disconnects from the piconet.
The lifetime of a temporary link key is limited by the lifetime of the current ses-
sion it shall not be reused in a later session. Typically, in a point-to-multipoint
configuration where the same information is to be distributed securely to sev-
eral recipients, a common encryption key is useful. To achieve this, a special
link key (denoted master key) may temporarily replace the current link keys.
The details of this procedure are found in Section 3.2.6 on page 759.
In the following, the current link key is the link key in use at the current moment.
It can be semi-permanent or temporary. Thus, the current link key is used for all
authentications and all generation of encryption keys in the on-going connec-
tion (session).
Security Specification
In addition to these keys there is an encryption key, denoted Kc. This key is
derived from the current link key. Whenever encryption is activated by an LM
command, the encryption key shall be changed automatically. The purpose of
separating the authentication key and encryption key is to facilitate the use of a
shorter encryption key without weakening the strength of the authentication
procedure. There are no governmental restrictions on the strength of authenti-
cation algorithms. However, in some countries, such restrictions exist on the
strength of encryption algorithms.
The combination key KAB and the unit key KA are functionally indistinguishable;
the difference is in the way they are generated. The unit key KA is generated in,
and therefore dependent on, a single device A. The unit key shall be generated
once at installation of the device; thereafter, it is very rarely changed. The com-
bination key is derived from information in both devices A and B, and is there-
fore always dependent on two devices. The combination key is derived for
each new combination of two devices.
The master key, Kmaster, shall only be used during the current session. It shall
only replace the original link key temporarily. For example, this may be utilized
when a master wants to reach more than two devices simultaneously using the
same encryption key, see Section 3.2.6 on page 759.
The initialization key, Kinit, shall be used as the link key during the initialization
process when no combination or unit keys have been defined and exchanged
yet or when a link key has been lost. The initialization key protects the transfer of
initialization parameters. The key is derived from a random number, an L-octet
PIN code, and a BD_ADDR. This key shall only be used during initialization.
Security Specification
The PIN may be a fixed number provided with the device (for example when
there is no user interface as in a PSTN plug). Alternatively, the PIN can be
selected by the user, and then entered in both devices that are to be matched.
The latter procedure should be used when both devices have a user interface,
for example a phone and a laptop. Entering a PIN in both devices is more
secure than using a fixed PIN in one of the devices, and should be used when-
ever possible. Even if a fixed PIN is used, it shall be possible to change the
PIN; this is in order to prevent re-initialization by users who once got hold of the
PIN. If no PIN is available, a default value of zero may be used. The length of
this default PIN is one byte, PIN(default) = 0x00. This default PIN may be pro-
vided by the host.
For many applications the PIN code will be a relatively short string of numbers.
Typically, it may consist of only four decimal digits. Even though this gives suffi-
cient security in many cases, there exist countless other, more sensitive, situa-
tions where this is not reliable enough. Therefore, the PIN code may be chosen
to be any length from 1 to 16 octets. For the longer lengths, the devices
exchanging PIN codes may not use mechanical (i.e. human) interaction, but
rather may use software at the application layer. For example, this can be a Dif-
fie-Hellman key agreement, where the exchanged key is passed on to the K init
generation process in both devices, just as in the case of a shorter PIN code.
Security Specification
A link key is used temporarily during initialization, the initialization key K init .
This key shall be derived by the E 22 algorithm from a BD_ADDR, a PIN code,
the length of the PIN (in octets), and a random number IN_RAND. The princi-
ple is depicted in Figure 6.4 on page 783. The 128-bit output from E 22 shall be
used for key exchange during the generation of a link key. When the devices
have performed the link key exchange, the initialization key shall be discarded.
