Bluetooth v2.1 – Another Security Foundation and New Vulnerabilities.

Uploaded on:
Category: Funny / Jokes
Bluetooth v2.1 – Another Security Foundation and New Vulnerabilities Andrew Lindell Aladdin Information Frameworks and Bar-Ilan College, Israel Talk Diagram Foundation Disconnected from the net versus online lexicon assaults Secure watchword based validation Bluetooth v2.0
Slide 1

Bluetooth v2.1 – A New Security Infrastructure and New Vulnerabilities Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University, Israel

Slide 2

Talk Outline Background Offline versus online word reference assaults Secure secret key based verification Bluetooth v2.0 Bluetooth v2.1 security base The four matching modes: portrayal and essential investigation Password spillage from BT2.1 passkey mode Passive and versatile assaults Man-in-the-center assaults Applications of assaults Devices with altered passwords Bluetooth smartcards and smartcard perusers Suggestions for BT SIG, makers and clients

Slide 3

How Did I Get to This? Security audit of Bluetooth with the end goal of building a Bluetooth-based smartcard The smartcard ought to associate by means of Bluetooth just and ought to act like a consistent smartcard Can we depend on Bluetooth security? To ensure the correspondence line between the smartcard and PC To counteract unapproved access to the smartcard

Slide 4


Slide 5

Online versus Offline Dictionary Attacks An online word reference assault Attacker interfaces with the server/gadget and enters a watchword figure every time Easily ruined: retry counter, exponentially-expanding deferrals, CAPTCHA

Slide 6

Online versus Offline Dictionary Attacks A disconnected from the net lexicon assault Attacker acquires a secret key\'s component (e.g., a hash) Attacker re-registers the capacity itself for “all” conceivable passwords Examples: encryption with passwords, logon secret word record

Slide 7

Online versus Offline Dictionary Attacks Password length keeping in mind the end goal to avert online lexicon assaults, short hard-to-figure passwords suffice to avoid logged off lexicon assaults, long irregular passwords are required You require around 8 really arbitrary characters (numerous kinds) It is verging on unthinkable for people to recollect such long genuinely irregular passwords!

Slide 8

Secure Password Protocols A watchword convention is secure if: After a fruitful execution, the confirming gatherings share a top notch cryptographic key that can be utilized to safely impart The best a foe can do is to do an online lexicon assault on the convention – regardless of the fact that it completes a dynamic man-in-the-center assault This is ideal (an online word reference assault is constantly conceivable) Secure secret word conventions exist Most are secured by licenses (here we ought to fly off the handle) But there are others as well…

Slide 9

Bluetooth v2.0 Pairing in Bluetooth 2.0 (legacy matching) The introduction key K init is produced by applying a cryptographic capacity E 22 to: The BD_ADDR The secret word and its length A 128-bit irregular number that is transmitted in plaintext K init is then utilized as a part of the following stage (to create connection key) Given BD_ADDR, the arbitrary number and the secret word, can foresee the following stage This implies that a spy can figure the watchword and check the estimate – OFFLINE DICTIONARY ATTACK

Slide 10

Bluetooth v2.0 The logged off word reference assault on the blending convention of BT2.0 yields The watchword The connection key This is obliterating in light of the fact that the connection key ensures all correspondence An aggressor who spies can later infer the connection key and decode all correspondence between the gatherings

Slide 11

Bluetooth v2.1 (BT2.1) Many changes – we concentrate just on security Stated point Improve convenience and enhance security Provide assurance against man-in-the-center assaults My desires that were not met The secret key convention is not secure At slightest not in the way that we would expect The secret word convention is anything but difficult to abuse No unequivocal notices are given anyplace Many vital gadgets are left without insurance

Slide 12

Bluetooth v2.1 security foundation

Slide 13

BT2.1 Secure Simple Pairing BT2.1 matching has four distinct modes Numeric correlation: utilized for gadgets that both have shows User thinks about a number that shows up on both showcases and “accepts” on the off chance that they are equivalent Just works: the same as numeric examination however no examination is made Only listening in assurance No MITM assurance nor security against associations

Slide 14

BT2.1 Secure Simple Pairing BT2.1 matching modes (proceeded) Out of band: utilized when an extra channel exists (e.g., if a physical association can be utilized for matching) Passkey section: utilized as a part of the case that both gadgets have the same secret word keeping in mind the end goal to legitimately comprehend the security gave (and not gave) by BT2.1, we portray the convention in subtle element ! What\'s more, investigate it…

