1 introduction to bluetooth® march 3, 2011. 2 introduction
TRANSCRIPT
1
Introduction to Bluetooth®March 3, 2011
8
Frequency Hopping Spread Spectrum
Information about the Master device determines the channel selection sequence
• The Master’s unique device address (“Bluetooth Device Address” or BD_ADDR) is one of the components in the channel selection sequence
• The Master’s internal clock (“Bluetooth clock”) is another component of the channel selection sequence
• The two components taken together provide enough randomness in the channel selection sequence that a reasonable number of Bluetooth piconets can operate in the same physical space
The Master’s Bluetooth clock is rarely “on the air”, so the frequency hopping provides a measure of security
14
Bluetooth Networks
15
Device Addressing
Bluetooth Device Addressing uses the IEEE 48 bit MAC address format.
• Each Bluetooth device has a unique address known as the Bluetooth Device Address
• The upper 24 bits are an Organizationally Unique Identifier (OUI) assigned by the IEEE
• This is commonly referred to as a BD_ADDR
16
Masters and Slaves
A Bluetooth “Master” is a device that initiates a connection to another deviceA Bluetooth “Slave” is a device that accepts a connection from a MasterA device that is not currently connected is neither a Master or a SlaveA Bluetooth network consists of one Master device and up to seven Slave devices
• This is called a “piconet”• When a device participates in more than one piconet, a “scatternet” is
present
17
Masters and Slaves
The Master device provides timing and access control for Slave devices
• Slaves do not speak unless spoken to
Slave devices only communicate with their associated Master devices
• Slave devices do not directly communicate with one another
After a connection is established, a Master and Slave may chose to trade places
• This is referred to as a “Role Switch”
18
Inquiry and Paging
19
Device Discoverability
Bluetooth devices may be placed into a mode where they periodically listen for a request to locate nearby devices
• This is referred to as “Inquiry Scanning”• A device that is not Inquiry Scanning will not receive the “Inquiry
Request” and is therefore invisible to the Device Discovery process
When an Inquiry request message is received, the device responds with its BD_ADDR, Bluetooth Clock, Class of Device and some other information
• The Class of Device is a rough description of the device and can be used to filter away devices that are not of interest
“Inquiry Scanning”, “Inquireable” and “Discoverable” are often used interchangeably
20
Device Connectability
Bluetooth devices may be placed into a mode where they periodically listen for a request from another device to initiate a physical connection
• This is referred to as “Page Scanning”• A device that is not Page Scanning will not receive the “Page Request” and
is therefore invisible to the Device Connection process
When the device is in this mode, and it receives a request with its device address, it responds to the requesting device and the process of creating a physical connection ensues
“Page Scanning”, “Pageable” and “Connectable” are often used interchangeably
21
Device Connectability
A device may be in any combination of Inquirable and Pageable as needed
22
Security
23
Link Keys
Two devices may establish a common secret known as a "Link Key“This allows two devices to determine that they know each other at a later time
• The devices exchange information based on what they believe is the shared link key
• If the information is correct, the two devices are known to each other• This is known as LMP Authentication
The Link Key itself is never transmitted over the air• Instead, values derived from the Link Key, a large random number, and
some other data items is used to compute the information that appears on the air
24
LMP Authentication
The results from the Authentication process do not persist across connections
• If a connection is broken, the devices must Authenticate again at their next connection
Authentication must be performed before encryption is enabled
• One of the values from the Authentication process is used in the computation of the seed for the encryption key sequence
25
Where Do Link Keys Come From?
The Link Key shared between a pair of devices may be permanently stored in the devices
• This is used for special circumstances and is generally discouraged
Two devices execute a process known as “Pairing” to create their common Link Key
• The Link Key is stored for future use• A new Link Key may be generated at any time by re-executing the
Pairing process
There are two form of Pairing:• Legacy Pairing• Secure Simple Pairing
26
Where Do Link Keys Come From?