When the initialization key is generated, the PIN is augmented with the
BD_ADDR. If one device has a fixed PIN the BD_ADDR of the other device
shall be used. If both devices have a variable PIN the BD_ADDR of the device
that received IN_RAND shall be used. If both devices have a fixed PIN they
cannot be paired. Since the maximum length of the PIN used in the algorithm
cannot exceed 16 octets, it is possible that not all octets of BD_ADDR will be
used. This procedure ensures that K init depends on the identity of the device
with a variable PIN. A fraudulent device may try to test a large number of PINs
by claiming another BD_ADDR each time. It is the applications responsibility
to take countermeasures against this threat. If the device address is kept fixed,
the waiting interval before the next try may be increased exponentially (see
Section 5.1 on page 775).
The details of the E 22 algorithm can be found in Section 6.3 on page 781.
3.2.2 Authentication
A unit key K A shall be generated when the device is in operation for the first time;
i.e. not during each initialization. The unit key shall be generated by the E 21 algo-
rithm as described in Section 6.3 on page 781. Once created, the unit key should
be stored in non-volatile memory and very rarely changed. If after initialization
Security Specification
the unit key is changed, any previously initialized devices will possess a wrong
link key. At initialization, the application must determine which of the two parties
will provide the unit key as the link key. Typically, this will be the device with
restricted memory capabilities, since this device only has to remember its own
unit key. The unit key shall be transferred to the other party and then stored as
the link key for that particular party. So, for example in Figure 3.1 on page 757,
the unit key of device A, K A , is being used as the link key for the connection A-B;
device A sends the unit key K A to device B; device B will store K A as the link key
K BA . For another initialization, for example with device C, device A will reuse its
unit key K A , whereas device C stores it as K CA .
UNIT A UNIT B
Kinit K
init
KA KBA = KA
Figure 3.1: Generation of unit key. When the unit key has been exchanged, the initialization key is
discarded in both devices.
and
Security Specification
When the random numbers LK_RANDA and LK_RAND B have been mutually
exchanged, each device shall recalculate the other devices contribution to the
combination key. This is possible since each device knows the Bluetooth
device address of the other device. Thus, device A shall calculate (EQ 2) on
page 757 and device B shall calculate (EQ 1) on page 757. After this, both
devices shall combine the two numbers to generate the 128-bit link key. The
combining operation is a simple bitwise modulo-2 addition (i.e. XOR). The
result shall be stored in device A as the link key K AB and in device B as the link
key K BA . When both devices have derived the new combination key, a mutual
authentication procedure shall be initiated to confirm the success of the trans-
action. The old link key shall be discarded after a successful exchange of a
new combination key. The message flow between master and slave and the
principle for creating the combination key is depicted in Figure 3.2 on page
758.
Unit A Unit B
CB
LK_RAND B = C B K LK_RAND A = C A K
LK_K B = E 21(LK_RAND B, BD_ADDR B) LK_K A = E 21(LK_RAND A, BD_ADDR A)
K AB = LK_K A LK_K B K BA = LK_K A LK_K B = K AB
Authentication
Figure 3.2: Generating a combination key. The old link key (K) is discarded after the exchange of a
new combination key has succeeded
The encryption key, K C , is derived by algorithm E 3 from the current link key, a
96-bit Ciphering OFfset number (COF), and a 128-bit random number. The
COF is determined in one of two ways. If the current link key is a master key,
then COF shall be derived from the master BD_ADDR. Otherwise the value of
COF shall be set to the value of ACO as computed during the authentication
procedure. Therefore:1
Security Specification
COF = BD_ADDR BD_ADDR, if link key is a master key (EQ 3)
ACO, otherwise.
It is possible for the master to use separate encryption keys for each slave in a
point-to-multipoint configuration with ciphering activated. Then, if the applica-
tion requires more than one slave to listen to the same payload, each slave
must be addressed individually. This can cause unwanted capacity loss for the
piconet. Moreover, a slave might not be capable of switching between two or
more encryption keys in real time (e.g., after looking at the LT_ADDR in the
header). Thus, the master cannot use different encryption keys for broadcast
messages and individually addressed traffic. Therefore, the master may tell
several slave devices to use a common link key (and, hence, indirectly also to
use a common encryption key) and may then broadcast the information
encrypted. For many applications, this key is only of temporary interest. In the
following discussion, this key is denoted by K master .
