© Sil Janssens - Vrije Universiteit Brussel - Katholieke Universiteit Leuven. Last update: 2005/08/18 23:34:23, Revision 1.39
Abstract
Bluetooth is a wireless technology standard specification developed and maintained by the Bluetooth Special Interest Group (SIG). This thesis focuses on the low-level security aspects of the Bluetooth specification. Most of the security features are covered in this thesis, but the E0 encryption system is discussed in more detail. Both strong and weak points of the Bluetooth specification are identified, thus covering the architecture but also many of the recently discovered security attacks.
The E0 Bluetooth encryption algorithm is based on a stream cipher with four linear feedback shift registers (LFSRs) in combination with a memory and a linear and nonlinear combiner function. Stream ciphers and the different types of attacks on stream ciphers are covered in detail in this thesis. A simulation of the E0 system and some theoretical attacks on the E0 algorithm are implemented as a way to get a better understanding of how they work. But since these attacks have a high time complexity, between approximately O(2^80) and O(2^60), and require more keystream bits than are available in a real Bluetooth system, the implementation has no practical purpose.
Besides the stream ciphers, we also briefly introduce block ciphers, as these are used in the pairing and authentication systems of the Bluetooth architecture explored here.
For completeness, we cover some attacks that have been found to work on some types of Bluetooth devices. Only a short overview is given of these attacks, as most of them are not based on a failure of the Bluetooth protocol but on flaws in specific implementations.
Acknowledgements
This dissertation could not have been written without Dr. Philippe Cara who not only served
as my supervisor but also encouraged and challenged me throughout my academic program. He
and the faculty members of the Katholieke Universiteit Leuven from the COSIC Department,
Robert Maier and Dave Singelee, guided me through the dissertation process, never accepting
less than my best efforts. I thank them all.
CONTENTS
Abstract ii
Acknowledgements iii
List of Figures viii
Chapter 1. Introduction 1
Chapter 2. Bluetooth System Architecture 3
2.1. Connection specifications 4
2.2. The Bluetooth name 5
2.3. Baseband modes 6
2.3.1. Active mode 6
2.3.2. Sniff mode 6
2.3.3. Hold mode 7
2.3.4. Parked mode 7
2.3.5. Adaptive transmission power 7
2.4. Network Topology 7
2.5. Protocol Architecture 8
Chapter 3. Security Model 13
3.1. Security 13
3.2. Wireless Security 13
3.3. Shannon's Model 15
3.4. Theorems 16
3.4.1. Perfect Secrecy 16
3.4.2. Kerckhoffs' principle 18
3.4.3. Order notation 19
3.4.4. Functions and Correlations 19
3.4.5. Berlekamp-Massey Algorithm 22
3.5. Hypothesis Testing 24
Chapter 4. Stream Ciphers 28
4.1. Introduction 28
4.2. One-time pads 29
4.3. Stream Ciphers 29
4.3.1. Classification 30
4.4. Pseudo-random generator 33
4.5. Linear Feedback Shift Register 36
Chapter 5. Stream Cipher Attacks 40
5.1. Stream Ciphers Weaknesses 40
5.2. Evaluation criteria 42
5.3. Attacks 44
5.3.1. Brute-force attack 45
5.3.2. Trade-off attacks 45
5.3.3. Guess-and-determine attacks 46
5.3.4. Correlation attacks or Siegenthaler's attack 46
5.3.5. Fast Correlation attack 47
5.3.6. Divide and Conquer attack 48
5.3.7. Algebraic attacks or Linearisation attack 48
5.3.8. Fast Algebraic attacks 49
5.3.9. Side Channel attacks 50
Chapter 6. Block Ciphers 52
6.1. Introduction 52
6.2. History 52
6.3. Mode of Operation 53
6.3.1. Iterative Block Cipher 53
6.3.2. Electronic Code Block Cipher (ECB) 54
6.3.3. Cipher Block Chaining (CBC) 54
6.3.4. Cipher Feedback (CFB) 54
6.3.5. Output Feedback (OFB) 55
6.3.6. Counter mode (CTR) 55
6.4. Advantages 55
Chapter 7. Bluetooth Security overview 56
7.1. Security mode 1: non-secure mode 56
7.2. Security mode 2: Service-level enforced security mode 57
7.3. Security mode 3: Link-level enforced security mode 57
7.4. Link-level security 57
7.4.1. Pairing 58
7.4.2. Authentication 59
7.4.3. Encryption Process 59
7.5. Problems with the Bluetooth Standard Security [Karygiannis02a] [Muller99] 60
7.6. Bluetooth security attacks 63
7.6.1. Bluejacking 63
7.6.2. Bluetooth Wardriving 64
7.6.3. Impersonation attack by inserting/replacing data 65
7.6.4. Nokia 6310i Bluetooth OBEX Message DoS 66
7.6.5. Brute-Force attack 66
7.6.6. Denial-of-Service attack 66
7.6.7. Disclosure of keys 66
7.6.8. Backdoor attack 67
7.6.9. BlueStumbling or BlueSnarfing 67
7.6.10. BlueBug attack 68
7.6.11. Pairing attack, Offline PIN recovery 68
7.6.12. On-line PIN recovery 69
7.6.13. Impersonate original sending/receiving unit 69
7.6.14. Attack on the Bluetooth Key Stream Generator 69
7.6.15. Replay attacks 69
7.6.16. Man-in-the-middle attack 70
Chapter 8. Bluetooth Stream Cipher E0 71
8.1. Introduction 71
8.2. Encryption process 72
8.3. Bluetooth Stream Cipher E0 Attacks 78
8.3.1. Divide-and-conquer, Correlation attack, Hermelin and Nyberg 78
8.3.2. Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson 79
8.3.3. Faster correlation attack, Y. Lu and S. Vaudenay 82
8.3.4. Guess-and-determine attack, M. O. Saarinen 83
8.3.5. Guess-and-determine attack, S.R. Fluhrer and S. Lucks 83
8.3.6. Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel 84
8.3.7. FBDD-attack, M. Krause 85
8.3.8. Algebraic attack, F. Armknecht 85
8.3.9. Fast Algebraic attack, N. Courtois and F. Armknecht 91
Chapter 9. Bluetooth Pairing and Authentication process 92
9.1. Introduction 92
9.2. SAFER+ 92
9.3. Bluetooth Pairing process 94
9.4. Bluetooth Authentication process 97
9.5. PIN recovery 98
Chapter 10. Conclusion 102
References 105
Appendix A. Abbreviations 113
List of Figures
2.1 The official Bluetooth logo 6
2.2 A scatternet with piconets, masters and slaves [Miller01] 8
2.3 The Bluetooth stack 9
3.1 Shannon’s model: process of encryption, transmission and decryption 16
4.1 Stream cipher classifications [Kiviharju04] 30
4.2 Synchronous stream cipher structure 31
4.3 Asynchronous stream cipher structure 33
4.4 Linear Feedback Shift Register [Wikipedia05] 37
5.1 Meier and Staffelbach’s fast correlation attack model 47
7.1 Bluetooth Key Generation from PIN [Karygiannis02a] 58
7.2 Bluetooth Encryption Process [Karygiannis02a] 60
8.1 Bluetooth encryption process 73
8.2 The E0 keystream generator 76
8.3 Model of attack, [Ekdahl03] 80
9.1 SAFER+ key scheduling [SIG03]. 93
9.2 Initialization key KINIT generation with the E22 algorithm [Shaked05]. 95
9.3 Link key KAB generation with the E21 algorithm [Shaked05]. 96
9.4 Bluetooth Authentication [Karygiannis02a]. 98
9.5 Flowchart of the PIN recovery attack [Shaked05]. 100
10.1 Complexities of the E0 attacks. [Kiviharju04] 104
CHAPTER 1
Introduction
Bluetooth wireless technology is a short-range radio technology that is designed to fulfill the particular needs of wireless interconnections between different personal devices. The development of Bluetooth started in 1994, when a team of researchers at Ericsson Mobile Communications, led by Dr. Jaap Haartsen and Dr. Sven Mattisson, required a way to connect a keyboard to a computer without a cable. They initiated a feasibility study of universal short-range, low-power wireless connectivity as a way of eliminating cables between mobile phones and computers, headsets and other devices. The wireless link turned out to be useful for many other things and it was developed into a very generic tool for connecting devices. A synchronous mode for voice traffic and support for up to seven slaves was introduced. In order to gain momentum for the technology and to promote acceptance, the Bluetooth Special Interest Group (SIG) was founded in May 1998. The group consists of almost all the biggest companies from various fields, like Ericsson, Nokia, Intel, IBM, Toshiba, Microsoft, Apple, 3Com, Motorola, Toyota, Lexus, BMW, etc. The number of participating companies is now over 3,000. By joining forces, the SIG members have evolved the radio link to what is now known as Bluetooth wireless technology. A variety of products is available on the market today, including printers, laptops, keyboards, cars and mobile phones.¹ Every week, more than 5 million Bluetooth-enabled products are shipped; according to IDC,² there will be more than 922 million Bluetooth enabled devices worldwide by 2008.
The Bluetooth specification [SIG03] introduces a fast, short-range and low-cost technology. The specification is public: all parties that have adopted it have access to it. The companies within the SIG are responsible for the development and marketing of Bluetooth.
¹ Mobile phones are the most popular type of Bluetooth enabled devices, with 60% of the Bluetooth market.
² IDC is the premier global market intelligence and advisory firm in the information technology and telecommunications industries, http://www.idc.com
Bluetooth is equipped with encryption, quality of service (QoS) and an authentication mechanism. A stream cipher is used to enable secure exchange of information. The Bluetooth stream cipher is defined as the E0 algorithm, a nonlinear combination generator. This combination generator produces key sequences that are used to encipher the Bluetooth data.
A combination generator, as in the Bluetooth E0 algorithm, uses Linear Feedback Shift Registers (LFSRs). These registers produce pseudo-random sequences. The system is extended with a memory and a nonlinear combination function. This is needed to introduce sufficient nonlinearity (less correlation between the input and output) to make it difficult to recompute the initial state by observing key stream data. The Bluetooth stream cipher E0 uses a four-bit memory. Combined with the fact that the E0 system is frequently re-initialized and only generates rather short key streams (max 2,745 bits ≈ 2^11 bits), the cryptographic properties are quite adequate for the intended usage. The best theoretical attack known today works in 2^39 time given 2^39 consecutive bits after O(2^37) precomputations; clearly this is not usable in practice.
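As an added illustration (not code from the thesis), the following Python shows why the nonlinearity and the memory matter: the Berlekamp-Massey algorithm recovers a bare LFSR's taps and initial state from 2L output bits and predicts the rest of the stream, whereas the output of four small LFSRs fed through an E0-like summation combiner with a 2-bit carry and its previous value (4 bits of memory) has a linear complexity far above the 32 bits of register state. The register polynomials and the combiner tables are this example's own assumptions, chosen small for speed, not the E0 parameters.

```python
# Added illustration, not code from the thesis: a bare LFSR gives away its
# state to Berlekamp-Massey, an E0-like combiner with memory does not.
# Registers and combiner tables are this example's own choices, kept small.


def lfsr_sequence(taps, init, n):
    """Fibonacci LFSR over GF(2) with connection polynomial
    C(D) = 1 + sum(D^j for j in taps): s[i] = XOR of s[i-j] for j in taps.
    `init` supplies the first len(init) bits; returns the first n bits."""
    seq = list(init)
    while len(seq) < n:
        bit = 0
        for j in taps:
            bit ^= seq[-j]
        seq.append(bit)
    return seq[:n]


def berlekamp_massey(s):
    """Shortest LFSR generating bit sequence s (Massey's algorithm).
    Returns (L, c): L is the linear complexity, c the connection
    polynomial coefficients c[0..L] with c[0] = 1.  With at least 2L
    bits of input the LFSR found is the unique one of that length."""
    n = len(s)
    c = [1] + [0] * n           # current connection polynomial C(D)
    b = [1] + [0] * n           # previous polynomial B(D)
    L, m = 0, -1
    for i in range(n):
        d = s[i]                # discrepancy: s[i] vs. the LFSR's prediction
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]        # C(D) += B(D) * D^shift
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def recover_and_predict(keystream, n_predict):
    """What an observer of a bare LFSR can do: recover taps and initial
    state from the keystream, then generate the bits that follow."""
    L, c = berlekamp_massey(keystream)
    taps = [j for j in range(1, L + 1) if c[j]]
    total = lfsr_sequence(taps, keystream[:L], len(keystream) + n_predict)
    return taps, total[len(keystream):]


def e0_like_keystream(regs, n):
    """Summation combiner modelled on E0 (assumption: tables written from
    memory, not taken from the specification): the four register bits are
    added as integers, y in 0..4; a 2-bit carry c and its previous value
    c_prev form the 4-bit memory; the keystream bit is x1^x2^x3^x4^c0."""
    streams = [lfsr_sequence(taps, init, n) for taps, init in regs]
    c, c_prev, out = 0, 0, []
    for t in range(n):
        x = [st[t] for st in streams]
        out.append(x[0] ^ x[1] ^ x[2] ^ x[3] ^ (c & 1))
        s_next = (sum(x) + c) >> 1                 # new carry candidate, 0..3
        # T2 maps the 2-bit value (c1, c0) to (c0, c1 ^ c0); T1 is the identity
        t2 = ((c_prev & 1) << 1) | ((c_prev >> 1) ^ (c_prev & 1))
        c, c_prev = s_next ^ c ^ t2, c
    return out


# Constructed sample parameters: primitive polynomials 1+D^2+D^5, 1+D+D^7,
# 1+D^4+D^9 and 1+D^2+D^11 with arbitrary nonzero initial states.
BARE_TAPS, BARE_INIT = [2, 5], [1, 0, 0, 1, 1]
REGS = [([2, 5], [1, 0, 0, 1, 1]),
        ([1, 7], [1, 1, 0, 1, 0, 0, 1]),
        ([4, 9], [1, 0, 1, 1, 0, 0, 1, 0, 1]),
        ([2, 11], [1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1])]


def demo():
    """Returns (bare_lfsr_broken, combined_linear_complexity)."""
    full = lfsr_sequence(BARE_TAPS, BARE_INIT, 110)
    taps, predicted = recover_and_predict(full[:10], 100)   # 2L = 10 bits seen
    bare_broken = taps == BARE_TAPS and predicted == full[10:]
    z = e0_like_keystream(REGS, 2000)
    lc, _ = berlekamp_massey(z)        # lands near n/2, like a random sequence
    return bare_broken, lc


if __name__ == "__main__":
    broken, lc = demo()
    print("bare LFSR state recovered, stream predicted:", broken)
    print("linear complexity of combined output (2000 bits):", lc, "vs. 32 register bits")
```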
This thesis is organized as follows: first we describe the details of the Bluetooth system specifications in Chapter 2. Then we explore some general topics and theorems concerning security in Chapter 3. Chapters 4 and 5 cover specific details of stream ciphers and the attacks on stream ciphers, while Chapter 6 discusses block ciphers in general. Finally, Chapters 7, 8 and 9 describe all details and attacks on the specific Bluetooth encryption, pairing and authentication. We end this thesis with an overview and the conclusion of the research in Chapter 10.
Since many abbreviations appear within the topic of this thesis, Appendix A is included with a short explanation of all abbreviations used.
The objective of this thesis is not only to explore the Bluetooth system and the security (weaknesses) of the Bluetooth system, but also to become familiar with theoretical and practical research in cryptography. We will try to cover the security research of wireless networks as widely as possible, but we will also explore Bluetooth specific security research. As the topic of research was completely new to me, it was not possible to examine each term or algorithm completely. In order to avoid escalating into coding theory, certain terms are introduced in a brief manner, yet every introduction holds references to more elaborate research.
CHAPTER 2
Bluetooth System Architecture
From the beginning, the Bluetooth specification has been written with use cases for handheld personal devices in mind. It is designed targeting devices with particular needs and constraints, the main points being low cost and low power consumption. Consequently, the trade-off between cost and power consumption on one side and performance on the other was made during the development. It is now possible to implement rather cheap one-chip radios. But the lack of external components on the chip (such as filters) decreases the sensitivity of the chips and thus shortens the range. On the other hand, special attention was paid to handling interference at frequencies near the intended signal (through adjacent channel rejection). This helps to keep up the desired throughput when many links are running simultaneously. The Bluetooth system is designed to function in noisy environments, where interference rather than range is expected to be the limiting factor of the perceived performance.
With the target devices in mind, there was no need to have an infrastructure (base stations) in
place. Therefore, a flexible master-slave concept was introduced to fit well in a dynamically
changing environment of devices that communicate with each other.
The designers of the Bluetooth implementation added support for a wide range of traffic-type requirements for different applications; Bluetooth can handle various data transport channels: asynchronous (e.g. data), isochronous (e.g. streaming audio/video) and synchronous (e.g. real-time audio/video). They made it possible to mix asynchronous and synchronous traffic at the same time. This is one of the reasons that Bluetooth holds so much potential: it promises to link up many divergent devices such as PDAs, cell phones, GPS systems, car systems, computers, music systems etc. to different types of hardware and software platforms, linking different networks and bringing "pervasive connectivity" [Anand01].
2.1. Connection specifications
The most important technical connection specification details of the Bluetooth system [SIG03]
are assembled in the following list:
• Bluetooth devices form piconets (wireless ad-hoc networks for the mobile devices) and
share a common communication data channel. The channel has a total capacity of 723.2
kilobits per second (2.1 Mbps for the newest devices). The headers and handshaking
information consume about 20 percent of this capacity.
• A piconet has a master and up to seven slaves. A master can be a slave in another
piconet at the same time, but it cannot be a master in 2 piconets at the same time.
• Many piconets can be operated in parallel before mutual interference cancels the traffic
benefits of the parallelism.
• The master transmits in even time slots, slaves in odd time slots, which is called "Time Division Duplex" (TDD) [Paulraj02].
• Only master-to-slave or slave-to-master communication is possible; slave-to-slave traffic is relayed through the master.
• All devices have the ability to take the role of either slave or master. The master role
generally is assumed by the device that initiates the communication.
• There are two types of data transfer between devices: SCO (synchronous connection oriented) for sound/voice and ACL (asynchronous connectionless) for data transmissions.
• In a piconet, there can be up to three SCO links (with one, two or three slaves) of 64,000
bits per second each.
• The SCO point-to-point links use reserved slots set up by the master to avoid collision
problems.
• ACL slaves can only transmit when requested by the master.
• ACL is either a point-to-point (master to one slave) link or a point-to-multipoint (broadcast) link to all the slaves in a piconet.
• In the United States and Europe, the frequency range used by Bluetooth is 2,400 to 2,483.5 MHz in the license-free ISM radio band, with 79 1-MHz radio frequency (RF) channels. In practice, the range is 2,402 MHz to 2,480 MHz. In Japan, the frequency range is 2,472 to 2,497 MHz with 23 1-MHz RF channels.
• A data channel hops randomly 1,600 times per second between the 79 (or 23) RF channels. This hopping is called frequency hopping [WaveWireless00] and minimizes the interference with other devices in the ISM band.
• Each channel is divided into time slots 625 microseconds long.
• Packets can be up to five time slots wide.
• Data in a packet can be up to 2,745 bits in length.
• The maximum transmit power is restricted to 100mW, reaching approximately 100 meters. Low power devices, however, operate at 2.5mW and have an operating range of up to 10 meters.
• The sensitivity level is defined such that the raw Bit Error Rate (BER) of 10^-3 is met, limiting the average probability that a received bit is erroneous.
• For data traffic, Cyclic Redundancy Check (CRC) is applied and error correction codes
are optional, thus retransmission occurs on transmission error detections.
2.2. The Bluetooth name
The name Bluetooth comes from Harald Blåtand, who was King of Denmark from approximately A.D. 940 to 986. He managed to unite Denmark and part of Norway into a single kingdom and introduced Christianity. He left a large monument, the Jelling rune stone, in memory of his parents. Harald Bluetooth was killed in 986 during a battle with his son, Svend Forkbeard. The name Bluetooth was chosen for the standard to indicate how important companies from the Scandinavian region (Denmark, Sweden, Norway and Finland) are to the communication industry, and to unite multinational companies under the name of a Scandinavian king who united countries, although the name says little about the way the technology works. The name Bluetooth was initially an unofficial code name for the project but has become the trademark name of the technology and the special interest group. The logo, Figure 2.1, was inspired by the initials "H B" for Harald Bluetooth.
FIGURE 2.1. The official Bluetooth logo
2.3. Baseband modes
Besides the normal active mode, the Bluetooth specification also includes various baseband modes which enable energy conservation by allowing the radios of slaves to enter parked, sniff or hold mode for a Bluetooth connection (thus not for the whole device). When a device is not in a connected state, the baseband is in standby mode.
2.3.1. Active mode
When a slave is in active mode, it essentially always listens for transmissions from the master. The master sends packets to the active slaves to keep them synchronized and to inform them when they may transmit packets back. The slaves in active state listen to all the packets from the master, although they do not need to listen to the entire packet, just the packet header, when it is known that another slave is communicating with the master at that time. The active state provides the fastest response time but also consumes the most power, since the slave is always receiving packets and is always prepared to transmit packets.
2.3.2. Sniff mode
The sniff mode makes it possible to reduce the power consumption of a slave by letting the
slave only become active periodically. The master agrees to transmit only at certain regular
intervals for a particular slave (although it may not transmit packets at every such interval).
The slave needs to listen for packets from the master only at the start of each interval (with
some timing tolerances). If packets are sent, the slave receives the packets; otherwise it can
"sleep" until the next interval. The power and responsiveness in the sniff mode depends upon
the length of the sniff interval, although it is likely to be less responsive than the active mode
and to have reduced power consumption.
2.3.3. Hold mode
Within the hold mode, a slave agrees upon a hold time with the master and then stops listening
for packets entirely for the specified time interval. During the hold time, the slave can do other
things such as establishing links to other devices, or just sleep. At the end of the hold time
period, the slave resumes listening for packets from the master. The hold mode may be less
responsive than the sniff mode. The power saving depends upon the hold time duration and
what the slave does during the hold time.
2.3.4. Parked mode
Slaves in the parked mode maintain synchronization with the master, but they are no longer considered as an active part of the piconet. This mode allows the master to organize communication with more than the seven slaves allowed in a piconet, by exchanging active and parked slaves. A parked slave stays synchronized with the master by periodically listening to the master. The parked mode is the least responsive mode since the slave must make a transition to become an active member of the piconet before general communication can be resumed. The parked mode allows greater power conservation than the other modes.
2.3.5. Adaptive transmission power
Besides the different baseband modes, Bluetooth has another power-saving feature which is called adaptive transmission power. This feature allows slaves to inform the master when the master's transmission power is not appropriate. By using a Received Signal Strength Indicator (RSSI) value, the slave can request a lower transmission power (e.g. in close proximity) to save energy, or a higher transmission power (e.g. at a large distance or with a weak signal). The master maintains and adapts the transmission power settings for each slave in the piconet separately.
2.4. Network Topology
Bluetooth devices form a so-called piconet when they communicate with each other. A piconet can contain up to 8 active devices and 3 voice channels. Within a piconet, a specific hopping pattern is used and all channel access is controlled and synchronized by the master, so the slaves can only talk to the master and not to other slaves directly.
Multiple piconets can form a scatternet (see Figure 2.2). A master in one piconet can be a
slave in another piconet, and devices can be slaves in different piconets at the same time. To
switch between piconets, time multiplexing is used. The scatternet topology provides a flexible
method by which devices can maintain multiple connections. This can be very useful for mobile
devices which frequently move into and out of proximity to other devices.
When a device establishes a point-to-point link with another device, the role that each device
assumes (master or slave) is often unimportant and irrelevant to higher-level protocols and to
the users.
FIGURE 2.2. A scatternet with piconets, masters and slaves [Miller01]
2.5. Protocol Architecture
The architecture used for Bluetooth consists of Bluetooth specific protocols combined with adopted protocols such as WAP, WAE, TCP/UDP/IP, PPP, vCard and IrMC. Bluetooth also supports cable replacement protocols such as RFCOMM and telephony adapter protocols such as AT-commands. The reason for this mixed architecture of Bluetooth specific and adopted protocols is that it allows integration of Bluetooth directly into existing application and transport protocols, without having to build up an entirely separate and parallel architecture. This also allows application specific security controls to be implemented that would be transparent to the lower layer security controls (Data Link Layer) at which Bluetooth operates.
The Bluetooth protocol stack is layered according to Figure 2.3 on this page.
FIGURE 2.3. The Bluetooth stack
At the bottom of the Bluetooth system stack is the Physical Layer, which is basically the modem
part where the radio signals are processed.
Above the Physical Layer is the Baseband Layer where the packets are formatted. The Base-
band Layer takes care of the header creation, checksum calculations, retransmission procedure
and the encryption and decryption. The Link Controller (LC), in the Lower Baseband Layer,
implements the baseband protocol and procedures. In the Upper Baseband Layer links are
managed by the Link Manager (LM) and are set up using the Link Manager Protocol (LMP).
The Logical Link Communication and Adaptation Protocol (L2CAP) takes care of reformatting
the large chunks of user data into smaller units to be transmitted over the Bluetooth link. For
example, a higher level TCP/IP traffic packet is too large to fit a Bluetooth baseband packet.
Therefore, it will be cut into smaller chunks of data, sent to the baseband for transmission and
reassembled on the receiving side.
Since Bluetooth modules are integrated in different types of devices with different types of
architecture and capabilities, the Bluetooth controller (radio part) can be separated from higher
level protocol layers. The higher layers will then be implemented in the host entity and can
communicate with lower layers of the Bluetooth module through the Host Controller Interface
(HCI), separating the radio hardware-related functions from higher layer protocols. Not all Bluetooth implementations run the lower and higher layer processing on separate processors; such integrated implementations will not have an HCI.
The Bluetooth Security Manager [Muller99] forms the key component in the general security
architecture on top of the link-level security features of Bluetooth. The security manager has
the following tasks:
• Initiate pairing and query PIN entry by the user. The PIN entry can also be done by
an application.
• Answer access requests by protocol implementations or applications (access granted or
refused).
• Enforce authentication and/or encryption before connecting to the application.
• Store security-related information on services and devices.
• Initiate or process input from an External Security Control Entity (ESCE)¹. It could be a device user, or a utility application executed on behalf of the user based on preprogrammed security policies. In the latter case, this utility could reside within or outside a particular BT-enabled device, to set up trusted relationships on device level.
Since this thesis concentrates on the (lower) link-level security, the Bluetooth Security Manager will not be analyzed further.
A brief description of some higher layer protocols:
• SDP: Service Discovery Protocol. The (Bluetooth specific) Service Discovery Protocol
makes it possible for Bluetooth enabled devices to get information about the device type
and services so that a connection between devices can be set up.
• RFCOMM. Emulates an RS-232 [Association69] serial connection and is thus a cable-replacement protocol. For a number of upper layer protocols (OBEX, TCP/UDP, IP, ...)
no separate standard has to be designed since they interface with the RFCOMM protocol
layer, which in turn interfaces with the core Bluetooth protocols.
• TCS Binary: Telephony Control Specification. TCS specifies the call control signaling
necessary to establish voice and data calls between Bluetooth devices.
• AT Command. The standard Audio/Telephony modem commands.
• OBEX: OBject EXchange protocol. This protocol takes care of data exchange in a
client/server model and file synchronization.
• TCP/IP: Transmission Control Protocol / Internet Protocol. TCP/IP is the suite of protocols for controlling Internet communications, which regulates connections between computers and the Internet [Comer88].
• PPP: Point-to-Point Protocol. This protocol defines how Internet Protocol (IP) is transmitted over serial point-to-point links.
• WAP: Wireless Application Protocol [Forum01] is an open standard and application environment for wireless information and telephony services on digital mobile phones specified by the WAP Forum. The WAE (Wireless Application Environment) is the topmost level in the WAP architecture.
¹ ESCE typically represents a human operating a device who decides how to proceed with security related matters, e.g., provide a PIN whenever needed, decide to create a trust relation with a device, etc. In general though, an ESCE represents an entity with the authority and knowledge to make decisions on how to proceed in a manner consistent with this security architecture.
To provide support for specific applications and to offer interoperability, the Bluetooth SIG
has developed a set of profiles. Profiles for fundamental and advanced procedures define the
communication interface between two units for a service. Efficient reuse of existing protocols
and procedures is possible by building new profiles on existing ones. The hierarchical structure
of the profiles can be seen in Figure 2.3. The most fundamental profile relates to connection and channel setup and modes of operation and is defined in the Generic Access Profile (GAP). All other profiles make use of the GAP. The Serial Port Profile defines the original purpose of Bluetooth: short-range cable replacement. The Generic Object Exchange Profile is used for file transfer, push services, synchronization, etc. New profiles are constantly developed, independently of the core specification.
CHAPTER 3
Security Model
3.1. Security
To define the notion of security, it is necessary to introduce a third party that has access to all
public information and tries to derive private secret information. Such a third party is denoted
as an attacker or cryptanalyst. The notion of security can then be defined as: "A system is
secure if an attacker is unable to derive the private secret information".
It is not possible to break a perfectly secure encryption scheme and such schemes do exist.
However, a perfectly secure scheme needs a key with length no smaller than the entropy of the
message that is to be encrypted and this key may never be reused. If the key is smaller than the
entropy of the message, there will always be a correlation between the input and output. An
example of a perfectly secure encryption scheme is the One-time pad or Vernam cipher (see
Section 4.2).
3.2. Wireless Security
Risks are inherent to any wireless technology. Some of these risks are similar to those of wired
networks; some are exacerbated by wireless connectivity; others are new. Perhaps the most significant source of risk in wireless networks is that the technology’s underlying communications medium, the airwaves, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.
Specific threats and vulnerabilities to wireless networks and handheld devices include the following:
• All vulnerabilities that exist in a conventional wired network apply to wireless technologies.
• Malicious entities may gain unauthorized access to a (company’s) computer network through wireless connections, bypassing any firewall protections, for example by using special long distance antennas¹ which can connect to internal private unprotected or weakly protected wireless access points.
• Sensitive information that is not encrypted (or that is encrypted with poor cryptographic
techniques) and that is transmitted between two wireless devices may be intercepted and
disclosed. Several applications² exist to "sniff" all the data that is transmitted wirelessly in some area and recover encrypted passwords.
• DoS attacks may be directed at wireless connections or devices. Such a Denial of
Service attack can take down the functionality of devices: make them unstable, make
them lose data, make them consume a lot of power (drain batteries) or it can be used as
a method to make other attacks possible.
• Malicious entities may steal the identity of legitimate users and masquerade as them on
internal or external corporate networks. Since wireless connections may allow invisible (or less visible) connections, masquerading as a legitimate user can be easy (or easier).
• Sensitive data may be corrupted during improper synchronization. For example by
"sniffing" and inserting or disturbing wireless data connections.
• Malicious entities may be able to violate the privacy of legitimate users and be able to
track their movements. Since data connections need identification, this identification can be tracked easily on most wireless networks³.
• Malicious entities may deploy unauthorized equipment (e.g. client devices and access
points) to surreptitiously gain access to sensitive information. A well-known example of this attack is the so-called "Evil Twin": a fake clone of a wireless hotspot, managed by hackers to intercept sensitive data.
• Handheld devices are easily stolen and can reveal sensitive information.
• Data may be extracted without detection from improperly configured devices.
• Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced to a wired network connection.
• Malicious entities may, through wireless connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
• Intruders, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
• Malicious entities may use third-party, suspicious wireless network services to gain access to an agency’s or other organization’s network resources.
• Internal attacks may be possible via ad hoc transmissions.
¹ John Hering from Flexilis explains in detail how to make such a long distance Bluetooth rifle on this site: http://www.tomsnetworking.com/Sections-article106.php.
² For example: Airsnort http://airsnort.shmoo.com and BlueSnifer http://trifinite.org/.
³ Tracking movements of wireless devices and their users is often called "wardriving".
It should be clear that maintaining secure wireless networks is a process that requires greater effort than that required for other networks and systems. It is much harder to obtain a given guarantee of security within the deployment of wireless networks. Routine security tests, assessments and evaluations of the system security are important. The National Institute of Standards and Technology (NIST) recommends [Karygiannis02b] that agencies do not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations and continuity of essential operations.
3.3. Shannon’s Model
Shannon introduced the basic settings of cryptography in [Shannon49] as a modification of his
well-known communication model proposed in [Shannon48]. The most basic task of cryptography is encryption. When two entities, a sender and a receiver, want to transmit a message in
complete confidentiality, an encryption scheme or cipher is needed. Such an encryption scheme
is defined as a cryptosystem.
DEFINITION 1 (Cryptosystem). A cryptosystem is a five-tuple $(P, C, K, E, D)$ that satisfies:
a) Plaintext space $P$, a finite set of possible plaintexts.
b) Ciphertext space $C$, a finite set of possible ciphertexts.
c) Key space $K$, a finite set of possible keys.
d) Encryption functions $E = \{e_k : k \in K\}$, a family of functions $e_k : P \to C$.
e) Decryption functions $D = \{d_k : k \in K\}$, a family of functions $d_k : C \to P$.
f) For each $k_e \in K$ there is a $k_d \in K$ such that $d_{k_d}(e_{k_e}(p)) = p$ for every plaintext $p \in P$.
The sender and receiver need to agree on an encryption scheme. They also need to exchange a
secret key k ∈ K or a secret key pair (ke, kd) ∈ K, using a secret channel. After this exchange,
the secret key is all that distinguishes a legitimate sender and receiver from an arbitrary third
party.
Once the secret key has been exchanged, the sender and receiver can communicate privately,
using a public channel, see Figure 3.1. Given a message m ∈ P , the sender encrypts m under
the key k by calculating c = ek(m). This ciphertext can be transmitted over the public channel.
The receiver decrypts the received message c into m = dk(c) and gets the original message m.
FIGURE 3.1. Shannon’s model: process of encryption, transmission and decryption
The process of encryption, transmission and decryption can be seen in Figure 3.1. All infor-
mation on gray background is private and may only be seen by the sender and receiver. All
information on white background is publicly visible for everyone.
3.4. Theorems
3.4.1. Perfect Secrecy
If an attacker learns nothing about the plaintext by observing the ciphertext, the cryptosystem
is said to have perfect secrecy. This property can be formalized mathematically.
DEFINITION 2 (Perfect secrecy). A cryptosystem has perfect secrecy if the events that a par-
ticular ciphertext occurs and that a particular plaintext has been encrypted are independent.
P(p|c) = P(p), (1)
for all plaintexts p and all ciphertexts c.
3.4.1.1. Shannon’s Theorem. Claude E. Shannon states in his famous paper [Shannon49]
that a good cipher should require as much work as solving a system of simultaneous equations
in a large number of unknowns of a complex type. Shannon also defined a theorem for perfect
secrecy which states the following:
A cryptosystem with $|C| = |K|$ and $P(p) > 0$ has perfect secrecy if and only if the probability distribution on the key space is the uniform distribution and for any plaintext $p$ and any ciphertext $c$ there is exactly one key $k$ with $e_k(p) = c$.
Proof:
a) Suppose the cryptosystem has perfect secrecy.
To prove the first assertion we fix a ciphertext $c$. For a plaintext $p$, let $k_p$ be the key with $e_{k_p}(p) = c$. From the definition of perfect secrecy (Equation (1)) and by knowing that $P(B)P(A|B) = P(A)P(B|A)$, for any events $A$ and $B$ with $P(A) > 0$ and $P(B) > 0$, we get:
$$P(p|c) = \frac{P(c|p)P(p)}{P(c)} = \frac{P(k_p)P(p)}{P(c)} \quad (2)$$
for each plaintext $p$. Since the cryptosystem has perfect secrecy, we have from Equation (1): $P(p|c) = P(p)$. And (2) implies $P(k_p) = P(c)$. Hence, the probability
P(kp) is the same for each plaintext p. But any key k is equal to kp for some plaintext
p. Therefore, the probability for all keys is the same, which means that the probability
distribution on the key space is the uniform distribution.
The second assertion can be proven by supposing the cryptosystem has perfect secrecy.
Let $p$ be a plaintext. If there is a ciphertext $c$ for which there is no key $k$ with $e_k(p) = c$, then $P(p|c) = 0 \neq P(p)$, since $P(p) > 0$. This contradicts the perfect secrecy (Equation (1)). So, for any ciphertext $c$ there is a key $k$ with $e_k(p) = c$. But the number
of keys is equal to the number of ciphertexts. Therefore, for each ciphertext c there is
exactly one key k with ek(p) = c, which proves the second assertion.
b) Prove the cryptosystem has perfect secrecy.
Assume that the probability distribution on the key space is the uniform distribution and
that for any plaintext p and any ciphertext c there is exactly one key k = k(p, c) with
ek(p) = c. Then
$$P(p|c) = \frac{P(p)P(c|p)}{P(c)} = \frac{P(p)P(k(p,c))}{\sum_{q \in P} P(q)P(k(q,c))} \quad (3)$$
Now $P(k(p,c)) = 1/|K|$ since all keys are equally probable. Hence,
$$\sum_{q \in P} P(q)P(k(q,c)) = \frac{\sum_{q \in P} P(q)}{|K|} = \frac{1}{|K|}. \quad (4)$$
If we use this in equation (3), then we obtain P(p|c) = P(p) and the cryptosystem has
perfect secrecy.
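As an added illustration of the theorem just proved (example code, not part of the thesis), the following Python enumerates a constructed toy cryptosystem, a 2-bit one-time pad with P = C = K = {0, 1, 2, 3}, computes P(p|c) exactly by Bayes' rule, and checks Definition 2 against the two conditions of Shannon's theorem. The skewed key distribution and the weak cipher that ignores one key bit are constructed counterexamples.

```python
from fractions import Fraction
from itertools import product

# Constructed toy cryptosystem for this example: P = C = K = {0, 1, 2, 3} (2-bit values).
SPACE = tuple(range(4))


def otp_encrypt(k, p):
    """e_k(p) = p XOR k: a 2-bit one-time pad."""
    return p ^ k


def weak_encrypt(k, p):
    """Only the low key bit is used: two keys map p to each reachable c, and
    half of the ciphertexts are unreachable from a given p."""
    return p ^ (k & 1)


def uniform(symbols):
    return {s: Fraction(1, len(symbols)) for s in symbols}


# Constructed priors, each summing to 1: a skewed key distribution and a
# non-uniform plaintext distribution.
SKEWED_KEYS = {0: Fraction(1, 2), 1: Fraction(1, 6), 2: Fraction(1, 6), 3: Fraction(1, 6)}
SKEWED_PLAINTEXTS = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}


def posterior_table(encrypt, prior_p, prior_k):
    """Exact P(p | c) for every plaintext p and every ciphertext c that can occur,
    via P(p | c) = P(p, c) / P(c), where P(p, c) sums P(p)P(k) over keys with e_k(p) = c."""
    joint = {}
    for p, k in product(prior_p, prior_k):
        c = encrypt(k, p)
        joint[(p, c)] = joint.get((p, c), Fraction(0)) + prior_p[p] * prior_k[k]
    marginal_c = {}
    for (p, c), pr in joint.items():
        marginal_c[c] = marginal_c.get(c, Fraction(0)) + pr
    return {(p, c): joint.get((p, c), Fraction(0)) / marginal_c[c]
            for p in prior_p for c in marginal_c}


def has_perfect_secrecy(encrypt, prior_p, prior_k):
    """Definition 2: P(p | c) = P(p) for all plaintexts p and all possible ciphertexts c."""
    post = posterior_table(encrypt, prior_p, prior_k)
    return all(post[(p, c)] == prior_p[p] for (p, c) in post)


def satisfies_shannon_conditions(encrypt, prior_k, plaintexts):
    """Conditions of Shannon's theorem: |C| = |K|, a uniform key distribution, and for
    every pair (p, c) exactly one key k with e_k(p) = c."""
    keys = tuple(prior_k)
    ciphertexts = {encrypt(k, p) for k in keys for p in plaintexts}
    uniform_keys = all(pr == Fraction(1, len(keys)) for pr in prior_k.values())
    one_key_each = all(sum(1 for k in keys if encrypt(k, p) == c) == 1
                       for p in plaintexts for c in ciphertexts)
    return len(ciphertexts) == len(keys) and uniform_keys and one_key_each


def demo():
    """The four cases of the example as (perfect secrecy, theorem conditions) pairs."""
    u = uniform(SPACE)
    return {
        "otp, uniform plaintexts": (has_perfect_secrecy(otp_encrypt, u, u),
                                    satisfies_shannon_conditions(otp_encrypt, u, SPACE)),
        "otp, skewed plaintexts": (has_perfect_secrecy(otp_encrypt, SKEWED_PLAINTEXTS, u),
                                   satisfies_shannon_conditions(otp_encrypt, u, SPACE)),
        "otp, skewed keys": (has_perfect_secrecy(otp_encrypt, u, SKEWED_KEYS),
                             satisfies_shannon_conditions(otp_encrypt, SKEWED_KEYS, SPACE)),
        "weak cipher, uniform keys": (has_perfect_secrecy(weak_encrypt, u, u),
                                      satisfies_shannon_conditions(weak_encrypt, u, SPACE)),
    }


if __name__ == "__main__":
    for name, (secret, conditions) in demo().items():
        print(f"{name:28s} perfect secrecy={str(secret):5s} theorem conditions={conditions}")
```

Both checks agree in every case, including the non-uniform plaintext distribution, which the theorem places no condition on.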
3.4.2. Kerckhoffs’ principle
Auguste Kerckhoffs stated in the 19th century in [Kerckhoffs83] that a cryptosystem should
be secure even if everything about the system, except the key, is publicly known. So instead of
using security through obscurity we suppose security through transparency and assume "the enemy knows the system", as Shannon (re)formulated Kerckhoffs’ principle in Shannon’s maxim.
Kerckhoffs’ law consists of six design principles⁴:
a) The system must be substantially, if not mathematically, undecipherable.
b) The system must not require secrecy and can be stolen by the enemy without causing trouble.
c) It must be easy to communicate and remember the keys without requiring written notes; it must also be easy to change or modify the keys with different participants.
d) The system ought to be compatible with telegraph communication.
e) The system must be portable, and its use must not require more than one person.
f) Finally, regarding the circumstances in which such a system is applied, it must be easy to use and must neither require stress of mind nor the knowledge of a long series of rules.
⁴ Translated from French by F. Petitcolas.
3.4.3. Order notation
When evaluating the security and discussing the complexities, the order notation is used [Grimaldi99].
Typically, the order notation indicates how the complexity of the attack grows depending on,
for example, the length of the LFSR or the size of the key.
DEFINITION 3 (Big-Oh). Let f , g be two functions mapping the natural numbers to themselves.
We say that g dominates f , or f is dominated by g, or f ∈ O(g) if and only if there exist natural
numbers N and c such that, for all n ≥ N , we have |f(n)| ≤ c · |g(n)|.
As we consider the values of f(1), g(1), f(2), g(2), · · · , there is a point (namely N ) after which
the size of f(n) is bounded above by a positive multiple (c) of the size of g(n). When g
dominates f, f is of order g, then |f(n)/g(n)| ≤ c. That is, the size of the quotient f(n)/g(n) is bounded by c for those n where n ≥ N and g(n) ≠ 0. As suggested by the notation f ∈ O(g), O(g) represents the set of all functions dominated by g.
When dealing with the concept of function dominance, we seek the best (or highest) bound
[Grimaldi99]. If we suppose f ∈ O(g) and g ∈ O(h), then we also have f ∈ O(h). But
if h /∈ O(g), the statement f ∈ O(g) provides a better bound on |f(n)| than the statement
f ∈ O(h). For example, if f(n) = 5, g(n) = 5n, and h(n) = n², for all natural numbers n, then f ∈ O(g), g ∈ O(h), and f ∈ O(h), but h ∉ O(g). Therefore, we are provided more
information by the statement f ∈ O(g) than by the statement f ∈ O(h).
The special names that are designated for certain orders that often occur are listed in Table 1.
3.4.4. Functions and Correlations
Throughout this thesis we shall consider the field $GF(2^n)$ as a linear space with a given fixed basis. $x_t$ denotes an $n$-dimensional vector in $GF(2^n)$ as $x_t = (x^1_t, x^2_t, \cdots, x^n_t)$.
Order                        Name
O(1)                         Constant
O(log2 n)                    Logarithmic
O(n)                         Linear
O(n log2 n)                  n log2 n
O(n^2)                       Quadratic
O(n^3)                       Cubic
O(n^m), m = 0, 1, 2, ...     Polynomial
O(c^n), c > 1                Exponential
O(n!)                        Factorial
TABLE 1. Names of frequently occurring orders.
The inner product "·" between two vectors v = (v1, v2, · · · , vn) and w = (w1, w2, · · · , wn) of
the space GF (2n) is defined as:
v · w = v1w1 ⊕ v2w2 ⊕ · · · ⊕ vnwn (5)
The linear function Lu(x) is then Lu(x) = u · x, u ∈ GF (2n).
DEFINITION 4. We say a function L : GF (2n) → GF (2n) is linear if for any vectors v and w
in GF (2n):
L(v + w) = L(v) + L(w), (6)
and for any vector v in GF (2n) and scalar a,
L(av) = aL(v). (7)
An affine function is just a linear function plus a translation.
DEFINITION 5. We say a function A : GF (2m) → GF (2n) is affine if there is a linear function
L : GF (2m) → GF (2n) and a vector b in GF (2n) such that:
A(x) = L(x) + b (8)
for all x in GF (2m)
A Boolean function f is a mapping from GF (2n)n into GF (2n). The support of f is defined as sup(f) = {v ∈ GF (2n)n : f(v) = 1}. The cardinality of sup(f) represents the weight wt(f) of the function.
A Boolean function can be uniquely represented by means of its algebraic normal form (ANF):
$$f(v) = f(x_{n-1}, \cdots, x_0) = \bigoplus_{(a_{n-1}, \cdots, a_0) \in GF(2^n)^n} h(a_{n-1}, \cdots, a_0)\, x_{n-1}^{a_{n-1}} \cdots x_0^{a_0}, \quad (9)$$
where $f$ and $h$ are Boolean functions on $GF(2^n)^n$. The algebraic degree of $f$, denoted by $\deg(f)$, is defined as the highest number of variables in the terms $x_{n-1}^{a_{n-1}} \cdots x_0^{a_0}$ in the ANF of $f$.
Alternatively, a Boolean function can be represented by its Walsh spectrum:
$$W_f(w) = \sum_{v \in GF(2^n)^n} (-1)^{f(v) \oplus v \cdot w} = 2^n - 2\,\mathrm{wt}(f \oplus v \cdot w). \quad (10)$$
Several properties of Boolean functions are important from a cryptographic viewpoint:
• A function is said to be balanced if $\mathrm{wt}(f) = 2^{n-1}$.
• The nonlinearity $N_f$ of the function $f$ is defined as the minimum distance between $f$ and any affine function; it can be calculated as $N_f = 2^{n-1} - \frac{1}{2}\max_{w \in GF(2^n)^n} |W_f(w)|$. The best affine approximation $l(v)$ is associated with this notion.
• $f$ has bias $\varepsilon$ if it has the same output as its best affine approximation with probability $0.5 + \varepsilon$, so $\varepsilon = 0.5 - N_f/2^n = \frac{\max_{w \in GF(2^n)^n} |W_f(w)|}{2^{n+1}}$.
• A function is said to be correlation-immune of order $\rho$, $CI(\rho)$, if and only if its Walsh transform $W_f$ satisfies $W_f(w) = 0$ for $1 \le \mathrm{wt}(w) \le \rho$. If the function is also balanced, then the function is called $\rho$-resilient.
• The lowest degree of a function $g$ from $GF(2^n)^n$ into $GF(2^n)$ for which $f \cdot g = 0$ or $(f + 1) \cdot g = 0$ is called the algebraic immunity of the function $f$.
• The function $g$ is said to be an annihilator of $f$ if $f \cdot g = 0$.
• A vectorial Boolean function $F$ from $GF(2^n)^n$ into $GF(2^n)^m$, also called an $(n, m)$ S-box, can be represented by an $m$-tuple $(f_{m-1}, \cdots, f_0)$ of Boolean functions $f_i$ on $GF(2^n)^n$ (corresponding to the output bits).
DEFINITION 6 (Correlation). Let $f, g : GF(2^n) \to GF(2)$ be Boolean functions. The correlation between $f$ and $g$ is:
$$C(f, g) = \frac{\#\{x \in GF(2^n) \mid f(x) = g(x)\} - \#\{x \in GF(2^n) \mid f(x) \ne g(x)\}}{2^n} \quad (11)$$
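The properties listed above (weight and balance, Walsh spectrum, nonlinearity, bias and best affine approximation, correlation immunity and resiliency, algebraic degree via the ANF, and the correlation of Definition 6) computed from a truth table, as an added Python example that is not part of the thesis. The 3-variable majority and parity functions are constructed sample inputs; a truth table is indexed by the integer whose bit i is x_i.

```python
from fractions import Fraction

# Constructed sample functions on 3 variables: majority and parity (x0 XOR x1 XOR x2).
MAJ3 = [0, 0, 0, 1, 0, 1, 1, 1]
XOR3 = [0, 1, 1, 0, 1, 0, 0, 1]


def popcount(x):
    return bin(x).count("1")


def dot(v, w):
    """Inner product v . w over GF(2), Equation (5)."""
    return popcount(v & w) & 1


def weight(tt):
    """wt(f): number of inputs with f(v) = 1."""
    return sum(tt)


def is_balanced(tt, n):
    return weight(tt) == 2 ** (n - 1)


def walsh_spectrum(tt, n):
    """W_f(w) = sum_v (-1)^(f(v) XOR v.w), Equation (10), for every w."""
    return [sum(1 if tt[v] ^ dot(v, w) == 0 else -1 for v in range(2 ** n))
            for w in range(2 ** n)]


def nonlinearity(tt, n):
    """N_f = 2^(n-1) - max_w |W_f(w)| / 2 (always an integer)."""
    return 2 ** (n - 1) - max(abs(x) for x in walsh_spectrum(tt, n)) // 2


def bias(tt, n):
    """epsilon = max_w |W_f(w)| / 2^(n+1): f agrees with its best affine
    approximation with probability 1/2 + epsilon."""
    return Fraction(max(abs(x) for x in walsh_spectrum(tt, n)), 2 ** (n + 1))


def best_affine_approximation(tt, n):
    """(w, b) such that l(v) = v.w XOR b agrees with f on the most inputs."""
    spec = walsh_spectrum(tt, n)
    w = max(range(2 ** n), key=lambda i: abs(spec[i]))
    return w, 0 if spec[w] > 0 else 1


def correlation_immunity_order(tt, n):
    """Largest rho such that W_f(w) = 0 for all 1 <= wt(w) <= rho, i.e. f is CI(rho)."""
    spec = walsh_spectrum(tt, n)
    rho = 0
    for k in range(1, n + 1):
        if any(spec[w] != 0 for w in range(2 ** n) if popcount(w) == k):
            break
        rho = k
    return rho


def resiliency(tt, n):
    """rho for a rho-resilient (balanced and CI(rho)) function; None if not balanced."""
    return correlation_immunity_order(tt, n) if is_balanced(tt, n) else None


def algebraic_degree(tt, n):
    """Degree of the ANF, Equation (9): the truth table is turned into the monomial
    coefficients h(a) by the Moebius transform, then the heaviest monomial is taken."""
    a = list(tt)
    for i in range(n):
        for v in range(2 ** n):
            if v & (1 << i):
                a[v] ^= a[v ^ (1 << i)]
    return max((popcount(m) for m in range(2 ** n) if a[m]), default=0)


def linear_tt(w, n):
    """Truth table of the linear function L_w(x) = w . x."""
    return [dot(x, w) for x in range(2 ** n)]


def correlation(tt_f, tt_g, n):
    """C(f, g) of Definition 6; for g = L_w it equals W_f(w) / 2^n."""
    agree = sum(1 for x in range(2 ** n) if tt_f[x] == tt_g[x])
    return Fraction(agree - (2 ** n - agree), 2 ** n)


if __name__ == "__main__":
    for name, tt in (("majority", MAJ3), ("parity", XOR3)):
        print(name, "spectrum", walsh_spectrum(tt, 3), "N_f", nonlinearity(tt, 3),
              "bias", bias(tt, 3), "deg", algebraic_degree(tt, 3),
              "CI", correlation_immunity_order(tt, 3), "resilient", resiliency(tt, 3))
```

Majority is the low-nonlinearity, degree-2 case (it agrees with x_0 on 6 of 8 inputs), while parity is affine with zero nonlinearity but is 2-resilient; the two illustrate why these properties trade off against each other in combiner design.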
3.4.5. Berlekamp-Massey Algorithm
The Berlekamp-Massey algorithm is used for finding the minimal polynomial of a linearly re-
current sequence. Before we can handle the algorithm, we need to introduce the linear recurrent
sequences and the minimal polynomial.
DEFINITION 7 (Linearly Recurrent Sequence). Suppose the infinite sequence a with elements
from a field K has the property that there exist constants c1, · · · , ck in K such that, for all
t > k,
at = at−1c1 + at−2c2 + · · · + at−kck.
Then a is called a linearly recurrent sequence.
The linear complexity of a recurrent or periodic sequence a is just the length of the shortest linear recurrence which generates a, i.e., the degree of the corresponding characteristic polynomial.
DEFINITION 8 (Annihilator). Given a linearly recurrent sequence $a$, suppose $c_0, \cdots, c_k \in K$ with $c_0 \ne 0$ satisfy, for all $t > k$,
$$c_0 a_t = a_{t-1}c_1 + a_{t-2}c_2 + \cdots + a_{t-k}c_k.$$
Then the polynomial
$$c_0 x^k - c_1 x^{k-1} - c_2 x^{k-2} - \cdots - c_k$$
is called an annihilator for $a$.
The annihilators of a form an ideal⁵ of K[x].
DEFINITION 9 (Minimal Polynomial). Since K[x] is a principal ideal domain, the ideal of a’s annihilators has a unique monic generator of minimal degree. This annihilator is called the minimal polynomial of a.
Let K/L be a finite field extension. Then the minimal polynomial of κ ∈ K, m(x) ∈ L[x], is the unique, monic non-zero polynomial such that m(κ) = 0 and any other polynomial f ∈ L[x] with f(κ) = 0 is divisible by m.
⁵ An ideal is a non-empty, downward closed subset which is also closed under binary least upper bounds. I.e. anything less than an element is also an element and the least upper bound of any two elements is also an element.
Given κ, a polynomial m is the minimal polynomial of κ if and only if m is monic, irreducible,
and m(κ) = 0.
To find the minimal polynomial, we need to be given an upper bound m on its degree; having
done so, the minimal polynomial is uniquely determined by the first 2m elements of a (since
we need to get m equations to solve for the unknowns c1, · · · , cm).
There is another way to determine the minimal polynomial, which uses the Euclidean Algorithm. It can be shown that the characteristic polynomial of a sequence is the unique monic polynomial $C(x)$ of least degree for which the infinite product
$$C(x)(a_1 + a_2 x + a_3 x^2 + \cdots)$$
has finitely many nonzero terms. (In fact, the nonzero terms will have coefficients up to $x^{k-1}$ where $k$ is the degree of $C$).
We can rewrite this as
$$C(x) \cdot (a_1 + a_2 x + \cdots + a_{2m} x^{2m-1}) - Q(x) \cdot x^{2m} = R(x)$$
where $R(x)$ is a remainder polynomial of degree $< m$, and $Q(x)$ is a quotient polynomial. Denote by $A(x)$ the sum $\sum_{i=1}^{2m} a_i x^{i-1}$.
This is where the Euclidean Algorithm comes in; if we take the GCD of $A(x)$ and $x^{2m}$, keeping track of remainders, we get two sequences $P_i(x)$, $Q_i(x)$ such that $P_i(x) \cdot A(x) - Q_i(x) \cdot x^{2m}$ forms a series of polynomials whose degree is decreasing; as soon as this degree is less than $m$, we have the needed polynomials with $C = P_i$, $Q = Q_i$.
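As an added example (not from the thesis), the following Python implements Massey's iterative form of the algorithm over GF(2), which is the form usually run against keystream, rather than the Euclidean variant sketched above; it recovers the minimal polynomial and linear complexity of a constructed 15-bit sample produced by the LFSR with characteristic polynomial x^4 + x + 1, verifies that the first 2L bits already determine the answer, and shows the linear complexity profile.

```python
from functools import reduce
from operator import xor

# Constructed sample: 15 bits of the maximal-length LFSR with characteristic
# polynomial x^4 + x + 1, i.e. s_t = s_{t-3} XOR s_{t-4}, seeded with 1, 0, 0, 0.
SAMPLE = [1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1]


def berlekamp_massey(seq):
    """Massey's form of the algorithm over GF(2).

    Returns (L, C): L is the linear complexity of seq and C = [c_0, ..., c_L]
    (c_0 = 1) is the connection polynomial C(x) = 1 + c_1 x + ... + c_L x^L,
    meaning s_t = c_1 s_{t-1} XOR ... XOR c_L s_{t-L} for every t >= L within
    seq. The empty and all-zero sequences give (0, [1])."""
    n = len(seq)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # connection polynomial before the last length change
    L, m = 0, -1               # current complexity, position of last length change
    for t in range(n):
        # discrepancy between s_t and what the current recurrence predicts
        d = seq[t]
        for i in range(1, L + 1):
            d ^= c[i] & seq[t - i]
        if d == 0:
            continue
        previous = c[:]
        shift = t - m
        for i in range(n + 1 - shift):
            c[i + shift] ^= b[i]       # C(x) <- C(x) + x^(t-m) B(x)
        if 2 * L <= t:                 # the recurrence had to grow
            L, m, b = t + 1 - L, t, previous
    return L, c[:L + 1]


def regenerate(connection, seed, length):
    """Extend seed (at least L bits) with the recurrence described by connection."""
    L = len(connection) - 1
    s = list(seed[:L])
    while len(s) < length:
        t = len(s)
        s.append(reduce(xor, (connection[i] & s[t - i] for i in range(1, L + 1)), 0))
    return s


def linear_complexity_profile(seq):
    """L after each prefix of seq; a random-looking sequence stays close to t/2,
    an LFSR output stops growing once 2L bits have been seen."""
    return [berlekamp_massey(seq[:k])[0] for k in range(1, len(seq) + 1)]


def polynomial_string(connection):
    """Human-readable C(x), e.g. [1, 0, 0, 1, 1] -> '1 + x^3 + x^4'."""
    terms = ["1"] + [f"x^{i}" if i > 1 else "x"
                     for i, ci in enumerate(connection) if ci and i > 0]
    return " + ".join(terms)


if __name__ == "__main__":
    L, conn = berlekamp_massey(SAMPLE)
    print("linear complexity:", L, " connection polynomial:", polynomial_string(conn))
    print("first 2L bits suffice:", berlekamp_massey(SAMPLE[:2 * L]) == (L, conn))
    print("profile:", linear_complexity_profile(SAMPLE))
```

The returned connection polynomial is the reciprocal of the characteristic polynomial; for x^4 + x + 1 the two coincide, which is why the recovered recurrence regenerates the sample exactly.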
3.5. Hypothesis Testing
An important part of cryptanalysis is based on hypothesis testing or statistical testing [Zenner04], [Maurer90]. Choices and guesses must be made, but they should be made based on a hypothesis, denoting which choice will have the best chance to be the correct one. Hypothesis testing is also used when determining whether a sequence of observations is more likely to be sampled from a system with output distribution P0, or from a system having output distribution P1.
It is very important that no regularities can be observed in the output stream. An attacker could
predict additional bits of the output sequence if regularities occur, so it must not be possible to
tell the output stream apart from a truly random sequence.
The intention of hypothesis testing is to attempt to predict the quality of the sequence and
predict the reliability of the sequence. The basic theoretical background of hypothesis testing
will be discussed in this section.
Assume we have a sequence of n independent and identically distributed random variables
X1, X2, · · · , Xn over an alphabet N. The distribution of this sequence is denoted by
Q(x) = P(Xi = x), 1 ≤ i ≤ n (12)
and the sampled values are denoted by x = x1, x2, · · · , xn, where xi ∈ N, 1 ≤ i ≤ n. So we
can consider two hypotheses, one selecting P0 and one selecting P1:
• H0 : Q = P0.
• H1 : Q = P1.
To decide which hypothesis will be accepted, we use a decision function $\phi(x)$. If $\phi(x) = 0$, hypothesis $H_0$ is accepted; $\phi(x) = 1$ implies that $H_1$ is accepted. Since $\phi(x)$ only takes two possible values, we can specify a set $A \subseteq N^n$ over which $\phi(x) = 0$ and its complementary set $A^* \subseteq N^n$ over which $\phi(x) = 1$. Furthermore, let $P_0^n(x)$ denote the joint probability $\prod_{i=1}^n P_0(x_i)$ and $P_1^n(x) = \prod_{i=1}^n P_1(x_i)$.
With this hypothesis, two types of errors can occur that we want to minimize. We can choose
H0, while H1 should have been chosen, which is seen in some cases as a false alarm (PF ), or
we can choose H1, while H0 was true, which is sometimes seen as a worse missed alarm (PM ).
$$P_F = P(\phi(x) = 1 \mid H_0 \text{ true}) = P_0^n(A^*), \quad (13)$$
$$P_M = P(\phi(x) = 0 \mid H_1 \text{ true}) = P_1^n(A). \quad (14)$$
To choose the optimum hypothesis, the lemma of Neyman-Pearson can be used:
LEMMA 10 (Neyman-Pearson [Neyman33]). Let $X_1, X_2, \cdots, X_n$ be drawn identically distributed according to the mass function $Q$. Consider the decision problem corresponding to the hypotheses $Q = P_0$ versus $Q = P_1$. For $T \ge 0$ define a region
$$A_n(T) = \left\{ \frac{P_0(x_1, x_2, \cdots, x_n)}{P_1(x_1, x_2, \cdots, x_n)} > T \right\}$$
Let $P_F = P_0^n(A_n^*(T))$ and $P_M = P_1^n(A_n(T))$ be the probabilities of error corresponding to the decision region $A_n(T)$. Let $B_n$ be any other decision region with associated probabilities of error $P_F^B$ and $P_M^B$. If $P_F^B \le P_F$ then $P_M^B \ge P_M$.
So the region $A_n(T)$, determined by the likelihood ratio $P_0(x)/P_1(x) > T$, is the one that minimizes $P_F$ and $P_M$.
Ekdahl rewrote, in [Ekdahl03], this test to the computationally robust test of Equation (18), using a 2-logarithmic measure and $T = 1$ (to make the probabilities $P_F$ and $P_M$ equally large). This test, called the log-likelihood test, can tell us which of the two hypotheses $H_0$ and $H_1$ is the most likely.
$$\frac{P_0(x_1, x_2, \cdots, x_n)}{P_1(x_1, x_2, \cdots, x_n)} > 1, \quad (15)$$
$$\frac{\prod_{i=1}^n P_0(x_i)}{\prod_{i=1}^n P_1(x_i)} > 1, \quad (16)$$
$$\log_2\left(\frac{\prod_{i=1}^n P_0(x_i)}{\prod_{i=1}^n P_1(x_i)}\right) > 0, \quad (17)$$
$$\sum_{i=1}^n \left(\log_2 \frac{P_0(x_i)}{P_1(x_i)}\right) > 0. \quad (18)$$
In this test we will have equally high probabilities for the two error events PF and PM . However,
it is sometimes desired to use an unsymmetrical threshold, by decreasing the "false" error PF
at the expense of the "missed" error PM . In [Cover91] it is shown that the probabilities of error
can be expressed as:
$$P_M = 2^{-n\,D(P_\lambda \| P_e)}, \quad (19)$$
$$P_F = 2^{-n\,D(P_\lambda \| P_U)}, \quad (20)$$
where $P_\lambda$ is the probability distribution on the boundary between the two decision regions determined by $T$, $P_U(X = 0) = \frac{1}{2}$ is the uniform distribution and $D(P_0 \| P_1)$ is the relative entropy defined as:
$$D(P_0 \| P_1) = \sum_{x \in N} P_0(x) \log_2 \frac{P_0(x)}{P_1(x)} \quad (21)$$
The boundary distribution $P_\lambda$ is determined by the chosen threshold such that:
$$D(P_\lambda \| P_e) - D(P_\lambda \| P_U) = \frac{\log_2 T}{n}. \quad (22)$$
Another interesting hypothesis test tries to estimate the number of samples we will need in order to achieve a certain level of confidence in the test, i.e. how large n must be so that the probability of error is below a certain value.
We can write the overall probability of error as:
Pe = π0PF + π1PM , (23)
where π0 is the prior probability of H0 and π1 is the prior probability of H1 and π0 + π1 = 1.
In [Cover91] it is shown that this overall probability Pe is equal to:
$$P_e = 2^{-n\,C(P_0, P_1)}, \quad (24)$$
where $n$ is the number of samples and $C(P_0, P_1)$ is the Chernoff information, defined by:
$$C(P_0, P_1) = -\min_{0 \le \lambda \le 1} \log_2 \left( \sum_{x \in N} (P_0(x))^\lambda (P_1(x))^{1-\lambda} \right) \quad (25)$$
With $\lambda = 0.5$ we can get an upper bound for Equation (24). Using this rule, the well-known "rule of thumb" is derived: to separate the two binary distributions $\frac{1}{2} + \varepsilon$ and $\frac{1}{2}$ we need approximately $1/\varepsilon^2$ samples.
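The log-likelihood test of Equation (18), its exact error probabilities P_F and P_M (Equations 13 and 14), the relative entropy of Equation (21) and the Chernoff information of Equation (25), worked through for the binary case behind the 1/ε² rule of thumb; this is an added Python example, not code from the thesis. The distributions P0 (biased, 1/2 + ε with ε = 0.1) and P1 (uniform) are constructed for the example, and the Chernoff minimisation over λ is done on a grid.

```python
from math import comb, exp, log, log2

# Constructed distributions over the binary alphabet {0, 1}: H0 says the source is
# biased, P0(1) = 1/2 + EPS; H1 says it is uniform, P1(1) = 1/2.
EPS = 0.1
P0 = {0: 0.5 - EPS, 1: 0.5 + EPS}
P1 = {0: 0.5, 1: 0.5}


def log_likelihood_decision(xs, p0, p1):
    """Equation (18): accept H0 (return 0) when sum_i log2(P0(x_i)/P1(x_i)) > 0,
    otherwise H1 (return 1). Both distributions must give every symbol probability > 0."""
    return 0 if sum(log2(p0[x] / p1[x]) for x in xs) > 0 else 1


def binomial_pmf(n, k, p):
    """P(k ones in n draws) computed in log space so that large n does not overflow."""
    return exp(log(comb(n, k)) + k * log(p) + (n - k) * log(1 - p))


def error_probabilities(n, p0, p1):
    """Exact P_F (Equation 13) and P_M (Equation 14) of the log-likelihood test for n
    binary samples. The test depends on the sample only through its number of ones k,
    so k is enumerated and weighted by its binomial probability under each hypothesis."""
    llr_one, llr_zero = log2(p0[1] / p1[1]), log2(p0[0] / p1[0])
    pf = pm = 0.0
    for k in range(n + 1):
        accept_h0 = k * llr_one + (n - k) * llr_zero > 0
        if accept_h0:
            pm += binomial_pmf(n, k, p1[1])   # H1 true, H0 chosen: missed alarm
        else:
            pf += binomial_pmf(n, k, p0[1])   # H0 true, H1 chosen: false alarm
    return pf, pm


def relative_entropy(p, q):
    """D(P || Q), Equation (21), in bits."""
    return sum(p[x] * log2(p[x] / q[x]) for x in p if p[x] > 0)


def chernoff_information(p0, p1, steps=1000):
    """C(P0, P1), Equation (25): minus log2 of the minimum over lambda in [0, 1] of
    sum_x P0(x)^lambda P1(x)^(1-lambda); the minimum is searched on a grid."""
    return max(-log2(sum(p0[x] ** lam * p1[x] ** (1 - lam) for x in p0))
               for lam in (i / steps for i in range(steps + 1)))


def chernoff_bound(n, p0, p1):
    """2^(-n C(P0, P1)), the exponent of Equation (24)."""
    return 2.0 ** (-n * chernoff_information(p0, p1))


def rule_of_thumb_samples(eps):
    """The 1/eps^2 rule for telling 1/2 + eps from 1/2."""
    return round(1 / eps ** 2)


if __name__ == "__main__":
    n = rule_of_thumb_samples(EPS)
    print("D(P0||P1) =", round(relative_entropy(P0, P1), 5),
          " C(P0,P1) =", round(chernoff_information(P0, P1), 5))
    for samples in (n, 4 * n, 16 * n):
        pf, pm = error_probabilities(samples, P0, P1)
        print(f"n={samples:5d}  P_F={pf:.4f}  P_M={pm:.4f}"
              f"  2^(-nC)={chernoff_bound(samples, P0, P1):.4f}")
```

With n = 1/ε² = 100 samples both error probabilities are already well below 1/2 but still above a tenth; quadrupling n brings them under 5 percent, which is the order-of-magnitude behaviour the rule of thumb captures.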
CHAPTER 4
Stream Ciphers
Parts of this chapter are based on RSA Laboratories’ very clear "Frequently Asked Questions
About Today’s Cryptography", Version 4.1 [Laboratories00], with permission of the author.
4.1. Introduction
A stream cipher is a type of symmetric encryption algorithm. Stream ciphers can be designed
to be exceptionally fast, much faster than any block cipher, which makes them very suitable for
use in telecommunication and low-level network encryption. While block ciphers operate on
large blocks of data, stream ciphers typically operate on individual symbols of the underlying
alphabet, usually bits. The encryption of any particular plaintext with a block cipher will result
in the same ciphertext when the same key is used. With a stream cipher, the transformation of these smaller plaintext units will vary, depending on when they are encountered during the encryption process: the encryption function is time-varying. Stream ciphers also have limited error propagation if the encrypted data is corrupted and limited buffer requirements, since the symbol size is relatively small and each symbol is encrypted independently of the others.
A stream cipher generates what is called a keystream (a sequence of bits used as a key). Encryption is accomplished by combining the keystream with the plaintext, usually with the bitwise
XOR operation. The generation of the keystream can be independent of the plaintext and ci-
phertext, yielding what is termed a synchronous stream cipher, or it can depend on the data and
its encryption, in which case the stream cipher is said to be self-synchronizing. Most stream
cipher designs are for synchronous stream ciphers.
4.2. One-time pads
Current interest in stream ciphers is most commonly attributed to the appealing theoretical
properties of the one-time pad, attributed to the work of Shannon [Shannon49]. A one-time
pad, sometimes called the Vernam cipher [Vernam26], uses a string of bits that is generated completely at random. This usually means measuring some random phenomenon in nature, like the movements of particles. The keystream is the same length as the plaintext message and can only be used once; clearly a vast amount of keystream might be required. The random
string is combined using bitwise XOR with the plaintext to produce the ciphertext. Since the
entire keystream is random, even an opponent with infinite computational resources can only
guess the plaintext if he or she sees the ciphertext. Such a cipher is said to offer perfect secrecy
[Shannon49], since the ciphertext is statistically independent of the plaintext. The analysis
of the one-time pad is seen as one of the cornerstones of modern cryptography. While the
one-time pad saw use during wartime over diplomatic channels requiring exceptionally high
security, the fact that the secret key (which can be used only once) is as long as the message
introduces severe key management problems. While perfectly secure, the one-time pad is in
general impractical.
4.3. Stream Ciphers
Stream ciphers were developed as an approximation to the action of the one-time pad. While
contemporary stream ciphers are unable to provide the satisfying theoretical security of the
one-time pad, they are at least practical. The keystream can be generated independently of the
plaintext or ciphertext, which gives the advantage that the keystream can be generated prior to
encryption or decryption with only an easy combining step left when the message or ciphertext
is to be processed. Clearly, the largest part of the strength (or the weakness) of the stream
cipher depends on the keystream combined with it. As can be seen in Figure 4.1, different
classifications for stream ciphers exist. The next section will introduce the synchronous and
asynchronous (or self-synchronous) stream ciphers.
FIGURE 4.1. Stream cipher classifications [Kiviharju04]
4.3.1. Classification
4.3.1.1. Synchronous. If the next state of the cryptosystem is defined independently of
both plaintext and ciphertext and only depending on the key, then the stream cipher is termed
(classified) synchronous¹. In such a scheme each plaintext bit is encrypted independently of
the others and the corruption of a bit of the ciphertext during transmission will not affect the
decryption of other ciphertext bits. The cipher is described as having no error-propagation and
though this appears to be a desirable property, it has several implications. First, it limits the
opportunity to detect an error when decryption is performed, but more importantly, an attacker
is able to make controlled changes to parts of the ciphertext knowing fully well what changes
are being caused on the corresponding plaintext. Therefore, additional mechanisms for message
authentication are needed.
Both encryption and decryption units must remain in step since decryption cannot proceed
successfully unless the keystreams used to encrypt and decrypt are synchronized. The synchro-
nization is achieved by including ’marker positions’ or ’frames’ in the transmission; the effect
of the marker is that if a bit of ciphertext is lost during transmission, it results in an incorrect
decryption until one of the marker positions is attained.
¹ The E0 stream cipher used in the Bluetooth encryption process uses a synchronous mechanism, which we will discuss in Chapter 8.
A synchronous stream cipher can be described at a time $t \geq 0$ by the equations:
$$s_{t+1} = f(s_t, k), \quad (26)$$
$$z_t = g(s_t, k), \quad (27)$$
$$c_t = h(z_t, m_t), \quad (28)$$
where $s_0$ is the initial state, which may depend on the key $k$. $f$ is the next-state function, $g$ is the
function which produces the keystream $z_t$, $t \geq 0$, and $h$ is the output function which combines
the keystream bits $z_t$ and the plaintext bits $m_t$ to produce the ciphertext $c_t$. This procedure is
represented by Figure 4.2.
FIGURE 4.2. Synchronous stream cipher structure
DEFINITION 11 (Synchronous Stream Cipher). A synchronous stream cipher is a finite state
machine for which the keystream is generated from the key, but independently of the plaintext
message and the ciphertext.
At each time instance $t \geq 0$, the cipher produces a new keystream symbol $z_t \in Z$. Typically,
$Z$ is the binary field $\mathbb{F}_2$. The symbol size for the stream cipher is defined to be $W$ bits. The
message $m$ is split into symbols of size $W$ bits, $m = m_0, m_1, m_2, \cdots, m_{N-1}$ where $m_t \in P$, the
plaintext alphabet, and encrypted symbol by symbol using the output function $h$. The output
is a sequence of ciphertext symbols $c = c_0, c_1, c_2, \cdots, c_{N-1}$ where $c_t \in C$, the ciphertext
alphabet. Often the eXclusive OR (XOR) function is used as the output function $h$. The stream
cipher is then called an additive stream cipher, since XOR is the field addition operation. The
addition operation of the additive stream cipher requires that the plaintext alphabet $P$ and the
ciphertext alphabet $C$ are equal to $Z$, $P = C = Z$.
The additive stream cipher can also be described as a pseudo-random number generator or
a keystream generator whose output is XORed with the plaintext. The key is used to initialize
the generator, which will then produce pseudo-random bits. So, instead of using a complete
keystream as the secret key, like the one-time pad does, a (relatively) short key is used for seeding
and the generator will produce a long keystream which is as random looking as possible.
Deciphering is done by adding the encrypted message $c_t$ and the keystream $z_t$ and applying the
inverse function of $h$ (of Equation (28)):
$$h^{-1}(z_t, c_t) = m_t \quad (29)$$
So the receiver has to generate the same keystream $z_t$ as the sender. The inverse of the output
function, $h^{-1}$, is the same as $h$ for additive stream ciphers, $h^{-1} = h$. This useful property
makes the decryption device exactly the same as the encryption device.
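The synchronous additive cipher of Equations (26)-(29) as a small finite state machine, written here as an added example (not code from the thesis): the choices of f, g and h, the sample keys, the HMAC and the frame scheme are assumptions made for illustration. It also exercises the two properties discussed above: no error propagation (with the controlled ciphertext changes that make a MAC necessary) and resynchronization at marker positions.

```python
import hashlib
import hmac

# Constructed sample keys; not real key material.
KEY = b"constructed-cipher-key"
MAC_KEY = b"constructed-mac-key"
FRAME = 8   # symbols per frame; the frame number acts as the synchronization marker


def f(state, key):
    """Next-state function f of Eq. (26): a counter, independent of plaintext and ciphertext."""
    return state + 1


def g(state, key):
    """Keystream function g of Eq. (27): one byte symbol (W = 8) derived from key and state.
    Assumption for this example: a hash of key || state stands in for the keystream generator."""
    return hashlib.sha256(key + state.to_bytes(8, "big")).digest()[0]


def h(z, m):
    """Output function h of Eq. (28): XOR, so the cipher is additive and h^{-1} = h (Eq. 29)."""
    return z ^ m


def run_cipher(key, symbols, s0=0):
    """Clock the finite state machine over a byte string, starting from state s0."""
    state = s0
    out = bytearray()
    for sym in symbols:
        out.append(h(g(state, key), sym))
        state = f(state, key)
    return bytes(out)


# Because h^{-1} = h, the decryption device is exactly the encryption device.
encrypt = run_cipher
decrypt = run_cipher


def wrong_positions(key, message, flipped_index):
    """Flip one ciphertext bit in transit and return the indices of plaintext symbols that
    decrypt wrongly. No error propagation: only the symbol at flipped_index is affected."""
    c = bytearray(encrypt(key, message))
    c[flipped_index] ^= 0x01
    p = decrypt(key, bytes(c))
    return [i for i in range(len(message)) if p[i] != message[i]]


def controlled_change(key, message, index, delta):
    """Without the key, XOR delta into one ciphertext symbol: the corresponding plaintext
    symbol changes by exactly delta. This is why a message authentication code is needed."""
    c = bytearray(encrypt(key, message))
    c[index] ^= delta
    return decrypt(key, bytes(c))


def tag(mac_key, ciphertext):
    """MAC over the ciphertext (HMAC-SHA256 here), which detects such controlled changes."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key, ciphertext, t):
    return hmac.compare_digest(tag(mac_key, ciphertext), t)


def encrypt_frames(key, message):
    """Marker scheme: frame n restarts the state machine at s0 = n << 32, so both sides get
    back in step at every frame boundary."""
    return [(n, encrypt(key, message[i:i + FRAME], s0=n << 32))
            for n, i in enumerate(range(0, len(message), FRAME))]


def decrypt_frames(key, frames):
    return [decrypt(key, c, s0=n << 32) for n, c in frames]


def frames_ok_after_loss(key, message, lost_in_frame):
    """Lose the first ciphertext symbol of one frame in transit and report, per frame, whether
    it still decrypts correctly: decryption is wrong only until the next marker is reached."""
    frames = encrypt_frames(key, message)
    n, c = frames[lost_in_frame]
    frames[lost_in_frame] = (n, c[1:])
    expected = [message[i:i + FRAME] for i in range(0, len(message), FRAME)]
    return [p == e for p, e in zip(decrypt_frames(key, frames), expected)]


if __name__ == "__main__":
    msg = b"ATTACK AT DAWN. ALL UNITS MOVE."
    assert decrypt(KEY, encrypt(KEY, msg)) == msg
    print("bit flip affects symbols:", wrong_positions(KEY, msg, 5))            # [5]
    print(controlled_change(KEY, b"PAY 100 EUR", 4, ord("1") ^ ord("9")))       # b'PAY 900 EUR'
    c = encrypt(KEY, msg)
    t = tag(MAC_KEY, c)
    print("MAC rejects tampering:", not verify(MAC_KEY, bytes([c[0] ^ 1]) + c[1:], t))
    print("frames correct after a lost symbol:", frames_ok_after_loss(KEY, msg, 1))
```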
4.3.1.2. Asynchronous. The other possible stream cipher class is called self-synchronizing
or asynchronous [Proctor85] [Daemen95]. Asynchronous stream ciphers have the property
that they will resynchronize after a finite number of received ciphertext symbols. Thus the state
of such a cipher is only dependent on the previous generated keystream symbols. It can be
described at a time $t \geq 0$ by the equations:
$$s_t = (c_{t-v}, c_{t-v+1}, \cdots, c_{t-1}), \quad (30)$$
$$z_t = g(s_t, k), \quad (31)$$
$$c_t = h(z_t, m_t), \quad (32)$$
where $s_t$ is the initial state, $k$ is the key, $g$ is the function which produces the keystream $z_t$,
and $h$ is the output function which combines the keystream bits $z_t$ and the plaintext bits $m_t$
to produce the ciphertext $c_t$. The initial state $s_t = (c_{t-v}, c_{t-v+1}, \cdots, c_{t-1})$ may be publicly
known. In contrast to the synchronous stream ciphers, the encryption and decryption processes
differ for the asynchronous stream ciphers, as can be seen in the structure represented in Figure 4.3.
FIGURE 4.3. Asynchronous stream cipher structure
DEFINITION 12 (Asynchronous stream ciphers). An asynchronous stream cipher is a finite
state machine for which the keystream is generated as a function of the key and a fixed number
of the previous ciphertext symbols.
Asynchronous stream ciphers have the facility to resume correct decryption if the keystream
generated by the decrypting unit falls out of synchronization with the encrypting keystream.
Since the E0 encryption system of Bluetooth uses a synchronous stream cipher, the remainder
of this thesis will not take into account asynchronous stream ciphers.
4.4. Pseudo-random generator
Pseudo-random numbers are used if it is too time-consuming to generate true random num-
bers (e.g. with Johnson noise, semi-conductor diodes or Schmitt trigger [Davenport58]). The
pseudo-random generator is an algorithm that, given a short sequence of random bits, produces
a long sequence of bits that "looks" random. The output sequence cannot be distinguished in
polynomial time from a true random sequence.
As mentioned above, pseudo-random generators are used to extend a secret key into a keystream
for a stream cipher cryptosystem. Some of the earliest practical keystream generators were in-
tended to act as pseudo-random number generators.
The pseudo-random generator inputs some initial state vector $\{x_0, \cdots, x_{n-1}\}$, which is derived
from the fixed-length key. The output of the generator is a bitstream $\{x_i\}_{i \geq 0}$, which is used to
encrypt the message $m = (m_0, m_1, \cdots)$ as
$$m_i + x_i \equiv c_i \pmod 2, \quad 0 \leq i \leq \mathrm{len}(m) - 1, \quad (33)$$
where $\{c_i\}_{i \geq 0}$ is the ciphertext.
The period of a bitstream $\{x_i\}_{i \geq 0}$ is the smallest positive integer $p$ that satisfies:
$$x_{i+p} = x_i, \quad (34)$$
for all i ≥ 0. If the period of the keystream is too short then different parts of the plaintext
will be encrypted in an identical way and this constitutes a severe weakness. Knowledge of the
plaintext allows recovery of the corresponding portion of the keystream and the cryptanalyst
can then use the fact that this position of keystream is used elsewhere in the encryption to
successfully decrypt the ciphertext.
The autocorrelation [Golomb67] $AC(k)$ of a periodic sequence $\{x_i\}_{i \geq 0}$ with period $p$ is
$$AC(k) = \frac{A - D}{p} \quad (35)$$
where
$$A = |\{0 \leq i < p \mid x_i = x_{i+k}\}| \quad (36)$$
and
$$D = |\{0 \leq i < p \mid x_i \neq x_{i+k}\}| \quad (37)$$
The autocorrelation is described by Golomb in terms of independent trials: knowing some
previous value in the sequence is essentially of no help in deducing the current value. It is a
measure of how well a sequence can be distinguished from a copy of the same sequence that
has been started at some other point in the period.
If k is a multiple of period p, then the autocorrelation is said to be in-phase and the value of
AC(k) is 1. If this is not the case, the autocorrelation is called out-of-phase.
Golomb’s Randomness Postulates [vT88] state a few facts a pseudo-random generator should
fulfill regarding the quality:
G1: The number of zeros and ones are as equal as possible per period. Zeros and ones
occur with roughly the same probability.
G2: Half of the runs² in a cycle have length 1, one quarter have length 2, $\cdots$, $2^{-k}$ of the runs have
length $k$. Half of the runs of a certain length are gaps³ and the other half are blocks.
After 01 the symbol 0 has almost the same probability as the symbol 1.
G3: The out-of-phase autocorrelation AC(k) has the same value for all k. Counting the
number of agreements between a sequence and a shifted version of that sequence does
not give any information about the period of the sequence unless one shifts over a
multiple of the period.
Other cryptographical properties of a good pseudo-random generator are collected in the fol-
lowing list:
• The period p of {xi} has to be taken very long.
How long mainly depends on the computing power and application assumed to be in
use. So the size of the period can be different for different senders and receivers and
for different cryptosystems. The keystream should be long enough to ensure that it
is overwhelmingly unlikely that the same portion of keystream is used twice during
encryption. In general, if the result is exponential with respect to the length of the
pseudo-random generator’s initial state, the rule is fulfilled.
² A run of length $k$ starts at time $t$ if $x_{t-1} \neq x_t = x_{t+1} = \cdots = x_{t+k-1} \neq x_{t+k}$.
³ A block and a gap of length $k$ are runs of $k$ consecutive 1s and 0s, respectively.
• The sequence {xi} should be easy to generate.
This states the properties of the hardware or software implementation.
• The system should resist the known-plaintext attack.
Knowledge of a part of the plaintext with the corresponding ciphertext should not make it
possible to generate any further terms of the sequence $\{x_i\}$.
4.5. Linear Feedback Shift Register
As mentioned above, the fundamental property of a keystream generator is to produce as ran-
dom looking symbols as possible. The distribution of symbols should be uniform and unpre-
dictable. To generate such a sequence of binary bits, a Linear Feedback Shift Register (LFSR)
can be used. Although the direct output of an LFSR is not a good keystream generator, since
each element is simply a linear combination of the previous symbols, LFSRs are widely used
inside stream ciphers.
An LFSR is a shift register whose input is the exclusive-or (XOR) of some of its outputs. The
register (see Figure 4.4) consists of a series of cells, each able to hold one symbol at a
time. The outputs that influence the input are called taps. The content of the register at time $t$
is called the state of the LFSR at time $t$.
DEFINITION 13. A Linear Feedback Shift Register (LFSR) of length $n$ is a collection of $n$ 1-bit
memory elements $s^0_t, s^1_t, \cdots, s^{n-1}_t$. At each time $t$ the memory is updated as follows:
$$s^i_t = s^{i+1}_{t-1} \quad \text{for } i = 0, \cdots, n-2$$
$$s^{n-1}_t = \bigoplus_{i=1}^{n} c_i \cdot s^{n-i}_{t-1}$$
where the $c_i$ are fixed binary coefficients that define the feedback equation of the LFSR. The
LFSR stream $(s_t)_{t \geq 0}$ consists of the successive values in the memory element $s^0$.
A maximal LFSR produces an n-sequence, unless it contains all zeros. The tap sequence of an
LFSR can be represented as a polynomial mod 2, which is called the feedback polynomial
$P(X)$ of degree $n$, $P(X) = 1 + \sum_{i=1}^{n} c_i \cdot X^i$. The weight of the feedback polynomial is equal to
the number of its nonzero terms. If this polynomial is primitive, then the LFSR is maximal. A
polynomial is primitive if it has polynomial order $2^n - 1$. The state of the register, taken at any
time, together with the feedback polynomial, completely determines the produced sequence.
For example, if the taps are at the 1st, 3rd, 4th and 6th bits (as in Figure 4.4), the polynomial is
$x^{16} + x^5 + x^3 + x^2 + 1$.
The behaviour of the register is regulated by a counter (in hardware this counter is often referred
to as a ’clock’). At each time t ≥ 0, the device is clocked and the contents of the cells of the
register are shifted right by one position, and the XOR of the contents of a subset of the cells
(the taps) is placed in the leftmost cell. One bit of output is usually derived during this update
procedure.
FIGURE 4.4. Linear Feedback Shift Register [Wikipedia05]
Since there are only a finite number of possible states, the sequence produced by the LFSR
must repeat itself after a finite period $p$, i.e. every sequence $s_0 s_1 \cdots$ of period $p$ satisfies a linear
recurrence of length $p$, namely $s_{i+p} = s_i$ for all $i \geq 0$. A sequence may additionally satisfy a
shorter recurrence, that is each bit of the sequence can be defined using some linear expression
which involves bits that are less than p bits away. The length of the shortest recurrence is
defined to be the linear complexity of the sequence. A high linear complexity means that more
of the sequence has to be observed before the recurrence can be identified and that a longer
register is required to duplicate the sequence.
For a register of length $n$, a sequence with maximum period that satisfies Golomb's Postulates
has period $2^n - 1$ (since there are $2^n$ states and the all-zero state $0 \cdots 0$ cannot occur). An output sequence
of an LFSR of length $n$ is called a PN (pseudo-noise) sequence if its period is $2^n - 1$. Hence, all
non-zero sequences of this LFSR are shifted versions of each other. These sequences can easily
and quickly be generated and have good properties of random appearance. But the drawback is
that they only have linear complexity $n$, since they are generated using an $n$-stage linear feedback
shift register.
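Definition 13 and Golomb's postulates worked through in code: the following is an added example (not the thesis's own implementation) that clocks an LFSR exactly as the definition states, measures the period of Equation (34), and checks one period of output against G1, G2 (the part stating that half of the runs have length 1) and G3 using the autocorrelation of Equations (35)-(37). The two feedback polynomials, 1 + X^3 + X^4 (primitive) and 1 + X + X^2 + X^3 + X^4 (not primitive, order 5), and the seed are constructed for the demonstration.

```python
from collections import Counter
from fractions import Fraction


def step(coeffs, s):
    """One clock of the LFSR of Definition 13. coeffs[i-1] is c_i of P(X) = 1 + sum c_i X^i
    (i = 1..n) and s is the state tuple (s^0, ..., s^{n-1})."""
    n = len(coeffs)
    feedback = 0
    for i in range(1, n + 1):              # s_t^{n-1} = XOR_{i=1..n} c_i * s_{t-1}^{n-i}
        feedback ^= coeffs[i - 1] & s[n - i]
    return s[1:] + (feedback,)             # s_t^i = s_{t-1}^{i+1} for i = 0..n-2


def lfsr_sequence(coeffs, state, length):
    """The first `length` symbols of the LFSR stream, i.e. successive values of s^0."""
    s, out = tuple(state), []
    for _ in range(length):
        out.append(s[0])
        s = step(coeffs, s)
    return out


def period(coeffs, state):
    """Smallest p >= 1 with x_{i+p} = x_i for all i (Eq. 34): the register is back in its
    start state after p clocks, and from then on the output repeats."""
    start = tuple(state)
    s, p = step(coeffs, start), 1
    while s != start:
        s, p = step(coeffs, s), p + 1
    return p


def balance(x):
    """G1: (ones, zeros) in one period; they should differ by at most one."""
    ones = sum(x)
    return ones, len(x) - ones


def runs(x):
    """G2: Counter of (symbol, length) over the runs of one period, taken cyclically so that
    a block (1s) or gap (0s) wrapping around the end of the period is counted once."""
    p = len(x)
    start = next((i for i in range(p) if x[i] != x[i - 1]), None)
    if start is None:
        return Counter()                   # constant sequence: no run boundary at all
    y = x[start:] + x[:start]
    counts = Counter()
    i = 0
    while i < p:
        j = i
        while j < p and y[j] == y[i]:
            j += 1
        counts[(y[i], j - i)] += 1
        i = j
    return counts


def autocorrelation(x, k):
    """AC(k) = (A - D)/p of Equations (35)-(37), computed exactly as a Fraction."""
    p = len(x)
    A = sum(1 for i in range(p) if x[i] == x[(i + k) % p])
    D = p - A
    return Fraction(A - D, p)


def golomb_report(x):
    """How one period x fares against G1, G2 and G3 (G3: all out-of-phase values equal)."""
    p = len(x)
    ones, zeros = balance(x)
    r = runs(x)
    total = sum(r.values())
    return {
        "G1_balanced": abs(ones - zeros) <= 1,
        "G2_half_length_one": total > 0 and r[(0, 1)] + r[(1, 1)] == total // 2,
        "G3_out_of_phase_values": {autocorrelation(x, k) for k in range(1, p)},
    }


if __name__ == "__main__":
    PRIMITIVE = (0, 0, 1, 1)        # P(X) = 1 + X^3 + X^4, primitive: period 2^4 - 1 = 15
    NOT_PRIMITIVE = (1, 1, 1, 1)    # P(X) = 1 + X + X^2 + X^3 + X^4, order 5: period 5
    seed = (0, 0, 0, 1)             # constructed non-zero start state
    for name, c in (("primitive", PRIMITIVE), ("not primitive", NOT_PRIMITIVE)):
        p = period(c, seed)
        x = lfsr_sequence(c, seed, p)
        print(name, "period", p, "of at most", 2 ** len(c) - 1, x, golomb_report(x))
```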
The Berlekamp-Massey algorithm [Massey69], introduced in Section 3.4.5, can be used on 2n
successive bits of the output sequence to deduce the feedback and the initial state of the register
used to generate the sequence. The algorithm calculates the linear recurrence of the sequence
and this offers some indication for how difficult a sequence might be to replicate.
Sequences generated by maximum-length LFSRs have good statistical properties, desirable for
keystream generator construction, but their linearity has to be destroyed: the linear complexity
has to be increased before the sequence can be used. A classical method is to use several LFSRs
and combine the output from each of them using a Boolean function.
A shift register cascade is a set of LFSRs connected together in such a way that the behaviour
of one particular LFSR depends on the behaviour of the previous LFSRs in the cascade. This
dependent behaviour is usually achieved by using one LFSR to control the counter of the fol-
lowing LFSR. For instance, one register might be advanced by one step if the preceding register
output is 1 and advanced by two steps otherwise.
A stream cipher based on the simple interaction between the outputs from two LFSRs is called
a shrinking generator. The shrinking generator was developed by Coppersmith, Krawczyk,
and Mansour [Coppersmith94]. The bits of one output are used to determine whether the
corresponding bits of the second output will be used as part of the overall keystream. The
shrinking generator is simple and scalable, and has good security properties. One drawback
of the shrinking generator is that the output rate of the keystream will not be constant unless
precautions are taken. A variant of the shrinking generator is the self-shrinking generator,
where instead of using one output from one LFSR to "shrink" the output of another (as in the
shrinking generator), the output of a single LFSR is used to extract bits from the same output.
LFSRs are fast and easy to implement in both hardware and software. With a judicious choice
of feedback taps the sequences that are generated can have a good statistical appearance, al-
though still linear. LFSRs are useful as building blocks in more secure systems that require
very fast generation of a pseudo-random sequence, such as a direct-sequence spread spectrum
radio.
The next chapter covers different types of attacks on stream ciphers.
CHAPTER 5
Stream Cipher Attacks
5.1. Stream Ciphers Weaknesses
The most typical use of a stream cipher for encryption is to generate a keystream in a way that
depends on the secret key and then to combine this (typically using bitwise XOR) with the
message being encrypted.
It is imperative the keystream "looks" random; that is, after seeing increasing amounts of the
keystream, an adversary should have no additional advantage in being able to predict any of
the subsequent bits of the sequence. While there are some attempts to guarantee this property
in a provable way, most stream ciphers rely on ad hoc analysis. A necessary condition for
a secure stream cipher is that it passes a battery of statistical tests. These tests can estimate
(among other things) the frequencies with which individual bits or consecutive patterns of bits
of different sizes occur. Such tests might also check for correlation between bits of the sequence
occurring at some time instant and those at other points in the sequence. Clearly the amount
of statistical testing will depend on the thoroughness of the designer. It is a rare and poorly
designed stream cipher that does not pass most suites of statistical tests.
The only secret information (besides the plaintext) is the initial state, which must be exchanged
before starting the transmission using a suitable key-exchange protocol. It is usual to make the
assumption that an attacker knows not only the encrypted bit stream, but even some short piece
of the plaintext, and therefore, can easily compute some piece of the keystream. Consequently,
the security of keystream generators has to be based on the assumption that there is no feasible
way to compute the secret initial state.
The keystream will always leak information about the initial key and will always have statistical
deviations from a truly random sequence. An attacker can almost always derive some useful
information, given a long enough keystream sequence. The aim for any stream cipher is to
minimize that information leakage.
A keystream might potentially have structural weaknesses that allow an adversary to deduce
some information of the keystream. Most obviously, if the period of a keystream, that is, the
number of bits in the keystream before it begins to repeat again, is too short, the adversary can
apply discovered parts of the keystream to help in the decryption of other parts of the ciphertext.
A stream cipher design should be accompanied by a guarantee of the minimum period for the
keystreams that might be generated or alternatively, good theoretical evidence for the value of
the lower bound to such a period. Without this, the user of the cryptosystem cannot be assured
that a given keystream will not repeat sooner than might be required for cryptographic safety.
A more involved set of structural weaknesses might offer the opportunity of finding alternative
ways to generate parts or even the whole of the keystream. Chief among these approaches might
be using a linear feedback shift register to replicate part of the sequence. The motivation to use a
linear feedback shift register is due to the algorithm of Berlekamp and Massey [Massey69] that
takes as input a finite sequence of bits and generates as output the details of a linear feedback
shift register that could be used to generate that sequence. This gives rise to the measure
of security known as the linear complexity of a sequence; for a given sequence, the linear
complexity is the size of the linear feedback shift register that needs to be used to replicate the
sequence. Clearly a necessary condition for the security of a stream cipher is that the sequences
it produces have a high linear complexity.
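The Berlekamp-Massey algorithm run on LFSR output, as an added example (not code from the thesis) that serves both the remark in Section 4.5 that 2n successive output bits let one deduce the feedback and initial state of an n-stage register, and the use of linear complexity as a security measure described above. The 4-stage and 3-stage LFSRs, their seeds and the AND combiner (standing in for a generic Boolean combining function) are constructed for the demonstration.

```python
def berlekamp_massey(s):
    """Linear complexity L of the bit sequence s and the coefficients [c_1, ..., c_L] of the
    shortest LFSR P(X) = 1 + sum c_i X^i generating it: s_j = c_1 s_{j-1} ^ ... ^ c_L s_{j-L}."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial
    B = [1] + [0] * n          # connection polynomial before the last change of L
    L, m = 0, 1                # L: current linear complexity, m: clocks since that change
    for i in range(n):
        d = s[i]               # discrepancy between predicted and observed bit
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(m, n + 1):
            C[j] ^= B[j - m]   # C(X) <- C(X) + X^m B(X)
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[1:L + 1]


def lfsr_sequence(coeffs, state, length):
    """Clock the LFSR of Definition 13 (coeffs[i-1] = c_i, state = its first n output bits)."""
    n = len(coeffs)
    s, out = list(state), []
    for _ in range(length):
        out.append(s[0])
        feedback = 0
        for i in range(1, n + 1):
            feedback ^= coeffs[i - 1] & s[n - i]
        s = s[1:] + [feedback]
    return out


def recover_lfsr(observed):
    """From an observed keystream fragment return (L, coefficients, initial state) of the
    shortest register able to replicate it."""
    L, c = berlekamp_massey(observed)
    return L, c, observed[:L]


def and_combiner(length):
    """Two maximal LFSRs (P = 1 + X^3 + X^4, period 15, and P = 1 + X^2 + X^3, period 7)
    combined bit by bit with a Boolean AND; constructed for the demonstration."""
    a = lfsr_sequence((0, 0, 1, 1), (0, 0, 0, 1), length)
    b = lfsr_sequence((0, 1, 1), (0, 0, 1), length)
    return [x & y for x, y in zip(a, b)]


if __name__ == "__main__":
    TAPS, SEED = (0, 0, 1, 1), (0, 0, 0, 1)   # constructed 4-stage register, period 15
    stream = lfsr_sequence(TAPS, SEED, 40)
    L, c, s0 = recover_lfsr(stream[:8])      # only 2n = 8 bits are observed
    print("linear complexity", L, "coefficients", c, "initial state", s0)
    print("replicates the whole stream:", lfsr_sequence(c, s0, 40) == stream)   # True
    L2, c2, s2 = recover_lfsr(and_combiner(105))
    print("AND of the two registers has linear complexity", L2)              # 12 = 4 * 3
```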
Other attacks attempt to recover part of the secret key that was used. Apart from the most
obvious attack (that always can be performed) of searching for the key by brute force (exhaus-
tive key search), a powerful class of attacks can be described by the term divide and conquer.
The security of stream ciphers is thus always measured relative to the complexity of exhaustive
searching for the correct key. If the complexity of an attack is less than that of the exhaustive
search, the cipher is said to be broken. For a stream cipher in practical application, the ac-
tual security is often much more dependent on other parts of the system than the cipher, e.g.
protocols, users, key management/storage, implementation problems like software bugs, etc.
During off line analysis the cryptanalyst identifies some part of the key that has a direct and
immediate effect on some aspect or component of the generated keystream. By performing a
brute-force search over this smaller part of the secret key and observing how well the sequences
generated match the real keystream, the cryptanalyst can potentially deduce the correct value
for this smaller fraction of the secret key [Koç95]. This correlation between the keystream
produced after making some guess to part of the key and the intercepted keystream gives rise
to what are termed correlation attacks and later the more efficient fast correlation attacks.
Finally there are some implementation considerations. A synchronous stream cipher allows an
adversary to change bits in the plaintext without any error-propagation to the rest of the mes-
sage. If authentication of the message being encrypted is required, the use of a cryptographic
Message Authentication Code (MAC) might be advisable. Sometimes the synchronization be-
tween sender and receiver might be lost with a stream cipher and some method is required to
ensure the keystreams can be put back into step. One typical way of doing this is for the sender
of the message to intersperse synchronization markers into the transmission so only that part of
the transmission, which lies between synchronization markers, might be lost.
Stream ciphers seem to be inherently weaker than block ciphers. Attacks on block ciphers (e.g.
differential attacks) are also applicable to stream ciphers, but specific stream cipher attacks (e.g.
correlation attacks) are not applicable to block ciphers. It also seems that algebraic attacks and
generic time-memory trade-off attacks are more effective against stream ciphers. Ultimately
most stream ciphers will be replaced with block ciphers in most departments, except in some
applications where a software oriented scheme with a very high speed or a hardware oriented
scheme with a very small footprint is required.
5.2. Evaluation criteria
While analyzing and evaluating the security of stream ciphers, the following criteria should be
considered [Dasgupta05]:
Time complexity: The required number of operations that are needed to carry out the at-
tack. It is of less theoretical importance to specify the operations that are performed,
as long as they can be performed in polynomial time. The time complexity can be
split up into pre-computational complexity and active attack complexity. The pre-
computational part can be performed without the observed keystream and is often re-
quired to be performed only once. The result can be used for attacking the cipher with
different keys. The active attack part is the complexity of the operations needed to be
performed while observing the keystream.
The best known attack should not be faster than an exhaustive search on the secret key.
Data complexity: The amount of observed keystream data required for the attack to be
successful with a certain probability.
Memory complexity: The required amount of memory needed to perform the attack. If
the complete observed keystream needs to be available during the attack, the memory
complexity will be equal to the data complexity.
An attack that requires fewer resources than supposed at the design of the stream cipher
makes the stream cipher less recommendable.
Environment: The evaluation should occur in the stated environment, considering side
channel attacks (these attacks are based on information gained from the physical imple-
mentation rather than on a weakness in the algorithm).
Resistance: A stream cipher should be resistant to cryptanalytic attacks at the relevant
security level.
Different approaches for these cryptanalytic attacks should be considered:
Ciphertext only attack: This attack is the most powerful, since it only requires
passive eavesdropping on the ciphertext. The information known by the cryptan-
alyst is minimal, but may include information about the distribution of the plain-
text, e.g. the language of the encrypted plaintext.
Known Plaintext attack: For this attack it is assumed that the attacker already
knows a portion of the plaintext. The aim may be to recover the secret key of
the cipher or at least determine some unknown portion of the ciphertext.
Chosen Plaintext attack: This scenario gives the attacker the ability to encrypt a
chosen plaintext. This situation can occur if an encryption box with an unknown
secret key is available or when it is possible to send a chosen plaintext to the
owner of the secret key and then eavesdrop the transmission of the chosen text in
encrypted form.
Chosen Ciphertext attack: This attack is similar to the previous, but requires the
ability to choose the ciphertext for a decrypting device.
Adaptive chosen plaintext or ciphertext attack: This theoretically interesting sit-
uation assumes the ability of adaptive choice of encrypted text based on already
available results of encryption or decryption. This is only possible if the attacker
has a device with an unknown secret key.
Related keys: For this attack, the knowledge of a relation between keys in differ-
ent encryptions is assumed. This attack is combined with one of the scenarios
described above. Important flaws in the key scheduling algorithm of the cipher
may be discovered with this attack.
Partial knowledge of the key: In this scenario the attacker possesses partial knowledge
of the secret key. This can occur for example due to a flaw in the randomization
procedure which generates the encryption keys. In a good cipher, the
knowledge of a part of the key should not make finding the rest of the key easier.
Strength of Modified Primitives: This technique assesses the strength of a stream
cipher by examining the strength of a modified one, by changing or removing a
component. Conclusions about the original stream cipher based on assessment of
the modified one have to be carefully considered as the influence may or may not
be straightforward.
While analyzing and evaluating the security of stream ciphers, it is customary to consider
known plaintext attacks. This is based on the famous principle of Kerckhoffs, discussed in
Section 3.4.2.
5.3. Attacks
Different types of attacks on stream ciphers exist. In this section we will provide a basic
overview of the best-known attacks and the weakness they are building upon.
5.3.1. Brute-force attack
For the brute-force attack, or exhaustive key search attack, we consider a nonlinear combination
generator with k bits of key, where the length of the LFSR is k bits. The key initialization is
simply done by loading the LFSR with the key bits. The attack is performed by storing the
first $2k$ bits of the observed keystream. We then load each possible key into the cipher,
clock it $2k$ times and compare the output of each run with the stored sequence. When we find a
match, we have identified the correct key. We see that the time complexity is $O(k \cdot 2^k)$, the data
complexity is $O(k)$ and the memory complexity is $O(k)$.
5.3.2. Trade-off attacks
In this type of attacks, the time taken to find the secret key is reduced at the expense of the
memory required to mount the attack. The attack has a pre-processing phase and a real-time
(active) processing phase. Within the pre-processing phase, the cryptanalyst explores the algo-
rithm and stores pre-computed data in a table. During the real-time or active phase, the actual
data, based on an unknown key, is provided and the pre-computed tables are to be used to find
the key as quickly as possible.
For many ciphers we can do a trade-off for the time, memory, and data complexity in the case
of an exhaustive key search.
Consider again the attack on a nonlinear combination generator of Section 5.3.1, but now we
start with a pre-computation of the generated sequences for $2^{k/2}$ randomly selected keys. We
store the first $2k$ bits of output for each chosen key together with the key used. In the active
phase we observe $2^{k/2}$ bits of keystream material, generated with the unknown key. Now, scanning
the observed sequence, for each position we try to match the next $2k$ bits with the
sequences we have pre-computed. When we find a match we can directly get the state of the
LFSR that generated the subsequence. Reversing the LFSR to the initial state, we have now
found the correct key. This approach has time complexity $O(2^{k/2})$ for scanning the observed
sequence and matching subsequences to our pre-computed database. The memory complexity
is $O(k \cdot 2^{k/2})$ for storing the pre-computed sequences and the respective key, and finally the data
complexity is $O(2^{k/2})$.
This trade-off between time, memory and data complexities is not only limited to an exhaus-
tive key search, but could also be employed in other attack scenarios as well, using the same
basic ideas. The trade-off is based on the well known birthday paradox, which implies that two
random subsets of a space with N points are likely to intersect when the product of their sizes
exceeds N .
To protect the stream cipher against a trade-off attack, the state space of the cipher must be at
least twice the size of the key space. In the context of stream ciphers, this usually means that
the combined lengths of the LFSRs in the cipher must be twice as large as the key size and
during the initialization of the cipher, the key material must be spread into the state space in a
random fashion.
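Sections 5.3.1 and 5.3.2 on a toy generator, as an added example (not from the thesis): the key is loaded directly as the state of a 16-bit LFSR whose feedback polynomial 1 + X^2 + X^3 + X^5 + X^16 is an assumption, the nonlinear combiner of the text is left out, and the table and the observed keystream are four times the 2^{k/2} of the text so that a birthday match is practically certain. It also makes the protection rule above concrete: here the state is no larger than the key, so one matched window clocked back to time 0 is the key.

```python
import random

K = 16                                     # key length k = LFSR length n; toy size for the demo
# c_1..c_16 of the assumed feedback polynomial P(X) = 1 + X^2 + X^3 + X^5 + X^16
TAPS = tuple(1 if i in (2, 3, 5, 16) else 0 for i in range(1, K + 1))


def step(s):
    """One clock of the LFSR of Definition 13; s is the state tuple (s^0, ..., s^{n-1})."""
    feedback = 0
    for i in range(1, K + 1):
        feedback ^= TAPS[i - 1] & s[K - i]
    return s[1:] + (feedback,)


def step_back(s):
    """Inverse clock, possible because c_n = 1: the previous s^0 is the only unknown bit of
    the feedback equation, all other terms are still present in the current state."""
    prev0 = s[K - 1]
    for i in range(1, K):
        prev0 ^= TAPS[i - 1] & s[K - 1 - i]
    return (prev0,) + s[:-1]


def keystream(key, length):
    """Toy cipher of Section 5.3.1: the k key bits are the initial state, the output is the keystream."""
    s, out = tuple(key), []
    for _ in range(length):
        out.append(s[0])
        s = step(s)
    return out


def brute_force(observed):
    """Exhaustive key search of Section 5.3.1: O(k 2^k) time, 2k observed bits. Given for
    reference only; it is far too slow in Python to run in the demo below."""
    target = observed[:2 * K]
    for v in range(1, 2 ** K):
        key = tuple((v >> i) & 1 for i in range(K))
        if keystream(key, 2 * K) == target:
            return key
    return None


def precompute(rng, entries):
    """Pre-processing phase: the first 2k output bits of `entries` random keys, keyed by output."""
    table = {}
    for _ in range(entries):
        key = tuple(rng.randrange(2) for _ in range(K))
        table[tuple(keystream(key, 2 * K))] = key
    return table


def tradeoff_attack(observed, table):
    """Active phase: slide a 2k-bit window over the observed keystream; a window found in the
    table is the register state at that position, which is clocked back to time 0 (the key)."""
    for j in range(len(observed) - 2 * K + 1):
        hit = table.get(tuple(observed[j:j + 2 * K]))
        if hit is not None:
            state = hit
            for _ in range(j):
                state = step_back(state)
            return state
    return None


def demo(seed=2005, factor=4):
    """Constructed, reproducible run: returns (recovered key, secret key)."""
    rng = random.Random(seed)
    secret = (1,) + tuple(rng.randrange(2) for _ in range(K - 1))   # non-zero secret key
    entries = factor * 2 ** (K // 2)                                 # 1024 table entries
    table = precompute(rng, entries)
    observed = keystream(secret, entries)                            # 1024 observed bits
    return tradeoff_attack(observed, table), secret


if __name__ == "__main__":
    recovered, secret = demo()
    print("recovered key equals the secret key:", recovered == secret)   # True
```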
5.3.3. Guess-and-determine attacks
In this attack we start by guessing some internal variables of the cipher (e.g. a part of the LFSR)
and then try to determine the other variables based on the observed keystream and the evolution
of the cipher in time. If our guess is correct, we can confirm it by running the cipher for some
time and match the output from our trial generator with the observed sequence. If our guess is
false, we simply make a new guess and start over again. The time complexity of such an attack
is $O(2^b)$, where $b$ is the number of bits we have to guess, since in the worst case we have to
try all possible combinations of the guessed bits. The difficult part of this attack is to discover
which part of the state space should be guessed in order to obtain the rest.
5.3.4. Correlation attacks or Siegenthaler’s attack
A correlation attack is a widely applicable type of attack which might be used with success
on generators which attempt to combine the output from several (cryptographically weak)
keystream generators.
Siegenthaler introduced the correlation attack in [Siegenthaler84] and [Siegenthaler85].
A correlation attack exploits the weakness in some combining function which allows informa-
tion about individual input sequences to be observed in the output sequence. In such a case,
there is a correlation between the output sequence and one of the (internal) input sequences.
This correlation can be used to extract information about the correlated input sequences. In the
simplest case, a correlation means that the output is equal to one of the input variables with a
probability not equal to 0.5. Siegenthaler showed in his paper [Siegenthaler84] that a smaller
linear complexity of the output sequence means greater correlation immunity.
As a protection against these correlation attacks, Rueppel introduced in [Rueppel86] the idea of a combining function with memory, which makes it possible to attain maximum-order correlation immunity and maximum linear complexity simultaneously, thereby decoupling the notions of correlation immunity and linear complexity.
5.3.5. Fast Correlation attack
Meier and Staffelbach refined the correlation attack in [Meier89] and [Meier94]. This new
model (see Figure 5.1) is known as a fast correlation attack. The fast correlation attack is based
on using certain parity check equations created from the feedback polynomial of the LFSR.
FIGURE 5.1. Meier and Staffelbach’s fast correlation attack model
The attack assumes that there is a correlation between one of the shift registers of the generator and the output keystream $z_t$: $P(s^1_t = z_t) = p = \frac{1}{2} + \varepsilon$, $t \geq 0$. Meier and Staffelbach saw this as if the sequence from LFSR1 was transmitted over a Binary Symmetric Channel (BSC)¹ with crossover probability $1 - p$, i.e. the BSC transmits the symbol correctly with probability $p$. The combined effect of the other shift registers and the nonlinear combiner is modeled as the BSC. Since the feedback polynomial of LFSR1 is linear, the bits $s_t$ for different $t$ must satisfy a number of linear equations, determined by how many taps the feedback polynomial has and where the taps are located. If the correlation between $s_t$ and $z_t$ is high enough, most of the corresponding symbols in the keystream $z_t$ must also fulfill these linear equations. So, by attempting to slightly modify the sequence $z_t$ to compensate for possible crossovers in the BSC model, Meier and Staffelbach showed that the sequence $s = s^1_0, s^1_1, \dots, s^1_N$ can be recovered, and thus the initial state of the shift register.

¹ A Binary Symmetric Channel (BSC) is an idealized model of a binary communication channel. Within a BSC, the probability of a 1 becoming a 0 is assumed to be the same as the probability of a 0 becoming a 1 (symmetric). This assumption makes analysis much easier, but is often not valid in practical situations (e.g. pulses). [Wikipedia05]
The drawback of this algorithm is that it is only successful if the feedback polynomial has very few terms, which corresponds to an LFSR with few taps.
The idea of a communication channel was reconsidered by Johansson and Jönsson in [Johansson00], where they identified an embedded convolutional code² in the sequences and could apply standard decoding techniques, e.g. the Viterbi algorithm³, to recover the initial state even if the correlation probability was very close to 0.5. Typically, a shift register of length 40 with a correlation probability of 0.45 can be attacked with modest computational effort. This algorithm is independent of the number of taps of the feedback polynomial.
5.3.6. Divide and Conquer attack
In a Divide and Conquer attack, a part of the key is guessed and this constraint on the keystream
may make it possible to determine the rest of the key faster. This attack is mostly combined
with a correlation attack to determine the rest of the key.
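To make Sections 5.3.3 to 5.3.6 concrete, here is an added example that is not part of the thesis: a toy Geffe-style combiner of three short LFSRs (register lengths, taps and initial states are constructed for the example and have nothing to do with E0) whose output agrees with LFSR1 and with LFSR3 in 3/4 of the positions, i.e. p = 1/2 + ε with ε = 1/4. Siegenthaler's attack recovers each correlated register on its own by exhaustive search over that register's states (divide and conquer), and the remaining, uncorrelated register is then found by guess-and-determine with an exact keystream match, so 31 + 63 + 127 trials replace 31 · 63 · 127. The helper names (lfsr_bits, geffe_keystream, correlation_recover, attack) are this example's own.

```python
"""Toy correlation / divide-and-conquer attack on a Geffe-style combiner.
Constructed example: three short LFSRs and the combiner z = x2 ? x1 : x3.
Nothing here is E0; the registers and taps are chosen for illustration."""
from itertools import product

# (register length, feedback taps).  With characteristic polynomial
# x^L + x^k + 1 the recurrence is s[t+L] = s[t] ^ s[t+k], so taps = (0, k).
# x^5+x^2+1, x^7+x+1 and x^6+x+1 are primitive, so every nonzero state
# yields a maximal-length sequence.
LFSR1 = (5, (0, 2))
LFSR2 = (7, (0, 1))
LFSR3 = (6, (0, 1))

def lfsr_bits(state, taps, n):
    """Fibonacci LFSR: output state[0], shift, feed in the XOR of the tapped cells."""
    s = list(state)
    out = []
    for _ in range(n):
        out.append(s[0])
        fb = 0
        for t in taps:
            fb ^= s[t]
        s = s[1:] + [fb]
    return out

def geffe_keystream(st1, st2, st3, n):
    """Combiner: x2 selects x1 or x3, so z agrees with x1 (and with x3) with
    probability 3/4, i.e. p = 1/2 + epsilon with epsilon = 1/4."""
    x1 = lfsr_bits(st1, LFSR1[1], n)
    x2 = lfsr_bits(st2, LFSR2[1], n)
    x3 = lfsr_bits(st3, LFSR3[1], n)
    return [a if b else c for a, b, c in zip(x1, x2, x3)]

def nonzero_states(length):
    for st in product((0, 1), repeat=length):
        if any(st):
            yield st

def correlation_recover(z, length, taps):
    """Siegenthaler's attack on one register: try every initial state and keep
    the one whose output agrees with z most often (about 3N/4 for the true
    state, about N/2 for any other).  Returns (state, agreement count)."""
    best, best_score = None, -1
    for st in nonzero_states(length):
        score = sum(a == b for a, b in zip(lfsr_bits(st, taps, len(z)), z))
        if score > best_score:
            best, best_score = st, score
    return best, best_score

def guess_and_determine_lfsr2(z, st1, st3):
    """With LFSR1 and LFSR3 fixed, guess the uncorrelated LFSR2 and confirm the
    guess by an exact match of the regenerated keystream."""
    for st2 in nonzero_states(LFSR2[0]):
        if geffe_keystream(st1, st2, st3, len(z)) == z:
            return st2
    return None

def attack(z):
    """Divide and conquer: 31 + 63 + 127 trials instead of 31 * 63 * 127."""
    st1, _ = correlation_recover(z, *LFSR1)
    st3, _ = correlation_recover(z, *LFSR3)
    st2 = guess_and_determine_lfsr2(z, st1, st3)
    return st1, st2, st3

# constructed secret initial states of the three registers
TRUE_KEY = ((1, 0, 1, 1, 0), (0, 1, 1, 0, 1, 0, 1), (1, 1, 0, 1, 0, 0))

if __name__ == "__main__":
    z = geffe_keystream(*TRUE_KEY, 300)
    print("recovered:", attack(z) == TRUE_KEY)
```

With 300 keystream bits the true LFSR1 state scores about 225 agreements against about 150 for any wrong state, which is what makes the register identifiable on its own; a combiner with memory of the kind Rueppel proposed is designed precisely to deny such a single-register correlation.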
5.3.7. Algebraic attacks or Linearisation attack
Algebraic attacks are based on a technique called relinearisation, introduced by Kipnis and Shamir in [Kipnis99]. In most cases, the generated keystream can be described by a complex system of multivariate polynomial equations with the key bits as the indeterminates.
² Essentially, a convolutional code is a linear system defined over a finite field.
³ The Viterbi algorithm, named after its developer Andrew Viterbi, is a dynamic programming algorithm for finding the most likely sequence of hidden states – known as the Viterbi path – that results in a sequence of observed events, especially in the context of hidden Markov models.
The general idea behind algebraic attacks is to form (non-linear) equations in the observable keystream bits z_t for all clock ticks t, with the initial secret key bits of the LFSRs as unknowns. The pre-computation of these equations needs to be performed only once; the attacker can reuse the same equations to attack different keystreams. Once the equations are set up, the attacker observes the keystream and substitutes the observed keystream bits into the algebraic equations. Now the equations depend only on the initial secret LFSR key bits, and they have to be solved to determine the LFSRs' initialization keys. This is possible if sufficient equations can be constructed from the observed keystream and the equations are of low degree in the bits of the initialization keys.
To solve a system of nonlinear equations, we have to linearise the equations. This can be done by assigning a new unknown variable to each monomial term that appears in the system. If the same monomial appears in another equation, it is assigned the same variable. This results in a system of linear equations with a large number of unknown variables.
A straightforward example of a linearisation process, writing a for x, b for y and c for the monomial xy:

    x + y = 1          a + b = 1
    x + xy = 0    →    a + c = 0
    xy = 0             c = 0

The left system has the solution x = 0, y = 1; the linearised system on the right has the solution a = 0, b = 1, c = 0.
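The linearisation step above, carried out in code (an added example, not from the thesis): each distinct monomial becomes one column of a linear system over GF(2), which is then solved by Gauss-Jordan elimination. The function names are this example's own. It also adds the check a practitioner needs afterwards: the linear solution must still satisfy the monomial relations it came from (here c = xy), and a system with fewer independent equations than monomials is reported as unsolved rather than guessed.

```python
"""Linearisation of a multivariate system over GF(2), as in Section 5.3.7.
Constructed example: monomials become fresh unknowns, then Gauss-Jordan."""

def linearise(equations):
    """equations: list of (monomials, rhs); monomials is a set of frozensets of
    variable names, rhs is 0 or 1, meaning 'sum of monomials = rhs (mod 2)'.
    Returns (monomial -> column index, list of (row, rhs))."""
    columns = {}
    for monomials, _ in equations:
        for m in sorted(monomials, key=lambda m: (len(m), sorted(m))):
            columns.setdefault(m, len(columns))   # same monomial -> same variable
    rows = []
    for monomials, rhs in equations:
        row = [0] * len(columns)
        for m in monomials:
            row[columns[m]] ^= 1
        rows.append((row, rhs))
    return columns, rows

def solve_gf2(rows, ncols):
    """Gauss-Jordan elimination over GF(2).  Returns the solution vector, or None
    if the system is inconsistent or has fewer independent equations than unknowns."""
    rows = [(r[:], b) for r, b in rows]
    pivots, rank = [], 0
    for col in range(ncols):
        sel = next((i for i in range(rank, len(rows)) if rows[i][0][col]), None)
        if sel is None:
            continue
        rows[rank], rows[sel] = rows[sel], rows[rank]
        prow, pb = rows[rank]
        for i, (r, b) in enumerate(rows):
            if i != rank and r[col]:
                rows[i] = ([x ^ y for x, y in zip(r, prow)], b ^ pb)
        pivots.append(col)
        rank += 1
    if any(b and not any(r) for r, b in rows[rank:]):
        return None          # a row reads 0 = 1: inconsistent
    if rank < ncols:
        return None          # underdetermined: more keystream equations needed
    sol = [0] * ncols
    for i, col in enumerate(pivots):
        sol[col] = rows[i][1]
    return sol

def solve_by_linearisation(equations):
    """Solve the linearised system, then reject solutions that violate the
    monomial relations linearisation forgot (e.g. c must equal a*b)."""
    columns, rows = linearise(equations)
    sol = solve_gf2(rows, len(columns))
    if sol is None:
        return None
    values = {m: sol[i] for m, i in columns.items()}
    for m, v in values.items():
        singles = [frozenset([x]) for x in m]
        if len(m) > 1 and all(s in values for s in singles):
            if all(values[s] for s in singles) != bool(v):
                return None  # spurious linear solution
    return values

# the thesis example: x + y = 1, x + xy = 0, xy = 0
X, Y, XY = frozenset("x"), frozenset("y"), frozenset("xy")
THESIS_SYSTEM = [({X, Y}, 1), ({X, XY}, 0), ({XY}, 0)]

if __name__ == "__main__":
    print(solve_by_linearisation(THESIS_SYSTEM))
```

For a real keystream the number of monomials grows quickly with the degree, which is why the number of required keystream bits in Section 5.3.7 is tied to the degree of the equations and why the fast algebraic attacks of Section 5.3.8 try to lower that degree first.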
5.3.8. Fast Algebraic attacks
Since the complexity of the algebraic attacks from Section 5.3.7 is exponential in the degree of the equations, a way of reducing the degree of the equations was needed. Courtois [Courtois03a] introduced a method to achieve this in his Fast Algebraic attacks. His method requires an additional pre-computation step to determine a linear combination of equations in the initial system of the algebraic attack. This linear combination can cancel out terms of high degree, making it easier to solve the system of equations. His approach is based on the fact that we can multiply the multivariate polynomial by another multivariate polynomial such that the product is of a lower degree in the initial state bit variables.
Courtois proposes to use the Berlekamp-Massey algorithm (see Section 3.4.5) to determine the linear combination for the pre-computation step. The algorithm finds the minimal polynomial of a linear recurrent sequence.
5.3.9. Side Channel attacks
Side channel attacks [Quisquarter02] target a particular implementation of an algorithm instead of attacking the keystream generator algorithm directly. These attacks use information leakage from channels other than the ciphertext or keystream output.
An example of such a side channel attack is power analysis. The general idea of this attack is to measure the power consumption of a cryptographic system; electromagnetic emissions can be used as well. This kind of attack has been shown to be surprisingly efficient. Kocher, Jaffe and Jun presented a paper on differential power analysis of DES [Kocher99]. Certain implementations of DES revealed the structure of the cipher in their power usage, and small portions of the key could be guessed and verified independently.
Another example of such a side channel attack is the timing attack. The attacker measures the execution time or delay of various steps in the algorithm. This can reveal information about the secret key bits if they are evaluated in branches with different execution times. This attack can also be applied to clock-controlled generators, which output keystream bits at irregular intervals. By measuring these intervals, the attacker can obtain information on the clocking sequence. Such weaknesses can be prevented by buffering the output.
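The branching leak described above, as an added example that is not from the thesis: a comparison that returns at the first mismatching byte performs a number of operations that depends on the secret, while the constant-time variant does the same work whatever the input. Operation counts stand in for wall-clock time so that the effect is deterministic; the secret and the guesses are constructed, and all names are this example's own.

```python
"""Secret-dependent branching as a timing side channel (constructed example).
Operation counts stand in for execution time so the leak is visible offline."""

def early_exit_compare(secret, guess):
    """Returns (equal, operations).  Stops at the first mismatching byte, so the
    operation count reveals how long the matching prefix of the guess is."""
    ops = 0
    if len(secret) != len(guess):
        return False, ops
    for a, b in zip(secret, guess):
        ops += 1
        if a != b:          # branch on secret data: the leak
            return False, ops
    return True, ops

def constant_time_compare(secret, guess):
    """Accumulates the differences with XOR/OR and never branches on the data,
    so the operation count depends only on the length (the idea behind
    hmac.compare_digest)."""
    ops = 0
    if len(secret) != len(guess):
        return False, ops
    diff = 0
    for a, b in zip(secret, guess):
        ops += 1
        diff |= a ^ b
    return diff == 0, ops

def leak_profile(compare, secret, guesses):
    """Operation count per guess; a profile that varies with the guess is a leak."""
    return [compare(secret, g)[1] for g in guesses]

SECRET = b"s3cr3t!!"                                           # constructed
GUESSES = [b"xxxxxxxx", b"s3xxxxxx", b"s3cr3xxx", b"s3cr3t!!"]  # constructed

if __name__ == "__main__":
    print("early exit :", leak_profile(early_exit_compare, SECRET, GUESSES))
    print("constant   :", leak_profile(constant_time_compare, SECRET, GUESSES))
```

The same reasoning the text gives for buffering the output of clock-controlled generators applies here: what has to be removed is every observable quantity that varies with the secret, not only the branch itself.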
Electromagnetic radiation can be used to attack a system with electromagnetic leakage side channel attacks. The quality of the antennas and the frequency stability of local oscillators are important for good results. The presence of electromagnetic radiation is often enough to provide useful information to an attacker. Some systems create a false magnetic field around them in order to mask their presence or radiation. However, by repeating the measurements, it is still possible to remove the noise and obtain a high signal-to-noise ratio.
The work of M. Kuhn [Kuhn98] indicates that it is also possible to extract useful information
from the light emitted by screens. He was able to reconstruct a video image starting from the
luminosity of a distant screen.
CHAPTER 6
Block Ciphers
6.1. Introduction
Block ciphers are symmetric cryptographic mechanisms that transform a fixed-length amount of plaintext data (a block) into a block of ciphertext using a key, one block at a time. The decryption algorithm uses the inverse transformation with the same key, so the key is a secret key that must be protected and secured. The distinction between stream ciphers and block ciphers is not very clear: if a block cipher is used in cipher block chaining (CBC) mode, we can consider this as a stream cipher which operates on large symbols of the size of one block. To encrypt messages longer than the block size, a mode of operation is used; these will be discussed in Section 6.3, but we will first introduce the history of block ciphers.
6.2. History
Based on the work of Horst Feistel [Feistel73], the first block cipher Lucifer was developed at
IBM in the 1970s. The US National Bureau of Standards (NBS) adopted a revised version of
the algorithm as the Data Encryption Standard (DES) after a public invitation for submissions.
DES was publicly released in 1976 and has been widely used. DES was specifically designed
to resist differential cryptanalysis, a general attack against block ciphers. DES prompted a large
amount of other work and publications in cryptography and cryptanalysis in the open commu-
nity and it inspired many new cipher designs. A variant of DES, 3DES, triple-encrypts blocks
with (usually) two different keys. It was widely adopted as a replacement and is still considered
secure. DES has been superseded as a Federal Standard by the Advanced Encryption Standard
(AES), adopted by National Institute of Standards and Technology (NIST) in 2001 after a 5-
year public competition. The AES cipher was developed by two Belgian cryptographers, Joan
Daemen and Vincent Rijmen, and submitted under the name Rijndael.
Until the mid-90s, all block ciphers in use were based on the Feistel structure. Later, Substitution-Permutation Networks (SPNs) were used to design new block ciphers. Together with the "wide trail design strategy" [Rijmen01] used to design Rijndael, block ciphers gained valuable properties, and bounds on their resistance against linear and differential attacks were proved.
Whereas stream ciphers work in a particular mode of operation, block ciphers are just building blocks from which modes of operation are constructed. The next section will cover some of the different block cipher modes.
6.3. Mode of Operation
We will give a short overview of the different types of block cipher modes of operation:
• Iterative Block Cipher
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter mode (CTR).
6.3.1. Iterative Block Cipher
Iterated block ciphers use several rounds to encrypt the plaintext. A set of subkeys is derived
from the original secret key and for each round, the same round function or transformation is
applied to the block of plaintext data using a subkey. Depending on the required security level,
the number of iterations can be adapted. The strength will improve by increasing the number
of rounds, but this will have a trade-off on the time performance.
The original block cipher algorithms of Feistel and DES were a special class of iterative block
ciphers.
6.3.2. Electronic Codebook (ECB)
In the Electronic Codebook mode, each plaintext block is encrypted independently with the block cipher. The data can thus be encrypted in parallel, which makes the Electronic Codebook mode faster than the iterative block cipher. But since each identical block of plaintext gives an identical block of ciphertext, the plaintext can be easily manipulated by removing, repeating or interchanging blocks.
6.3.3. Cipher Block Chaining (CBC)
The Cipher Block Chaining mode uses an initialization vector c_0 as a "seed" for the process. It starts by XORing this random value with the first plaintext block. The encrypted result becomes the first block of ciphertext. That ciphertext block is then XORed with the next plaintext block. This process continues, so each plaintext block is XORed with the previous ciphertext block and then encrypted. The advantage is that everything is concealed in the chaining process: any single ciphertext block gives no indication of what the other blocks are. Manipulation of the plaintext is only possible in the first part of the ciphertext. The random value does not have to be encrypted and can be transmitted with the ciphertext.
6.3.4. Cipher Feedback (CFB)
The Cipher Feedback mode is similar to the Cipher Block Chaining mode, but instead of encrypting the XORed blocks, the previous ciphertext block is encrypted and the result is XORed with the plaintext block. Again, the initialization vector c_0 is used as a seed for the process. In this mode it is not the first block that can be attacked, as in CBC, but the last block. By removing blocks from the beginning or the end of the ciphertext, the resulting plaintext can be manipulated.
6.3.5. Output Feedback (OFB)
Output Feedback mode is similar to Cipher Feedback mode, except that the quantity XORed with each plaintext block depends on a sequence of data blocks s_i, derived from the encryption of the previous data block s_{i-1}. Again, an initialization vector s_0 is used as the seed. This mode
has the advantage over CFB that transmission errors are not propagated in subsequent blocks
during decryption. But this mode makes it possible to easily manipulate the sent plaintext when
the original plaintext is known. If the observed ciphertext block is XORed with the plaintext
block known by the attacker, that result can be used to XOR a new plaintext and send it as
ciphertext without obstructing the decryption for the intended receiver.
Although in this mode the process cannot be parallelized, time can be saved by generating the
key stream before the actual encryption.
6.3.6. Counter mode (CTR)
This mode has been proposed by Diffie to resolve the shortcomings of the OFB mode. Instead of deriving one data block as the encryption of the previous data block, Diffie proposed encrypting the quantity i + IV mod 2^64 for the i-th data block, where IV is some initialization vector.
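The five modes of Section 6.3 implemented over a toy 64-bit block cipher (an added example, not from the thesis): the cipher is a 4-round Feistel network with SHA-256 as round function, constructed only so that the chaining can be shown with the standard library; it is not a secure cipher. Names, keys and constants are this example's own. The example also carries out the Section 6.3.5 observation that OFB keystream recovered from one known plaintext/ciphertext pair encrypts any other plaintext of that length, which is the reason OFB and CTR traffic needs a separate integrity check (a MAC).

```python
"""Block cipher modes of operation over a toy 64-bit block cipher.
Constructed example: the cipher is a 4-round Feistel network with SHA-256 as
round function; it is NOT a secure cipher and only serves to show the modes."""
import hashlib

BLOCK = 8  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half, key, rnd):
    """Toy round function: 4 bytes of SHA-256(key || round number || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(r, key, rnd))
    return l + r

def decrypt_block(key, block):
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):      # undo the rounds in reverse order
        l, r = _xor(r, _f(l, key, rnd)), l
    return l + r

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("ECB, CBC and CFB need whole blocks; pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    """Each block on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))

def cbc_encrypt(key, c0, pt):
    prev, out = c0, []
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))   # c_i = E(p_i XOR c_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, c0, ct):
    prev, out = c0, []
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key, c0, pt):
    prev, out = c0, []
    for p in _blocks(pt):
        prev = _xor(encrypt_block(key, prev), p)   # c_i = E(c_{i-1}) XOR p_i
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, c0, ct):
    prev, out = c0, []
    for c in _blocks(ct):
        out.append(_xor(encrypt_block(key, prev), c))  # only E() is needed
        prev = c
    return b"".join(out)

def ofb_keystream(key, s0, n):
    """s_i = E(s_{i-1}): independent of the data, so it can be generated in advance."""
    s, out = s0, b""
    while len(out) < n:
        s = encrypt_block(key, s)
        out += s
    return out[:n]

def ctr_keystream(key, iv, n):
    """Counter mode as Diffie proposed: block i is E((IV + i) mod 2^64)."""
    out, i = b"", 0
    while len(out) < n:
        ctr = (int.from_bytes(iv, "big") + i) % 2**64
        out += encrypt_block(key, ctr.to_bytes(BLOCK, "big"))
        i += 1
    return out[:n]

def stream_xor(keystream_fn, key, iv, data):
    """OFB and CTR: encryption and decryption are the same XOR with the keystream."""
    return _xor(keystream_fn(key, iv, len(data)), data)

def ofb_malleability_check(key, s0, known_pt, known_ct, wanted_pt):
    """Section 6.3.5: XORing a known plaintext with its ciphertext yields the keystream,
    which then encrypts any plaintext of that length without the key.  Returns True when
    the forged ciphertext decrypts to wanted_pt, which is why OFB and CTR traffic needs
    a message authentication code on top."""
    keystream = _xor(known_ct, known_pt)
    forged = _xor(keystream, wanted_pt)
    return stream_xor(ofb_keystream, key, s0, forged) == wanted_pt
```

CFB decryption only ever calls the forward block function, which is why the mode (like OFB and CTR) can be built from a block cipher whose inverse is never implemented; CBC is the only mode here that needs decrypt_block.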
6.4. Advantages
Block cipher algorithms are very simple to implement. They also have the advantage that it is not difficult to encrypt or decrypt the message, since the same key is used for both. Although block ciphers cannot operate as fast as stream ciphers, their convenience, ease of use and relatively secure algorithms make block ciphers a good choice for many communication security tasks.
CHAPTER 7
Bluetooth Security overview
The security architecture of Bluetooth is designed to provide built-in security features for all types of security-demanding cases. The baseband defines the security algorithms and procedures needed to authenticate devices and, if needed, to encrypt the data flowing on the link between them. The baseband part of the specification includes algorithms for the generation of authentication and encryption keys and the operations for verifying the authenticity of a device.
Bluetooth has three different modes of security. Each Bluetooth device can operate in one mode
only at a particular time. The three modes are the following:
• Security mode 1: Non-secure mode.
• Security mode 2: Service-level enforced security mode.
• Security mode 3: Link-level enforced security mode.
7.1. Security mode 1: non-secure mode
In the non-secure mode, a device will not initiate any security procedures. In this mode, the
security functionality (authentication and confidentiality) is completely bypassed. In effect,
the Bluetooth mode 1 is an "open" mode that allows other Bluetooth devices to connect to it
without applying any security mechanisms. This mode is provided for applications for which
security is not required, such as exchanging business cards.
7.2. Security mode 2: Service-level enforced security mode
In the service-level enforced security mode, security procedures are initiated after channel es-
tablishment at the Logical Link Control and Adaptation Protocol (L2CAP) level (see Section
2.5). L2CAP resides in the data link layer and provides connection-oriented and connection-
less data services to upper layers. For this security mode, a security manager (as specified in
the Bluetooth architecture) controls access to services and to devices. The centralized security
manager maintains policies for access control and interfaces with other protocols and device
users. Varying security policies and "trust" levels to restrict access may be defined for appli-
cations with different security requirements operating in parallel. Therefore, it is possible to
grant access to some services without providing access to other services. Obviously, in this
mode, the notion of authorization – that is the process of deciding if device A is allowed to
have access to service X – is introduced.
7.3. Security mode 3: Link-level enforced security mode
In the link-level enforced security mode, a Bluetooth device initiates security procedures before
the channel is established. This is a built-in security mechanism, and it is not aware of any
application layer security that may exist. This mode supports authentication and confidentiality.
These features are based on a secret link key that is shared by a pair of devices. To generate
this key, a pairing procedure is used when the two devices communicate for the first time.
7.4. Link-level security
A number of different key types are used in the security provided by the Bluetooth system.
Symmetric-key cryptographic mechanisms are used for authentication, key generation and link
encryption. A link is a communication channel established between two Bluetooth devices.
The PIN entry, device association and key derivation are depicted conceptually in Figure 7.1.
FIGURE 7.1. Bluetooth Key Generation from PIN [Karygiannis02a]
7.4.1. Pairing
The pairing process requires a PIN code to be entered into both Bluetooth devices. The Bluetooth system allows this PIN code to be 128 bits long. Such a large code would be rather user-unfriendly for manual input. However, this feature makes it possible to use a higher-level automated key agreement scheme which feeds the agreed PIN code into the pairing procedure. For some (mostly small) devices, the PIN may be a fixed key that cannot be changed. These devices come with a factory-preset PIN code when delivered to the customer. The fixed PIN code is used when there is no user interface to input a value into the Bluetooth device. In such cases, the fixed PIN must be entered into the peer device. Consequently, it is impossible to pair two devices that both have a fixed PIN, which means they can never communicate with each other. Examples of such devices with a fixed PIN code are mice and headsets. On some devices with a fixed PIN code it is still possible to change this code in some way: a wired connection could be used, or it may be allowed to change the PIN code over Bluetooth using an already paired device and a secure connection.
A number of keys are used within the pairing process, they are reviewed in depth in Chapter 9.
7.4.2. Authentication
The Bluetooth authentication procedure is in the form of a "challenge-response" scheme. Two
devices interacting in an authentication procedure are referred to as the claimant and the veri-
fier. The verifier is the Bluetooth device validating the identity of another device. The claimant
is the device attempting to prove its identity. The challenge-response protocol validates devices
by verifying the knowledge of a secret key (a Bluetooth link key). The authentication proce-
dure is only one way, so the procedure must be repeated with switched roles for the verifier and
claimant to achieve mutual authentication.
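The challenge-response exchange described above, written out for both roles as an added example that is not from the thesis. HMAC-SHA256 stands in for the specification's E1 function, which the real system computes differently; this is an assumption of the example only. The 32-bit response (SRES in the specification) is checked by the verifier, and the second output, the 96-bit ACO that Section 7.4.3 names, is kept on both sides. The verifier also applies the exponentially growing time-out between repeated attempts that Section 7.5 says the specification requires. Class and function names, addresses and keys are this example's own.

```python
"""Bluetooth-style challenge-response link authentication (constructed example).
HMAC-SHA256 stands in for the specification's E1 function, which is NOT HMAC."""
import hashlib
import hmac
import os

def e1_stand_in(link_key, claimant_addr, au_rand):
    """Returns (SRES, ACO): a 32-bit response and a 96-bit Authenticated Cipher
    Offset, both derived from the shared link key, the claimant's BD_ADDR and
    the challenge.  Assumption: a keyed hash replaces the real E1 here."""
    mac = hmac.new(link_key, claimant_addr + au_rand, hashlib.sha256).digest()
    return mac[:4], mac[4:16]

class Device:
    def __init__(self, bd_addr, link_key):
        self.bd_addr = bd_addr      # 48-bit device address
        self.link_key = link_key    # 128-bit shared secret created by pairing
        self.aco = None             # set on both sides by a successful run
        self.failures = 0           # consecutive failed claims seen as verifier

    # --- verifier role ---
    def challenge(self):
        return os.urandom(16)       # AU_RAND: fresh for every run, never reused

    def retry_delay(self):
        """Seconds the verifier waits before accepting the next attempt: doubles
        with every consecutive failure, as the specification requires."""
        return 0 if self.failures == 0 else 2 ** (self.failures - 1)

    def verify(self, claimant_addr, au_rand, sres):
        expected, aco = e1_stand_in(self.link_key, claimant_addr, au_rand)
        if hmac.compare_digest(expected, sres):   # constant-time comparison
            self.failures, self.aco = 0, aco
            return True
        self.failures += 1
        return False

    # --- claimant role ---
    def respond(self, au_rand):
        sres, self.aco = e1_stand_in(self.link_key, self.bd_addr, au_rand)
        return sres

def authenticate(verifier, claimant):
    """One-way run: verifier sends AU_RAND, claimant answers with SRES."""
    au_rand = verifier.challenge()
    return verifier.verify(claimant.bd_addr, au_rand, claimant.respond(au_rand))

def mutual_authenticate(a, b):
    """Authentication is one-way, so the roles are swapped for a second run."""
    return authenticate(a, b) and authenticate(b, a)

if __name__ == "__main__":
    key = bytes(range(16))                                     # constructed
    a = Device(b"\x00\x11\x22\x33\x44\x55", key)               # constructed
    b = Device(b"\x66\x77\x88\x99\xaa\xbb", key)               # constructed
    print("mutual:", mutual_authenticate(a, b), "same ACO:", a.aco == b.aco)
```

Because the response is bound to the claimant's address as well as to the challenge, a response recorded for one device cannot be replayed from another address, and because the ACO is only ever derived locally on both sides it never crosses the link, in keeping with the link key itself never being transmitted.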
7.4.3. Encryption Process
The Bluetooth specification also allows three different encryption modes to support the confi-
dentiality service:
• Encryption mode 1:
No encryption is performed on any traffic.
• Encryption mode 2:
Broadcast traffic goes unprotected (not encrypted), but individually addressed traffic is
encrypted according to the individual link keys.
• Encryption mode 3:
All traffic is encrypted according to the master link key.
As shown in Figure 7.2, the Bluetooth encryption procedure is based on a stream cipher, E0.
A key stream output is exclusive-OR-ed with the payload bits and sent to the receiving device.
This key stream is produced using a cryptographic algorithm based on linear feedback shift
registers (LFSR). The encryption function takes as inputs the master identity (BD_ADDR),
the random number (EN_RAND), a slot number, and an encryption key, which initialize the
LFSRs before the transmission of each packet. Since the slot number used in the stream cipher
changes with each packet, the ciphering engine is also reinitialized with each packet although
the other variables remain static. As shown in Figure 7.2, the encryption key provided to the
encryption algorithm is produced using an internal key generator (KG) E3. This key generator
produces stream cipher keys based on the link key, a random number (EN_RAND again), and the ACO value. The ACO parameter, a 96-bit Authenticated Cipher Offset, is another output produced during the authentication procedure. The link key is the 128-bit secret key that is held in the Bluetooth devices and is not accessible to the user. Moreover, this critical security element is never transmitted outside the Bluetooth device. It forms the shared secret of two devices, created after pairing, that can be used when they meet again. Further explanation of the E0 stream cipher is given in Chapter 8.
FIGURE 7.2. Bluetooth Encryption Process [Karygiannis02a]
7.5. Problems with the Bluetooth Standard Security [Karygiannis02a] [Muller99]
Some of the known problems with the standard security of Bluetooth are listed here. The most important problems will be discussed in further detail in Chapter 8 and Chapter 9.
• Strength of the challenge-response pseudorandom generator is not known:
The Random Number Generator (RNG) may produce static or periodic numbers that may reduce the effectiveness of the authentication scheme.
• Short PIN codes are allowed:
Weak PIN codes, which are used for the generation of link and encryption keys, can
be easily guessed. Increasing the PIN length in general increases the security. People
have a tendency to select short PIN codes. A global agreement must be established on
minimum key length.
• An elegant way to generate and distribute PIN codes does not exist:
Establishing PIN codes in large Bluetooth networks with many users may be difficult.
Scalability problems frequently yield security problems.
• Encryption key length is negotiable:
The encryption key size varies from 8 to 128 bits. Each device has a parameter defining the maximum allowed key length. The key length is negotiated between the master and the slave. Applications can define a minimum acceptable key size to avoid situations where malicious devices force the use of a short encryption key.
• Unit key is reusable and becomes public once used:
A unit key is a link key that one unit generates by itself and uses as a link key with
any other device. Unit keys can only be safely used when there is full trust among the
devices that are paired with the same unit key. This is because every paired device can
impersonate or eavesdrop any other device holding the same unit key. A unit key can
be used on very small units with very low resources. Since Bluetooth version 1.2, the
use of unit keys is not recommended. But, for legacy reasons, unit keys have not been
completely removed from the specification.
• The initialization key strength is based on the used PIN code:
The E22 initialization key generation algorithm derives the key from the PIN code, the length of the PIN code and a random number, which is transmitted over the air. Only the PIN code is secret, making the trustworthiness of most initialization keys low and completely dependent on the user's chosen PIN code.
• No user authentication exists:
Only device authentication is provided. Application level security and user authentica-
tion can be employed.
• Attempts for authentication may be repeated:
The Bluetooth specification requires a time-out period between repeated attempts that will increase exponentially. But the Bluetooth SIG needs to develop a limit feature to prevent unlimited requests.
• E0 stream cipher algorithm is weak:
The stream cipher E0 has its roots in the so-called summation combiner stream cipher.
This was a stream cipher that was proposed by Massey and Rueppel in the mid-1980s
[Massey89]. The most powerful attacks on this type of stream ciphers are the corre-
lation attacks in combination with exhaustive search over a limited key space (this is
sometimes also referred to as initial guessing). The cryptanalysis, reviewed in Chapter
8, shows that the E0 cipher is weaker than the supposed exhaustive search attack.
• Privacy may be compromised if the Bluetooth device address (BD_ADDR) is cap-
tured. Once the BD_ADDR is associated with a particular user, that user’s activities
could be logged, resulting in a loss of privacy.
• End-to-end security is not performed:
Only individual links are encrypted and authenticated. Data is decrypted at intermediate
points. But applications running on top of Bluetooth can provide end-to-end security
mechanisms.
• Security services are limited:
Audit, non-repudiation, and other services do not exist. If needed, these can be developed at particular points in a Bluetooth network.
• Denial-of-service attacks are possible:
Repeated refused requests can make the unit crash and drain the battery. The denial of
service attack can be combined with other attacks.
• Support for legacy applications:
The legacy application will not make calls to the security manager. Instead, a Bluetooth-
aware "adapter" application is required to make security-related calls to the Bluetooth
security manager on behalf of the legacy application.
• Preset per service authorization is not possible:
There is no mechanism defined to preset authorization per service. However, a more
flexible security policy could be implemented in the higher-level architecture, without
a need to change the Bluetooth protocol stack. Of course, modifications of the higher-
level security manager and the registration processes would be necessary.
• Enforcing unidirectional traffic is not possible:
The approach only allows access control at connection set-up. The access check can be asymmetric, but once a connection is established, data flow is in principle bi-directional. It is not possible within the scope of this architecture to enforce unidirectional traffic.
7.6. Bluetooth security attacks
Although this thesis mainly concentrates on the link-level security of Bluetooth, we will also
give a brief overview of many popular and practical attacks on Bluetooth in this section. These
attacks are less significant, since most of them are not based on the failing of the Bluetooth
protocol, but on the malfunction of the specific implementation of the manufacturers.
We will take a closer look at the link level security and the known attacks on that part of the
Bluetooth protocol in Chapter 8 and Chapter 9.
7.6.1. Bluejacking
Although known to the technical community and early adopters for some time, the process now
known as "Bluejacking" has recently come to the fore in the consumer arena, and is becoming
a popular mechanism for exchanging anonymous messages in public places. The technique
involves abusing the Bluetooth pairing protocol, the system by which Bluetooth devices au-
thenticate each other, to pass a message during the initial handshake phase. This is possible
because the "name" of the initiating Bluetooth device is displayed on the target device as part
of the handshake exchange, and, as the protocol allows a large user defined name field - up to
248 characters - the field itself can be used to pass the message. This is fairly harmless, but,
there is a potential security problem with this. The more the practice grows and is accepted
by the user community, and leveraged as a marketing tool by the vendors, the worse it will
get. The problem lies in the fact that the protocol being abused is designed for information
exchange. The ability to interface with other devices and exchange, update and synchronize
data, is the reason for the existence of Bluetooth. The Bluejacking technique uses the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the bluejacker successfully pairs with the target device. If such an event occurs, then all data on the target device becomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices' capabilities, leading to far more serious potential compromise.
7.6.2. Bluetooth Wardriving
This attack will map the physical whereabouts of users carrying Bluetooth-enabled devices.
Since each Bluetooth device freely broadcasts its unique 48-bit address, it is possible to track
the user movements.
To protect a device against location tracking, an anonymity mode is needed. Devices operating
in such an anonymous mode could regularly update their device address by randomly choosing
a new one.
Different types of location tracking attacks are possible:
7.6.2.1. Inquiry attack. The attack distributes one or more Bluetooth devices throughout a
region to locate Bluetooth users.
If the potential victim of such an attack has left his/her device in discoverable mode, the attacking device can simply interrogate the area using frequent inquiry messages for devices and maintain a log of all the device addresses that are discovered.
7.6.2.2. Traffic monitoring attack. This attack succeeds even if the victim device is not
in discoverable mode. The attacker simply monitors the communication between two trusted
devices belonging to the victim. These devices will communicate using a specific Channel
Access Code (CAC). This CAC is computed from the device address of the master device in
the piconet.
Furthermore, the whole device address is sent in the Frequency Hop Synchronization (FHS)
packets of the devices, allowing an attacker to uniquely determine the identity of a device. But
the FHS packets are only used at connection establishment.
7.6.2.3. Paging attack. This attack allows the attacker to determine if a given device with a known BD_ADDR or Device Access Code (DAC)¹ is present within range.
The attack requires that the victim’s device is connectable.
The attacking device pages the target device, waits for the ID packet to be returned, and then
does not respond. If an ID is returned, then the attacker knows that the victim device is present.
The target device, waiting for the response, will just time out and the incident will not be
reported to the application layer.
7.6.2.4. Frequency hopping attack. The frequency hopping scheme in Bluetooth is deter-
mined by a repeating hopping sequence. The hopping scheme is calculated from different input
parameters, such as an address and the master clock. In the connection state, the LAP and the
four least significant bits in the UAP of the master device are used. In the page state, the
LAP/UAP of the paged unit is used. Thus, it is (at least theoretically) possible to get informa-
tion of the LAP and four bits in the UAP based on the observed hopping scheme.
7.6.2.5. User-friendly name attack. A Bluetooth device can request the user-friendly name
anytime after a successful baseband paging procedure. The name request command can be used
to mount a location tracking attack.
7.6.3. Impersonation attack by inserting/replacing data
When no encryption is activated, an impersonation attack can easily be achieved by correctly
setting the CRC check data in the payload after the data in the payload has been changed.
When ciphering is activated, the attacker can compute how to modify the CRC to make it agree
with modifications in the encrypted data bits.
In a practical system or when encryption is activated, it is not at all easy to make something
useful of this attack beyond the point of just disrupting the communication. The attacker must
somehow know the context of the payload data to conduct changes that are meaningful or
effective.
¹ A Device Access Code (DAC) is a code derived from a specific connected slave device.
7.6.4. Nokia 6310i Bluetooth OBEX Message DoS
Many Nokia 6310i GSMs contain a flaw that allows a remote denial of service attack. The issue
is triggered when invalid Bluetooth OBEX messages are sent by an attacker, and will result in
loss of availability for the phone, without loss of data.
7.6.5. Brute-Force attack
The brute-force attack can make it possible to connect to a device, even while it is set in the
hidden (not discoverable) Bluetooth mode. A brute-force attack on the BD_ADDR of a device
can achieve this.
Some manufacturers claim this would take an unreasonable amount of time, more than 11
hours. However, the security company @stake built an application, RedFang [Whitehouse03a],
with a multi-threaded version of the brute-force attack. This could simultaneously exploit up to
8 USB Bluetooth devices which would reduce the required time from 11hrs to approximately
90 minutes (based on one vendor’s range).
Once the BD_ADDR is discovered with the brute-force attack, other attacks could be mounted
without alerting the owner of the device, who thinks it is not discoverable.
7.6.6. Denial-of-Service attack
The Denial-of-Service (DoS) attack makes it possible for an attacker to prevent or prohibit
the normal use or management of communications facilities. The system degradation by DoS
attacks can, for example, be the result of the system being fully occupied by handling fake
connection requests or by inserting flawed data transmission packets.
7.6.7. Disclosure of keys
• A Bluetooth device attached to the computer may be exchanged for a false one, whose
only purpose is to ’suck’ out link keys from the host.
• A rightful USB plug or PCMCIA card may be removed from the owner’s computer and
inserted into a corresponding slot of the adversary’s computer. On this computer, one
or more keys stored on the Bluetooth controller can be read out. Once the list of keys
has been read out, the USB plug (or card) is returned to its proper owner, who may be
completely unaware.
• Malicious software
A Trojan horse disguised as something quite innocent can send the key database to some
place where the adversary can access it. If this malicious code is distributed through a
virus or worm, the attack can quickly spread to a large number of computers.
Once the link key of a computer and phone (and the BD_ADDR of the computer) is known,
the adversary can 'silently' connect to the mobile phone, impersonate the computer, and make
use of any service the phone offers over Bluetooth.
7.6.8. Backdoor attack
The Backdoor attack involves establishing a trust relationship through the vulnerable pairing
mechanism of some devices (e.g. some phones of Motorola), but ensuring that it no longer
appears in the target’s register of paired devices. In this way, unless the owner is actually
observing their device at the precise moment a connection is established, they are unlikely to
notice anything untoward, and the attacker may be free to continue to use any resource that
a trusted relationship with that device grants access to. This means that not only data can be
retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS
gateways may be accessed without the owner’s knowledge or consent. Once the Backdoor
is installed, the Bluesnarf attack will function on devices that previously denied access, and
without the restrictions of a plain BlueSnarf attack (see Section 7.6.9).
7.6.9. BlueStumbling or BlueSnarfing
It is possible, on some Bluetooth phone types, to connect to the device without alerting the
owner of the target device of the request, and gain access to restricted portions of the stored
data, including the entire phonebook, images, the calendar data, the real-time clock, business
cards, properties, the change log and the IMEI (International Mobile Equipment Identity, which
uniquely identifies the phone to the mobile network, and is used in illegal phone ’cloning’).
This attack has been developed by Adam Laurie, Marcel Holtman and Martin Herfurt from
Trifinite [Herfurt05]. The attack is an OBEX Push attack. The OBEX Push profile, which
has been specified for easy exchange of business cards, allows items to be pushed anonymously.
But some types of (phone) devices had an erroneous implementation, which allows an OBEX Get
request to be performed through the OBEX Push connection and all files to be retrieved whose
name is known or guessed correctly. Recently the developers of Trifinite made an improved version
of the BlueSnarf attack, the BlueSnarf++ attack, which allows connecting to the OBEX FTP
server through the OBEX Push connection. This gives the attacker full read and write access
to the device’s file system.
The impact of this attack can be high, since many popular phones are/were vulnerable to this
attack. Even long distance (1 mile) BlueSnarf attacks were proven to be possible with an ex-
tended Bluetooth antenna device. The attack has been demonstrated at CeBIT [Herfurt04] and
the Oscar nominations, which showed that a lot of devices were vulnerable.
The user is dependent on the vendor’s implementation of OBEX/Bluetooth stack and the ven-
dor’s solutions to resolve the security leaks (e.g. patches).
7.6.10. BlueBug attack
The BlueBug attack creates a serial profile connection to the device, thereby giving full access
to the AT command set, which can then be exploited using standard off-the-shelf tools, such
as PPP for networking and gNokii for messaging, contact management, diverts and initiating
calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers,
send SMS messages, read SMS messages, connect to data services such as the Internet, and even
monitor conversations in the vicinity of the phone.
The loophole identified in BlueBug allows controlling the device via a plain serial connection.
7.6.11. Pairing attack, Offline PIN recovery
The Bluetooth specification is sensitive to passive and active attacks on the pairing procedure.
The attacks only work if the attacker is present at the pairing occasion, which typically only
occurs once between one pair of devices. If pairing is performed in public places during a
connection to an access point, point-of-sale machine, or printer, this can be a dangerous threat.
Attackers can sniff data transmissions between devices while pairing (K_INIT transmission).
An improved version of this attack will be discussed in Section 9.5.
7.6.12. On-line PIN recovery
This attack can be possible if a fixed PIN is used on a device (i.e. same PIN is used for
every connecting device). The attacker can change (spoof) the Bluetooth address BD_ADDR
several times and try different PIN codes. By changing the Bluetooth address, the attacker
will bypass the ever increasing delay between failed pairing retries.
7.6.13. Impersonate original sending/receiving unit
This attack would require the attacker to provide the correct response on the authentication
challenge of a correspondent. Currently, no attack on the SAFER+-based E1 authentication
function is known that achieves this within any realistic computational effort.
7.6.14. Attack on the Bluetooth Key Stream Generator
Many different attacks on the Bluetooth Key Stream Generator E0 have been published (e.g. correla-
tion attacks, algebraic attacks, the FBDD attack) and they will be reviewed in more detail in Chapter
8.
7.6.15. Replay attacks
A hacker could record Bluetooth transmissions in all 79 frequencies and then in some way
figure out the frequency hopping sequence to replay the whole transmission. Although special
devices would be necessary for this attack, the attack could be possible since the Bluetooth
devices cannot check if a message is new or old.
7.6.16. Man-in-the-middle attack
By intervening in the "middle" of two pairing devices, and simulating the opponent on each
device connection by passing through the connection data, an attacker could receive all keys and
data. This is possible since there is no real mutual authentication and no public key certification
is used during authentication, although special devices are required.
CHAPTER 8
Bluetooth Stream Cipher E0
8.1. Introduction
In Chapter 7 the E0 encryption engine has already been described informally, we will now take
a closer look at it.
E0 is a so-called autonomous finite state machine. Loaded with an initial state, it will move to
a new state and produce one single output bit of the key stream on every clock cycle.
The Bluetooth specification defines the stream cipher algorithm E0 to be used for point-to-
point encryption of the packet payload; the access code and the packet headers are never
encrypted. The E0 additive stream cipher was designed to provide the wireless connections
with a strong protection against eavesdropping. It is based on a direct design and uses a Blue-
tooth proprietary algorithm that is inspired by Massey and Rueppel’s [Rueppel86] summation
combiner stream cipher. The core of E0 is built around four independent linear feedback shift
registers (LFSRs) and a finite state machine (FSM) as combining circuitry.
The cryptanalysis covered in Section 8.3 shows that the E0 stream cipher is weaker than assumed
at its design. But the frequent rekeying in Bluetooth and the rather short generated key streams
keep the system safe from most attacks.
8.2. Encryption process
When two Bluetooth devices need to communicate securely, they first undergo a key exchange
protocol that completes with each unit agreeing on a shared secret key. Within this exchange
protocol the devices negotiate to decide the encryption key size to use. Each device has a
parameter defining the maximal allowed key length, L_max, 1 ≤ L_max ≤ 16, and for each
application using encryption a number L_min must be defined to indicate the smallest acceptable
key size for that application. The devices negotiate and try to use the largest key size supported
by both. If the L_max value of one of the devices is smaller than the L_min value of the other
device, the negotiation will fail and a link encryption cannot be employed. This possibility of a
failure in setting up a secure link is an unavoidable consequence of letting the application decide
whether to accept or reject a suggested key size. However, this is a necessary precaution, since
otherwise a fraudulent device could enforce a weak protection on a link by claiming a small
maximum key size L_max.
In the E0 stream cipher algorithm the keystream bits are bit-wise modulo-2 (XOR) added to the data stream
to be sent over the air interface. All units in the piconet must be able to read the packet header
to see if the message is for them or not. Therefore, it is only the payload of each packet that
is ciphered separately by the cipher algorithm E0. The payload data is ciphered after the CRC
bits are appended, but before the optional Forward Error Correction (FEC) encoding.
The E0 stream ciphering process consists of three parts: (see Figure 8.1)
a) Initialization: payload key generation.
The payload key generator combines the input bits in an appropriate order and shifts
them into four LFSRs of the key stream generator.
b) Main part: Key stream bits generation.
c) Encryption and decryption.
FIGURE 8.1. Bluetooth encryption process
The cipher algorithm E0 uses as input the 48 bits of the master Bluetooth device address
(BD_ADDR), 26 bits of the master real-time clock, CLK, and an encryption key K_C. By
using the 26 bits of the master clock, which toggles every 625µs, and a reinitialization of
the E0 algorithm after each (multi-)packet, frequent changes of the starting state of the key
stream generator are assured, which forms a key factor in the resistance to security attacks. E0
generates a binary keystream K_cipher which will be modulo-2 (XOR) added to the data to be
encrypted. The cipher is symmetric; decryption shall be performed in exactly the same way
using the same key as used for encryption.
The private encryption key (K_C) is derived by algorithm E_3 from the current link key, a 96-
bit Ciphering OFfset number (COF), and a 128-bit random number EN_RAND. COF is set
to the concatenation of the master BD_ADDR if the current link key is a master key. Else
COF is set to the value of the Authenticated Ciphering Offset (ACO) as computed during the
authentication procedure.

$$K_C = E_3(K_{master}, \mathrm{EN\_RAND}, COF) \qquad (38)$$
The Bluetooth system is said to be a two level operation. The first level consists of the initial-
ization and the second level performs the actual keystream generation.
Within the first level, the initialization of the E0 algorithm, the encryption key K_C is trans-
formed to an intermediate constraint key K'_C:

$$K'_C(x) = g_2^{(L)}(x)\,\big(K_C(x) \bmod g_1^{(L)}(x)\big), \qquad (39)$$

where deg(g_1^{(L)}(x)) = 8L and deg(g_2^{(L)}(x)) ≤ 128 − 8L. The values for the polynomials g_1^{(L)}
and g_2^{(L)} are collected in a table¹. The maximum effective size of this key shall be factory preset
and may be set to any multiple of eight bits between one and sixteen bytes (8-128 bits).
This constraint key K'_C is used together with the BD_ADDR and the clock CLK to load the
initial values of the four LFSRs (128 bits) and the four memory bits c_0 and c_{−1}. At the end of
the first level, the generator will generate 200 stream cipher bits, of which the last 128 bits are
fed back into the key stream generator as the initial values of the four LFSRs of the second
level. The values of the memory bits c_0 and c_{−1} are kept as the initial values for the second
level. Further details of the complex initialization and the premixing of the initially loaded key
material can be found in the Bluetooth specification document ([SIG03], Section 4.5, pages
769-790).
After the initialization steps of first level and the initialization of the second level, a loop is
started (step 2 and 3 in Figure 8.1), until the maximum number of plaintext bits are encrypted
and the generator must be re-initialized to disable various kinds of statistical analysis attacks.
The core of the E0 keystream generator consists of four Linear Feedback Shift Registers
(LFSR), with a key of at most 128 bits, and a 4 bit finite state machine, feeding a Summa-
tion Combiner Logic (combining circuitry).
In the previous chapter it was noted that LFSR is not cryptographically secure, since it is linear.
In [Rueppel86] the use of memory in the combination generator was proposed to achieve
nonlinearity in an LFSR system. The finite state machine is used in the Bluetooth system to
introduce sufficient nonlinearity to make it difficult to recompute the initial state from observed
key stream data.
¹ Table 4.4, p. 770-771 of the Bluetooth SIG, "Bluetooth Specification v1.2", vol. 2, November 2003.
As we know from Section 4.5, LFSRs can be described with feedback polynomials. The
feedback polynomials of the four LFSRs used within E0 are all primitive maximum length
polynomials. This ensures that the period of an LFSR with degree n is 2^n − 1. The smallest
period of all the Bluetooth LFSRs is the product of the four periods: P = (P_1 P_2 P_3 P_4)/7 =
(2^25 − 1)(2^31 − 1)(2^33 − 1)(2^39 − 1)/7 ≈ 2^125.2. The period is divided by 7 since P_3 and
P_4 have 7 as their greatest common divisor. This entire period is never generated by the Blue-
tooth generator, since it is re-initialized after a maximum of 2745 bits. The total length of the
registers is 128. The Hamming weight² of all the feedback polynomials is chosen to be five,
a reasonable trade-off between reducing the number of required XOR gates in the hardware
implementation and obtaining good statistical properties of the generated sequences. The poly-
nomials are in fact maximum length windmill polynomials [Smeets98]. This can be exploited
in a hardware or software realization of the LFSR. The windmill polynomials have the property
that one can construct a linear sequential machine that, provided it is correctly initialized, for
each clock cycle generates four consecutive symbols of the sequence that the normal LFSR
would generate.

TABLE 1. Feedback polynomials of the four LFSRs

LFSR    Degree   Feedback polynomial              Output tap   Period length
LFSR1   25       t^25 + t^20 + t^12 + t^8 + 1     24           2^25 − 1
LFSR2   31       t^31 + t^24 + t^16 + t^12 + 1    24           2^31 − 1
LFSR3   33       t^33 + t^28 + t^24 + t^4 + 1     32           2^33 − 1
LFSR4   39       t^39 + t^36 + t^28 + t^4 + 1     32           2^39 − 1
For each bit output, each LFSR is clocked once, and the outputs of all four LFSRs and the output
of the finite state machine are exclusive-or'ed together to form the keystream output. Then, the
4 LFSR outputs are summed together to form a 3-bit output. The upper 2 bits of that sum are
used to update the state of the finite state machine (FSM). The least significant bit (LSB) of the
sum of the four LFSRs is their bit-wise XOR.
During the encryption loop, the following steps are walked through:
a) output x_t for the four LFSRs
b) calculate the keystream z_t = f_0(x_t, c_t)
c) calculate the encrypted message bit e_t = z_t ⊕ m_t, where m_t is the corresponding mes-
sage bit
d) calculate s_{t+1} = f_1(x_t, c_t)
e) calculate the next FSM state c_{t+1} = T(s_{t+1}, c_t)
f) store the memory bits c_t = c_{t+1} in the FSM.
During decryption, the same loop is walked through, but in the third step the calculation is
m_t = z_t ⊕ e_t, where e_t is the corresponding received encrypted bit.
² The Hamming weight denotes the number of "1" bits in the binary sequence.
The combination generator process is represented in Figure 8.2, where the boxes labeled z^{−1}
denote delay elements holding two bits each and the small numbers under the nodes indicate
the number of bits passing.
FIGURE 8.2. The E0 keystream generator³
The function f_0, called the summation combiner, produces an output sequence of 200 bits z_1, z_2, ...,
where z_t ∈ GF(2). It computes these z_t as the modulo-two sum of the x_t vector and the first
bit c_t^0 of the current contents of the memory. x_t^i denotes the output from LFSR_i at time t. The
output from the LFSR is taken from the shift register taps given in Table 1.

$$\begin{aligned}
z_t &= f_0(x_t, c_t^0) & (40)\\
    &= x_t^1 \oplus x_t^2 \oplus x_t^3 \oplus x_t^4 \oplus (c_t^0 \bmod 2) \in \{0, 1\} & (41)
\end{aligned}$$
The nonlinear function f_1 also takes the vector x_t as input, but combined with the latest memory
update vector c_t. f_1 has a 2-bit vector s_{t+1} as output. It is nonlinear since integer addition is
nonlinear in GF(2):

$$\begin{aligned}
s_{t+1} &= (s_{t+1}^1, s_{t+1}^0) & (42)\\
        &= f_1(x_t, c_t) & (43)\\
        &= \left\lfloor \frac{y_t + 2c_t^1 + c_t^0}{2} \right\rfloor \in \{0, 1, 2, 3\} & (44)\\
y_t     &= x_t^1 + x_t^2 + x_t^3 + x_t^4 \in \{0, 1, 2, 3, 4\} & (45)
\end{aligned}$$
The state of the FSM is determined by 4 bits, which are stored in a pair of 2-bit delay elements.
At each time t, the lower delay element stores the previous value of the upper element, and we
can therefore refer to these 2-bit values as c_t and c_{t+1} respectively. The function T is used to
mix these carry bits. It takes the 4 memory bits and s_{t+1} as input. It produces the 2-bit vector
c_{t+1} to be put in the memory.
The new content c_{t+1} of the upper delay element is computed as follows:

$$\begin{aligned}
c_{t+1} &= (c_{t+1}^1, c_{t+1}^0) & (46)\\
        &= T(s_{t+1}, c_t, c_{t-1}) & (47)\\
        &= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1}) & (48)
\end{aligned}$$

c_{t+1} defines a linear infinite impulse response (IIR) filter⁴ that lowers the correlation factor,
an important parameter in the correlation attack. T_1 and T_2 are two different linear bijections
over GF(4), (x_1, x_0) → (y_1, y_0), where T_0 = T_1 : (x_1, x_0) → (x_1, x_0) and T_2 : (x_1, x_0) →
(x_0, x_1 ⊕ x_0).
⁴ An infinite impulse response is a type of digital signal filter, in which every sample of output is the weighted sum of past and current samples of input, using all past samples, but the weights of past samples are an inverse function of the sample age, approaching zero for old samples. [Howe05]
This concludes the description of the process within the E0 keystream generator. To get a better un-
derstanding of the way the E0 keystream generator works, a basic simulation of E0 has been
implemented in C. The working of the simulator could be checked with the test data available
in [SIG03], pp. 652-676.
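As an added example (not the thesis author's simulator, which is not reproduced here), the following C model implements the level-2 generator of Figure 8.2 from Table 1 and Equations (40)-(48), including the encryption/decryption round trip of step c). The register bit ordering, the loading of the initial state and the sample state in main() are assumptions, so the model shows the structure of E0 but will not reproduce the [SIG03] test vectors without the specification's own loading order and level-1 premixing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Table 1: degree, the three inner feedback exponents, and the output tap of each LFSR. */
typedef struct { int degree; int taps[3]; int out; } lfsr_desc;
static const lfsr_desc LFSR_DESC[4] = {
    {25, {20, 12, 8},  24},   /* t^25 + t^20 + t^12 + t^8  + 1 */
    {31, {24, 16, 12}, 24},   /* t^31 + t^24 + t^16 + t^12 + 1 */
    {33, {28, 24, 4},  32},   /* t^33 + t^28 + t^24 + t^4  + 1 */
    {39, {36, 28, 4},  32},   /* t^39 + t^36 + t^28 + t^4  + 1 */
};

/* Level-2 state: four registers plus the two 2-bit memory words c_t and c_{t-1}. */
typedef struct {
    uint64_t r[4];   /* assumed convention: bit i of r[j] holds s_{t+i} of LFSR_{j+1} */
    unsigned c;      /* c_t = (c_t^1, c_t^0) as a 2-bit integer */
    unsigned cprev;  /* c_{t-1} */
} e0_state;

/* Read the output tap, then clock: s_{t+n} = s_{t+a} ^ s_{t+b} ^ s_{t+c} ^ s_t. */
static unsigned lfsr_clock(uint64_t *r, const lfsr_desc *d) {
    unsigned out = (unsigned)((*r >> d->out) & 1u);
    unsigned fb = (unsigned)(*r & 1u);
    for (int k = 0; k < 3; k++) fb ^= (unsigned)((*r >> d->taps[k]) & 1u);
    *r = (*r >> 1) | ((uint64_t)fb << (d->degree - 1));
    return out;
}

/* f1, Equation (44): s_{t+1} = floor((y_t + 2 c_t^1 + c_t^0) / 2). */
unsigned e0_f1(unsigned y, unsigned c) {
    return (y + 2u * ((c >> 1) & 1u) + (c & 1u)) >> 1;
}

/* T0 = T1 = identity on GF(4); T2: (x1, x0) -> (x0, x1 ^ x0). */
unsigned e0_t2(unsigned c) {
    unsigned x1 = (c >> 1) & 1u, x0 = c & 1u;
    return (x0 << 1) | (x1 ^ x0);
}

/* One clock cycle, steps a), b), d), e), f) of the encryption loop. Returns z_t. */
unsigned e0_clock(e0_state *st) {
    unsigned y = 0, v = 0;
    for (int i = 0; i < 4; i++) {          /* a) x_t^i from the output taps */
        unsigned x = lfsr_clock(&st->r[i], &LFSR_DESC[i]);
        y += x;                            /* y_t, Equation (45) */
        v ^= x;                            /* LSB of the sum = XOR of the four outputs */
    }
    unsigned z = v ^ (st->c & 1u);         /* b) z_t = f0(x_t, c_t^0), Equation (41) */
    unsigned s = e0_f1(y, st->c);          /* d) s_{t+1}, Equation (44) */
    unsigned cnext = s ^ st->c ^ e0_t2(st->cprev);  /* e) Equation (48) */
    st->cprev = st->c;                     /* f) shift the memory */
    st->c = cnext;
    return z;
}

/* Generate n keystream bits, one per byte. */
void e0_keystream(e0_state *st, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)e0_clock(st);
}

/* Step c): e_t = z_t ^ m_t. Running it again on the output with the same start state
   performs decryption, m_t = z_t ^ e_t, since the cipher is symmetric. */
void e0_crypt(const e0_state *start, uint8_t *bits, size_t n) {
    e0_state st = *start;
    for (size_t i = 0; i < n; i++) bits[i] ^= (uint8_t)e0_clock(&st);
}

int main(void) {
    /* Constructed sample state; a real link loads it from the level-1 premixing. */
    e0_state st = { { 0x1234567ULL, 0x5A5A5A5AULL, 0x1FFFFFFF8ULL, 0x468ACE1357ULL }, 1, 2 };
    uint8_t msg[16] = {1,0,1,1,0,0,1,0, 1,1,1,0,0,0,0,1}, buf[16];
    memcpy(buf, msg, sizeof buf);
    e0_crypt(&st, buf, 16);               /* encrypt */
    printf("ciphertext bits: ");
    for (int i = 0; i < 16; i++) printf("%u", buf[i]);
    e0_crypt(&st, buf, 16);               /* decrypt with the same start state */
    printf("\nround trip %s\n", memcmp(buf, msg, sizeof buf) == 0 ? "ok" : "FAILED");
    return 0;
}
```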
In the next section, we will present the known attacks on this algorithm.
8.3. Bluetooth Stream Cipher E0 Attacks
A lot of research has been done on the Bluetooth encryption and different types of attacks on
E0 have been discovered. They will be described in this section. Although, within the scope of this
master thesis, not all attacks could be analysed in full detail, we will describe each type of
attack. Some parts of the attacks that are reviewed are implemented beside the E0 simulator,
as a way to get a better understanding of the working of the attack.
Since the nonlinear E0 algorithm uses memory bits beside the linear LFSRs, the correlation
attacks introduced in Section 5.3.4 of Chapter 5 are not applicable right away. For most attacks
it is needed to remodel the cipher in such a way that the nonlinear part is replaced with a
sequence of random variables with some correlation probability.
Most of the theoretical attacks on the Bluetooth E0 stream cipher require a far larger amount
of consecutive keystream output than available in a practical environment. By Kerckhoffs’
principle (see Section 3.4.2), they assume the keystream generator and some key stream bit zt
are known and they try to recover the initial state of the LFSRs.
8.3.1. Divide-and-conquer, Correlation attack, Hermelin and Nyberg
In [Hermelin00b] Hermelin and Nyberg published a theoretical attack to recover the keystream
generator's initial state with a time complexity of O(2^64) given O(2^64) known keystream bits
(≈ 2,097,152 TB).
The attack is based on a weak linear correlation between the output of the LFSRs v_t = x_t^1 ⊕ x_t^2 ⊕
x_t^3 ⊕ x_t^4 and the keystream output z_t, to verify the accuracy of one of the LFSRs. The sequence
v_t is generated by a fictive LFSR, based on the product of the four feedback polynomials of
the LFSRs in E0, that is, a feedback polynomial g(t) with degree 128, g(t) = f_1(t)f_2(t)f_3(t)f_4(t).
If the attack is successful, the attacker will discover the initial state of this fictive LFSR, from
which the initial state of the four original LFSRs of E0 can be computed by solving a set of
linear equations in 128 unknown variables.
Hermelin and Nyberg discovered the following correlation in the Bluetooth E0 stream cipher:

$$C(z_t \oplus z_{t-1} \oplus z_{t-3},\; v_t \oplus v_{t-1} \oplus v_{t-3}) = -\tfrac{1}{16}, \qquad (49)$$
where vt denotes the XORed output of the four LFSRs.
Since the attack of Ekdahl and Johansson (Section 8.3.2) is based on the same principles of this
attack, but with better computational complexities, we will not analyse this attack in further
detail.
8.3.2. Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson
A theoretical attack by Ekdahl and Johansson [Ekdahl00] describes how the initial state of
the keystream generator can be extracted given O(2^34) known keystream bits (≈ 2 GB) and a
computational complexity of O(2^63). This attack is also based on a weak linear correlation
between the LFSRs output and the keystream output to verify if a guess on one of the LFSRs
is accurate. This attack remodels the cipher in such a way that the nonlinear part is replaced
with a sequence of random variables with some correlation probability. The nonlinear part of
the keystream can be found in the memory block ct.
Fluhrer and Lucks [Fluhrer01] discovered the following correlation for c_t:

$$P(c_t \oplus c_{t-5} = 0) = \tfrac{1}{2} + 0.04883 \qquad (50)$$

for all t ≥ 0.
The attacker observes a keystream z_t of length N. The attack will primarily target the initial
state of the first LFSR, LFSR1. The other three LFSRs can be combined into a single equivalent
LFSR. The output from this equivalent LFSR is a sequence u_t, 0 ≤ t ≤ N − 1.
c_t^0 is assumed to be a random noise sequence with correlation P(c_t ⊕ c_{t−5} = 0) = 1/2 + 0.04883
(Equation (50)). Now we can remodel E0 into a simplified system as shown in Figure 8.3.
With this model, we need to guess the initial state of LFSR1 and add this, x'_t, to z_t. If the guess
is correct, we can write the resulting sequence as:

$$v_t = z_t + x'_t = u_t + c_t^0 \qquad (51)$$

FIGURE 8.3. Model of attack, [Ekdahl03]
From the equivalent LFSR of LFSR2, LFSR3 and LFSR4, we will get a sequence u_0, u_1, ..., u_{N−1}
which is a linear (N, l)-block code C⁵. In this block code C, there are l information symbols,
which is equal to the length of the equivalent shift register, the sum of the lengths of LFSR2,
LFSR3 and LFSR4. The sequence u_t can be rewritten as a row vector u = (u_0, u_1, ..., u_{N−1}).
And this row vector can then be written as u = u_0 G, where u_0 is the initial state of the equiv-
alent shift register and G the generator matrix. If we suppose we can find k columns in G such
that

$$G_{i_1} + G_{i_2} + \cdots + G_{i_k} = 0, \qquad (52)$$

then we must have u_{i_1} + u_{i_2} + ... + u_{i_k} = 0 for the sequence u_t. Since the block code is cyclic,
we can write

$$\sum_{i \in I} u_{t+i} = 0, \qquad (53)$$

⁵ A linear block code is a class of block codes, which consists of a fixed finite alphabet and a set of strings, codewords, of fixed length from the alphabet. Block codes are mostly used in coding theory for error detection and error correction. A linear block code is a vector subspace of F_q^n, where F_q is the finite field with q elements.
for any time index t ≥ 0, where I is the set of indices in Equation (52).
By summing over the indices in I, as indicated by Equation (53), it is possible to remove the influ-
ence of u_t in v_t (Equation (51)) and go towards the correlation Equation ().

$$v_t = u_t + c_t \qquad (54)$$

$$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0 + \sum_{i \in I} (c_{t+i} + c_{t+i-5}) \qquad (55)$$

$$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = (c_{t+i_1} + c_{t+i_1-5}) + (c_{t+i_2} + c_{t+i_2-5}) + \cdots + (c_{t+i_k} + c_{t+i_k-5}) \qquad (56)$$

$$P\Big(\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0\Big) = \qquad (57)$$

$$P\big((c_{t+i_1} + c_{t+i_1-5}) + (c_{t+i_2} + c_{t+i_2-5}) + \cdots + (c_{t+i_k} + c_{t+i_k-5}) = 0\big) = \tfrac{1}{2} + 2^{k-1}\varepsilon^k \qquad (58)$$
If v_t is sampled at many different time instances, according to Equation (56) and depending on
the magnitude ε in Equation (58), it is possible to get statistical significance if the assumption
on the initial state of LFSR1 was good. If LFSR1 was guessed correctly, the correlation in
Equation (58) can be detected; else the correlation will not be detectable, since more noise will
have been added to the sequence v_t and the sum of Equation (56) will tend to 1/2.
The attack requires a length, N , of the received sequence zt which depends on two parameters,
the value of the highest index in I for Equation (53) and the number of shifts in time, m, in
Equation (56).
An estimate for the highest index in I is needed since we need to search for a span of z_t such
that the indices can be found that satisfy Equation (53). A good estimation of the required
length of the received sequence in order to find k columns that add up to the all-zero column in
the generator matrix from Equation (52) can be made using Theorem 14.
THEOREM 14. There are approximately 2^{l/(k−1)} columns required in a random generator ma-
trix G of a cyclic code C to find k columns that add to the all-zero column, where l is the
number of rows in G.
To estimate the second parameter, the needed number of samples m, we will use the theoret-
ical background from Section 3.5. From this section we know we can separate the uniform
distribution P_U(X = 0) = 1/2 from the indicator distribution P_E0(X = 0) = 1/2 + 2^{k−1}ε^k using
approximately 1/(2^{k−1}ε^k)^2 samples. With increasing k, P_E0(X = 0) gets closer to 1/2 and the
Chernoff information⁶ C(P_U, P_E0) decreases. So the required number of samples, m, in-
creases when k increases for a fixed error probability. The total number of columns w ≈ 2^{l/(k−1)}
in G required to find k columns that add to the all-zero column decreases if k increases. The
total number of required keystream bits to observe, N, is the sum N = m + w, so we need to
choose k such that we minimize N.
When performing the attack, we count the number of times Equation (56) equals zero, n_0,
and the number of times it equals one, n_1. Thus, the number of samples needed, m, equals
m = n_0 + n_1. To simplify the application of the Lemma of Neyman-Pearson (Section 3.5,
Lemma 10), we replace 2^{k−1}ε^k with ε'. We can now easily write P_E0 = 1/2 + ε'. According to
the Lemma, we can test between the two hypotheses H_0 : P_U and H_1 : P_E0:

$$\frac{(\tfrac{1}{2})^m}{(\tfrac{1}{2} + \varepsilon')^{n_0}\,(\tfrac{1}{2} - \varepsilon')^{n_1}} > T, \qquad (59)$$

with T ≥ 0 being the decision threshold.
For this attack, it is desired to use an unsymmetrical threshold and decrease P_F at the expense
of P_M. We would like to have P_F << P_M. In [Ekdahl03] an unsymmetrical threshold of
T = 25 was chosen, resulting in P_M ≈ 2^{−4} and P_F ≈ 2^{−10}. It is
shown that the value k = 4 is the best choice for attacking LFSR1, since the
value of N will then be minimized to 2^{34.6}.
8.3.3. Faster correlation attack, Y. Lu and S. Vaudenay
Although the faster correlation attack proposed by Yi Lu and Serge Vaudenay in [Lu04] has the
best known time complexity, O(2^39) after O(2^37), it still requires 2^39 consecutive keystream bits
(≈ 64 GB). The attack recovers LFSR1 with a new Maximum Likelihood Decoding (MLD)
algorithm, by means of the Fast Walsh Transform. This algorithm can speed up a fast correlation
attack. The attack applies the concept of convolution to the analysis of the distinguisher based
on all known correlations. This allows building an efficient distinguisher that halves the data
complexity of the basic uni-bias-based distinguisher.
⁶ The Chernoff bound gives the information (distance) between two probability densities. Relatively large Chernoff information means a low error probability. [Cover91]
The approach is similar to the Divide-and-conquer attack of Ekdahl and Johansson (Section 8.3.2),
but with a decreased time complexity.
The correlations used for this attack are:

$$P(c_t^0 \oplus c_{t+1}^0 \oplus c_{t+3}^0 \oplus c_{t+4}^0 = 1) = \tfrac{1}{2} + \tfrac{\lambda}{2}, \qquad (60)$$

$$P(c_t^0 \oplus c_{t+5}^0 = 0) = \tfrac{1}{2} + \tfrac{\lambda}{2}, \qquad (61)$$

where λ = 25/256.
8.3.4. Guess-and-determine attack, M. O. Saarinen
Markku-Juhani O. Saarinen showed in [Saarinen00] the first guess-and-determine attack on
the Bluetooth keystream generator. This attack consists of guessing the states of the 3 smallest
LFSRs and the finite state machine to derive the contents of the remaining fourth LFSR. Using the
observed keystream, the consistency of the assumption is checked with the output from LFSR4.
The complexity of this attack is expected to be close to O(2^93). We will not treat the attack of
Saarinen in further details, since the improved versions of this attack are analysed below.
8.3.5. Guess-and-determine attack, S.R. Fluhrer and S. Lucks
Scott R. Fluhrer and Stefan Lucks refined the attack of M.O. Saarinen in [Fluhrer01]. This
attack recovers the initial state of the shift registers (level 2 of the keystream generator) and
reverses the premixing step to recover the session key K_C (level 1 of the keystream generator).
The time complexity of the attack is of the order O(2^84) when 132 keystream bits are avail-
able. The time complexity required to reconstruct the level 2 keystream generator (the LFSRs'
initial states) is expected to be between O(2^72) and O(2^84), depending on the amount of known
keystream bits. The work effort to reconstruct the level 1 keystream generator is expected to
take between O(2^81) and O(2^51). The algorithm allows the key stream bits to be spread over
multiple data packets, unlike the correlation attacks. The computational complexity can then be
improved to the order between O(2^76) and O(2^84), depending on the amount of keystream bits
available.
The basic approach of guessing the initial states of parts of the cipher and checking consistency
stays the same as in Saarinen's attack. But this attack takes advantage of additional relationships
within E0 to gain performance. Instead of guessing three LFSRs as in the attack of Saarinen,
this attack guesses the initial state of the FSM and the contents of the two shortest LFSRs. A set
of linear equations is built up and checked for inconsistencies. The guess is rejected as soon as
an inconsistency is found.
The idea behind the algorithm used in this attack is that the next-state function of the FSM
depends only on the number of LFSRs that output a one. Instead of computing the exact values
of the two longest LFSRs, we only have to decide whether their outputs differ or not. The algorithm
also takes advantage of the fact that contradictions in a set of linear equations over GF(2) can be
found efficiently.
The attack derives the initial LFSR settings given 132 bits of keystream output. The initial
contents of the FSM and of LFSR1 and LFSR2 are guessed. By observing the keystream, it is
possible to decide whether the XOR of the outputs of LFSR3 and LFSR4 is one or zero, and a set
L of linear equations on the LFSR3 and LFSR4 output bits is constructed in a search tree. When
enough keystream bits are analyzed, the linear equations implied by the LFSR3 and LFSR4 tap
equations can be added to the set L. As long as the equations in L stay consistent, we can continue
to analyze the keystream. If an inconsistency appears, we backtrack in the tree and try another
guess at one of the earlier steps.
8.3.6. Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel
The theoretical attack presented by Christophe De Cannière, Thomas Johansson and Bart Preneel
in [Cannière01] is based on the attack of Fluhrer and Lucks [Fluhrer01] described in the
preceding section. The time complexity of the attack is of the order $O(2^{76})$ when 1 Mbit of
keystream data is available.
The approach of this attack is similar to the attack of Fluhrer and Lucks. But instead of
guessing the contents of two of the LFSRs and the FSM, only the shortest LFSR and the initial
state of the FSM are guessed.
8.3.7. FBDD-attack, M. Krause
In [Krause01] Matthias Krause proposes an FBDD-attack on the Bluetooth keystream generator.
This attack has a time complexity of $O(2^{77})$ while requiring only 128 known keystream bits.
Free Binary Decision Diagrams (FBDDs) are data structures for representing and manipulating
Boolean functions [Gergov94] [Sieling95]. An FBDD-attack is a short-keystream attack, where
the number of keystream bits needed for computing the secret initial state $x \in \{0,1\}^n$ is at
most $cn$ for some constant $c \geq 1$.
The attack exploits that many LFSR-based stream ciphers produce keystream according to the
rule $z = C(L(x))$, where $L(x)$ denotes an internal linear bitstream generated by a small
number of parallel LFSRs and $C$ denotes some nonlinear compression function. The weakness
of LFSR-based keystream generators is that the compressor $C$ has to produce the keystream
in an online manner and at high speed. To achieve this, $C$ uses only a small memory and
consumes only a few new internal bits for producing the next output bit. These requirements
imply that the decision whether an internal bitstream generates a prefix of a given keystream $y$
via $C$ can be computed by small FBDDs. This makes it possible to compute dynamically a
sequence of FBDDs $P_m$, $m \geq n$, which test for a given initial state $x \in \{0,1\}^n$ whether
$C(L_{\leq m}(x))$ is a prefix of $y$, where $L_{\leq m}(x)$ denotes the first $m$ bits of the internal
linear bitstream generated via $L$ from the secret initial state $x$.
8.3.8. Algebraic attack, F. Armknecht
Frederik Armknecht proposed an algebraic attack to reconstruct the initial state of E0 in [Armknecht02].
This attack is based on a system of nonlinear equations of degree 4 which holds with probability 1
at each clock. By linearisation, the system becomes solvable, assuming that enough independent
equations can be collected. The number of possible terms in the linearised system is
$T \approx 2^{24.056}$, and by employing Strassen's algorithm for solving the system of linear equations,
the complexity of this approach is concluded to be about $O(2^{67.58})$. In order to get enough
independent linear equations, the number of observed keystream bits must be approximately
$2^{24.056}$ (about 17 Mbit, i.e. roughly 2 MB). We will explore this attack in more detail.
Theorem 15 forms the basis of the algebraic attack on the combiner with memory.
THEOREM 15 (Krause, Armknecht, 2003). For each combiner $C$ with $k$ LFSRs and $l$ memory
bits, a nontrivial relation $F_C$ of degree $\lceil k(l+1)/2 \rceil$ with
$$0 = F_C\bigl(X_t, \dots, X_{t+l}, z_t, \dots, z_{t+l}\bigr)$$
can be constructed.
Basically, we are able to transform the equations for the keystream bits $z$, which depend on the
LFSR output bits $x$ and the memory bits $c$, into a system of equations that no longer depends on
the memory bits and can be used to find the initial values of the LFSRs:
$$z_t = F\bigl(x^1_t, \dots, x^4_t, c^1_t, \dots, c^4_t\bigr)$$
$$z_t = F\bigl(x^1_t, \dots, x^4_t, C_t(x^1_1, \dots, x^4_{t-1}, c^1_1, \dots, c^4_1)\bigr)$$
$$z_t = F_t\bigl(x_1, \dots, x_n, c^1_1, \dots, c^4_1\bigr)$$
$$0 = F'\bigl(x^1_t, \dots, x^4_t,\ x^1_{t+1}, \dots, x^4_{t+1},\ x^1_{t+2}, \dots, x^4_{t+2},\ x^1_{t+3}, \dots, x^4_{t+3},\ z_t, z_{t+1}, z_{t+2}, z_{t+3}\bigr)$$
$$0 = F'\bigl(x_1, \dots, x_n, z_t, z_{t+1}, z_{t+2}, z_{t+3}\bigr)$$
For each clock $t$, the new keystream output $z_t$ is produced and the next memory bits $c^0_{t+1}$ and
$c^1_{t+1}$ are computed. This is done by Equation (48). We will reformulate this equation to have
the functions for the individual memory bits $c^0_{t+1}$ and $c^1_{t+1}$:
$$\begin{aligned}
c_{t+1} &= (c^1_{t+1}, c^0_{t+1}) & (62)\\
&= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1}) & (63)\\
&= \bigl(s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1},\ \ s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1}\bigr). & (64)
\end{aligned}$$
In this equation we can reformulate $s^1_{t+1}$ and $s^0_{t+1}$ from Equation (45) as [7]:
$$\begin{aligned}
s_{t+1} &= (s^1_{t+1}, s^0_{t+1}) & (65)\\
&= \left\lfloor \frac{x^1_t + x^2_t + x^3_t + x^4_t + 2c^1_t + c^0_t}{2} \right\rfloor & (66)
\end{aligned}$$
$$s^1_{t+1} = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t \tag{67}$$
$$s^0_{t+1} = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \tag{68}$$
where $\Pi_i(t)$ is the XOR over all possible products of degree $i$ in $\{x^1_t, x^2_t, x^3_t, x^4_t\}$:
$$\begin{aligned}
\Pi_1(t) &= x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t\\
\Pi_2(t) &= x^1_t x^2_t \oplus x^1_t x^3_t \oplus x^1_t x^4_t \oplus x^2_t x^3_t \oplus x^2_t x^4_t \oplus x^3_t x^4_t\\
\Pi_3(t) &= x^1_t x^2_t x^3_t \oplus x^1_t x^2_t x^4_t \oplus x^1_t x^3_t x^4_t \oplus x^2_t x^3_t x^4_t\\
\Pi_4(t) &= x^1_t x^2_t x^3_t x^4_t
\end{aligned}$$
which leads to the following equations for the individual bits $c^1_{t+1}$ and $c^0_{t+1}$ (from Equation (64)):
$$\begin{aligned}
c^1_{t+1} &= s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1} & (69)\\
&= \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t \oplus c^1_t \oplus c^0_{t-1} & (70)\\
c^0_{t+1} &= s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1} & (71)\\
&= \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \oplus c^1_{t-1} \oplus c^0_t \oplus c^0_{t-1} & (72)
\end{aligned}$$
[7] F. Armknecht, A Linearisation Attack on the Bluetooth Key Stream Generator, 2002.
Now we can define the additional variables $A(t)$ and $B(t)$:
$$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1}$$
$$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1$$
so that Equations (70) and (72) can be simplified to (using the fact that for Boolean variables
$x^2 = x$):
$$\begin{aligned}
c^1_{t+1} &= A(t) \oplus B(t)c^1_t & (73)\\
c^1_{t+1}B(t) &= A(t)B(t) \oplus B(t)c^1_t & (74)\\
0 &= B(t)\bigl(A(t) \oplus c^1_t \oplus c^1_{t+1}\bigr) & (75)
\end{aligned}$$
and
$$\begin{aligned}
c^0_{t+1} &= B(t) \oplus 1 \oplus c^0_t \oplus c^0_{t-1} \oplus c^1_t \oplus c^1_{t-1} & (76)\\
c^0_{t+1} \oplus c^1_{t-1} &= B(t) \oplus 1 \oplus c^0_t \oplus c^0_{t-1} \oplus c^1_t & (77)
\end{aligned}$$
Note that the term $c^0_t$ of Equation (72) is kept in (76) and (77). Taking (77) at index $t+1$
instead of $t$ gives $c^1_t \oplus c^1_{t+1} = B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}$,
and inserting this into (75) we get:
$$0 = B(t)\bigl(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\bigr) \tag{78}$$
In this equation, we can eliminate all unknown memory bits $c^0_t$ by using the observed keystream
$z_t$ (Equation (41)) and the rules $X^2 = X$ and $X \oplus X = 0$ in $GF(2)$. From these rules also
follow the identities $\Pi_1(t)\Pi_2(t) = \Pi_3(t)$, $\Pi_1(t)\Pi_3(t) = \Pi_2(t)\Pi_3(t) = \Pi_3(t)$ and
$\Pi_1(t)\Pi_4(t) = \Pi_2(t)\Pi_4(t) = 0$, which reduce products of $\Pi$'s taken at the same clock $t$:
$$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$$
$$c^0_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus z_t = \Pi_1(t) \oplus z_t$$
$$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1 = \Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1$$
$$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1} = \Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1}$$
Substituting into (78):
$$\begin{aligned}
0 &= B(t)\bigl(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2}\bigr)\\
&= \bigl(\Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1\bigr)\bigl(\Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1} \oplus \Pi_2(t+1)\\
&\qquad\quad \oplus \Pi_1(t+1) \oplus \Pi_1(t+1)z_{t+1} \oplus 1 \oplus 1 \oplus \Pi_1(t) \oplus z_t \oplus \Pi_1(t+1) \oplus z_{t+1} \oplus \Pi_1(t+2) \oplus z_{t+2}\bigr)\\
&= z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\\
&\quad \oplus \Pi_1(t)\bigl(z_t z_{t+2} \oplus z_t z_{t+1} \oplus z_t z_{t-1} \oplus z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\bigr)\\
&\quad \oplus \Pi_2(t)\bigl(z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}\bigr) \oplus \Pi_3(t)z_t \oplus \Pi_4(t)\\
&\quad \oplus \Pi_1(t-1) \oplus \Pi_1(t-1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t-1)\Pi_2(t)\\
&\quad \oplus \Pi_1(t+1)z_{t+1} \oplus \Pi_1(t+1)\Pi_1(t)z_{t+1}(1 \oplus z_t) \oplus \Pi_1(t+1)\Pi_2(t)z_{t+1}\\
&\quad \oplus \Pi_2(t+1) \oplus \Pi_2(t+1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_2(t+1)\Pi_2(t)\\
&\quad \oplus \Pi_1(t+2) \oplus \Pi_1(t+2)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t+2)\Pi_2(t)
\end{aligned}$$
Note that the two constants $1 \oplus 1$ inside the bracket (one from $B(t+1)$, one from (78) itself)
cancel, so the expanded relation has no constant term, the coefficient of $\Pi_2(t)$ is the plain
parity $z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}$, and the coefficient of $\Pi_1(t)$ contains $z_t$
rather than a constant 1. (With all $x^i_t = 0$ the relation reduces to
$z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2} = 0$, which indeed follows directly from (64).)
This equation has terms of degree at most 4 in the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ (in the
$\Pi$'s) and holds for any $t$. By iterating this equation we can build a system of nonlinear
equations (SNE) of degree 4 with the initial values of the four LFSRs as unknowns. These initial
states of the LFSRs have length 25, 31, 33 and 39, so the key to recover with the attack has the form:
$$K_0 = (a_0, \dots, a_{24},\ b_0, \dots, b_{30},\ c_0, \dots, c_{32},\ d_0, \dots, d_{38}) = (k_0, k_1, \dots, k_{127})$$
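The derivation above can be checked numerically. The following Python script is an added example (it is not part of the thesis and not Armknecht's code): it clocks the E0 combiner of equations (64)-(66) on uniformly random LFSR output bits, which suffices because the relation only involves the LFSR outputs $x^i_t$ and the keystream and never the feedback polynomials, and evaluates both the intermediate relation (78) and the fully expanded memory-free relation at every clock. It also evaluates the variant of the expansion that keeps a constant 1 instead of cancelling the $1 \oplus 1$ in the bracket, to show that this variant does not vanish. The function names (`e0_step`, `relation_78`, `keystream_relation`) are chosen here and are not the thesis's notation.

```python
"""Numerical check of Armknecht's memory-free relation for the E0 combiner.

Added example; not code from the thesis.  The four LFSRs are replaced by
uniformly random bits x^1_t..x^4_t: the relation only ties LFSR output bits
to keystream bits and never uses the feedback polynomials, so random inputs
exercise it completely.  Memory bits c_t = (c^1_t, c^0_t) follow (64)-(66).
"""
import random
from itertools import combinations


def pi(x, i):
    """Pi_i(t): XOR of all degree-i products of the four bits x = (x1..x4)."""
    return sum(all(x[j] for j in idx) for idx in combinations(range(4), i)) & 1


def e0_step(x, c, c_prev):
    """One clock of the E0 finite state machine (equations (41), (64), (66)).

    Returns the keystream bit z_t and the next memory c_{t+1} = (c1, c0)."""
    c1, c0 = c
    p1, p0 = c_prev                              # (c^1_{t-1}, c^0_{t-1})
    z = x[0] ^ x[1] ^ x[2] ^ x[3] ^ c0           # z_t = Pi_1(t) xor c^0_t
    s = (sum(x) + 2 * c1 + c0) >> 1              # s_{t+1}, a 2-bit integer
    s1, s0 = (s >> 1) & 1, s & 1
    c1_next = s1 ^ c1 ^ p0                       # (69)
    c0_next = s0 ^ c0 ^ p1 ^ p0                  # (71)
    return z, (c1_next, c0_next)


def run_trial(rng, n=64):
    """Clock the combiner n times from a random memory state.

    Returns the LFSR bits x[t], keystream z[t] and memory bits c0[t]."""
    x = [tuple(rng.randrange(2) for _ in range(4)) for _ in range(n)]
    c_prev = (rng.randrange(2), rng.randrange(2))
    c = (rng.randrange(2), rng.randrange(2))
    z, c0 = [], []
    for t in range(n):
        c0.append(c[1])
        zt, c_next = e0_step(x[t], c, c_prev)
        z.append(zt)
        c_prev, c = c, c_next
    return x, z, c0


def relation_78(x, c0, t):
    """Intermediate relation (78), still written with the memory bits c^0."""
    def B(i):
        return pi(x[i], 2) ^ (pi(x[i], 1) & c0[i]) ^ 1
    A = pi(x[t], 4) ^ (pi(x[t], 3) & c0[t]) ^ c0[t - 1]
    return B(t) & (A ^ B(t + 1) ^ 1 ^ c0[t] ^ c0[t + 1] ^ c0[t + 2])


def keystream_relation(x, z, t):
    """The fully expanded degree-4 relation in LFSR bits and keystream only.

    Evaluates to 0 at every clock t if the expansion is correct."""
    P1, P2, P3, P4 = (pi(x[t], i) for i in (1, 2, 3, 4))
    M1 = pi(x[t - 1], 1)
    Q1, Q2 = pi(x[t + 1], 1), pi(x[t + 1], 2)
    R1 = pi(x[t + 2], 1)
    zm, z0, z1, z2 = z[t - 1], z[t], z[t + 1], z[t + 2]
    u = 1 ^ z0
    Z = zm ^ z0 ^ z1 ^ z2
    return (Z
            ^ (P1 & ((z0 & z2) ^ (z0 & z1) ^ (z0 & zm) ^ zm ^ z0 ^ z1 ^ z2))
            ^ (P2 & Z) ^ (P3 & z0) ^ P4
            ^ M1 ^ (M1 & P1 & u) ^ (M1 & P2)
            ^ (Q1 & z1) ^ (Q1 & P1 & z1 & u) ^ (Q1 & P2 & z1)
            ^ Q2 ^ (Q2 & P1 & u) ^ (Q2 & P2)
            ^ R1 ^ (R1 & P1 & u) ^ (R1 & P2))


def relations_hold(trials=200, seed=1):
    """True if (78) and its expansion vanish at every clock of every trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, z, c0 = run_trial(rng)
        for t in range(1, len(x) - 2):
            if relation_78(x, c0, t) or keystream_relation(x, z, t):
                return False
    return True


def expansion_with_constant_holds(trials=200, seed=1):
    """Same check for the variant that keeps a constant 1 (i.e. does not
    cancel the 1 xor 1 inside the bracket); that variant differs by B(t)."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, z, c0 = run_trial(rng)
        for t in range(1, len(x) - 2):
            bt = pi(x[t], 2) ^ pi(x[t], 1) ^ (pi(x[t], 1) & z[t]) ^ 1
            if keystream_relation(x, z, t) ^ bt:
                return False
    return True


if __name__ == "__main__":
    print("corrected relation holds:", relations_hold())
    print("variant with constant 1 holds:", expansion_with_constant_holds())
```

Because every term is a product of at most four $x$ bits at clock $t$ with $x$ bits at clocks $t-1$, $t+1$, $t+2$ and keystream bits, the same script can be used to enumerate the monomials that appear after substituting the LFSR recurrences, which is what determines $T$ below.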
Although the long equation above uses the output bits of the LFSRs at clock $t$, we are able to
rewrite the equation in terms of the initial state bits. This is possible since we can construct
a linear function $L : GF(2)^n \to GF(2)^n$, where $n = 128$ is the total length of the four LFSRs,
which linearly maps the state $K_t$ to $K_{t+1}$, i.e. $K_{t+1} = L(K_t)$ for each clock $t$:
$$\begin{aligned}
K_1 &= L(k_0, k_1, \dots, k_{127}) = L(K_0)\\
K_2 &= L(k_1, k_2, \dots, k_{128}) = L\bigl(L(k_0, k_1, \dots, k_{127})\bigr) = L^2(K_0)\\
&\;\;\vdots\\
K_t &= L(k_{t-1}, k_t, \dots, k_{t+126}) = L^t(K_0)
\end{aligned}$$
So we can rewrite the long equation, following the notation of Theorem 15, as:
$$\begin{aligned}
0 &= F\bigl(K_0, \dots, L^3(K_0), z_0, z_1, z_2, z_3\bigr)\\
0 &= F\bigl(L(K_0), \dots, L^4(K_0), z_1, \dots, z_4\bigr)\\
0 &= F\bigl(L^2(K_0), \dots, L^5(K_0), z_2, \dots, z_5\bigr)\\
0 &= F\bigl(L^3(K_0), \dots, L^6(K_0), z_3, \dots, z_6\bigr)\\
&\;\;\vdots\\
0 &= F\bigl(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3}\bigr)
\end{aligned}$$
where $F$ is a multivariate relation of degree 4 (at most).
Since the LFSR output bits $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ can be expressed as linear functions of the
initial state bits, only a finite number of different terms can occur. Armknecht found that this
number is $T = 17{,}440{,}047 \approx 2^{24.056}$. This means that we get a system of nonlinear equations
in $T$ unknowns (one per term). To solve this system by linearisation we thus need at least $T$
equations, obtained by clocking the system that many times. The linearised system can be solved
with Strassen's algorithm in $O(7\,T^{\log_2 7})$ or with the Coppersmith-Winograd algorithm
[Coppersmith90] in $O(T^{\omega})$, $\omega \leq 2.376$.
8.3.9. Fast Algebraic attack, N. Courtois and F. Armknecht
As an extension of the algebraic attack of F. Armknecht, the fast algebraic attack enables us to
work with equations of lower degree (see also Section 5.3.7 and Section 5.3.8). By reducing the
degree of the system of equations, the run-time complexity decreases. The fast algebraic attack
was introduced by Nicolas Courtois in [Courtois03a] and by Frederik Armknecht in [Armknecht04c].
The attack decreases the degree of the system of equations by using linear combinations of
equations. The degree-4 relation of Section 8.3.8 can be written in the form:
$$0 = F\bigl(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3}\bigr)$$
$$0 = F_1\bigl(L^t(K_0), \dots, L^{t+3}(K_0)\bigr) + F_2\bigl(L^t(K_0), \dots, L^{t+3}(K_0), z_t, \dots, z_{t+3}\bigr)$$
where $F = (F_1, F_2)$, $F_1$ and $F_2$ are multivariate relations, $F_1$ of high degree $d_1$ and $F_2$ of
lower degree $d_2$, and only $F_2$ depends on the keystream. Linear combinations of consecutive
equations cancel the high-degree monomials of degree $d_2 + 1, d_2 + 2, \dots, d_1$ that occur in $F_1$,
leaving a system of degree $d_2$.
In [Hawkes04] another approach has been proposed: by using the Fast Fourier Transform
(FFT), the complexity of substituting the keystream into the equations can be decreased, resulting
in an expected processing complexity of $O(2^{49})$. These $2^{49}$ operations can be performed in about
35 hours on a 4 GHz machine. The attack requires $2^{23.4}$ keystream output bits.
CHAPTER 9
Bluetooth Pairing and Authentication process
9.1. Introduction
This section will explore in depth the pairing and authentication process used by the Bluetooth
system when operating in the Bluetooth Security Mode 3: Link-level security mode. Within
this security mode, the Bluetooth devices will initiate security measures before establishing a
channel by pairing (bonding).
Very recently, Y. Shaked and A. Wool discovered a new attack [Shaked05] on this security mechanism.
This attack will be discussed in Section 9.5. But first we will introduce the SAFER+
block cipher, used in the pairing and authentication key generation.
9.2. SAFER+
SAFER+ is a non-proprietary block cipher algorithm used in the generation of the different
keys of the Bluetooth pairing and authentication processes. SAFER+ was invented by Prof. J.L.
Massey, Prof. G.H. Khachatrian and Dr. M.K. Kuregian for Cylink Corporation. SAFER+ was
one of the candidates for the Advanced Encryption Standard (AES). SAFER+ is based on the
SAFER block cipher family. If sufficient rounds are used, SAFER is still a safe algorithm, but
SAFER uses blocks of 64 bits, which is too small for Bluetooth. SAFER+ uses a block size of
128 bits for the plaintext and ciphertext and supports three user-selected key lengths, namely
128, 192 and 256 bits. Bluetooth uses the standard 128-bit key length, which requires 8
rounds in the SAFER+ algorithm. SAFER+ also has an important improvement over the SAFER
algorithm: an Armenian Shuffle permutation is used, which boosts the diffusion of single-bit
modifications in the input data. This is a highly desirable property for a good block cipher.
SAFER+ consists of an encryption subsystem and a key scheduling subsystem. The key
scheduling subsystem (KSA) (see Figure 9.1) provides 17 different 128-bit subkeys, called
round keys, to the encryption subsystem. Each round key is a vector of 16 octets, and each
encryption round uses two of them. We regard octets as being integers 0, 1, ..., 255
or as being eight-dimensional binary-valued vectors. Each of these 16-octet vectors $K_i =
(K_i[0], K_i[1], \dots, K_i[15])$, except the first, is offset by a bias $B_i = (b_i[0], b_i[1], \dots, b_i[15])$,
$i = 2, 3, \dots, 17$, using modulo-256 addition. The bias vectors are defined by
$$b_i[j] = \Bigl(45^{\,(45^{\,17i+j+1} \bmod 257)} \bmod 257\Bigr) \bmod 256, \quad \text{for } j = 0, 1, \dots, 15. \tag{79}$$
In each step of the key scheduling algorithm, each byte of the key register is cyclically rotated
left by 3 bit positions and 16 of the 17 bytes are selected for the output round key.
FIGURE 9.1. SAFER+ key scheduling [SIG03].
In the encryption subsystem, the round keys are fed into the 8 identical SAFER+ rounds and
added into the round data. Each round uses two round keys, and the 17th key is used in the SAFER+
output transformation. The key addition is done by intertwined modulo-256 additions and XORs;
diffusion is provided by a Pseudo Hadamard Transform (PHT) mapping and a 16-byte permutation,
the Armenian Shuffle, and nonlinearity by two substitution tables E and L.
The Pseudo Hadamard Transform takes two input bytes and produces two output bytes:
$$PHT(a, b) = \bigl((2a + b) \bmod 256,\ (a + b) \bmod 256\bigr) \tag{80}$$
The Armenian Shuffle permutes the 16 PHT output bytes, written here as pairs of byte positions:
$$(0\ 8)(1\ 11)(2\ 12)(3\ 15)(4\ 2)(5\ 1)(6\ 6)(7\ 5)(8\ 10)(9\ 9)(10\ 14)(11\ 13)(12\ 0)(13\ 7)(14\ 4)(15\ 3) \tag{81}$$
The mappings E and L introduce the nonlinearity of SAFER+:
$$E, L : \{0, 1, \dots, 255\} \to \{0, 1, \dots, 255\} \tag{82}$$
$$E : x \mapsto (45^x \bmod 257) \bmod 256 \tag{83}$$
$$L : x \mapsto y \ \text{ such that } \ x = E(y) \tag{84}$$
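The components just defined can be implemented directly. The following Python module is an added example (it is not the thesis's code and not a Bluetooth SIG or Cylink implementation): it builds the E and L tables from (83)-(84), the PHT (80) and its inverse, the Armenian shuffle (81) and its inverse, the bias vectors of (79) and the 3-bit rotation step of the key schedule, and it measures how many bytes a single-byte input change reaches after four PHT/shuffle layers. Everything not fixed by the text is an assumption and is marked as such in the code: the direction in which (81) is read (byte i moves to position SHUFFLE[i]), the linear layer being four repetitions of eight PHTs followed by the shuffle, the 17th key-register byte being the XOR of the 16 key bytes, and round key $K_i$ taking register bytes $i-1, \dots, i+14 \pmod{17}$.

```python
"""SAFER+ building blocks as defined in (79)-(84).

Added example, not code from the thesis or the Bluetooth SIG.  Assumed here
and not spelled out in the text: the 17th key-register byte is the XOR of the
16 key bytes and round key K_i takes register bytes i-1 .. i+14 (mod 17),
the shuffle moves the byte at position i to position SHUFFLE[i], and the
linear layer is four repetitions of (eight PHTs, then the shuffle).
"""
from functools import reduce

# E(x) = (45^x mod 257) mod 256 and its inverse L, equations (83), (84).
# 45 generates GF(257)*, so E is a bijection on 0..255 once 45^128 = 256
# is folded onto 0 by the final mod 256.
E_TABLE = [pow(45, x, 257) % 256 for x in range(256)]
L_TABLE = [0] * 256
for _x, _e in enumerate(E_TABLE):
    L_TABLE[_e] = _x

# Armenian shuffle (81): byte i moves to position SHUFFLE[i] (assumed direction).
SHUFFLE = [8, 11, 12, 15, 2, 1, 6, 5, 10, 9, 14, 13, 0, 7, 4, 3]


def pht(a, b):
    """Pseudo Hadamard Transform (80)."""
    return (2 * a + b) % 256, (a + b) % 256


def pht_inv(c, d):
    """Inverse PHT: from (2a+b, a+b) recover (a, b)."""
    return (c - d) % 256, (2 * d - c) % 256


def shuffle(block):
    out = [0] * 16
    for i, v in enumerate(block):
        out[SHUFFLE[i]] = v
    return out


def unshuffle(block):
    return [block[SHUFFLE[i]] for i in range(16)]


def linear_layer(block):
    """Four rounds of (eight parallel PHTs, then the Armenian shuffle); assumed layout."""
    for _ in range(4):
        mixed = []
        for i in range(0, 16, 2):
            mixed.extend(pht(block[i], block[i + 1]))
        block = shuffle(mixed)
    return block


def linear_layer_inv(block):
    for _ in range(4):
        block = unshuffle(block)
        out = []
        for i in range(0, 16, 2):
            out.extend(pht_inv(block[i], block[i + 1]))
        block = out
    return block


def diffusion(pos, delta=1):
    """Count output bytes that change when input byte `pos` changes by delta."""
    base = [0] * 16
    mod = list(base)
    mod[pos] = delta
    return sum(a != b for a, b in zip(linear_layer(base), linear_layer(mod)))


def bias_vector(i):
    """B_i of equation (79) for i = 2..17."""
    return [pow(45, pow(45, 17 * i + j + 1, 257), 257) % 256 for j in range(16)]


def rotl8(b, r=3):
    """Rotate one byte left by r bits (the text's 3-bit rotation step)."""
    return ((b << r) | (b >> (8 - r))) & 0xFF


def round_keys(key):
    """The 17 round keys of the 128-bit key schedule described in the text:
    K_1 is the key itself; for K_2..K_17 every register byte is rotated left
    by 3 bits, 16 of the 17 bytes are selected and the bias B_i is added."""
    assert len(key) == 16
    reg = list(key) + [reduce(lambda a, b: a ^ b, key)]    # parity byte (assumed)
    keys = [list(key)]
    for i in range(2, 18):
        reg = [rotl8(b) for b in reg]
        sel = [reg[(i - 1 + j) % 17] for j in range(16)]   # sliding window (assumed)
        keys.append([(s + b) % 256 for s, b in zip(sel, bias_vector(i))])
    return keys


if __name__ == "__main__":
    print("E(0) =", E_TABLE[0], " E(128) =", E_TABLE[128])
    print("bytes reached from byte 0:", diffusion(0))
    print("K_2 for the all-zero key =", bytes(round_keys(bytes(16))[1]).hex())
```

E(0) = 1 and E(128) = 0, so the value 256 that the exponentiation produces is folded onto 0 exactly as the `mod 256` in (83) intends, and L is a true inverse on all 256 values. With the assumed arrangement a change in byte 0 reaches all 16 output bytes after the four PHT/shuffle layers, which is the diffusion property the Armenian shuffle is credited with above; for the all-zero key the second round key equals the bias vector $B_2$, which makes the bias computation easy to compare against a reference table.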
9.3. Bluetooth Pairing process
The first time two devices communicate with each other they are authenticated during the
initialization process and a link key K_AB is generated. This link key will also be used in further
authentications and in the encryption procedures.
During the initialization or pairing (see Figure 9.2), the two devices simultaneously produce
their own temporary initialization key K_INIT. This key is generated by a part of the E2
link key generation function, more specifically the E22 function, which is based on the SAFER+
algorithm. The E22 function uses the PIN code entered by the user (on both devices), the
48-bit Bluetooth device address (BD_ADDR) of one of the devices and a 128-bit shared random
number (IN_RAND) to generate the 128-bit initialization key K_INIT. The PIN code used in
Bluetooth devices can vary between 1 and 16 bytes. The typical 4-digit PIN may be sufficient for
some applications; however, longer codes may be necessary. If the identical PIN code was
entered on both devices, the generated K_INIT will be equal on both devices, which means they
are authorized to create a link. If one of the devices has a fixed PIN, the BD_ADDR of the peer
device is used; otherwise the BD_ADDR of the device that receives IN_RAND is used. Within
the E22 algorithm, the PIN and the BD_ADDR are combined: if the PIN is too short, it is
lengthened with bytes from the BD_ADDR, and if this new word is still too short, it is expanded
cyclically until it has 128 bits.
FIGURE 9.2. Initialization key KINIT generation with the E22 algorithm [Shaked05].
Once both devices have the same initialization key K_INIT, they use it to generate the
semi-permanent link key K_AB, so that the pairing can be remembered by the devices and the
initialization phase is eliminated on subsequent connections: the two devices possess a shared
secret that they can use when they meet again. The initialization key K_INIT is only used during
the pairing process. After the link key K_AB is created, K_INIT is discarded.
The link key is generated by exchanging two 128-bit random words between the devices.
These random words, LK_RAND_A and LK_RAND_B, are sent to the other device after bitwise
XORing them with the K_INIT key both devices have. After both devices have both random
numbers LK_RAND_A and LK_RAND_B, they both create the semi-permanent link key K_AB with
the algorithm E21, which is also based on the SAFER+ algorithm. This algorithm is used twice:
once with BD_ADDR_A, cyclically expanded to 128 bits, and LK_RAND_A of one device to
create LK_K_A, and once with BD_ADDR_B, cyclically expanded to 128 bits, and LK_RAND_B
of the other device to create LK_K_B, after which LK_K_A and LK_K_B are XORed to form K_AB.
See Figure 9.3.
FIGURE 9.3. Link key KAB generation with the E21 algorithm [Shaked05].
The link key can be a unit key for devices with limited memory. The unit key is generated by the
device on its own with E21 from its BD_ADDR and a 128-bit random number LK_RAND, and is
transferred to the peer protected by K_INIT. This unit key will then be used within any other
link, which makes it unsafe, since any linked device knowing this unit key can impersonate any
other device with the
same unit key. It is also possible to create a link key using higher-layer key exchange methods and
then import the link key into the Bluetooth modules.
The master device has the possibility to broadcast data to all or several slave devices. The
master will use a temporary master link key for this purpose, which is also generated by the
E22 function from two 128-bit random numbers. Each slave receives this master key by using
an overlay number, which is generated from an exchanged random number and the link key.
The E21 algorithm used to create the link key K_AB is built around a modified SAFER+
algorithm A'_r. This modified SAFER+ is used so that the E21 algorithm cannot be applied
directly as an invertible encryption algorithm; this prevents the algorithm from being used for
encryption and avoids problems with export regulations. The difference between the original
A_r and the E21 A'_r lies in the third round of the SAFER+ algorithm: in A'_r, the original
input to the algorithm is also added to the input of this third round, which is not done in A_r.
The authentication procedure, which uses the E1 function, and the encryption-key generation
function E3 are explained in more detail in the following sections.
9.4. Bluetooth Authentication process
The Bluetooth challenge-response authentication procedure, briefly introduced in Section 7.4.2,
is depicted conceptually in Figure 9.4. As shown, one of the Bluetooth devices (the claimant)
attempts to reach and connect to another device (the verifier).
The steps in the authentication process are the following:
a) The claimant transmits its 48-bit address (BD_ADDR) to the verifier.
b) The verifier generates and transmits (in plaintext) a 128-bit random challenge (AU_RAND_A)
to the claimant.
c) The claimant and the verifier both use the authentication function E1 to compute an
authentication response SRES, using the claimant's BD_ADDR (expanded cyclically to
128 bits), the link key K_AB and the random challenge AU_RAND_A as inputs.
d) The claimant returns the computed signed response, SRES, to the verifier.
e) The verifier compares the SRES from the claimant with the SRES that it computed itself.
f) If the two 32-bit SRES values are equal, the claimant is authenticated by the verifier,
and for mutual authentication the procedure is repeated with the roles of verifier and
claimant switched.
g) If the mutual authentication has succeeded, the connection is established and the
devices can exchange information.
FIGURE 9.4. Bluetooth Authentication [Karygiannis02a].
Within the authentication procedure, the E1 algorithm is used. This algorithm is called a mes-
sage authentication code (MAC) algorithm and it is also built around the SAFER+ block cipher
algorithm.
9.5. PIN recovery
If we take a look at all messages sent between two devices during the pairing and authentication
process, we come up with the following list for the messages sent from the first device
A to the second device B: BD_ADDR, IN_RAND, LK_RAND_A, AU_RAND_A and SRES.
The messages sent from the second device B to the first device A are then: BD_ADDR,
LK_RAND_B, SRES and AU_RAND_B. All these messages are sent as plaintext, except
the LK_RAND messages, which are XORed with the K_INIT key.
So it is easy to see that an attacker could eavesdrop on the entire pairing and authentication
process and try to recover the PIN code used. Since the attacker knows IN_RAND and the
BD_ADDR of the devices, the attacker can recover the PIN code with a brute force attack. By
guessing the value of the PIN code and running the E22 algorithm, a hypothesis for K_INIT is
obtained (see Figure 9.2). To test whether this hypothesis for K_INIT is right, the attacker first
uses the K_INIT hypothesis to unmask the LK_RAND values and then uses these values to
compute the link key K_AB with the E21 algorithm (see Figure 9.3). Now the attacker can test
whether the PIN code was guessed correctly by checking whether the observed SRES values are
equal to the values the attacker computes from the link key K_AB and the observed AU_RAND
values (see Figure 9.4). Since the two SRES values provide 64 bits of data to test against, the
attacker can successfully recover PIN codes of fewer than 64 bits, i.e. up to 19 decimal digits.
The whole process of this attack is illustrated by the flowchart of Figure 9.5.
As this attack is very straightforward, the concept was known to the Bluetooth SIG during the
design of the Bluetooth specifications. For this reason, the Bluetooth SIG recommends using long
PIN codes and establishing the first pairing only in a safe environment. Newer versions
of the Bluetooth specification will switch to longer alphanumeric PIN codes to drive
the number of combinations into the millions and make the attack impractical. But until this
newer version is released, users should be aware of this risk.
Recently, the attack described above has been implemented and optimized by Yaniv Shaked
and Avishai Wool [Shaked05]. But since the initial pairing has to be established only once
when a new device is connected, and the attack requires recording all pairing and authentication
messages, the attack was not very practical. Once the link key K_AB has been created,
FIGURE 9.5. Flowchart of the PIN recovery attack [Shaked05].
the Bluetooth devices store this link key and reuse it on later connections with the same
device, skipping the pairing process. So Shaked and Wool created a second attack
[Shaked05] that exploits the connection establishment protocol to force the communicating
devices to repeat the pairing process. This makes it possible for an attacker to record the
pairing messages and use them in the first attack.
The connection protocol of the Bluetooth specification allows Bluetooth devices to forget the
link key K_AB from a previous pairing. An attacker can abuse this if he has a special Bluetooth
device that makes it possible to spoof the BD_ADDR and to inject a specific message at
precise points in the communication protocol. The attacker can then pretend to be one of the
devices and inject, during the authentication, the special protocol codes [SIG03] that denote that
it has forgotten the link key. Instead of using the special protocol codes, the attacker can also
return a wrong answer to the authentication request. Both cases will make the devices discard
the link key and run through the pairing process during the next connection establishment. This
allows the attacker to record all pairing messages and use the first attack to recover the PIN
code. It has to be noted that a user may notice the attack, since he will have to enter his PIN
code again.
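The attack can be run end to end against a captured transcript once the three key functions are available. The following Python script is an added example, not the thesis's code and not Shaked and Wool's implementation: it builds the pairing and mutual authentication transcript the text lists, then recovers the PIN by the brute-force procedure of Figure 9.5 (guess PIN, derive K_INIT with E22, unmask both LK_RAND values, derive K_AB with E21, check both observed SRES values). E22, E21 and E1 are stand-ins built on HMAC-SHA-256 so that the example runs without a SAFER+ implementation; they are not the Bluetooth functions, so only the protocol logic is faithful, not the per-guess cost. Also assumed: the BD_ADDR fed into E22 is that of the device receiving IN_RAND, E1 binds the claimant's BD_ADDR, and all transcript values are constructed.

```python
"""Offline PIN recovery from an eavesdropped pairing + authentication.

Added example, not the thesis's code nor Shaked & Wool's.  E22, E21 and E1
are stand-ins built on HMAC-SHA-256 so that the protocol logic of the attack
can run here; they are NOT the SAFER+-based Bluetooth functions, so only the
structure of the attack is faithful, not the per-guess cost.  Assumed: the
BD_ADDR mixed into E22 is that of the device receiving IN_RAND (device B),
and E1 binds the claimant's BD_ADDR.  All transcript values are constructed.
"""
import hashlib
import hmac


def expand_pin(pin, bd_addr):
    """PIN' = PIN || BD_ADDR, cut to 16 bytes, then cyclically expanded to 128 bits."""
    pin_prime = (pin + bd_addr)[:16]
    return bytes(pin_prime[i % len(pin_prime)] for i in range(16))


def expand_addr(bd_addr):
    """48-bit BD_ADDR cyclically expanded to 128 bits."""
    return bytes(bd_addr[i % 6] for i in range(16))


def _prf(label, key, data, n):
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def e22(pin, bd_addr, in_rand):        # stand-in for E22 -> K_INIT (128 bits)
    return _prf(b"E22", expand_pin(pin, bd_addr), in_rand, 16)


def e21(lk_rand, bd_addr):             # stand-in for E21 -> LK_K (128 bits)
    return _prf(b"E21", lk_rand, expand_addr(bd_addr), 16)


def e1(link_key, au_rand, bd_addr):    # stand-in for E1 -> SRES (32 bits)
    return _prf(b"E1", link_key, au_rand + expand_addr(bd_addr), 4)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pairing_transcript(pin, addr_a, addr_b, in_rand, lk_rand_a, lk_rand_b,
                       au_rand_a, au_rand_b):
    """Everything an eavesdropper sees: A pairs with B, then both authenticate."""
    k_init = e22(pin, addr_b, in_rand)
    k_ab = xor(e21(lk_rand_a, addr_a), e21(lk_rand_b, addr_b))
    return {
        "addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
        "lk_rand_a_masked": xor(lk_rand_a, k_init),   # only LK_RAND is masked
        "lk_rand_b_masked": xor(lk_rand_b, k_init),
        "au_rand_a": au_rand_a, "sres_b": e1(k_ab, au_rand_a, addr_b),
        "au_rand_b": au_rand_b, "sres_a": e1(k_ab, au_rand_b, addr_a),
    }


def check_pin(pin, tr):
    """Run the flowchart of Figure 9.5 for one PIN hypothesis."""
    k_init = e22(pin, tr["addr_b"], tr["in_rand"])
    lk_rand_a = xor(tr["lk_rand_a_masked"], k_init)
    lk_rand_b = xor(tr["lk_rand_b_masked"], k_init)
    k_ab = xor(e21(lk_rand_a, tr["addr_a"]), e21(lk_rand_b, tr["addr_b"]))
    return (e1(k_ab, tr["au_rand_a"], tr["addr_b"]) == tr["sres_b"]
            and e1(k_ab, tr["au_rand_b"], tr["addr_a"]) == tr["sres_a"])


def recover_pin(tr, max_digits=4):
    """Brute-force all decimal PINs of 1..max_digits digits, shortest first."""
    for n in range(1, max_digits + 1):
        for v in range(10 ** n):
            pin = str(v).zfill(n).encode()
            if check_pin(pin, tr):
                return pin
    return None


# Constructed sample capture (not a real trace).
ADDR_A = bytes.fromhex("001122334455")
ADDR_B = bytes.fromhex("66778899aabb")
SAMPLE = pairing_transcript(
    pin=b"1234", addr_a=ADDR_A, addr_b=ADDR_B,
    in_rand=bytes(range(16)), lk_rand_a=bytes(range(16, 32)),
    lk_rand_b=bytes(range(32, 48)), au_rand_a=bytes(range(48, 64)),
    au_rand_b=bytes(range(64, 80)))

if __name__ == "__main__":
    print("recovered PIN:", recover_pin(SAMPLE))
```

Both SRES values are checked, so a wrong PIN survives with probability about $2^{-64}$ per guess; the search space, not the filter, is what limits the attack, which is why the text's remedy is longer and non-numeric PINs. Replacing the three stand-ins by the SAFER+-based E22, E21 and E1 turns the script into the attack proper without changing `check_pin` or `recover_pin`.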
CHAPTER 10
Conclusion
The main goal of this thesis was to study and analyze the security of the Bluetooth architecture.
We tried to cover all the low-level security features supported by the Bluetooth
specifications. The thesis concentrated on the stream cipher and block cipher properties, on the
encryption and on the pairing and authentication.
The starting point of this thesis was the Bluetooth specification with all the properties of the
Bluetooth architecture. Although not all these properties are related to the security of the
Bluetooth system, they were explored in this thesis as the author is a member of the faculty
of Computer Science and thus also interested in other parts of the specifications besides the
security.
Within the thesis, we always went from a more general and theoretical overview to the specific
and practical details. This was the result of a lot of research, both very theoretical and very
specific to Bluetooth. The study of the encryption system started by reviewing existing literature,
covering theorems of information theory, cryptography and the general properties of
stream ciphers. This was essential to understand the design principles of the Bluetooth security
properties. We reviewed in detail which types of attacks on wireless networks exist and
covered the attacks on stream ciphers in general.
The different modes and levels of security have been discussed in general and an overview
of different types of practical attacks on Bluetooth devices has been given. Most of these
attacks, for example the Snarf attack, the Backdoor attack, Bluejacking, etc., are of less interest
within Bluetooth protocol security research, since they are based on the malfunction of specific
Bluetooth implementations. Nevertheless, these attacks can be used in practice and can thus
have an impact on the overall security. The Bluetooth technology is relatively young and quite
complex, making it very difficult to verify all aspects that could result in security problems.
The study covered an in depth analysis of the E0 encryption algorithm. We did not only cover
the complete functionality of the E0 system, we also analysed many of the recent attacks.
A basic simulation of the E0 algorithm and some parts of the attack of Armknecht (Section
8.3.8) and Fluhrer (Section 8.3.5) were implemented, although this was more a way to be able
to fully understand them.
The most important attacks on the E0 encryption system include the correlation attacks and
the algebraic attacks. The correlation attacks are based on a presumed correlation between the
input and output bits. The algebraic attacks exploit the fact that the output bits can be expressed
by an algebraic relation in terms of the initial state bits. The best attacks currently known are
the fast algebraic attack of Armknecht [Armknecht04c] and Courtois [Courtois03a] and the
fast correlation attack of Lu and Vaudenay [Lu04]. We have seen that the latter can recover the
initial state of the LFSRs and the FSM in a known-plaintext attack with approximately $2^{39}$
keystream bits and a time complexity of approximately $2^{39}$. If we compare the different attacks
on the encryption engine (Figure 10.1), we can see that the complexity of the attacks has been
greatly reduced over the last years.
We can conclude that currently there is no attack known that breaks the complete encryption
procedure with reasonable effort and a practically available number of keystream bits. However,
the security margin is insufficient to feel comfortable about the years to come. Since research on
the attacks continues actively, future attacks may succeed in reducing the cryptanalytic workload
to a practical level.
Besides the encryption system based on stream ciphers, we also analysed the pairing and au-
thentication mechanisms of Bluetooth, based on the SAFER+ block cipher. So again we first
explored the general and theoretical elements of the block cipher, before analysing the details
of SAFER+ and the specific Bluetooth pairing and authentication properties.
FIGURE 10.1. Complexities of the E0 attacks. [Kiviharju04]
Recently a new attack to break the Bluetooth pairing process was published by Yaniv Shaked
and Avishai Wool in [Shaked05]. We analysed this attack, which makes it possible to recover
the PIN code used by two observed pairing devices. It has been shown that this can even
be exploited after the devices have passed the pairing process. Yet this attack requires a special
Bluetooth device to be able to manipulate the Bluetooth protocol messages.
After this research we may conclude that there are a lot of security problems with Bluetooth;
the most important are related to encryption, pairing, location tracking and implementation
flaws. Still, Bluetooth can be seen as quite safe for its intended usage. For a practical
multifunctional protocol such as Bluetooth, many considerations must be made to find a good
balance between functionality, user-friendliness, speed and security. The active research on this
topic will help enhance the Bluetooth system in future versions.
References
[Abdelhameed01] A. Abdelhameed and S.A. Ibrahim. VLSI Design and Implementation of
ASICs for the Security Core of Bluetooth Wireless Communication System Standard.
Master's thesis. Ain Shams University. 2000-2001.
[Aissi04] S. Aissi, C. Gehrmann and K. Nyberg. Proposal for Enhancing Bluetooth Se-
curity Using an Improved Pairing Mechanism. 2004.
[Anand01] N. Anand. An Overview of Bluetooth Security. February 2001.
[Anderson94] R. Anderson. Searching for the Optimum Correlation Attack. 1994.
[Armknecht02] F. Armknecht. A linearisation attack on the Bluetooth key stream generator.
2002.
[Armknecht04a] F. Armknecht. An Algebraic Attack on the Bluetooth Key Stream Generator. 2004.
[Armknecht04b] F. Armknecht. Algebraic Attacks on Stream Ciphers. 2004.
[Armknecht04c] F. Armknecht. On Fast Algebraic Attacks. March 2004. Talk at the 9th Estonian
Winter School in Computer Science, Palmse, Estonia.
[Armknecht04d] F. Armknecht. On the Existence of Low-Degree Equations for Algebraic Attacks.
2004.
[Armknecht04e] F. Armknecht, J. Lano and B. Preneel. Extending the Resynchronization At-
tack. 2004.
[Armknecht05a] F. Armknecht. Algebraic Attacks and Annihilators. 2005.
[Armknecht05b] F. Armknecht and W. Meier. Fault Attacks on Combiners with Memory. 2005.
U.S.Patent No. 4,797,922.
[Association69] Electronics Industries Association. EIA Standard RS-232-C Interface Between
Data Terminal Equipment and Data Communication Equipment Employing Se-
rial Data Interchange. August 1969. reprinted in Telebyte Technology "Data
Communication Library", Greenlawn NY, 1985.
[BE03] H. Bar-El. Introduction to Side Channel Attacks. 2003.
[Biryukov03] A. Biryukov, C. De Cannière and G. Dellkrantz. Cryptanalysis of Safer++.
2003.
[Biryukov04] A. Biryukov. Block Ciphers and Stream Ciphers: the State of the Art. 2004.
[Blewitt97] G. Blewitt. Basics of the GPS Technique: Observation Equations. 1997.
[Brassard88] G. Brassard. Modern Cryptology. Springer-Verlag. 1988.
[Candolin00] C. Candolin. Security Issues for Wearable Computing and Bluetooth Technology. 2000.
[Cannière01] C. De Cannière, T. Johansson and B. Preneel. Cryptanalysis of the Bluetooth Stream Cipher. 2001.
[Chepyzhov03] V.V. Chepyzhov, T. Johansson and B. Smeets. A simple algorithm for fast correlation attacks on stream ciphers. 2003.
[Comer88] D.E. Comer. Internetworking with TCP/IP: principles, protocols, and architecture. Prentice Hall. Englewood Cliffs, N.J. 1988.
[Coppersmith90] D. Coppersmith and S. Winograd. Matrix Multiplication via Arithmetic Progressions. 1990. pp. 251–280.
[Coppersmith94] D. Coppersmith, H. Krawczyk and Y. Mansour. The shrinking generator. Advances in Cryptology - Crypto ’93. 1994. pp. 22–38.
[Cormen90] T.H. Cormen, C.E. Leiserson and R.L. Rivest. Introduction to Algorithms. 24 ed. The MIT Press. 1990.
[Courtois00] N.T. Courtois, A. Klimov, J. Patarin and A. Shamir. An Algebraic attack on the Bluetooth Key Stream Generator. 2000. pp. 392–407.
[Courtois02] N.T. Courtois. Higher Order Correlation Attacks, XL algorithm, and Cryptanalysis of Toyocrypt. 2002.
[Courtois03a] N.T. Courtois. Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. 2003. pp. 177–194.
[Courtois03b] N.T. Courtois and W. Meier. Algebraic Attacks on Stream Ciphers with Linear Feedback. 2003.
[Courtois04] N.T. Courtois. Algebraic Attacks on Combiners with Memory and Several Outputs. 2004.
[Cover91] T. Cover and J.A. Thomas. Elements of Information Theory. Wiley. 1991.
[Daemen95] J. Daemen. Cipher and Hash Function Design. Ph.D. thesis. Katholieke Universiteit Leuven. 1995.
[Dasgupta05] A. Dasgupta. Analysis of Different types of Attacks on Stream Ciphers and Evaluation of Security of Stream Ciphers. 2005.
[Davenport58] W.B. Davenport and W.L. Root. Introduction to the Theory of Random Signals and Noise. McGraw-Hill. New York. 1958.
[Ekdahl00] P. Ekdahl and T. Johansson. Some results on correlations in the Bluetooth stream cipher. 2000.
[Ekdahl03] P. Ekdahl. On LFSR based Stream Ciphers, Analysis and Design. Ph.D. thesis. Lund University. November 2003.
[Feistel73] H. Feistel. Cryptography and Computer Privacy. 1973.
[Fluhrer01] S.R. Fluhrer and S. Lucks. Analysis of the E0 encryption system. 2001. pp. 38–48.
[Flurher02] S.R. Fluhrer. Improved Key Recovery of Level 1 of the Bluetooth Encryption System. 2002.
[Forum01] WAP Forum. Wireless Application Protocol (WAP) Architecture 2.0. July 2001. http://www.wapforum.org.
[Gauthier02] E. Gauthier. A man-in-the-middle attack using Bluetooth in a WLAN interworking environment. 2002.
[Gehrmann02] C. Gehrmann. Bluetooth Security White Paper. 2002.
[Gehrmann04] C. Gehrmann, J. Persson and B. Smeets. Bluetooth Security. Artech House, Inc. 2004.
[Gergov94] J. Gergov and Ch. Meinel. Efficient Boolean function manipulation with OBDDs can be generalized to FBDDs. 1994. pp. 1197–1209.
[Golic02] J.D. Golic, V. Bagini and G. Morgari. Linear cryptanalysis of Bluetooth stream cipher. 2002. pp. 238–255.
[Golomb67] S.W. Golomb. Shift Register Sequences. 1967.
[Grimaldi99] R.P. Grimaldi. Discrete and combinatorial mathematics: an applied introduction. 4th ed. Addison Wesley Longman, Inc. 1999.
[Group03] The Shmoo Group. BlueSniff, The next Wardriving Frontier. 2003.
[Haartsen99] J. Haartsen. Hardware Architecture Overview. 1999.
[Hawkes04] P. Hawkes and G.G. Rose. Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers. 2004.
[Herfurt04] M. Herfurt. Bluesnarfing @ CeBIT 2004: Detecting and Attacking bluetooth-enabled Cellphones at the Hannover Fairground. 2004.
[Herfurt05] M. Herfurt, C. Mulliner, A. Laurie and M. Holtmann. trifinite.group. 2004-2005. http://trifinite.org.
[Hermelin00a] M. Hermelin. Cryptographic properties of the Bluetooth Combination Generator. Master's thesis. Helsinki University of Technology. 2000.
[Hermelin00b] M. Hermelin and K. Nyberg. Correlation properties of the Bluetooth combiner. 2000. pp. 17–29.
[Heys01] H.M. Heys. A Tutorial on Linear and Differential Cryptanalysis. 2001.
[Hopkins03] B. Hopkins and R. Antony. Bluetooth for Java. 2003.
[Howe05] D. Howe. Free On-Line Dictionary of Computing. 2005.
[Jakobsson03] M. Jakobsson and S. Wetzel. Security Weaknesses in Bluetooth. 2003.
[Johansson00] T. Johansson and F. Jönsson. Fast correlation attacks through reconstruction of linear polynomials. 2000. pp. 300–315.
[Kammer02] D. Kammer, G. McNutt, B. Senese and J. Bray. Bluetooth Application Developer’s Guide: The Short Range Interconnect Solution. 2002.
[Kardach98] J. Kardach. Bluetooth Architecture Overview. 1998.
[Karygiannis02a] T. Karygiannis and L. Owens. Wireless Network Security: 802.11, Bluetooth and Handheld Devices. November 2002.
[Karygiannis02b] T. Karygiannis and L. Owens. Wireless Network Security; 802.11, Bluetooth and Handheld devices. November 2002.
[Käsper04] E. Käsper. Linear Cryptanalysis of Stream Ciphers. 2004.
[Kerckhoffs83] A. Kerckhoffs. La cryptographie militaire. 1883. pp. 5–38.
[Kipnis99] A. Kipnis and A. Shamir. Cryptanalysis of the HFE public key cryptosystem. 1999. pp. 19–30.
[Kitsos03] P. Kitsos, N. Sklavos, K. Papadomanolakis and O. Koufopavlou. Hardware Implementation of Bluetooth Security. 2003.
[Kiviharju04] M. Kiviharju. Algebraic Attacks and Stream Ciphers. 2004.
[Kocher99] P. Kocher, J. Jaffe and B. Jun. Differential power analysis. 1999. pp. 388–397.
[Koç95] Ç.K. Koç. RSA Hardware Implementation, Technical Report TR-801 version 1.0. RSA Security Inc. August 1995.
[Krause01] M. Krause. BDD-based Cryptanalysis of Keystream Generators. Cryptology ePrint Archive, Report 2001/092. 2001.
[Kuhn98] M. Kuhn and R. Anderson. Hidden data transmission using electromagnetic emanations. 1998. pp. 124–142.
[KZ98] C.-H. Yang, K. Zeng and T. Rao. On the Linear Consistency Test (LCT) in Cryptanalysis with Applications. 1998. pp. 164–174.
[Laboratories00] RSA Laboratories. RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography, Version 4.1. 2000.
[Lano] J. Lano, N. Mentens, B. Preneel and I. Verbauwhede. Power Analysis of Synchronous Stream Ciphers with Resynchronization Mechanism.
[Laurie03] A. Laurie. Serious flaws in bluetooth security lead to disclosure of personal data. 2003.
[Laurie04] A. Laurie, M. Holtmann and M. Herfurt. Hacking Bluetooth enabled mobile phones and beyond - Full Disclosure. 2004.
[Levy05] O. Levy and A. Wool. A Uniform Framework for Cryptanalysis of the Bluetooth E0 Cipher. 2005.
[Long03] W.F. Long. Overview of Bluetooth Security. 2003.
[Ltd04] PaloWireless Pty Ltd. Bluetooth Resource Center. 2004. http://www.palowireless.com/bluetooth/.
[Lu04] Y. Lu and S. Vaudenay. Faster Correlation Attack on Bluetooth Keystream Generator E0. 2004. pp. 407–425.
[Massey69] J.L. Massey. Shift-register synthesis and BCH decoding. 1969. pp. 122–127.
[Massey89] J.L. Massey and R.A. Rueppel. Method of, and Apparatus for, Transforming a Digital Sequence into an Encoded Form. 1989. U.S. Patent No. 4,797,922.
[Maurer90] U. Maurer. A Universal Statistical Test for Random Bit Generators. Advances in Cryptology - CRYPTO ’90. Lecture Notes in Computer Science, vol. 537. Springer-Verlag. Aug 1990. pp. 409–420.
[Mceliece02] R.J. McEliece. The Theory of Information and Coding. 2nd ed. Cambridge University Press. 2002.
[Meier89] W. Meier and O. Staffelbach. Fast correlation attacks on certain stream ciphers. 1989. pp. 159–176.
[Meier94] W. Meier and O. Staffelbach. The self-shrinking generator. 1994. pp. 205–214.
[Meier02] W. Meier. Cryptanalysis of Stream Ciphers. 2002.
[Menezes96] A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press. 1996.
[Mihaljevic03] M.J. Mihaljevic, M.P.C. Fossorier and H. Imai. A Low-Complexity and High-Performance Algorithm for the Fast Correlation Attack. 2003. p. 196.
[Miller00] B.A. Miller and C. Bisdikian. Bluetooth revealed. The Insider’s Guide to an Open Specification for Global Wireless Communications. Prentice Hall. 2000.
[Miller01] M. Miller. Discovering Bluetooth. Sybex Inc. 2001.
[Muller99] T. Muller. Bluetooth Security Architecture. July 1999.
[Muller00] N.J. Muller. Bluetooth Demystified. McGraw-Hill Professional. 2000.
[Neyman33] J. Neyman and E.S. Pearson. On the problem of the most efficient tests of statistical hypotheses. 1933. pp. 289–337.
[Ollikainen] V. Ollikainen. Bluetooth Applications in New Media Technology. http://citeseer.ist.psu.edu/393407.html.
[Paulraj02] A.J. Paulraj, P.K. Sebastian, J. Tellado, R.W. Heath Jr., S. Talwar and H. Bolcskei. Wireless communication system and method using stochastic space-time/frequency division multiplexing. Apr 2002. http://www.nari.ee.ethz.ch/commth/pubs/p/patent1.
[Preneel05] B. Preneel. Research Challenges in Cryptology and Security. 2005.
[Proctor85] N. Proctor. A self-synchronizing cascaded cipher system with dynamic control of error-propagation. Springer-Verlag. 1985.
[Quisquarter02] J.J. Quisquater and D. Samyde. Side channel cryptanalysis. 2002.
[Rechberger04] C. Rechberger. Side channel analysis of Stream Ciphers. Master's thesis. Graz University of Technology. 2004.
[Rijmen01] V. Rijmen and J. Daemen. The Wide Trail Design Strategy. 2001. p. 222.
[Roberts04] S. Roberts. Bluetooth Encryption. 2004.
[Robshaw95] M.J.B. Robshaw. Stream Ciphers. RSA Laboratories Technical Report TR-701. 1995.
[Rousseau01] L. Rousseau, C. Arnoux and C. Cardonnel. A Trusted Device to Secure a Bluetooth Piconet. 2001.
[Rowe04a] M. Rowe and T. Hurman. Bluetooth Security. Issues, threats and consequences. 2004.
[Rowe04b] M. Rowe and T. Hurman. Bluetooth Vulnerabilities. Fact and Fiction. 2004.
[Rueppel86] R.A. Rueppel. Correlation immunity and the summation combiner. 1986. pp. 260–272.
[Rueppel89] R.A. Rueppel. Security models and notions for stream ciphers. 1989. pp. 213–230.
[Rueppel92] R.A. Rueppel. Stream ciphers. 1992. pp. 65–134.
[Saarinen00] M.J. Saarinen. Bluetooth und E0. 2000.
[Seys04] S. Seys, D. Singelée and B. Preneel. Wireless Network Security. 2004. pp. 25–35.
[Shaked05] Y. Shaked and A. Wool. Cracking the Bluetooth PIN. 2005.
[Shannon48] C.E. Shannon. A mathematical theory of communication. Tech. Report 27. Bell Laboratories, Inc. 1948.
[Shannon49] C.E. Shannon. Communication theory of secrecy systems. Tech. Report 28. Bell Laboratories, Inc. 1949.
[Siegenthaler84] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. September 1984. pp. 776–779.
[Siegenthaler85] T. Siegenthaler. Decrypting a class of stream ciphers using ciphertext only. 1985. pp. 81–85.
[Sieling95] D. Sieling. Graph driven BDDs - a new data structure for Boolean functions. 1995. pp. 283–310.
[SIG03] Bluetooth Special Interest Group SIG. The Bluetooth core specification version 1.2. November 2003. http://www.bluetooth.org.
[Singelée03] D. Singelée. Overview of the Security Weaknesses in Bluetooth. 2003.
[Singelée04] D. Singelée and B. Preneel. Security Overview of Bluetooth. 2004.
[Smeets98] B.J.M. Smeets. Pseudo-random sequence generator and associated method. 1998.
[Song04] B. Song. Observations on the Cryptologic Properties of the AES Algorithm. Ph.D. thesis. University of Wollongong. April 2004.
[Stamp93] M. Stamp and C.F. Martin. An Algorithm for the k-Error Linear Complexity of Binary Sequences with Period 2^n. 1993.
[Sun02] J.-Z. Sun, D. Howie, A. Koivisto and J. Sauvola. Design, Implementation and Evaluation of Bluetooth Security. 2002.
[Tanenbaum03] A.S. Tanenbaum. Computer Networks. 4th ed. Prentice Hall. 2003.
[Träskbäck00] M. Träskbäck. Security of Bluetooth: an overview of Bluetooth Security. 2000.
[Vainio00] J.T. Vainio. Bluetooth Security. 2000.
[Vernam26] G.S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic communications. J. Amer. Inst. Elec. Eng. 1926. pp. 109–115.
[vT88] H. van Tilborg. An Introduction to Cryptology. First ed. Kluwer Academic Publishers. 1988.
[WaveWireless00] WaveWireless. Direct sequence vs. Frequency Hopping. 2000.
[Whitehouse03a] O. Whitehouse. RedFang. 2003. http://cansecwest.com, http://www.securiteam.com.
[Whitehouse03b] O. Whitehouse. War Nibbling: Bluetooth Insecurity. 2003.
[Wikipedia05] Wikipedia. Linear Feedback Shift Register. 2005. http://en.wikipedia.org/wiki/Linear_feedback_shift_register.
[Xydis02] T.G. Xydis and S. Blake-Wilson. Security Comparison: Bluetooth Communications vs. 802.11. 2002.
[Yang04] B.-Y. Yang and J.-M. Chen. All in the XL Family: Theory and Practice. 2004.
[Zenner04] E. Zenner. On Cryptographic Properties of LFSR-based Pseudorandom Generators. Ph.D. thesis. Universität Mannheim. 2004.
APPENDIX A
Abbreviations
Following is a table of all the abbreviations, symbols and notation used that are common within the topic of this thesis.
Abbreviation  Definition
ACL  Asynchronous ConnectionLess. Data transfer, logical transport.
ACO  Authenticated Ciphering Offset. A parameter binding devices to a particular authentication event.
AES  Advanced Encryption Standard. Block cipher algorithm adopted by the National Institute of Standards and Technology (NIST) in 2001 after a 5-year public competition. The AES Rijndael algorithm was submitted by Joan Daemen and Vincent Rijmen.
AG  Audio Gateway. A mobile phone or other device that plays sound out loud (connected to a headset).
AT command set  A set of commands for controlling a modem.
BB  BaseBand. The lowest layer of the Bluetooth specification.
BD_ADDR  Bluetooth Device ADDRess.
BER  Bit Error Rate. Average probability that a received bit is erroneous; 10^-3 for Bluetooth.
BNEP  Bluetooth Network Encapsulation Protocol. Emulation of Ethernet over Bluetooth links.
CA  Certificate Authority. Trusted issuer of certificates.
CAC  Channel Access Code. A code derived from the master device address in a Bluetooth connection.
CAK  Common Access Key. A common key that can be used when connecting to different access points belonging to a particular network provider.
CBC  Cipher Block Chaining. Block cipher mode.
CFB  Cipher Feedback. Block cipher mode.
CID  Channel IDentifier. End points of an L2CAP channel.
COF  Ciphering OFfset. Additional secret input to the ciphering key generation procedure.
CPU  Central Processing Unit.
CRC  Cyclic Redundancy Check. A checksum added to the payload by the sender that the receiver can use to detect transmission errors.
CTR  Counter Mode. Block cipher mode.
DAC  Device Access Code. A code derived from a specific slave device in a Bluetooth connection.
DES  Data Encryption Standard. The US National Bureau of Standards (NBS) adopted a revised version of Feistel's original block cipher algorithm as the Data Encryption Standard (DES) after a public invitation for submissions.
DH  Diffie-Hellman. The name of the first public key exchange scheme.
DoS  Denial of Service. Incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
DSP  Digital Signal Processor. Editing of sounds in order to produce different sound effects.
DT  Data Terminal.
E0  Bluetooth ciphering algorithm built around four independent linear feedback shift registers and a finite state machine as combining circuitry. The finite state machine is needed to introduce sufficient nonlinearity to make it difficult to recompute the initial state from observed key stream data.
E1  Bluetooth authentication function built around SAFER+. E1 is called a Message Authentication Code (MAC) algorithm.
E2  Bluetooth link key generation function. Consists of E21 and E22.
E21  Bluetooth unit key algorithm, used for unit key derivation, built around a slightly modified SAFER+ algorithm. Because of this modification, E21 cannot be used directly as an invertible encryption algorithm.
E22  Bluetooth initial key algorithm. Used for initial key derivation and also built around a slightly modified SAFER+ algorithm. E21 and E22 are very similar, which simplifies the implementation.
E3  Bluetooth encryption key (K_C) generation algorithm.
EAP  Extensible Authentication Protocol. An authentication protocol standardized by the IETF.
EAPoL  EAP encapsulation over LANs.
ECB  Electronic Code Block Cipher. Block cipher mode.
ECDH  Elliptic-Curve Diffie-Hellman.
EDR  Enhanced Data Rate. New Bluetooth specification released in 2005 that allows data throughput up to 2.1 Mbps.
eSCO  Enhanced Synchronous Connection-Oriented. A logical channel for transport of prioritized synchronous user data.
FBDD  Free Binary Decision Diagram. Data structure for representing and manipulating Boolean functions.
FEC  Forward Error Correction. Another name for an error correcting code.
FFT  Fast Fourier Transform.
FH  Frequency Hopping. Sending transmissions over a different carrier frequency at different times.
FHS  Frequency Hop Synchronization.
FHSS  Frequency Hopping Spread Spectrum. The FHSS carrier hops in a predetermined, pseudo-random pattern over a pool of 79 1 MHz sub-channels defined across the entire band, changing frequency about 1600 times per second. Each channel is used for 625 microseconds, followed by a hop in pseudo-random order to another channel. Bluetooth uses FHSS to solve interference problems with numerous other technologies that also operate in the 2.4 GHz-2.4835 GHz ISM frequency band.
FSM  Finite State Machine.
GAP  Generic Access Profile. A Bluetooth profile that determines common connection handling functions for all other Bluetooth profiles.
GSM  Global Mobile System.
HC  Host Controller.
HCI  Host Controller Interface.
HS  Headset.
IAC  Inquiry Access Code.
ICC  Integrated Circuit Card.
ID  IDentifier.
IEEE  Institute of Electrical and Electronics Engineers. A nonprofit technical professional association for engineers in this area.
IETF  Internet Engineering Task Force.
IIR  Infinite Impulse Response.
IKE  Internet Key Exchange. An IETF protocol used to authenticate IP connections and to exchange IPSEC keys.
IP  Internet Protocol.
IPSEC  IP SECurity protocol. An IETF security protocol used to protect IP packets.
Filter used in the E0 combination generator to lower the correlation factor.
ISM  Industrial-Scientific-Medical. A part of the radio spectrum (2.4 GHz) that is free and globally available.
IrMC Server  Provides an object exchange server. The IrMC server must comply with the interoperability requirements for the server of the GOEP, if not defined to the contrary.
KFB  Key Feedback. Block cipher mode.
KSA  Key Scheduling Algorithm. The key scheduling algorithm produces 17 different 128-bit subkeys for the SAFER+ block cipher.
KSG  Key Stream Generator. Used in the two levels of the E0 encryption system.
L2CAP  Logical Link Communication and Adaptation Protocol. It is layered over the Baseband Protocol and resides in the data link layer. L2CAP provides connection-oriented and connectionless data services to upper layer protocols with protocol multiplexing capability, segmentation and reassembly operation, and group abstractions. L2CAP permits higher level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length.
LAN  Local Area Network.
LAP  Lower Address Part. Bits 0 to 23 of the unique 48-bit IEEE device address BD_ADDR.
LC  Link Controller. Entity that implements the baseband protocol and procedures.
LFSR  Linear Feedback Shift Register.
LM  Link Manager. Entity that sets up and maintains the Bluetooth link.
LMP  Link Manager Protocol.
LSB  Least Significant Bit.
LT_ADDR  Logical Transport ADDRess. A logical 3-bit address assigned to each slave in a piconet.
MAC  Message Authentication Code. E1 is a MAC algorithm.
MANA  Manual Authentication.
MSB  Most Significant Bit.
NAcP  Network Access Point.
NAP  Nonsignificant Address Part. Bits 32 to 47 of the unique 48-bit IEEE device address.
NBS  National Bureau of Standards. The NBS is now called NIST.
NIST  The National Institute of Standards and Technology, http://www.nist.gov, is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration, formerly known as the NBS. NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
OBEX  OBject EXchange. Bluetooth protocol for data exchange.
OFB  Output Feedback. Block cipher mode.
OpCode  Operation code. A code used to identify different types of PDUs.
PAN  Personal Area Network.
PCD  Personal Certification Device.
PDA  Personal Digital Assistant.
PDU  Protocol Data Unit.
PHT  Pseudo Hadamard Transform. Component of the SAFER+ encryption algorithm.
PIN  Personal Identification Number.
PPP  Point to Point Protocol. Protocol used for connecting computers to the Internet through telephone lines.
PKI  Public Key Infrastructure.
PRG  Pseudo-Random Generator.
PSM  Protocol/Service Multiplexor. An identifier used by L2CAP during channel establishment to route the connection request to the right upper layer protocol. Several protocols can be multiplexed over L2CAP.
QoS  Quality of Service. Defines the specific requirements on the link (e.g., with respect to bit rate, delay, latency) needed by certain applications.
RFCOMM  The RFCOMM protocol provides emulation of serial ports over the L2CAP protocol.
RS-code  Reed-Solomon code.
RSA  Rivest, Shamir, and Adleman. The name of a public-key cryptosystem for both encryption and authentication.
RSSI  Received Signal Strength Indicator. Through this indicator, a slave can request a transmission power adaptation from the master.
SCO  Synchronous Connection-Oriented. A logical channel for transport of synchronous user data, e.g. voice and sound.
SDP  Service Discovery Protocol. A protocol for locating services provided by or available through a Bluetooth device.
SIG  Special Interest Group. The organization owning the Bluetooth trademark, also responsible for the evolution of Bluetooth wireless technology.
SIM  Subscription Identity Module. An ICC used in the GSM mobile telephony system. The module stores subscription and user data.
SLE  System of Linear Equations.
SNE  System of Nonlinear Equations.
TCP  Transmission Control Protocol. An IETF protocol for reliable IP communication.
TCS Binary  Telephony Control Specification. Call control signaling necessary to establish voice and data calls between Bluetooth devices.
TDM  Time Division Multiplexing. A type of multiplexing that combines data streams by assigning each stream a different time slot in a set. TDM repeatedly transmits a fixed sequence of time slots over a single transmission channel.
TLS  Transport Layer Security. An IETF security protocol used to authenticate peers, exchange keys, and protect TCP traffic.
UAP  Upper Address Part. Bits 24 to 31 of the unique 48-bit IEEE device address.
UART  Universal Asynchronous Receiver/Transmitter. An integrated circuit used for serial communication with the transmitter and receiver clocked separately.
USB  Universal Serial Bus.
vCard  Virtual Business Card. Standard for electronic business cards and applications that handle them on networks.
WAE  Wireless Application Environment. The top-most level in the WAP architecture. It is based on WWW and Mobile Telephony technologies. The primary objective of the WAE is to provide operators and service providers an interoperable environment on which they can build applications and services.
WAP  Wireless Application Protocol. Specification that allows users to access the Internet from wireless devices.
WLAN  Wireless Local Area Network.