Cryptography Reference
In-Depth Information
For the encryption, the A5/1 algorithm is a standard algorithm for A5. It is actually
a pseudorandom generator which is initialized with a 22-bit counter and the 64-bit
secret key KC. It generates a 114-bit block which is XORed to the plaintext. This is
just a one-time pad with 114-bit block sequences. The heart of A5/1 is explained in
Section 2.8.3.
Once the setup phase is complete, confidentiality is ensured. A counter-based
stream cipher protects against attempts to erase, swap, or replay packets. However,
integrity protection is rather poor. It is easy for an adversary to replace a confidential
message x by a message x
of her choice (even without knowing x ). Hence
it is hard to say that authentication is protected.
δ
for a
δ
5.6.2 The Bluetooth Network
Bluetooth networks 10 are other nice examples of security infrastructure based on con-
ventional cryptography only. We briefly outline how it works based on the Bluetooth
version 1.2 standard (Ref. [4]).
Bluetooth uses several conventional cryptographic algorithms. The core ones are
the stream cipher E0 that was described in Section 2.8.4, and the block cipher SAFER+,
which is a successor of the block cipher SAFER K-64. They are used in order to define a
series of cryptographic algorithms E0, E1, E21, E22, and E3. E0 serves for encryption.
E1 serves for peer authentication. E2 (including E21 and E22) is a key generator for
authentication. E3 is a key generator for encryption.
E0 was described in Section 2.8.4.
The authentication algorithm E1 works like a MAC. No matter who is the master
and who is the slave, authentication can be done in the two directions, so we talk about
a “verifier” and a “claimant.” E1 takes the 48-bit logical address BD ADDR of the
claimant, a 128-bit random challenge AU RAND, which is transmitted by the verifier,
and a 128-bit “link key” K , which is the secret key. E1 produces a 32-bit response
SRES and a 96-bit value ACO (authentication ciphering offset). With this primitive,
authentication is quite trivial: the verifier picks a random challenge and sends it to the
claimant; the claimant computes the response and sends it to the verifier; the verifier
does the same computation and compares the two values. The output of E1 is defined
by using SAFER+ twice in a (strange) hash mode. Note that E1 must keep track of
successful and unsuccessful authentications. Indeed, E1 starts with a waiting interval
whose value is kept in memory. If an authentication is not successful, this value is
multiplied by a factor greater than 1. Otherwise, it is divided by a factor greater than
1. The value must further be bounded.
The authentication challenge is generated either by E21 or by E22 depending on
what kind of authentication is required. E21 takes a 128-bit random value and a 48-bit
10
Following the Bluetooth folklore, “network” should be replaced by “piconet.”
Search WWH ::




Custom Search