Note that the master must negotiate the encryption key length to use individu-
ally with each slave that will use the master key. If the master has already
negotiated with some of these slaves, it has knowledge of the sizes that can be
accepted. There may be situations where the permitted key lengths of some
devices are incompatible. In that case, the master must exclude the limiting
device from the group.
When all slaves have received the necessary data, the master can communi-
cate information on the piconet securely using the encryption key derived from
the new temporary link key. Each slave in possession of the master key can
eavesdrop on all encrypted traffic, not only the traffic intended for itself. The
master may tell all participants to fall back to their old link keys simultaneously.
Security Specification
A link key based on a unit key can be changed. The unit key is created once
during first use. Typically, the link key should be changed rather than the unit
key, as several devices may share the same unit key as link key (e.g. a printer
whose unit key is distributed to all users using the printers unit key as link key).
Changing the unit key will require re-initialization of all devices connecting.
Changing the unit key can be justified in some circumstances, e.g. to deny
access to all previously allowed devices.
If the key change concerns combination keys, then the procedure is straightfor-
ward. The change procedure is identical to the procedure described in Figure
3.2 on page 758, using the current value of the combination key as link key.
This procedure can be carried out at any time after the authentication and
encryption start. Since the combination key corresponds to a single link, it can
be modified each time this link is established. This will improve the security of
the system since then old keys lose their validity after each session.
This key is a 128-bit random number. The reason for using the output of E 22
and not directly choosing a random number as the key, is to avoid possible
problems with degraded randomness due to a poor implementation of the ran-
dom number generator within the device.
Then, a third random number, RAND, shall be transmitted to the slave. Using
E 22 with the current link key and RAND as inputs, both the master and the
slave shall compute a 128-bit overlay. The master shall send the bitwise XOR
of the overlay and the new link key to the slave. The slave, who knows the
overlay, shall recalculate K master . To confirm the success of this transaction, the
devices shall perform a mutual authentication procedure using the new link
key. This procedure shall then be repeated for each slave that receives the
new link key. The ACO values from the authentications shall not replace the
current ACO, as this ACO is needed to (re)compute a ciphering key when the
master falls back to the previous (non-temporary) link key.
Security Specification
where the value of COF shall be derived from the masters BD_ADDR as spec-
ified by equation (EQ 3) on page 759. The details of the encryption key gener-
ating function are described in Section 6.4 on page 783. The message flow
between the master and the slave when generating the master key is depicted
in Figure 3.3. Note that in this case the ACO produced during the authentica-
tion is not used when computing the ciphering key.
Master Slave
K master = E 22(RAND1, RAND2, 16)
RAND
OVL = E 22(K, RAND, 16) OVL = E 22(K, RAND, 16)
C = OVL K master
C
K master = OVL C
Authentication
Figure 3.3: Master link key distribution and computation of the corresponding encryption key.
Security Specification
Security Specification
4 ENCRYPTION
The Massey and Rueppel method has been thoroughly investigated, and there
exist good estimates of its strength with respect to presently known methods
for cryptanalysis. Although the summation generator has weaknesses that can
be used in correlation attacks, the high re-synchronization frequency will dis-
rupt such attacks.
Kc payload key
plain text/cipher text
address
payload key Key stream z
clock generator
generator
RAND
cipher text/ plain text
Security Specification
Security Specification
No encryption No encryption
Table 4.1: Possible encryption modes for a slave in possession of a master key.
For the encryption routine, a stream cipher algorithm is used in which ciphering
bits are bit-wise modulo-2 added to the data stream to be sent over the air
interface. The payload is ciphered after the CRC bits are appended, but, prior
to the FEC encoding.