Two devices which have executed the pairing process and computed a common link key are said to be Bonded
• After two devices have Bonded, there may be no need for either of them to be Discoverable
27
Legacy Pairing
Legacy Pairing generally involves the use of a shared four digit PIN CodeThe devices exchange large random numbers and then perform some math on those numbers factoring in the PIN Code
• The result of the math is a Link Key• The PIN Code itself is never transmitted over the air
LMP Authentication is used to confirm that both devices computed the same answer (Link Key)
28
Vulnerabilities Of Legacy Pairing
PIN Codes may be up to 16 bytes in length and may be binary4 digits are commonly used to reduce the amount of input that the user needs to provideThe limited number of buttons on mobile phones has caused only the digits 0 to 9 to be used in common practiceThe lack of a user interface on devices such has mobile phone headsets had led to the common use of “0000” as the PIN Code
29
Vulnerabilities Of Legacy Pairing
If the PIN Code is known to a third party, and the exchange of random numbers can be captured over the air, then the third party can compute the Link Key
30
Secure Simple Pairing
Secure Simple Pairing was introduced in version 2.1 of the Bluetooth Core Specification to address the issues in Legacy PairingA two phase approach is used to compute the Link KeyThe first phase involves the use of the Diffie Helman Elliptic Curve algorithm to compute a common numeric value
31
Secure Simple Pairing
The second phase varies based on the capabilities of the two devicesThe second phase methods are known as
• Numeric Comparison• Just Works• Passkey Entry• Out Of Band
When a Bluetooth 2.1 (or later) device learns that its peer device is also a 2.1 device, Secure Simple Pairing MUST be used to generate the common Link Key
32
Secure Simple Pairing – Numeric Comparison
This method may be chosen when both devices have a display and the ability for the user to enter a “Yes” or “No” value
• A 6 digit random number is displayed on both devices• The user must then confirm on both devices that the same number is
displayed
33
Secure Simple Pairing – Just Works
This method may be chosen when one of the devices has neither a display or a keyboard
• A 6 digit random number is exchanged between the devices• The devices automatically accept value without user intervention
This method is not as secure as Numeric ComparisonThe resulting Link Key is labeled “un-authenticiated” so that the application software can decide if it is usable
34
Secure Simple Pairing – Passkey Entry
This method may be chosen when one device has a display and the other device has a keyboard
• A 6 digit random number is displayed on the device containing the display• The 6 digit number is entered on the device which has the keyboard
35
Secure Simple Pairing – Out Of Band
When two devices share a secure means of transferring data without using Bluetooth, the Out Of Band mechanism may be usedThe cryptographic information may be exchanged using
• Smart Cards• Near Field Communications• RFID
36
Encryption
Because the “seed” for the encryption key sequence comes from the most recent LMP Authentication, the encryption key sequence is different each time two devices connectBluetooth currently uses Safer+
• A stronger method, possibly AES-128, may be used in the future
37
Security Modes
The Bluetooth Core Specification defines four security modesSecurity Mode 1 is “non secure”Security Mode 2 is “service level enforced security”
• In this mode, an application (service) initiates security• The security features used may be trusted device Authentication, or
Authentication and Encryption
Security Mode 3 is “link level enforced security”• In this mode, security is initiated when the devices connect to one
another• The security features are the same as with mode 2
38
Security Modes
Security Mode 4 is a more stringent form of Security Mode 2• All applications (services) are required to initiate security procedures• Both Authenticiation and Encryption are required to be used• Services may choose to re-initiate the pairing process based on the
strength of the existing Link Key.• An un-authenticated Link Key may not be strong enough for some
applications
When a Bluetooth 2.1 (or later) device learns that its peer device is also a 2.1 device, Security Mode 4 MUST be used
• An exception is the Service Discovery Protocol, which is used to learn the set of services available on the peer device
39
Secure Simple Pairing Debug Mode
The first phase of Secure Simple Pairing (Diffie Helman algortihm) was chosen to make it difficult to capture the pairing process using an “Air Sniffer”Secure Simple Pairing Debug Mode may be enabled on a device to cause the pair of devices to used a predefined set of public and private keys
• An Air Sniffer when seeing one of the predefined public keys on the air automatically knows the rest of the keys and can excute the Diffie Helman algorithm
A Link Key that results from Debug Mode is labeled as a Debug Key and is not considered to be secure
40
The Host Controller Interface