Slide 15

Pairing Protocol Structure All four modes take after the same structure Phase 1: Public-key trade Phase 2: Authentication stage 1 Phase 3: Authentication stage 2 Phase 4: Link key count Phase 5: LMP confirmation and encryption Involves producing real correspondence keys from the connection key (we’ll overlook this stage)

Slide 16

Phase 1: Public-Key Exchange Diffie - Hellman key trade over Elliptic bends Parties trade open keys PKa and PKb PKa , PKb are acquired by reproducing the generator of an Elliptic bend bunch by an arbitrary component Denote the generator by G , and the irregular components by an and b ( PKa = a  G ; PKb = b  G ) Given PKa and b , can register DHkey = b PKa = baG Given PKb and a , can process DHkey = a PKb = abG The security of Diffie - Hellman over EC gatherings expresses that given PKa and PKb The key DHkey looks totally random!

Slide 17

Let’s pair PKb PKa DHkey A = a PKb DHkey B = b PKa Diffie - Hellman Key Exchange Device A Device B DHkey A = a PKb = a bG = baG = bPKa = DHkey B

Slide 18

Phase 1: Public-Key Exchange Eavesdropping security After trading PKa and PKb , the gatherings can infer DHkey No listening in foe knows anything about the key Man-in-the-center assaults A MITM foe can catch PKa sent by Device An and send its own key PKc to Device B Likewise, it catches PKb sent by Device B and sends its own key PKc to Device A

Slide 19

Let’s pair PKb PKc PKa DHkey A = a PKc DHkey B = b PKc DHkey A = c PKa DHkey B = c PKb MITM Attacks on Plain DH Device A Device B Important: the assailant must “inject” its own particular key in the trade

Slide 20

Public-Key Exchange Conclusion Plain Diffie-Hellman key trade is not secure against man-in-the-center assaults BT2.1 matching convention method The point of stage 2 of the blending convention is to guarantee that both sides got the true open keys This is basic to all modes If gadget A does not get PKb or gadget B does not get PKa, then they ought to dismiss

Slide 21

The Just Works Mode Just works: security of plain Diffie - Hellman A typical misstep! Case: plain DH is secure against spying and MITM is difficult to do, so it’s enough Refutation: In the Bluetooth world, MITM is not all that hard Just publicize yourself as the other gadget (utilizing its “name” and trust the client picks you) MITM assaults are not by any means the only issue, shouldn\'t something be said about rebel associations (e.g., auto whisperer)? When your BD_ADDR is known, anybody can unite with your gadget (relies on upon execution)

Slide 22

Phase 2: Authentication 1 The point: Use the numerical correlation , out-of-band correspondence or passkey to check that gadget A got gadget B’s open key and the other way around We will quickly portray the thought behind numerical examination and out-of-band correspondence, and will depict the passkey mode in subtle element Background – responsibilities A promise to a quality is a cryptographic capacity that gives concealing and tying Conceptually: the advanced simple of an envelope

Slide 23

Numerical Comparison Devices trade duties to the two open keys and irregular values The gadgets show an open\'s component keys and arbitrary qualities (6 digits) Why does this avert MITM assaults? A MITM aggressor must infuse its own open key For this situation, the gadgets see diverse open keys and the capacity\'s aftereffect deciding the 6 digits will be distinctive

Slide 24

Out-of-Band Communication Essentially, utilize the out-of-band channel to trade the general population keys Technically it meets expectations in an unexpected way, yet this is the general thought A MITM assault is obstructed on the grounds that the MITM assailant must infuse its own open key into the key trade

Slide 25

A Digression – NFC Another mode for matching uses Near Field Communication This mode takes after the out-of-band convention; the NFC is utilized to get the out-of-band message

Slide 26

Passkey Entry Protocol

Slide 27

Passkey Entry Protocol - Analysis The responsibilities Cai and Cbi are traded before Nai and Nbi are uncovered Cai and Cbi are duties to people in general keys and the i th bit of the secret key This implies that all together for a MITM assailant to pass the i th round, it must figure the i th bit of the watchword: The dedication by the genuine gadget uncovers nothing about the bit (and doesn’t help the aggressor) The dedication by the assailant ties it to its worth so it can’t transform it subsequently A MITM must utilize its own dedication in light of the fact that it needs to put its own particular open key inside

Slide 28

Passkey Entry Protocol - Analysis Main perception all together for a MITM foe to effectively infuse its open key (as required for a Diffie-Hellman MITM assault) it should effectively figure the secret key Otherwise, the duties will be mistaken in no less than one round of the convention

Slide 29

The Final Phases Phase 3 – confirmation 2 Verify that the key trade was fruitful Phase 4 – connection key estimation Compute the co

View more...