The encryption key KC is derived from the current link key, COF, and a random
number, EN_RANDA (see Section 6.4 on page 783). The random number shall
be issued by the master before entering encryption mode. Note that
EN_RANDA is publicly known since it is transmitted as plain text over the air.
Within the E 0 algorithm, the encryption key K C is modified into another key
denoted K C . The maximum effective size of this key shall be factory preset
and may be set to any multiple of eight between one and sixteen (8-128 bits).
The procedure for deriving the key is described in Section 4.5 on page 769.
The real-time clock is incremented for each slot. The E 0 algorithm shall be re-
initialized at the start of each new packet (i.e. for Master-to-Slave as well as for
Slave-to-Master transmission). By using CLK26-1 at least one bit is changed
between two transmissions. Thus, a new keystream is generated after each re-
initialization. For packets covering more than a single slot, the Bluetooth clock
as found in the first slot shall be used for the entire packet.
Security Specification
BD_ADDRA BD_ADDRA
E0 E0
clockA clockA
Kc Kc
Kcipher Kcipher
dataA-B
data
dataB-A
Security Specification
LFSR2 x2t
LFSR3 x3t
XOR Encryption Stream Zt
LFSR4 x4t
c0t
blend
1
z-1
2
ct T1
x1t
z-1 T2
2 ct+1
x2t XOR
x3t + st+1
2
2
2
x4t
3
+ 3
/2 2
yt
1 25 t 25 + t 20 + t 12 + t 8 + 1 5
2 31 t 31 + t 24 + t 16 + t 12 + 1 5
3 33 t 33 + t 28 + t 24 + t 4 + 1 5
4 39 t 39 + t 36 + t 28 + t 4 + 1 5
Let x ti denote the t th symbol of LFSRi. The value y t is derived from the four-
tuple x t1, , x t4 using the following equation:
yt = xti , (EQ 6)
i=1
where the sum is over the integers. Thus y t can take the values 0,1,2,3, or 4.
The output of the summation generator is obtained by the following equations:
z t = x t1 x t2 x t3 x t4 c t0 { 0, 1 }, (EQ 7)
Security Specification
yt + ct
s t + 1 = ( s t1+ 1 , s t0+ 1 ) = - { 0, 1, 2, 3 },
------------- (EQ 8)
2
where T 1 [ . ] and T 2 [ . ] are two different linear bijections over GF(4). Suppose
GF(4) is generated by the irreducible polynomial x 2 + x + 1 , and let be a zero
of this polynomial in GF(4). The mappings T 1 and T 2 are now defined as:
T 1 : GF(4) GF(4)
x
| x
T 2 : GF(4) GF(4)
| ( + 1 )x.
x
x T1 [ x ] T2 [ x ]
00 00 00
01 01 11
10 10 01
11 11 10
Since the mappings are linear, they can be implemented using XOR gates; i.e.
T1 : ( x 1, x 0 )
| ( x 1, x 0 ),
T2 : ( x 1, x 0 )
| ( x 0, x 1 x 0 ).
Figure 4.4 on page 768 gives an overview of the operation in time. The encryp-
tion algorithm shall run through the initialization phase before the start of trans-
mission or reception of a new packet. Thus, for multislot packets the cipher is
initialized using the clock value of the first slot in the multislot sequence.
Figure 4.4: Overview of the operation of the encryption engine. Between each start of a packet (TX
or RX), the LFSRs are re-initialized.
Security Specification
The effective length of the encryption key may vary between 8 and 128 bits.
Note that the actual key length as obtained from E 3 is 128 bits. Then, within E 0 ,
the key length may be reduced by a modulo operation between K C and a poly-
nomial of desired degree. After reduction, the result is encoded with a block
code in order to distribute the starting states more uniformly. The operation
shall be as defined in (EQ 10) on page 770.