41
The Host Controller Interface
Bluetooth defines two entities that make up a complete implementation
• Hosts• Host Controllers• You need one of each
“Host Controllers” are often simply referred to as “Controllers”
Bluetooth Device 1
HOST
HOST Controller
42
Hosts and Host Controllers
The Host is where the application executes• If a device has a CPU, it may be convenient
for the Host to execute there
The Host Controller is where the radio work gets done
• The Host Controller creates links to other Bluetooth devices upon request from the Host
• It maintains the quality of the radio link• It responds to a limited class of messages
without involving the Host
Bluetooth Device 1
HOST
HOST Controller
43
Host and Controller Interconnection
The connection point between a Host and a Controller is the Host Controller Interface
• Bluetooth defines a messaging protocol to be used at the interface - HCI
• HCI allows application software from one vendor to be used with a Bluetooth radio (Controller) from another vendor
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
44
HCI Transports USB Sometimes referred to as
“H2” The USB transport takes
advantage of the robustness and increased data rates provided by the Universal Serial Bus
Secure Digital (SD) The SD transport allows
for Bluetooth HCI to be carried over SDIO interfaces
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2)
Secure Digital (SD)
45
HCI TransportsFuture Transports Under Consideration SPI PCI
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2) Secure Digital (SD)
46
The Bluetooth Protocol Stack
47
Host Controller Side Protocols
Transmitting and receiving of data is performed by the Baseband layer
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2)
Secure Digital (SD)
Baseband
48
Host Controller Side Protocols
The Link Controller provides packet link level control and maintenance of a communications linkThe Link Manager Protocol provides the command and control interface for Link Controller & Baseband HCI commands often result in the
exchange of one or more Link Manager Protocol messages
A number of HCI events are generated in response to messages from the Link Manager
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2)
Secure Digital (SD)
Baseband
Link Controller/ Link Manager
49
Host Side Protocols
The L2CAP protocol is used to create and control virtual channels over an existing ACL link
• L2CAP provides protocol multiplexing allowing a single ACL connection to be used for multiple purposes
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2)
Secure Digital (SD)
Baseband
Link Controller/ Link Manager
L2CAP
50
Host Side Protocols
The Service Discovery Protocol allows a device to learn about the applications that are supported on another device
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2) Secure Digital (SD)
Baseband
Link Controller/ Link Manager
L2CAP
SDP
51
Host Side Protocols
RFCOMM is used for general purpose datastreams by the application profiles
• RFCOMM has a flow control mechanism based on credits
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
Baseband
Link Controller/ Link Manager
L2CAP
SDPRFCOMM HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2) Secure Digital (SD)
52
Profiles
Profiles are used at the application level as a way of specifying high level functionalityThe profile specifications define the rules and messaging required to implement a particular application client or server
Bluetooth Device 1
HOST
HOST Controller
HCI
HCI
HostControllerInterface
Baseband
Link Controller/ Link Manager
L2CAP
SDPRFCOMM
Profiles
HCI TransportsAsynchronous Serial
HCI UART (H4)
Three-Wire UART (H5)
BCSPI/O Busses USB (H2) Secure Digital (SD)
53
HOST
RFCOMM
L2CAP
Bluetooth Device 1
HOST Controller
Profiles
SDP
Link Controller/ Link Manager
Baseband
HCI
HCI
HOST
RFCOMM
L2CAP
Bluetooth Device 2
HOST Controller
Profiles
SDP
Link Controller/ Link Manager
Baseband
HCI
HCI
HostControllerInterface
HCI Transports
HostControllerInterface
Asynchronous SerialHCI UART (H4)
Three-Wire UART (H5)BCSP
I/O Busses USB (H2)
Secure Digital (SD)
54
Profiles
55
Profiles
Each profile is developed by a Working Group and consists of three documents
• Profile Specification• Defines the features available in the profile• Defines the functions used to create the given features
• Profile Implementation Conformance Statement (PICS)• A list of the features provided by the profile along with an indication of
those that are Mandatory versus those that are optional• Profile Test Specification
• Defines the procedures used to test the application functions defined in the Profile
• Provides a mapping between the features listed in the PICS and the functions used to implement them
56
Roles and Responsibilities
A Profile specification defines one or more roles for a given Bluetooth application
• Most Profiles define two roles, one for each side of the application purpose• For example, a mobile phone and a headset
Each Profile feature is defined in terms of the overall roles for the profile
• For example, a mobile phone can place a call using the phone number provided to it by a headset.
