Introduction to Bluetooth® March 3, 2011


Frequency Hopping Spread Spectrum

Information about the Master device determines the channel selection sequence

• The Master’s unique device address (“Bluetooth Device Address” or BD_ADDR) is one of the components in the channel selection sequence

• The Master’s internal clock (“Bluetooth clock”) is another component of the channel selection sequence

• The two components taken together provide enough randomness in the channel selection sequence that a reasonable number of Bluetooth piconets can operate in the same physical space

The Master’s Bluetooth clock is rarely “on the air”, so the frequency hopping provides a measure of security


Bluetooth Networks


Device Addressing

Bluetooth Device Addressing uses the IEEE 48 bit MAC address format.

• Each Bluetooth device has a unique address known as the Bluetooth Device Address

• The upper 24 bits are an Organizationally Unique Identifier (OUI) assigned by the IEEE

• This is commonly referred to as a BD_ADDR


Masters and Slaves

A Bluetooth “Master” is a device that initiates a connection to another device

A Bluetooth “Slave” is a device that accepts a connection from a Master

A device that is not currently connected is neither a Master nor a Slave

A Bluetooth network consists of one Master device and up to seven Slave devices

• This is called a “piconet”
• When a device participates in more than one piconet, a “scatternet” is present


Masters and Slaves

The Master device provides timing and access control for Slave devices

• Slaves do not speak unless spoken to

Slave devices only communicate with their associated Master devices

• Slave devices do not directly communicate with one another

After a connection is established, a Master and Slave may choose to trade places

• This is referred to as a “Role Switch”


Inquiry and Paging


Device Discoverability

Bluetooth devices may be placed into a mode where they periodically listen for a request to locate nearby devices

• This is referred to as “Inquiry Scanning”
• A device that is not Inquiry Scanning will not receive the “Inquiry Request” and is therefore invisible to the Device Discovery process

When an Inquiry request message is received, the device responds with its BD_ADDR, Bluetooth Clock, Class of Device and some other information

• The Class of Device is a rough description of the device and can be used to filter away devices that are not of interest

“Inquiry Scanning”, “Inquirable” and “Discoverable” are often used interchangeably


Device Connectability

Bluetooth devices may be placed into a mode where they periodically listen for a request from another device to initiate a physical connection

• This is referred to as “Page Scanning”
• A device that is not Page Scanning will not receive the “Page Request” and is therefore invisible to the Device Connection process

When the device is in this mode, and it receives a request with its device address, it responds to the requesting device and the process of creating a physical connection ensues

“Page Scanning”, “Pageable” and “Connectable” are often used interchangeably


Device Connectability

A device may be in any combination of Inquirable and Pageable as needed


Security


Link Keys

Two devices may establish a common secret known as a “Link Key”

This allows two devices to determine that they know each other at a later time

• The devices exchange information based on what they believe is the shared link key
• If the information is correct, the two devices are known to each other
• This is known as LMP Authentication

The Link Key itself is never transmitted over the air

• Instead, values derived from the Link Key, a large random number, and some other data items are used to compute the information that appears on the air


LMP Authentication

The results from the Authentication process do not persist across connections

• If a connection is broken, the devices must Authenticate again at their next connection

Authentication must be performed before encryption is enabled

• One of the values from the Authentication process is used in the computation of the seed for the encryption key sequence


Where Do Link Keys Come From?

The Link Key shared between a pair of devices may be permanently stored in the devices

• This is used for special circumstances and is generally discouraged

Two devices execute a process known as “Pairing” to create their common Link Key

• The Link Key is stored for future use
• A new Link Key may be generated at any time by re-executing the Pairing process

There are two forms of Pairing:

• Legacy Pairing
• Secure Simple Pairing


Where Do Link Keys Come From?

Two devices which have executed the pairing process and computed a common link key are said to be Bonded

• After two devices have Bonded, there may be no need for either of them to be Discoverable


Legacy Pairing

Legacy Pairing generally involves the use of a shared four digit PIN Code

The devices exchange large random numbers and then perform some math on those numbers factoring in the PIN Code

• The result of the math is a Link Key
• The PIN Code itself is never transmitted over the air

LMP Authentication is used to confirm that both devices computed the same answer (Link Key)


Vulnerabilities Of Legacy Pairing

PIN Codes may be up to 16 bytes in length and may be binary

4 digits are commonly used to reduce the amount of input that the user needs to provide

The limited number of buttons on mobile phones has caused only the digits 0 to 9 to be used in common practice

The lack of a user interface on devices such as mobile phone headsets has led to the common use of “0000” as the PIN Code


Vulnerabilities Of Legacy Pairing

If the PIN Code is known to a third party, and the exchange of random numbers can be captured over the air, then the third party can compute the Link Key


Secure Simple Pairing

Secure Simple Pairing was introduced in version 2.1 of the Bluetooth Core Specification to address the issues in Legacy Pairing

A two phase approach is used to compute the Link Key

The first phase involves the use of the Elliptic Curve Diffie-Hellman algorithm to compute a common numeric value


Secure Simple Pairing

The second phase varies based on the capabilities of the two devices

The second phase methods are known as

• Numeric Comparison
• Just Works
• Passkey Entry
• Out Of Band

When a Bluetooth 2.1 (or later) device learns that its peer device is also a 2.1 device, Secure Simple Pairing MUST be used to generate the common Link Key


Secure Simple Pairing – Numeric Comparison

This method may be chosen when both devices have a display and the ability for the user to enter a “Yes” or “No” value

• A 6 digit random number is displayed on both devices
• The user must then confirm on both devices that the same number is displayed
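As an added example (not part of the original slides), the two SSP phases above in miniature: a textbook P-256 ECDH exchange for phase 1, then the Core Specification's g() function that yields the 6 digit Numeric Comparison value. Running it with an active attacker who swaps in its own public key shows the two displays diverge, which is exactly what the user's Yes/No check catches and what Just Works cannot. The curve arithmetic is a toy (not constant-time) and the real protocol's nonce commitment step is omitted.

```python
import hashlib
import random
import secrets

# NIST P-256 domain parameters, the curve SSP phase 1 uses for its ECDH exchange.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Textbook affine addition (None is the point at infinity); not constant-time."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def keypair(rng):
    priv = rng.randrange(1, N)
    return priv, ec_mul(priv, G)

def g(pk_u, pk_v, nonce_x, nonce_y):
    """Core Spec g(U, V, X, Y) = SHA-256(U || V || X || Y) mod 2^32 over the public-key
    X coordinates and 128-bit nonces; the display shows its six low decimal digits."""
    data = (pk_u[0].to_bytes(32, "big") + pk_v[0].to_bytes(32, "big")
            + nonce_x.to_bytes(16, "big") + nonce_y.to_bytes(16, "big"))
    return (int.from_bytes(hashlib.sha256(data).digest(), "big") % 2**32) % 1_000_000

def run_pairing(attacker_in_middle=False, seed=None):
    """Simulate phase 1 plus Numeric Comparison between devices A (initiator) and B.
    Returns (digits shown on A, digits shown on B, whether both derived the same DHKey)."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    priv_a, pk_a = keypair(rng)
    priv_b, pk_b = keypair(rng)
    na, nb = rng.getrandbits(128), rng.getrandbits(128)
    seen_by_a, seen_by_b = pk_b, pk_a            # public keys as received over the air
    if attacker_in_middle:
        # An active attacker sends its own public key toward both sides and relays
        # the nonces (the real protocol also commits to nonces with f1; omitted here).
        _, pk_m = keypair(rng)
        seen_by_a = seen_by_b = pk_m
    dhkey_a = ec_mul(priv_a, seen_by_a)[0]       # DHKey is the shared X coordinate
    dhkey_b = ec_mul(priv_b, seen_by_b)[0]
    va = g(pk_a, seen_by_a, na, nb)              # A orders (PKa, PKb) as it sees them
    vb = g(seen_by_b, pk_b, na, nb)              # B does the same; equal only if honest
    return va, vb, dhkey_a == dhkey_b
```

A passive Air Sniffer sees both public keys and nonces yet has neither private key, so it cannot compute DHKey; only the seeded run is deterministic, real devices draw from a hardware RNG.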


Secure Simple Pairing – Just Works

This method may be chosen when one of the devices has neither a display nor a keyboard

• A 6 digit random number is exchanged between the devices
• The devices automatically accept the value without user intervention

This method is not as secure as Numeric Comparison

The resulting Link Key is labeled “un-authenticated” so that the application software can decide if it is usable


Secure Simple Pairing – Passkey Entry

This method may be chosen when one device has a display and the other device has a keyboard

• A 6 digit random number is displayed on the device containing the display
• The 6 digit number is entered on the device which has the keyboard


Secure Simple Pairing – Out Of Band

When two devices share a secure means of transferring data without using Bluetooth, the Out Of Band mechanism may be used

The cryptographic information may be exchanged using

• Smart Cards
• Near Field Communications
• RFID


Encryption

Because the “seed” for the encryption key sequence comes from the most recent LMP Authentication, the encryption key sequence is different each time two devices connect

Bluetooth currently uses Safer+

• A stronger method, possibly AES-128, may be used in the future


Security Modes

The Bluetooth Core Specification defines four security modes

Security Mode 1 is “non secure”

Security Mode 2 is “service level enforced security”

• In this mode, an application (service) initiates security
• The security features used may be trusted device Authentication, or Authentication and Encryption

Security Mode 3 is “link level enforced security”

• In this mode, security is initiated when the devices connect to one another
• The security features are the same as with mode 2


Security Modes

Security Mode 4 is a more stringent form of Security Mode 2

• All applications (services) are required to initiate security procedures
• Both Authentication and Encryption are required to be used
• Services may choose to re-initiate the pairing process based on the strength of the existing Link Key
• An un-authenticated Link Key may not be strong enough for some applications

When a Bluetooth 2.1 (or later) device learns that its peer device is also a 2.1 device, Security Mode 4 MUST be used

• An exception is the Service Discovery Protocol, which is used to learn the set of services available on the peer device


Secure Simple Pairing Debug Mode

The first phase of Secure Simple Pairing (the Diffie-Hellman algorithm) was chosen to make it difficult to capture the pairing process using an “Air Sniffer”

Secure Simple Pairing Debug Mode may be enabled on a device to cause the pair of devices to use a predefined set of public and private keys

• An Air Sniffer, when seeing one of the predefined public keys on the air, automatically knows the rest of the keys and can execute the Diffie-Hellman algorithm

A Link Key that results from Debug Mode is labeled as a Debug Key and is not considered to be secure


The Host Controller Interface


The Host Controller Interface

Bluetooth defines two entities that make up a complete implementation

• Hosts
• Host Controllers
• You need one of each

“Host Controllers” are often simply referred to as “Controllers”

[Diagram: Bluetooth Device 1, shown as a HOST stacked on top of a HOST Controller]


Hosts and Host Controllers

The Host is where the application executes

• If a device has a CPU, it may be convenient for the Host to execute there

The Host Controller is where the radio work gets done

• The Host Controller creates links to other Bluetooth devices upon request from the Host
• It maintains the quality of the radio link
• It responds to a limited class of messages without involving the Host


Host and Controller Interconnection

The connection point between a Host and a Controller is the Host Controller Interface

• Bluetooth defines a messaging protocol to be used at the interface - HCI

• HCI allows application software from one vendor to be used with a Bluetooth radio (Controller) from another vendor


HCI Transports

USB: sometimes referred to as “H2”. The USB transport takes advantage of the robustness and increased data rates provided by the Universal Serial Bus

Secure Digital (SD): the SD transport allows for Bluetooth HCI to be carried over SDIO interfaces

[Diagram: Bluetooth Device 1, HOST over HOST Controller, joined by the Host Controller Interface, with the HCI Transports listed below]

HCI Transports

• Asynchronous Serial: HCI UART (H4), Three-Wire UART (H5), BCSP
• I/O Busses: USB (H2), Secure Digital (SD)
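As an added example (not from the original slides), a small Python framer and parser for the H4 UART transport listed above: it builds HCI_Reset and HCI_Inquiry commands and decodes the Command Complete event for HCI_Read_BD_ADDR, rendering the 48 bit BD_ADDR from the Device Addressing slide together with its OUI. The opcodes and event code are the Core Specification's values; the event frame itself is constructed for the example and is not a capture.

```python
import struct

# H4 (HCI UART) packet indicator byte that precedes every HCI packet on the wire.
H4_COMMAND, H4_ACL, H4_EVENT = 0x01, 0x02, 0x04

# HCI opcodes are OGF << 10 | OCF; these three are defined in the Core Specification.
OP_INQUIRY = (0x01 << 10) | 0x0001        # Link Control group: HCI_Inquiry
OP_RESET = (0x03 << 10) | 0x0003          # Controller & Baseband group: HCI_Reset
OP_READ_BD_ADDR = (0x04 << 10) | 0x0009   # Informational group: HCI_Read_BD_ADDR
EVT_COMMAND_COMPLETE = 0x0E
GIAC = 0x9E8B33                           # General Inquiry Access Code (LAP)

def h4_command(opcode, params=b""):
    """Frame an HCI command for H4: indicator, opcode (LE16), parameter length, parameters."""
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params

def inquiry_command(lap=GIAC, inquiry_length=8, num_responses=0):
    """HCI_Inquiry: LAP (3 bytes LE), Inquiry_Length in 1.28 s units, max responses (0 = unlimited)."""
    params = lap.to_bytes(3, "little") + bytes([inquiry_length, num_responses])
    return h4_command(OP_INQUIRY, params)

def parse_h4_event(frame):
    """Return (event_code, parameters) from an H4 event frame, refusing malformed lengths."""
    if len(frame) < 3 or frame[0] != H4_EVENT:
        raise ValueError("not an H4 event packet")
    event_code, plen, params = frame[1], frame[2], frame[3:]
    if len(params) != plen:
        raise ValueError(f"length field {plen} does not match {len(params)} payload bytes")
    return event_code, params

def parse_command_complete(params):
    """Return (Num_HCI_Command_Packets, opcode, return parameters)."""
    if len(params) < 3:
        raise ValueError("Command Complete parameters too short")
    num_pkts, opcode = struct.unpack("<BH", params[:3])
    return num_pkts, opcode, params[3:]

def bd_addr_from_le(raw):
    """Controllers return BD_ADDR least-significant byte first; render it MSB-first."""
    if len(raw) != 6:
        raise ValueError("BD_ADDR must be exactly 6 bytes")
    return ":".join(f"{b:02X}" for b in reversed(raw))

def oui_of(bd_addr):
    """The upper 24 bits of a BD_ADDR are the IEEE-assigned OUI."""
    return bd_addr[:8]

def read_bd_addr_from_event(frame):
    """Extract the local BD_ADDR from a Command Complete for HCI_Read_BD_ADDR."""
    code, params = parse_h4_event(frame)
    if code != EVT_COMMAND_COMPLETE:
        raise ValueError("expected a Command Complete event")
    _, opcode, ret = parse_command_complete(params)
    if opcode != OP_READ_BD_ADDR or len(ret) != 7 or ret[0] != 0x00:
        raise ValueError("wrong opcode, bad length or non-zero status")
    return bd_addr_from_le(ret[1:])

# Constructed sample frame (not a real capture): Command Complete for HCI_Read_BD_ADDR,
# status 0x00 (success), reporting the made-up address 00:11:22:33:44:55.
SAMPLE_READ_BD_ADDR_EVENT = bytes([
    H4_EVENT, EVT_COMMAND_COMPLETE, 0x0A,   # indicator, event code, 10 parameter bytes
    0x01, 0x09, 0x10,                       # Num_HCI_Command_Packets, opcode 0x1009 LE
    0x00,                                   # Status
    0x55, 0x44, 0x33, 0x22, 0x11, 0x00,     # BD_ADDR, LSB first
])
```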

HCI Transports

Future Transports Under Consideration

• SPI
• PCI


The Bluetooth Protocol Stack


Host Controller Side Protocols

Transmitting and receiving of data is performed by the Baseband layer



Host Controller Side Protocols

The Link Controller provides packet link level control and maintenance of a communications link

The Link Manager Protocol provides the command and control interface for the Link Controller & Baseband

HCI commands often result in the exchange of one or more Link Manager Protocol messages

A number of HCI events are generated in response to messages from the Link Manager



Host Side Protocols

The L2CAP protocol is used to create and control virtual channels over an existing ACL link

• L2CAP provides protocol multiplexing allowing a single ACL connection to be used for multiple purposes



Host Side Protocols

The Service Discovery Protocol allows a device to learn about the applications that are supported on another device



Host Side Protocols

RFCOMM is used for general purpose datastreams by the application profiles

• RFCOMM has a flow control mechanism based on credits



Profiles

Profiles are used at the application level as a way of specifying high level functionality

The profile specifications define the rules and messaging required to implement a particular application client or server


[Diagram: the complete stack for Bluetooth Device 1 and Bluetooth Device 2. In each device the HOST holds Profiles, SDP, RFCOMM and L2CAP; the HOST Controller holds the Link Controller/Link Manager and Baseband; the two are joined by HCI across the Host Controller Interface. HCI Transports: Asynchronous Serial (HCI UART (H4), Three-Wire UART (H5), BCSP) and I/O Busses (USB (H2), Secure Digital (SD))]


Profiles


Profiles

Each profile is developed by a Working Group and consists of three documents

• Profile Specification
  • Defines the features available in the profile
  • Defines the functions used to create the given features
• Profile Implementation Conformance Statement (PICS)
  • A list of the features provided by the profile along with an indication of those that are Mandatory versus those that are optional
• Profile Test Specification
  • Defines the procedures used to test the application functions defined in the Profile
  • Provides a mapping between the features listed in the PICS and the functions used to implement them


Roles and Responsibilities

A Profile specification defines one or more roles for a given Bluetooth application

• Most Profiles define two roles, one for each side of the application purpose
• For example, a mobile phone and a headset

Each Profile feature is defined in terms of the overall roles for the profile

• For example, a mobile phone can place a call using the phone number provided to it by a headset.


Profile Testing

The Bluetooth SIG has released the Profile Tuning Suite (PTS)

PTS can be used to test implementations to ensure they function in accordance with the specifications

If two devices that are supposed to communicate with each other can pass the profile tests, there is high confidence that the devices will interoperate

Use of the PTS is required by the Bluetooth Qualification Program


Common Profiles


Headset Profiles

The Headset profiles are used with mobile phones, personal headsets for hands free phone usage, and hands free phone systems used in automobiles

HandsFree Profile (HFP)

• Roles
  • HandsFree Unit: Headset or car kit
  • Audio Gateway: Mobile phone

Headset Profile (HSP)

• Roles
  • Headset
  • Audio Gateway


Printing Profiles

The Printing profiles are used to transfer data from devices to printers. They can also be used for moving photos to “smart picture frames”

Basic Imaging Profile (BIP)

• Used for printing pictures and other graphics
• Roles
  • Initiator: The device that is sending a picture
  • Responder: The device that is receiving a picture to be printed or otherwise displayed


Printing Profiles

Basic Printing Profile (BPP)

• Printer support for text based descriptions of the printed output
  • Simple text files
  • HTML web pages
  • Structured text objects such as vCards
• Roles
  • Sender
  • Printer


Printing Profiles

Hardcopy Cable Replacement Profile (HCRP)

• A simple command and messaging structure to allow for the elimination of cables between printers and other devices
• Roles
  • HCRP Client
  • HCRP Server


Transfer Profiles

The Transfer profiles are used to transfer information between devices

File Transfer Profile (FTP)

• General purpose file transfer between devices
• Supports file system directory structures on the serving device
• Session based connection where multiple operations may be carried out
• Roles
  • File Transfer Client
  • File Transfer Server


Transfer Profiles

Object Push Profile (OPP)

• Primarily used for transferring common items such as business cards between mobile phones, PDAs, etc
• Used to “push” (send) an item from one device to another
• Not session based; a single connection is used for the item to be pushed
• Many implementations support the transfer of arbitrary files
• Also considered a Printing profile since the target device may be a printer
• Roles
  • Object Push Client
  • Object Push Server


Input Profiles

There is only one Input profile – HID

Human Interface Device Profile (HID)

• Based on computing industry standard Human Interface Device specifications
• Used for computer keyboards, mice, etc
• Roles
  • Host: Computer or other device needing input
  • Device: Mouse, Keyboard, etc


Music Profiles

The Music profiles are used to transmit high quality audio (music) from MP3 players, home stereo systems, etc. In addition, the Music profiles provide a means to remotely control such systems

Advanced Audio Distribution Profile (A2DP)

• Streaming audio transfer from a music source to headphones, speakers or other devices
• Roles
  • Source: MP3 player, home stereo, etc
  • Sink: Stereo headphones, speakers, etc


Music Profiles

Audio/Video Remote Control Profile

• Remote control of an entertainment device such as an MP3 player, television, home stereo etc
• Often used in conjunction with A2DP devices to allow the A2DP Sink to control the A2DP Source
• Roles
  • Controller: The remote control unit
  • Target: The device being controlled


Miscellaneous Profiles

Serial Port Profile (SPP)

• Wireless serial cable emulation
• Commonly used for cable elimination between devices using asynchronous serial communications
• Roles
  • Device A: The device that initiates a serial port connection
  • Device B: The device that accepts a serial port connection
  • Note that “Device A” and “Device B” have no correspondence to the common “DTE” (Data Terminal Equipment) and “DCE” (Data Communications Equipment) terminology. “Device A” may be a “DTE” or a “DCE”; “Device B” may be either as well


Miscellaneous Profiles

SIM Access Profile

• This profile is used to allow HandsFree car kits and similar devices to access the setup information of a mobile phone
• The setup information can be used to allow the car kit to disable the mobile phone and operate on its behalf
• Roles
  • SIM Access Client
  • SIM Access Server


Miscellaneous Profiles

Phone Book Access Profile (PBAP)

• The Profile provides a standardized way for a car kit or similar device to access the address book in a mobile phone
• Roles
  • Client
  • Server


References


Books

“Bluetooth 1.1: Connect Without Cables”

• By Jennifer Bray, Charles F Sturman
• Generally considered a good place to start when learning about Bluetooth
• Some parts are technical but can be skimmed over

“Bluetooth Application Developer's Guide”

• Edited by Jennifer Bray
• This book is often mentioned as the next place to go for those who will be working with Bluetooth


Websites

www.bluetooth.org

• Profile and protocol specifications
• Test specifications
• Much more