When the encryption key has been created the LFSRs are loaded with their ini-
tial values. Then, 200 stream cipher bits are created by operating the genera-
tor. Of these bits, the last 128 are fed back into the key stream generator as an
initial value of the four LFSRs. The values of c t and c t 1 are kept. From this
point on, when clocked the generator produces the encryption (decryption)
sequence which is bitwise XORed to the transmitted (received) payload data.
1. Create the encryption key to use from the 128-bit secret key K C and
the 128-bit publicly known EN_RAND. Let L, 1 L 16 , be the
Security Specification
After the parallel load in item 4, the blend register contents shall be updated for
each subsequent clock.
(L) (L)
L deg g1 deg g2
1 [8] 00000000 00000000 00000000 0000011d [119] 00e275a0 abd218d4 cf928b9b bf6cb08f
2 [16] 00000000 00000000 00000000 0001003f [112] 0001e3f6 3d7659b3 7f18c258 cff6efef
3 [24] 00000000 00000000 00000000 010000db [104] 000001be f66c6c3a b1030a5a 1919808b
4 [32] 00000000 00000000 00000001 000000af [96] 00000001 6ab89969 de17467f d3736ad9
Security Specification
(L) (L)
L deg g1 deg g2
5 [40] 00000000 00000000 00000100 00000039 [88] 00000000 01630632 91da50ec 55715247
6 [48] 00000000 00000000 00010000 00000291 [77] 00000000 00002c93 52aa6cc0 54468311
7 [56] 00000000 00000000 01000000 00000095 [71] 00000000 000000b3 f7fffce2 79f3a073
8 [64] 00000000 00000001 00000000 0000001b [63] 00000000 00000000 a1ab815b c7ec8025
9 [72] 00000000 00000100 00000000 00000609 [49] 00000000 00000000 0002c980 11d8b04d
10 [80] 00000000 00010000 00000000 00000215 [42] 00000000 00000000 0000058e 24f9a4bb
11 [88] 00000000 01000000 00000000 0000013b [35] 00000000 00000000 0000000c a76024d7
12 [96] 00000001 00000000 00000000 000000dd [28] 00000000 00000000 00000000 1c9c26b9
13 [104] 00000100 00000000 00000000 0000049d [21] 00000000 00000000 00000000 0026d9e3
14 [112] 00010000 00000000 00000000 0000014f [14] 00000000 00000000 00000000 00004377
15 [120] 01000000 00000000 00000000 000000e7 [7] 00000000 00000000 00000000 00000089
16 [128] 1 00000000 00000000 00000000 00000000 [0] 00000000 00000000 00000000 00000001
In Figure 4.5, all bits are shifted into the LFSRs, starting with the least signifi-
cant bit (LSB). For instance, from the third octet of the address, BD_ADDR[2],
first BD_ADDR16 is entered, followed by BD_ADDR17, etc. Furthermore, CL0
corresponds to CLK1,..., CL25 corresponds to CLK26.
i
Note that the output symbols x t, i = 1, , 4 are taken from the positions 24, 24,
32, and 32 for LFSR1, LFSR2,LFSR3, and LFSR4, respectively (counting the
leftmost position as number 1).
8 12 20
CL[0]U = CL 7 ... CL 4
Security Specification
In Figure 4.6, the 128 binary output symbols Z0,..., Z127 are arranged in octets
denoted Z[0],..., Z[15]. The LSB of Z[0] corresponds to the first of these sym-
bols, the MSB of Z[15] is the last output from the generator. These bits shall be
loaded into the LFSRs according to the figure. It is a parallel load and no
update of the blend registers is done. The first output symbol is generated at
the same time. The octets shall be written into the registers with the LSB in the
leftmost position (i.e. the opposite of before). For example, Z24 is loaded into
position 1 of LFSR4.
Z[12]0
8 12 20
Figure 4.6: Distribution of the 128 last generated output symbols within the LFSRs.
Sample data of the encryption output sequence can be found in [Part G] Sec-
tion 1 on page 649. A necessary, but not sufficient, condition for all Bluetooth
compliant implementations of encryption is to produce these encryption
streams for identical initialization values.
