Cryptography Reference
In-Depth Information
logical address and produces a 128-bit value. E22 takes an additional PIN code of
L
bytes where 1
16. Note that E21 is a kind of SAFER+ encryption of the address
by using the random value as a key, and that E22 is a kind of SAFER+ encryption of
the random value by using a combination of the PIN and the address as a key.
≤
L
≤
Finally, the encryption key is generated by E3. E3 takes as input the 128-bit link
key
K
, a 128-bit random value EN RAND, and a 96-bit value COF. This value called
ciphering offset is either the concatenation of the two logical addresses of the master
and the slave, or the ACO value coming from the authentication, depending on what
kind of link key is used. It produces a 128-bit value which is linearly shrunk to the
required length for giving the encryption key
K
c
. E3 is defined from SAFER+ in the
same hash mode as that of E1.
We can now describe how these primitives are used in order to set up the encrypted
channel between two peers.
First of all, the peers negotiate who is the master and who is the slave. Then they
have to do some key management through a “pairing protocol,” which leads to a secret
128-bit “link key.” Typically, this link key is semipermanent and will be used in a future
connection so that key management will not be required. Indeed, if the peers are already
paired, then the link key already exists on both sides. When a session starts they perform
a bidirectional authentication based on this key using E1 as depicted in Fig. 5.9. When
they need to start encryption they agree on a key length, derive an encryption key using
E3, and encrypt using E0.
When two devices want to set up a pairing, a human user typically has to securely
type a random ephemeral PIN code on both devices as depicted in Fig. 5.10. If one
device does not have any keyboard, a PIN code can be built in by a manufacturer (on
Bluetooth headsets, the PIN code is usually 0000). The key management consists of
generating an initialization key, generating a link key, and exchanging the link key.
The initialization key is generated using E22 using a PIN code and a 128-bit random
value IN RAND which is communicated by the master to the slave. Then both peers
pick a fresh random value LK RAND and exchange the XOR of this value with the
initialization key. They can then compute two keys LK K with E21 using the two
Master
A
Slave
B
AU RAND
B
−−−−−−−−−−−−−−−−−−−→
pick AU RAND
B
SRES
B
←−−−−−−−−−−−−−−−−−−−
check SRES
B
compute SRES
B
AU RAND
A
←−−−−−−−−−−−−−−−−−−−
pick AU RAND
A
SRES
A
−−−−−−−−−−−−−−−−−−−→
compute SRES
A
check SRES
A
SRES
B
=
E1
(
K
,
BD ADDR
B
,
AU RAND
B
)
SRES
A
=
E1
(
K
,
BD ADDR
A
,
AU RAND
A
)
Figure 5.9.
Bidirectional authentication protocol in bluetooth.
Search WWH ::
Custom Search