Bluetooth security mechanisms

Contents

Frequency hopping
Pairing
Authentication
Authorization
Data encryption

Frequency hopping

Bluetooth operates in the license-free ISM band at 2.4 GHz. To avoid interfering with other protocols that use the 2.4 GHz band, the Bluetooth protocol uses a radio technology called Frequency-Hopping Spread Spectrum (FHSS): it divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second.

All Bluetooth devices participating in a given piconet are synchronized to that piconet's frequency-hopping channel. The hopping sequence is determined by the master's device address, and the phase of the sequence (which frequency to hop to at a given moment) is determined by the master's internal clock. Therefore, all slaves in a piconet must know the master's device address and must synchronize their clocks with the master's clock.

During the connection handshake, the slave receives a packet (FHS, Frequency Hop Synchronization) containing the master's BD_ADDR and clock, so the slave's internal clock can be synchronized.

A device that does not belong to the piconet cannot take part in the communication, either by sending data or by listening to the data exchanged, because it does not have access to the frequency hopping sequence. Therefore, frequency hopping strengthens the security of the Bluetooth protocol.

Pairing

Bluetooth pairing is understood as a trust relationship between two devices. When two Bluetooth devices agree to communicate with each other and establish a connection, both devices must be paired.

In order to pair two Bluetooth devices, a passkey needs to be exchanged between the two users. This passkey, also known as the PIN code, is a security code (1 to 16 bytes in length) shared by both Bluetooth devices, which proves that both users have agreed to pair with each other.

With this PIN code, a link key is generated based on the following procedure:

1) An initialization key Kinit is created using the E22 algorithm, whose inputs are the PIN code and its length, the BD_ADDR and a 128-bit random number IN_RAND.

2) The devices use the initialization key Kinit to exchange two new random numbers, known as LK_RAND A and LK_RAND B. Each device generates a random number and sends it to the other device after XORing it with Kinit. Since both devices know Kinit, each device ends up holding both LK_RAND random numbers. With BD_ADDR and LK_RAND as inputs, the E21 algorithm creates the 128-bit link key Kab.

3) Once the link key Kab has been created, both devices use this shared key to authenticate each other on subsequent connection attempts.

Authentication

Authentication is the procedure which ensures that a device attempting a connection is indeed who it claims to be.

All the security functions performed on the link layer are based on the 128-bit link key created by the pairing process. Authentication requires no user interaction; it is a challenge-response scheme between two Bluetooth devices that share a secret link key. The scheme follows this procedure:

1) One of the devices, the claimant, sends its own BD_ADDR to the other.

2) The other device, the verifier, generates a random challenge, a 128-bit number called AU_RAND, and sends it to the claimant.

3) The claimant calculates a word called SRES with the E1 algorithm, taking its own BD_ADDR, the stored link key Kab and the challenge as inputs. Meanwhile, the verifier performs the same calculation.

4) The claimant sends the SRES response to the verifier.

5) The verifier compares the received response with the word it calculated itself.

6) If the SRES words match successfully, the verifier and the claimant change roles and repeat the entire process.
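As an added example (not code from the original page), the pairing exchange and the mutual challenge-response described above modelled end to end in Python. The SAFER+-based E22, E21 and E1 functions are replaced by an HMAC-SHA256 stand-in, and the XOR combination of the two E21 outputs and the use of the responder's BD_ADDR in E22 are assumptions, so the message flow matches the procedure while the key values do not match real Bluetooth hardware.

```python
import hashlib
import hmac
import os

def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SAFER+-based E22/E21/E1 primitives (assumption, not the real
    Bluetooth functions): HMAC-SHA256 truncated to a 128-bit value."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def e22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Kinit = E22(PIN, PIN length, BD_ADDR, IN_RAND); the PIN is 1 to 16 bytes long."""
    assert 1 <= len(pin) <= 16
    return prf(pin, bytes([len(pin)]), bd_addr, in_rand)

def e21(lk_rand: bytes, bd_addr: bytes) -> bytes:
    return prf(lk_rand, bd_addr)

def e1(link_key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """SRES: a 32-bit word computed from the link key, the claimant's BD_ADDR and AU_RAND."""
    return prf(link_key, bd_addr, au_rand)[:4]

def pair(addr_a: bytes, addr_b: bytes, pin_a: bytes, pin_b: bytes):
    """Pairing steps 1 and 2; returns the link key each side ends up holding."""
    in_rand = os.urandom(16)                  # IN_RAND, sent in the clear from A to B
    kinit_a = e22(pin_a, addr_b, in_rand)     # assumption: B's BD_ADDR is the E22 input on both sides
    kinit_b = e22(pin_b, addr_b, in_rand)
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    wire_a = xor(lk_rand_a, kinit_a)          # LK_RAND_A XOR Kinit, as transmitted
    wire_b = xor(lk_rand_b, kinit_b)          # LK_RAND_B XOR Kinit, as transmitted
    # Each side unmasks the peer's LK_RAND with its own Kinit and combines the two E21
    # outputs by XOR. A PIN mismatch yields different Kinit values and two different Kab.
    kab_at_a = xor(e21(lk_rand_a, addr_a), e21(xor(wire_b, kinit_a), addr_b))
    kab_at_b = xor(e21(xor(wire_a, kinit_b), addr_a), e21(lk_rand_b, addr_b))
    return kab_at_a, kab_at_b

def authenticate(claimant_addr: bytes, claimant_key: bytes, verifier_key: bytes) -> bool:
    """One direction of the challenge-response: verifier picks AU_RAND, both compute SRES."""
    au_rand = os.urandom(16)
    sres = e1(claimant_key, claimant_addr, au_rand)              # sent by the claimant
    return hmac.compare_digest(sres, e1(verifier_key, claimant_addr, au_rand))

def mutual_authenticate(addr_a: bytes, key_a: bytes, addr_b: bytes, key_b: bytes) -> bool:
    """Step 6: once A has proved itself to B, the roles swap and B proves itself to A."""
    return authenticate(addr_a, key_a, key_b) and authenticate(addr_b, key_b, key_a)
```

Pairing with matching PINs yields the same Kab on both sides and mutual authentication succeeds; with different PINs the keys diverge silently and authentication is the step that exposes the mismatch, which is why the specification restarts it and eventually discards the link key.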

The Bluetooth specification states that, in order to prevent an attack that injects large numbers of random link keys, any error occurring during the authentication process causes the authentication phase to restart. After a certain number of failed attempts, the master device declares that authentication has failed, the link key is discarded, and both devices must pair again.

Microsoft Windows stores the Bluetooth link keys inside the registry.

Linux stores the Bluetooth link keys inside /var/lib/bluetooth/BD_ADDR/linkkeys.

Authorization

Authorization is the procedure that determines whether a requesting device is allowed to access specific services.

Three different levels of trust between devices are defined (trusted, untrusted and unknown); each level establishes the capacity of a remote device to access a particular Bluetooth service.

Trusted devices are allowed to access services automatically; no access approval is required before service access is granted.

Untrusted or unknown devices require manual authorization, based on user interaction, before access to services is granted. A service may be configured to require authorization but not authentication, so that temporary access can be granted to non-authenticated devices, as with the Object Push Profile.

Usually, most devices allow users to mark authenticated devices as trusted, so that connections can be performed automatically.

Data encryption

Encryption helps to ensure confidentiality by protecting private data from being received by unintended recipients.

Bluetooth strives to maintain confidentiality by offering a 128-bit encryption service. A Bluetooth device ensures that only a recipient with the proper decryption key can view the data by encrypting its transmissions.

Bluetooth encryption uses the E3 algorithm. The encryption key is derived from the link key created during the pairing process, which simplifies key generation since the sender and the receiver already share the link key.

© 2005 - 2009 Alberto Moreno Tablado