Security Specification
5 AUTHENTICATION
AU_RANDA AU_RANDA
AU_RANDA
BD_ADDRB BD_ADDRB
E1 E1
Link key Link key
SRES
ACO ACO
SRES SRES
?
=
SRES
1. The reflection attack actually forms no threat because all service requests are dealt with on
a FIFO bases. When preemption is introduced, this attack is potentially dangerous.
Security Specification
Verifier Claimant
(User A) (User B, with identity IDB)
RAND
The verifier is not required to be the master. The application indicates which
device has to be authenticated. Some applications only require a one-way
authentication. However, some peer-to-peer communications, should use a
mutual authentication in which each device is subsequently the challenger
(verifier) in two authentication procedures. The LM shall process authentication
preferences from the application to determine in which direction(s) the authen-
tication(s) takes place. For mutual authentication with the devices of Figure 5.1
on page 773, after device A has successfully authenticated device B, device B
could authenticate device A by sending an AU_RANDB (different from the
AU_RANDA that device A issued) to device A, and deriving the SRES and
SRES from the new AU_RANDB, the address of device A, and the link key
KAB.
Security Specification
Security Specification
Security Specification
This section describes the algorithms used for authentication and key genera-
tion.
The details of A r are given in the next section. The function E 1 is constructed
using A r as follows
128 128 48 32 96
E 1 : { 0, 1 } { 0, 1 } { 0, 1 } { 0, 1 } { 0, 1 }
(EQ 12)
( K, RAND, address )
| ( SRES, ACO ),
and where
8L 8 16
E: { 0, 1 } { 6, 12 } { 0, 1 }
(EQ 14)
( X [ 0, , L 1 ], L )
| ( X [ i(mod L) ] for i = 0...15 ),
1. The operator +16 denotes bytewise addition mod 256 of the 16 octets, and the operator 16
denotes bytewise XORing of the 16 octets.
2. The constants are the largest primes below 257 for which 10 is a primitive root.
Security Specification
RAND address
48
K Ar
128
K add +16 E
L = 6
A' r
32 96
Security Specification
In Figure 6.2 on page 780 two boxes are shown, marked e and l. These
boxes implement the same substitutions as are used in SAFER+; i.e. they
implement
e, l : { 0, , 255 } { 0, , 255 },
e : i
| ( 45 i (mod 257) ) (mod 256),
l : i
| j s.t. i = e(j).
Security Specification
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
128
A input[0..15]
128
K2r-1 [0..15]
e l l e e l l e e l l e e l l e
128
K2r [0..15]
K 2r[0] K [15]
2r
PERMUTE: 8 11 12 15 2 1 6 5 10 9 14 13 0 7 4 3
PERMUTE: 8 11 12 15 2 1 6 5 10 9 14 13 0 7 4 3
PERMUTE: 8 11 12 15 2 1 6 5 10 9 14 13 0 7 4 3
bitwise XOR
PHT(x,y)= (2x+y mod 256, x+y mod 256)
Figure 6.2: One round in A r and A' r . The permutation boxes show how input byte indices are
mapped onto output byte indices. Thus, position 8 is mapped on position 0 (leftmost), position 11 is
mapped on position 1, et cetera.
In each round, 2 batches of 16 octet-wide keys are needed. These round keys
are derived as specified by the key scheduling in SAFER+. Figure 6.3 on page
781 gives an overview of how the round keys K p [ j ] are determined. The bias
vectors B2, B3, ..., B17 shall be computed according to following equation:
17p + i + 1
( 45 mod 257 )
B p [ i ] = ( ( 45 mod 257 ) mod 256 ), for i = 0, , 15. (EQ 17)
Security Specification
sum octets
bit-by-bit
modulo two
Select octets
0 1 14 15 16 K
1
0,1,2,...,14,15
Rotate each octet left by 3 bit positions
B 17
The key used for authentication shall be derived through the procedure that is
shown in Figure 6.4 on page 783. The figure shows two modes of operation for
the algorithm. In the first mode, E 21 produces a 128-bit kink key, K , using a
128-bit RAND value and a 48-bit address. This mode shall be utilized when
creating unit keys and combination keys. In the second mode, E 22 produces a
128-bit link key, K , using a 128-bit RAND value and an L octet user PIN. The
second mode shall be used to create the initialization key, and also when a
master key is to be generated.