57
Profile Testing
The Bluetooth SIG has released the Profile Tuning Suite (PTS)PTS can be used to test implementations to ensure function in accordance with the specificationsIf two devices that are supposed to communicate with each other can pass the profile tests, there is high confidence that the devices will interoperateUse of the PTS is required by the Bluetooth Qualification Program
58
Common Profiles
59
Headset Profiles
The Headset profiles are used with mobile phones, personal headsets for hands free phone usage, and hands free phone systems used in automobilesHandsFree Profile (HFP)
• Roles• HandsFree Unit: Headset or car kit• Audio Gateway: Mobile phone
Headset Profile (HSP)• Roles
• Headset• Audio Gateway
60
Printing Profiles
The Printing profiles are used to transfer data from devices to printers. They can also be used for moving photos to “smart picture frames”Basic Imaging Profile (BIP)
• Used for printing pictures and other graphics• Roles
• Initiatiator: The device that is sending a picture• Responder: The device that is receiving a picture to be printed or
otherwise displayed
61
Printing Profiles
Basic Printing Profile (BPP)• Printer support for text based descriptions of the printed output
• Simple text files• HTML web pages• Structured text objects such a vCards
• Roles• Sender• Printer
62
Printing Profiles
Hardcopy Cable Replacement Profile (HCRP)• A simple command and messaging structure to allow for the
elimination of cables between printers and other devices• Roles
• HCRP Client• HCRP Server
63
Transfer Profiles
The Transfer profiles are used to transfer information between devicesFile Transfer Profile (FTP)
• General purpose file transfer between devices• Supports file system directory structures on the serving device• Session based connection where multiple operations may be carried out
• Roles• File Transfer Client• File Transfer Server
64
Transfer Profiles
Object Push Profile (OPP)• Primarily used for transferring common items such as business cards
betweens mobile phones, PDAs, etc• Used to “push” (send) an item from one to device to the another• Not session based, a single connection is used for item to be pushed• Many implementations support the transfer or arbitrary files• Also considered a Printing profile since the target device may be a printer
• Roles• Object Push Client• Object Push Server
65
Input Profiles
There is only one Input profile – HIDHuman Interface Device Profile (HID)
• Based on computing industry standard Human Interface Device specifications
• Used for computer keyboards, mice, etc• Roles
• Host: Computer or other device needing input• Device: Mouse, Keyboard, etc
66
Music Profiles
The Music profiles are used to transmit high quality audio (music) from MP3 players, home stereo systems, etc. In addition, the Music profiles provide a means to remotely control such systemsAdvanced Audio Distribution Profile (A2DP)
• Streaming audio transfer from a music source to headphone, speakers or other devices
• Roles• Source: MP3 player, home stereo, etc• Sink: Stereo headphones, speakers, etc
67
Music Profiles
Audio/Video Remote Control Profile• Remote control of an entertainment device such as an MP3 player,
television, home stereo etc• Often used in conjuction with A2DP devices to allow the A2DP Sink to
control the A2DP Source• Roles
• Controller: The remote control unit• Target: The device being controlled
68
Miscellaneous Profiles
Serial Port Profile (SPP)• Wireless serial cable emulation• Commonly used for cable elimination between devices using
asynchronous serial communications• Roles
• Device A: The device that initiates a serial port connection• Device B: The device that accepts a serial port connection• Note that “Device A” and “Device B” have no correspondence to the
common “DTE” (Data Terminal Equipment) and “DCE” (Data Communications Equipment) terminology. “Device A” may be a “DTE” or a “DCE”; “Device B” may be either as well
69
Miscellaneous Profiles
SIM Access Profile• This profile is used to allow HandsFree car kits and similar devices to
access the setup information of a mobile phone• The setup information can be used to allow the car kit to disable the
mobile phone and operate on its behalf• Roles
• SIM Access Client• SIM Access Server
70
Miscellaneous Profiles
Phone Book Access Profile (PBAP)• The Profile provides a standardized way for a car kit or similar device
to access the address book in a mobile phone• Roles
• Client• Server
71
References
72
Books
"Bluetooth 1.1: Connect Without Cables"• By Jennifer Bray, Charles F Sturman• Generally considered a good place to start when learning about Bluetooth• Some parts are technical but can be skimmed over
"Bluetooth Application Developer's Guide"• Edited by Jennifer Bray• This book is often mentioned as the next place to go for those who will be
working with Bluetooth
73
Websites
www.bluetooth.org• Profile and protocol specifications• Test specifications• Much more