When the initialization key is generated, the PIN is augmented with the
BD_ADDR, see Section 3.2.1 on page 756 for which address to use. The aug-
mentation shall always start with the least significant octet of the address
immediately following the most significant octet of the PIN. Since the maximum
length of the PIN used in the algorithm cannot exceed 16 octets, it is possible
that not all octets of BD_ADDR will be used.
Security Specification
This key generating algorithm again exploits the cryptographic function. E 2 for
mode 1 (denoted E 21 ) is computed according to following equations:
128 48 128
E 21 : { 0, 1 } { 0, 1 } { 0, 1 }
(EQ 18)
( RAND, address )
| A' r(X, Y)
i=0
Let L be the number of octets in the user PIN. The augmenting is defined by
where
15
X =
PIN' [ i (mod L') ] ,
(EQ 22)
i=0
Y = RAND [ 014 ] ( RAND [ 15 ] L' ),
Security Specification
Mode 1 L Mode 2
RAND PIN
128 8L
E 21 E 22
BD_ADDR RAND
48 128
128 128
Key Key
Figure 6.4: Key generating algorithm E 2 and its two modes. Mode 1 is used for unit and
combination keys, while mode 2 is used for K init and K master .
where Hash is the hash function as defined by (EQ 13) on page 777. The key
length produced is 128 bits. However, before use within E 0 , the encryption key
K C is shortened to the correct encryption key length, as described in Section
4.5 on page 769. A block scheme of E 3 is depicted in Figure 6.5.
EN_RAND
128
COF E3
96
Link key
128
128
KC
Security Specification
Security Specification
7 LIST OF FIGURES
Figure 3.1: Generation of unit key. When the unit key has been exchanged,
the initialization key is discarded in both devices. ...................757
Figure 3.2: Generating a combination key. The old link key (K) is discarded
after the exchange of a new combination key has succeeded 758
Figure 3.3: Master link key distribution and computation of the corresponding
encryption key. ........................................................................761
Figure 4.1: Stream ciphering for Bluetooth with E0. ..................................763
Figure 4.2: Functional description of the encryption procedure ................766
Figure 4.3: Concept of the encryption engine. ..........................................767
Figure 4.4: Overview of the operation of the encryption engine. Between each
start of a packet (TX or RX), the LFSRs are re-initialized. ........ 768
Figure 4.5: Arranging the input to the LFSRs. ...........................................771
Figure 4.6: Distribution of the 128 last generated output symbols within the
LFSRs. ....................................................................................772
Figure 5.1: Challenge-response for the Bluetooth. ....................................773
Figure 5.2: Challenge-response for symmetric key systems. ....................774
Figure 6.1: Flow of data for the computation of E 1 . ...................................778
Figure 6.2: One round in and . The permutation boxes show how input byte
indices are mapped onto output byte indices. Thus, position 8 is
mapped on position 0 (leftmost), position 11 is mapped on
position 1, et cetera. ................................................................780
Figure 6.3: Key scheduling in A r . ..............................................................781
Figure 6.4: Key generating algorithm E 2 and its two modes. Mode 1 is used
for unit and combination keys, while mode 2 is used for K init and
K master . ....................................................................................783
Figure 6.5: Generation of the encryption key. ...........................................783
Security Specification
Security Specification
8 LIST OF TABLES
Security Specification
Bluetooth and Microsoft Desktop Products 17