Praneet Sharma
Student ID: S3701201
A Minor Thesis Report Submitted in Partial Fulfillment of the Requirements for the
Award of the Degree of
ABSTRACT
TABLE OF CONTENTS
1. INTRODUCTION .......................................................................................................... 6
Motivation: .......................................................................................................................... 6
1.1 Introduction To Bluetooth Technology .................................................................... 6
1.2 Bluetooth Protocol Stack .......................................................................................... 7
1.3 What Is Security? .................................................................................................... 11
1.4 Bluetooth Security Issues........................................................................................ 13
1.5 Weaknesses In Security Procedures........................................................................ 15
3.6 Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel ..... 42
3.7 FBDD-attack, M. Krause .................................................................................... 42
3.8 Algebraic attack, F. Armknecht .......................................................................... 43
3.9 Fast Algebraic attack, N. Courtois and F. Armknecht ........................................ 47
5. CONCLUSION ............................................................................................................. 53
5.1 Analysis And Conclusion ....................................................................................... 53
References ......................................................................................................................... 55
Chapter 1
1. INTRODUCTION
Motivation:
There are a number of possible attacks on Bluetooth technology. We found that most of them are caused by faulty implementations of a particular protocol. We give an overview of all these kinds of attacks, but the main focus of this minor thesis is identifying and discussing the attacks on certain cryptographic algorithms used.
In 1994 Ericsson Mobile Communications initiated a study to investigate the feasibility of a low-power, low-cost radio interface between phones and their accessories. Later, in February 1998, five companies (Ericsson, Nokia, IBM, Toshiba and Intel) formed a Special Interest Group (SIG). The group contained the necessary business sector members: two market leaders in mobile telephony, two market leaders in laptop computing and a market leader in digital signal processing technology. By the end of December 1999, 3Com, Microsoft and Motorola had joined the promoter group (the companies willing to spend money to promote the standard) and around 1200 other companies had joined the SIG. At present the SIG is composed of over 6,000 members who are leaders in the telecommunications, computing, automotive, music, apparel, industrial automation and network industries, and a small group of dedicated staff in Hong Kong, Sweden and the USA.
Bluetooth is a wireless protocol that requires less bandwidth and has a shorter transmission range than typical wireless LAN applications. Bluetooth operates in the same crowded 2.4 GHz ISM (Industrial, Scientific, Medical) licence-free frequency band as Wi-Fi networks, cordless phones and many emergency service communication systems. Transmission is at low energy, hopping at a rate of 1600 times per second between 79 one-MHz sub-bands of the permitted frequency band. It uses an adaptive frequency hopping algorithm to avoid service interruption caused by other equipment using the same frequencies, and to avoid interfering with that equipment as well. However, this hopping does not add any security to the Bluetooth link, because the hopping sequence is broadcast in the clear during the initial connection procedure.
Bluetooth devices can have variable signal range. The output power of normal Bluetooth devices is 1 milliwatt, giving coverage of only 10 meters; 100 milliwatt devices with a range of up to 100 meters are permitted for applications such as home networks.
The architecture used for Bluetooth consists of Bluetooth-specific protocols combined with adopted protocols such as WAP, WAE, TCP/UDP/IP, PPP, vCard and IrMC. Bluetooth also supports cable replacement protocols such as RFCOMM and telephony adapter protocols such as AT commands. The reason for this mixed architecture of Bluetooth-specific and adopted protocols is that it allows Bluetooth to be integrated directly into existing application and transport protocols, without having to build up an entirely separate and parallel architecture. This also allows application-specific security controls to be implemented that are transparent to the lower-layer security controls (Data Link Layer) at which Bluetooth operates.
1.2 Bluetooth Protocol Stack
[Figure 1: Bluetooth protocol stack. From top to bottom: UDP/TCP, IP, PPP and Audio, RFCOMM, L2CAP, Baseband, Bluetooth Radio.]
According to the Bluetooth SIG, the Bluetooth protocol stack can be divided into four layers according to their purpose. The protocols belonging to each layer are explained in the table shown below.
As shown in Figure 1, in addition to the protocol layers there is the Host Controller Interface (HCI), which provides a command interface to the baseband controller.
1.2.1 Baseband
In the protocol stack shown above, the Baseband and Link Control layer enables the physical RF link between Bluetooth units forming a piconet. As mentioned earlier, the Bluetooth RF system uses Frequency-Hopping Spread Spectrum, in which packets are transmitted in defined time slots on defined frequencies; this layer uses inquiry and paging procedures to synchronise the hopping frequency and clock of different Bluetooth devices.
It provides two different kinds of physical links with their corresponding baseband packets, Synchronous Connection-Oriented (SCO) and Asynchronous Connectionless (ACL), which can be transmitted in a multiplexed manner on the same RF link. ACL packets are used for data only, while SCO packets can contain audio only or a combination of audio and data. All audio and data packets can be provided with different levels of FEC or CRC error correction and can be encrypted. Furthermore, the different data types, including link management and control messages, are each allocated a special channel. The baseband packet format is shown below.
1.2.2 Link Manager Protocol (LMP)
The Link Manager Protocol is responsible for link set-up between Bluetooth devices. This includes security aspects such as authentication and encryption, achieved by generating, exchanging and checking link and encryption keys, as well as the control and negotiation of baseband packet sizes.
1.2.3 Logical Link Control and Adaptation Protocol (L2CAP)
This protocol adapts upper-layer protocols over the baseband. The specification states that it works in parallel with LMP, the difference being that L2CAP provides services to the upper layer, and L2CAP payload data is never sent in LMP messages. L2CAP provides connection-oriented and connectionless data services to the upper-layer protocols with protocol multiplexing capability, segmentation and reassembly, and group abstractions. In addition, it permits higher-level protocols and applications to transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the Baseband protocol provides both the SCO and ACL link types, L2CAP is defined only for ACL links; no support for SCO links is specified in Bluetooth Specification 1.0.
1.2.4 Service Discovery Protocol (SDP)
Discovery of services is a crucial part of every Bluetooth framework, because these services provide the basis for all the usage models. Using SDP, device information, services and the characteristics of the services can be queried; after that, a connection between two or more Bluetooth devices can be established.
1.3 What Is Security?
To define the notion of security, it is necessary to introduce a third party that has access to all public information and tries to derive private secret information. Such a third party is called an attacker or cryptanalyst. The notion of security can then be defined as: "A system is secure if an attacker is unable to derive the private secret information".
It is not possible to break a perfectly secure encryption scheme and such schemes do
exist. However, a perfectly secure scheme needs a key with length no smaller than the
entropy of the message that is to be encrypted and this key may never be reused. If the
key is smaller than the entropy of the message, there will always be a correlation between
the input and output. An example of a perfectly secure encryption scheme is the One-time
pad or Vernam cipher.
Risks are inherent to any wireless technology. Some of these risks are similar to those of
wired networks; some are exacerbated by wireless connectivity; others are new. Perhaps
the most significant source of risks in wireless networks is that the technology’s
underlying communications medium, the airwave, is open to intruders, making it the
logical equivalent of an Ethernet port in the parking lot.
Specific threats and vulnerabilities to wireless networks and handheld devices include the following:
- All vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to a (company's) computer network through wireless connections, bypassing any firewall protections, for example by using special long-distance antennas that can connect to internal, unprotected or weakly protected wireless access points.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed. Several applications exist to "sniff" all the data transmitted wirelessly in an area and recover encrypted passwords.
- DoS attacks may be directed at wireless connections or devices. Such a Denial of Service attack can take down the functionality of devices: it can make them unstable, make them lose data, make them consume a lot of power (draining batteries), or serve as a stepping stone for other attacks.
- Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks. Since wireless connections may allow invisible (or less visible) connections, masquerading is easier.
- Sensitive data may be corrupted during improper synchronization, for example by "sniffing" and inserting into or disturbing wireless data connections.
- Malicious entities may be able to violate the privacy of legitimate users and track their movements. Since data connections need identification, this identification can be tracked easily on most wireless networks.
- Malicious entities may deploy unauthorized equipment (e.g. client devices and access points) to surreptitiously gain access to sensitive information. A well-known example of this attack is the so-called "Evil Twin", a fake clone of a wireless hotspot operated by an attacker to intercept sensitive data.
- Handheld devices are easily stolen and can reveal sensitive information.
- Data may be extracted without detection from improperly configured devices.
- Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced into a wired network connection.
- Malicious entities may, through wireless connections, connect to other agencies or organizations for the purpose of launching attacks and concealing their activities.
- Intruders, from inside or outside, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
- Malicious entities may use third-party, suspicious wireless network services to gain access to an agency's or other organization's network resources.
- Internal attacks may be possible via ad hoc transmissions.
It should be clear that maintaining secure wireless networks is a process that requires greater effort than that required for other networks and systems; it is much harder to obtain any firm guarantee of security in a wireless deployment. Routine security tests, assessments and evaluations of the system security are important. The National Institute of Standards and Technology (NIST) recommends that agencies not undertake wireless deployment for essential operations until they have examined, and can acceptably manage and mitigate, the risks to their information, system operations and continuity of essential operations. [23]
1.4 Bluetooth Security Issues
According to the SIG (Special Interest Group), a Bluetooth wireless technology system contains a set of profiles. A profile defines a selection of messages and procedures (generally termed capabilities) from the Bluetooth specifications. This gives an unambiguous description of the air interface for specified services and use cases. Working groups within the Bluetooth SIG define these profiles.
Security can be defined in terms of four basic elements: availability, access, integrity and confidentiality. The current Bluetooth specification defines security at the link level; application-level security is not specified.
At present there are a few general shortcomings in the Bluetooth security concept; on the basis of those shortcomings the Bluetooth SIG issued two general recommendations.
Bluejacking: in this technique the Bluetooth pairing protocol is abused to pass a message during the initial handshake phase. In this phase the name of the initiator is displayed on the target device, so the bluejacker can send messages unnoticed; if the pairing runs to completion, the bluejacker can then intrude on the target device, become a trusted device and possibly gain access to the target's data.
flow is due to a mistake in the implementation of the OBEX profile, where authentication has been omitted.
Bluebug: this is similar to bluesnarfing; it is based on the serial profile and enables the use of most AT commands. This gives the attacker full access to resources shared by the device over serial. For example, a mobile phone can be used to make phone calls using the AT command set, or a laptop computer could have your PDA's data stolen onto an empty PDA owned by the attacker. [19]
As with computers, there is a risk of worms and viruses on Bluetooth devices. One such worm is the Cabir worm, which tries to get paired with any other device in the vicinity; once paired it installs itself on the paired device and repeats the procedure with other devices, draining the battery by scanning for enabled Bluetooth devices.
1.5 Weaknesses In Security Procedures
Weak PINs can be guessed:
If a weak PIN is used during device pairing, an attacker can guess the PIN and use it to calculate the link key resulting from the pairing. To do this, the attacker only has to eavesdrop on the pairing and the subsequent authentication. Using transcripts of the intercepted protocols, the attacker can check whether the PIN has been guessed correctly. In this way it is possible to guess short or trivial PINs (e.g. "1234567890"). The fact that the PIN is the only secret parameter entering the link key should be viewed as a serious security weakness. Experience shows that it is extremely difficult to break the widespread practice among users of choosing weak PINs.
Chapter 2
The way that the Bluetooth radio system is used in mobile devices, and the type of data carried on these devices, makes security an extremely important factor. While most wireless systems claim that being a spread spectrum radio provides security, the volumes projected for Bluetooth radios eliminate this barrier. As such, link layer and application layer security are part of the basic Bluetooth radio requirements. At the link layer, the Bluetooth radio system provides authentication, encryption and management of the various keys involved.
The Bluetooth device address is the first and most important unique parameter: it is a unique 48-bit address of a Bluetooth device, represented at the user interface level as 12 hexadecimal characters. Another parameter is the Bluetooth device user name, a user-friendly name that can be chosen by the device owner. It can be up to 248 bytes long, although a generic device is not expected to handle names of more than 40 characters; in general most devices have limited capabilities and may handle only up to 20 characters. Among all the parameters used in the Bluetooth security architecture, the Bluetooth passkey (PIN) is the most important from a security perspective: it is used to authenticate two Bluetooth devices that have never exchanged link keys before. An important feature of this parameter is that it has different representations at the different levels. The Bluetooth device class is another parameter, used to identify the type of device and the services it supports. [20]
2.1.1 Authentication
Like other wireless technologies, Bluetooth uses an authentication mechanism based on a secret key known as the link key. In previous versions of the technology only unit keys were used, but to make the authentication procedure more secure, combination keys are now widely used. A combination key is specific to a pair of devices, whereas a device has a single unit key for all its connections. There are two ways of generating link keys: dynamically, or through a process called pairing. When a device is configured to generate link keys dynamically, it requires the user to enter the passkey each time a connection is established. Pairing, on the other hand, generates a long-term, stored link key that allows the simple automated connections that are the hallmark of the Bluetooth specification. To pair two devices, the user sets both devices in pairing mode and then enters a shared passkey. This passkey is used to generate an initialization key, which is based on the Bluetooth address of the devices, a random number and the passkey. The initialization key is then used to authenticate each device and in the creation of the link key. Finally, the link key is stored locally on each device for future authentication. After the pairing process has completed, the devices automatically and transparently authenticate and encrypt the link.
match, the connection is refused. Once the authentication process has completed, the second device generates a new random number for its next authentication session. [17][13]
2.1.2 LMP-Authentication
[Figure: LMP pairing between Verifier (Initiator) and Claimant. The verifier starts with Init_pairing and generates a random number, sent as LMP_in_rand; the PIN is entered on both sides; the claimant replies LMP_accepted; both sides calculate Kinit, perform LMP authentication and create the link key.]
key and the BD_ADDR of the non-initiating device. The secret key can be a previously exchanged link key or an initialization key created from a PIN, as used in the pairing procedure. [15][13]
[Figure: LMP challenge-response authentication between Verifier (Initiator) and Claimant. Both sides hold the secret key. The verifier starts with Init_Authentication, generates a random number and sends it as LMP_au_rand; both sides calculate the response to the challenge; the claimant returns LMP_sres and the verifier compares the result.]
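The pairing and challenge-response exchange of the two figures above, as an added Python example that is not part of the thesis: it runs both sides of the LMP message flow, derives Kinit from the PIN, the claimant's BD_ADDR and IN_RAND, then authenticates with AU_RAND/SRES and keeps the 96-bit ACO. The real E22 and E1 functions are SAFER+ based and are not reproduced; HMAC-SHA-256 stand-ins, the device addresses and the PINs are constructed assumptions so the exchange can be run offline.

```python
import hmac
import hashlib
import secrets

# Sizes stated in the thesis: 128-bit keys, 32-bit SRES, 96-bit ACO.
KEY_LEN, SRES_LEN, ACO_LEN = 16, 4, 12


def e22_stand_in(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22: Kinit from PIN, BD_ADDR of the non-initiating device
    and IN_RAND. ASSUMPTION: HMAC-SHA-256 truncated to 128 bits replaces the
    real SAFER+-based E22, which is not reproduced here."""
    return hmac.new(in_rand, b"E22" + bd_addr + pin, hashlib.sha256).digest()[:KEY_LEN]


def e1_stand_in(key: bytes, au_rand: bytes, claimant_addr: bytes):
    """Stand-in for E1: (SRES, ACO) from the secret key, the verifier's
    challenge and the claimant's BD_ADDR. ASSUMPTION: HMAC-SHA-256 stand-in."""
    d = hmac.new(key, b"E1" + au_rand + claimant_addr, hashlib.sha256).digest()
    return d[:SRES_LEN], d[SRES_LEN:SRES_LEN + ACO_LEN]


class Device:
    """One Bluetooth unit: its BD_ADDR, the key it derived and the LMP messages it saw."""

    def __init__(self, bd_addr: bytes, name: str):
        self.bd_addr = bd_addr
        self.name = name
        self.key = None        # Kinit (later the agreed link key)
        self.aco = None        # Authenticated Ciphering Offset from the last successful run
        self.transcript = []   # LMP messages, kept so the reader can inspect the flow

    def note(self, msg: str):
        self.transcript.append(f"{self.name}: {msg}")


def pairing(verifier: Device, claimant: Device, pin_v: bytes, pin_c: bytes) -> bytes:
    """LMP pairing: the initiator sends IN_RAND; each side computes Kinit from
    its own copy of the PIN and the BD_ADDR of the non-initiating device."""
    in_rand = secrets.token_bytes(16)
    verifier.note(f"-> LMP_in_rand {in_rand.hex()}")
    claimant.note(f"<- LMP_in_rand {in_rand.hex()}")
    claimant.note("-> LMP_accepted")
    verifier.key = e22_stand_in(pin_v, claimant.bd_addr, in_rand)
    claimant.key = e22_stand_in(pin_c, claimant.bd_addr, in_rand)
    return in_rand


def authenticate(verifier: Device, claimant: Device) -> bool:
    """One LMP challenge-response run. True when the verifier accepts; both
    units then hold the same ACO. A fresh AU_RAND is drawn for every run."""
    au_rand = secrets.token_bytes(16)
    verifier.note(f"-> LMP_au_rand {au_rand.hex()}")
    sres_c, aco_c = e1_stand_in(claimant.key, au_rand, claimant.bd_addr)
    claimant.note(f"-> LMP_sres {sres_c.hex()}")
    sres_v, aco_v = e1_stand_in(verifier.key, au_rand, claimant.bd_addr)
    # Constant-time comparison so the check does not leak which SRES bytes matched.
    if not hmac.compare_digest(sres_v, sres_c):
        verifier.note("SRES mismatch: connection refused")
        return False
    verifier.aco, claimant.aco = aco_v, aco_c
    verifier.note("SRES match: claimant authenticated")
    return True


def mutual_authentication(a: Device, b: Device) -> bool:
    """Each side verifies the other; the second run uses its own new random number."""
    return authenticate(a, b) and authenticate(b, a)


def run(pin_a: bytes, pin_b: bytes):
    """Pair and mutually authenticate two constructed devices.
    Returns (accepted, aco_of_a, aco_of_b)."""
    a = Device(bytes.fromhex("001122334455"), "A")  # constructed sample BD_ADDRs
    b = Device(bytes.fromhex("66778899aabb"), "B")
    pairing(a, b, pin_a, pin_b)
    ok = mutual_authentication(a, b)
    return ok, a.aco, b.aco


if __name__ == "__main__":
    print(run(b"1234", b"1234"))   # same PIN on both sides: accepted, ACOs equal
    print(run(b"1234", b"0000"))   # PINs differ: Kinit differs, verifier refuses
```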
2.1.3 Authorization
important Bluetooth security concepts: trust relationships and service security levels. Authorisation depends on authentication, as the authentication process establishes the device identity that is used to determine access. The Bluetooth specification allows three different levels of trust between devices: trusted, untrusted and unknown. If device A has a trusted relationship with device B, then device B is allowed unrestricted access to device A. If device B is untrusted, then device B has been previously authenticated, but its access to services on device A is restricted by service security levels. An unknown device that has not been authenticated is considered untrusted.
Service security levels control access to a device's services on a per-service basis. The first service security level requires both authentication and authorisation in order to grant access to a service: the identity of the requesting device has to be confirmed, and the requesting device has to be granted specific permission to access the service. The second level requires authentication only; at this level the identity of the requesting device need only be judged genuine to be granted access. The third level requires encryption only; at this level access to the service is granted to any device that is encrypting its communications. The last level is open to all devices. An example of a use for this security level would be a user who wants to grant unrestricted access to a business card stored on the device while restricting access to other, more sensitive services.
2.1.4 Encryption
help to ensure confidentiality by reducing the possibility of eavesdropping. The use of fast frequency hopping, at 1600 hops per second over 79 different channels, represents an important barrier to interception. Since the transmitter only dwells on a specific frequency for 625 microseconds, it is difficult even to detect the presence of a Bluetooth device unless it is actively paging another device.
Key generation overview: the encryption key is derived from the authentication key and is used for enciphering the data for transmission. This increases the lifetime of the authentication key. The authentication key is also referred to as the link key, to emphasise the importance of this key to a specific Bluetooth link. The authentication procedure requires that both end devices of a link know the current link key. Since the link keys are to be kept secret, they cannot be obtained through any inquiry routines. There has to be an initialisation phase carried out separately for each pair of units that want to implement authentication and encryption. The steps in initialisation are as follows:
1. Generate an initialisation key, Kinit, and use it as the link key. This key is derived from three entities: the device address, a random number issued by the verifier and a PIN code. The PIN can be a fixed number provided with the Bluetooth unit (for example, for devices with no user interface). Alternatively, the PIN can be selected arbitrarily by the user and then entered in both units that have to be matched.
Authenticate the devices to each other using Kinit.
4. Once the initial authentication is over, the devices decide on a new link key for the future. Each device has a unit key, denoted Ka, which is generated when that device is in operation for the first time. The devices can decide to use one of the unit keys as the link key in future, or can derive a combination key, denoted Kab. Sometimes the same information needs to be distributed securely to several recipients, in which case the serving device decides on a single common link key for all links to the recipients. This key is known as the master key and is denoted Kmaster.
5. Exchange K securely using an encryption key derived from Kinit. The agreed-upon future link key is exchanged between the devices.
7. For transmitting data, a new encryption key is generated at each end based on the chosen K. A new encryption key is generated for every new session. [13]
2.1.5 Implementation
2.2 Key Management
2.2.2 Corrupted Database
The link key database might for some reason become corrupted. The probability of a corrupted database depends on the type of storage medium and the storage protection mechanisms. If a stored device address is damaged, it may result in a key lookup error. If the corrupted key entry is detected when the unit is about to send an authentication request (acting as verifier), the error can be handled internally by the unit. In this case, it should be possible for the user (if desired) to demand a new pairing and derive a new link key, and the device will initiate a new pairing.
2. Security Mode 2 (service level security): Security procedures are initiated after a channel establishment request has been received at the L2CAP level. Whether a security procedure is initiated or not depends on the service type. Service (or application) level security allows different access policies for different applications that may run in parallel.
3. Security Mode 3 (link level security): Security procedures are performed and authenticated at the LMP level before a channel is created for communication. A Bluetooth device in security mode 3 may reject a host connection request based on host settings.
While automatic access is granted only to trusted devices, all other devices need manual authorization. A link may be changed to encrypted mode if required by the service or application.
Stream ciphers are an important class of encryption algorithms. They encrypt individual characters (usually binary digits) of a plaintext message one at a time, using an encryption transformation that varies with time. By contrast, block ciphers tend to encrypt groups of characters of a plaintext message simultaneously, using a fixed encryption transformation. Stream ciphers are generally faster than block ciphers in hardware and have less complex hardware circuitry. They are also more appropriate, and in some cases mandatory (for example in some telecommunications applications), when buffering is limited or when characters must be processed individually as they are received. Because they have limited or no error propagation, stream ciphers may also be advantageous in situations where transmission errors are highly probable. There is a vast body of theoretical knowledge on stream ciphers, and various design principles for stream ciphers have been proposed and extensively analysed. However, there are relatively few fully specified stream cipher algorithms in the open literature. This unfortunate state of affairs can partially be explained by the fact that most stream ciphers used in practice tend to be proprietary and confidential. By contrast, numerous concrete block cipher proposals have been published, some of which have been standardized or placed in the public domain. Nevertheless, because of their significant advantages, stream ciphers are widely used today, and one can expect increasingly more concrete proposals in the coming years.
E0 is a so-called autonomous finite state machine. Loaded with an initial state, it will
move to a new state and produce one single output bit of the key stream on every clock
cycle.
The Bluetooth specification defines the stream cipher algorithm E0 for point-to-point encryption of the packet payload; the access code and the packet header are never encrypted. The E0 additive stream cipher was designed to provide wireless connections with strong protection against eavesdropping. It is a direct design using a Bluetooth proprietary algorithm inspired by Massey and Rueppel's [27] summation combiner stream cipher. The core of E0 is built around four independent linear feedback shift registers (LFSRs) and a finite state machine (FSM) acting as the combining circuitry.
Studies show that the E0 stream cipher is weaker than was assumed at its design. However, the frequent rekeying in Bluetooth and the rather short generated key streams keep the system safe from most of the attacks.
In the E0 stream cipher the keystream bits are added bit-wise modulo 2 (XOR) to the data stream to be sent over the air interface. All units in the piconet must be able to read the packet header to see whether the message is for them or not. Therefore only the payload of each packet is ciphered, separately, by the cipher algorithm E0. The payload data is ciphered after the CRC bits are appended, but before the optional Forward Error Correction (FEC) encoding.
The E0 stream ciphering process consists of three parts: (see Figure 2.3)
a) Initialization: payload key generation.
The payload key generator combines the input bits in an appropriate order and shifts them
into four LFSRs of the key stream generator.
b) Main part: Key stream bits generation.
c) Encryption and decryption.
[Figure 2.3: E0 ciphering process. 1. Initialization: Kc is transformed to K'c; the payload key is generated from K'c, BD_ADDR, EN_RAND, CLK and the 6-bit constant 111000 and loaded into the key stream generator. 2. Key stream generation. 3. Encryption.]
The cipher algorithm E0 uses as input the 48 bits of the master Bluetooth device address (BD_ADDR), 26 bits of the master real-time clock, CLK, and an encryption key Kc. By using the 26 bits of the master clock, which changes every 625 µs, and re-initialising the E0 algorithm after each (multi-)packet, frequent changes of the starting state of the key stream generator are assured; this is a key factor in the resistance to attacks. E0 generates a binary keystream Kcipher which is added modulo 2 (XOR) to the data to be encrypted. The cipher is symmetric: decryption is performed in exactly the same way, using the same key as for encryption.
The private encryption key Kc is derived by algorithm E3 from the current link key, a 96-bit Ciphering Offset number (COF) and a 128-bit random number EN_RAND. COF is set to the concatenation of the master BD_ADDR if the current link key is a master key; otherwise COF is set to the value of the Authenticated Ciphering Offset (ACO) computed during the authentication procedure.
The Bluetooth system is said to be a two-level operation. The first level consists of the initialization and the second level performs the actual keystream generation.
Within the first level, the initialization of the E0 algorithm, the encryption key Kc is transformed to an intermediate constraint key K'c:
where deg(g1^(L)(x)) = 8L and deg(g2^(L)(x)) ≤ 128 − 8L. The values for the polynomials g1^(L) and g2^(L) are collected in a table [28]. The maximum effective size of this key shall be factory preset and may be set to any multiple of eight bits, with L between one and sixteen (8–128 bits).
This constraint key K'c is used together with the BD_ADDR and the clock CLK to load the initial values of the four LFSRs (128 bits) and the four memory bits c0 and c−1. At the end of the first level, the generator produces 200 stream cipher bits, of which the last 128 bits are fed back into the key stream generator as the initial values of the four LFSRs for the second level. The values of the memory bits c0 and c−1 are kept as the initial values for the second level. Further details of the complex initialization and the premixing of the initially loaded key material can be found in the Bluetooth specification document. [28]
After the initialization steps of the first level and the initialization of the second level, a loop is started (steps 2 and 3 in Figure 2.3) until the maximum number of plaintext bits has been encrypted; the generator must then be re-initialized to prevent various kinds of statistical attacks.
The core of the E0 keystream generator consists of four Linear Feedback Shift Registers
(LFSR), with a key of at most 128 bits, and a 4 bit finite state machine, feeding a
Summation Combiner Logic (combining circuitry).
Studies show that an LFSR on its own is not cryptographically secure, since it is linear. In [26] the use of memory in the combination generator was proposed to achieve nonlinearity in an LFSR system. The finite state machine is used in the Bluetooth system to introduce sufficient nonlinearity to make it difficult to recompute the initial state from observed key stream data.
As is well known, LFSRs can be described by feedback polynomials. The feedback polynomials of the four LFSRs used within E0 are all primitive maximum-length polynomials. This ensures that the period of an LFSR of degree n is 2^n − 1. The smallest common period of the four Bluetooth LFSRs is the product of the four periods divided by 7: P = (P1·P2·P3·P4)/7 = (2^25 − 1)(2^31 − 1)(2^33 − 1)(2^39 − 1)/7 ≈ 2^125.2. The period is divided by 7 since P3 and P4 have 7 as their greatest common divisor. This entire period is never generated by the Bluetooth generator, since it is re-initialized after a maximum of 2745 bits. The total length of the registers is 128. The Hamming weight (the number of "1" bits in the binary sequence) of all the feedback polynomials is chosen to be five, a reasonable trade-off between reducing the number of XOR gates required in the hardware implementation and obtaining good statistical properties of the generated sequences.
The polynomials are in fact maximum length windmill polynomials [30]. This can be
exploited in a hardware or software realization of the LFSR. The windmill polynomials
have the property that one can construct a linear sequential machine that, provided it is
correctly initialized, for each clock cycle generates four consecutive symbols of the
sequence that the normal LFSR would generate.
For each output bit, each LFSR is clocked once, and the outputs of the four LFSRs and the output of the finite state machine are exclusive-ORed together to form the keystream bit. In parallel, the four LFSR outputs are summed as integers to form a 3-bit value; the upper two bits of that sum are used to update the state of the finite state machine (FSM), while its least significant bit (LSB) is the bit-wise XOR of the four LFSR outputs.
During the encryption loop, the following steps are walked through:
a) Output $x_t$ from the four LFSRs.
b) Calculate the keystream bit $z_t = f_0(x_t, c_t)$.
c) Calculate the encrypted message bit $e_t = z_t \oplus m_t$, where $m_t$ is the corresponding message bit.
d) Calculate $s_{t+1} = f_1(x_t, c_t)$.
e) Calculate the next FSM state $c_{t+1} = T(s_{t+1}, c_t)$.
f) Set the FSM memory bits $c_t = c_{t+1}$.
During decryption the same loop is walked through, but in the third step the calculation is $m_t = z_t \oplus e_t$, where $e_t$ is the corresponding received encrypted bit.
The combination generator process is shown in Figure 2.4, where the boxes labelled $z^{-1}$ denote delay elements holding two bits each and the small numbers under the nodes indicate the number of bits passing.
The function $f_0$, called the summation combiner, produces an output sequence of 200 bits $z_1, z_2, \ldots$, where $z_t \in GF(2)$. It computes each $z_t$ as the modulo-two sum of the entries of the vector $x_t$ and the first bit $c^0_t$ of the current contents of the memory. $x^i_t$ denotes the output of LFSR$_i$ at time $t$; the LFSR output is taken from the shift register taps given in Table 2.3.
$z_t = f_0(x_t, c^0_t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t \in \{0, 1\}$, with $c^0_t = c_t \bmod 2$
The nonlinear function $f_1$ also takes the vector $x_t$ as input, but combined with the latest memory update vector $c_t$; $f_1$ outputs a 2-bit vector $s_{t+1}$. It is nonlinear since integer addition is nonlinear over GF(2).
Chapter 3
We will be discussing the different types of attacks possible on E0; each attack is described in this section. Although it is not possible to discuss every attack in full detail within the scope of this minor thesis, we describe each type of attack. Some parts of the reviewed attacks are implemented alongside the E0 simulator, as a way to get a better understanding of how the attack works.
For most attacks the cipher must be remodelled so that the nonlinear part is replaced by a sequence of random variables with some correlation probability. Most of the theoretical attacks on the Bluetooth E0 stream cipher require a far larger amount of consecutive keystream than is available in a practical environment. By Kerckhoffs' principle, they assume the keystream generator and some keystream bits $z_t$ are known, and they try to recover the initial state of the LFSRs [23].
The inner product "$\cdot$" between two vectors $v = (v_1, v_2, \ldots, v_n)$ and $w = (w_1, w_2, \ldots, w_n)$ of the space $GF(2)^n$ is defined as
$v \cdot w = v_1w_1 \oplus v_2w_2 \oplus \cdots \oplus v_nw_n$
The linear function $L_u(x)$ is then $L_u(x) = u \cdot x$, $u \in GF(2)^n$.
DEFINITION 1. We say a function $L: GF(2)^n \to GF(2)^n$ is linear if for any vectors $v$ and $w$ in $GF(2)^n$
$L(v + w) = L(v) + L(w)$
and for any vector $v$ in $GF(2)^n$ and scalar $a$,
$L(av) = aL(v)$
An affine function is just a linear function plus a translation.
DEFINITION 2. We say a function $A: GF(2)^m \to GF(2)^n$ is affine if there is a linear function $L: GF(2)^m \to GF(2)^n$ and a vector $b$ in $GF(2)^n$ such that
$A(x) = L(x) + b$
for all $x$ in $GF(2)^m$.
In [26] Hermelin and Nyberg published a theoretical attack to recover the keystream generator's initial state with a time complexity of $O(2^{64})$, given $O(2^{64})$ known keystream bits (≈ 2,097,152 TB).
The attack is based on a weak linear correlation between the combined LFSR output $V_t = X^1_t \oplus X^2_t \oplus X^3_t \oplus X^4_t$ and the keystream output $Z_t$, which is used to verify a guess on one of the LFSRs. The sequence $V_t$ is generated by a fictive LFSR based on the product of the four feedback polynomials of the LFSRs in E0, that is, a feedback polynomial $G(t) = f_1(t)f_2(t)f_3(t)f_4(t)$ of degree 128. If the attack succeeds, the attacker discovers the initial state of this fictive LFSR, from which the initial states of the four original LFSRs of E0 can be computed by solving a set of linear equations in 128 unknowns.
Hermelin and Nyberg discovered the following correlation in the Bluetooth E0 stream cipher:
$C(Z_t \oplus Z_{t-1} \oplus Z_{t-3},\; V_t \oplus V_{t-1} \oplus V_{t-3}) = -1/16$
Since the attack of Ekdahl and Johansson is based on the same principles as this one, but with better computational complexity, we will not analyse this attack in further detail.
A theoretical attack by Ekdahl and Johansson [1] describes how the initial state of the keystream generator can be extracted given $O(2^{34})$ known keystream bits (≈ 2 GB) with a computational complexity of $O(2^{63})$. This attack is also based on a weak linear correlation between the LFSR output and the keystream output, used to verify whether a guess on one of the LFSRs is correct. The cipher is remodelled so that the nonlinear part is replaced by a sequence of random variables with some correlation probability; the nonlinear part of the keystream is found in the memory block $C_t$.
Fluhrer and Lucks [2] discovered the following correlation for $C_t$:
$P(C_t \oplus C_{t-5} = 0) = 1/2 + 0.04883$
Now we can remodel E0 into the simplified system shown in Figure 8.3. With this model we guess the initial state of LFSR1 and add its output $x^1_t$ to $z_t$. If the guess is correct, the resulting sequence can be written as
$v_t = z_t + x^1_t = u_t + c^0_t$ (1)
[Figure 8.3: the assumed (guessed) LFSR1 producing $x^1_t$, the equivalent LFSR of LFSR2 to LFSR4 producing $u_t$, the memory bits $c^0_t$, and the test on $v_t = z_t + x^1_t$.]
From the equivalent LFSR of LFSR2, LFSR3 and LFSR4 we obtain a sequence $u_0, u_1, \ldots, u_{N-1}$ which is a codeword of a linear $(N, l)$ block code $C$. In this block code $C$ there are $l$ information symbols, where $l$ equals the length of the equivalent shift register, that is, the sum of the lengths of LFSR2, LFSR3 and LFSR4. The sequence $u_t$ can be written as a row vector $u = (u_0, u_1, \ldots, u_{N-1})$.
This row vector can then be written as $u = u_0 G$, where $u_0$ is the initial state of the equivalent shift register and $G$ its generator matrix. If we can find $k$ columns of $G$ such that
$G_{i_1} + G_{i_2} + \cdots + G_{i_k} = 0$, (2)
then we must have $u_{i_1} + u_{i_2} + \cdots + u_{i_k} = 0$ for the sequence $u_t$. Since the block code is cyclic, we can write
$\sum_{i \in I} u_{t+i} = 0$, (3)
for any time index $t \ge 0$, where $I$ is the set of indices in Equation (2).
By summing over the indices in $I$ as indicated by Equation (3), it is possible to remove the influence of $u_t$ from $v_t$ (Equation (1)) and move towards the correlation of Equation ():
$v_t = u_t + c_t$ (4)
$\sum_{i \in I} (v_{t+i} + v_{t+i-5}) = 0 + \sum_{i \in I} (c_{t+i} + c_{t+i-5})$ (5)
The second parameter to estimate is the required number of samples, $m$. From this section we know that we can separate the uniform distribution $P_U(X = 0) = 1/2$ from the indicator distribution $P_{E0}(X = 0) = 1/2 + 2^{k-1}\epsilon^k$ using approximately $1/(2^{k-1}\epsilon^k)^2$ samples. With increasing $k$, $P_{E0}(X = 0)$ gets closer to $1/2$, and the Chernoff information $C(P_U, P_{E0})$, which measures the distance between two probability distributions, decreases; a relatively large Chernoff information means a low error probability. So for a fixed error probability the required number of samples $m$ increases with $k$. On the other hand, the total number of columns $w \approx 2^{l/(k-1)}$ of $G$ needed to find $k$ columns that add to the all-zero column decreases as $k$ increases. The total number of keystream bits to observe, $N$, is the sum $N = m + w$, so we need to choose $k$ such that $N$ is minimized.
When performing the attack, we count the number of times Equation (6) equals zero, $n_0$, and the number of times it equals one, $n_1$. Thus the number of samples, $m$, equals $m = n_0 + n_1$. To simplify the application of the Neyman-Pearson lemma we replace $2^{k-1}\epsilon^k$ with $\epsilon$, so that $P_{E0} = 1/2 + \epsilon$. According to the lemma, we can test between the two hypotheses $H_0: P_U$ and $H_1: P_{E0}$.
For this attack it is desirable to use an unsymmetrical threshold and decrease $P_F$ at the expense of $P_M$, i.e. we want $P_F \ll P_M$. In [3] an unsymmetrical threshold of $T = 25$ was chosen, resulting in $P_M \approx 2^{-4}$ and $P_F \approx 2^{-10}$. It is shown that $k = 4$ is the best choice for attacking LFSR1, since $N$ is then minimized to $2^{34.6}$.
3.3 Faster correlation attack, Y. Lu and S. Vaudenay
Although the faster correlation attack proposed by Yi Lu and Serge Vaudenay in [12] has the best known time complexity, $O(2^{39})$ after $O(2^{37})$, it still requires $2^{39}$ consecutive keystream bits (≈ 64 GB). The attack recovers LFSR1 with a new Maximum Likelihood Decoding (MLD) algorithm based on the Fast Walsh Transform, which speeds up the fast correlation attack. It applies the concept of convolution to the analysis of the distinguisher built from all known correlations, which allows an efficient distinguisher that halves the data complexity of the basic uni-bias-based distinguisher.
The approach is similar to the divide-and-conquer attack of Ekdahl and Johansson (Section 3.2), but with a decreased time complexity. The correlations used for this attack are:
3.5 Guess-and-determine attack, S.R. Fluhrer and S. Lucks
Scott R. Fluhrer and Stefan Lucks refined the attack of M.O. Saarinen in [2]. This attack recovers the initial state of the shift registers (level 2 of the keystream generator) and reverses the premixing step to recover the session key $K_C$ (level 1 of the keystream generator). The time complexity of the attack is of the order $O(2^{84})$ when 132 keystream bits are available. The time complexity required to reconstruct the level 2 keystream generator (the initial states of the LFSRs) is expected to lie between $O(2^{72})$ and $O(2^{84})$, depending on the number of known keystream bits. The work effort to reconstruct the level 1 keystream generator is expected to lie between $O(2^{81})$ and $O(2^{51})$. Unlike a correlation attack, the algorithm allows the keystream bits to be spread over up to 83 data packets; the computational complexity then lies between $O(2^{76})$ and $O(2^{84})$, depending on the number of keystream bits available.
The basic approach of guessing the initial states of parts of the cipher and checking consistency is the same as in Saarinen's attack, but this attack takes advantage of additional relationships within E0 to gain performance. Instead of guessing three LFSRs as in Saarinen's attack, it guesses the initial state of the FSM and the contents of the two shortest LFSRs. A set of linear equations is built up and checked for inconsistencies, and a guess is rejected as soon as an inconsistency is found. The idea behind the algorithm is that the next-state function of the FSM depends only on the number of LFSRs that output a one. Instead of computing the exact values of the two longest LFSRs, we only have to decide whether their outputs differ or not. The algorithm also takes advantage of the fact that contradictions in GF(2) can be found efficiently. The attack derives the initial LFSR settings given 132 bits of keystream output. The initial FSM contents and the states of LFSR1 and LFSR2 are guessed. By observing the keystream, it is possible to decide whether the XOR of the outputs of LFSR3 and LFSR4 is one or zero, and a set $L$ of linear equations on the LFSR3 and LFSR4 output bits is constructed in a search tree. When enough keystream bits have been analysed, the linear equations implied by the LFSR3 and LFSR4 tap equations can be added to the set $L$. As long as the equations in $L$ stay consistent, we continue to analyse the keystream; if an inconsistency appears, we backtrack in the tree and try another guess at the different steps.
The theoretical attack presented by Christophe De Cannière, Thomas Johansson and Bart Preneel in [5] is based on the attack of Scott Fluhrer and Stefan Lucks [2] described in the preceding section. The time complexity of the attack is of the order $O(2^{76})$ when 1 Mbit of keystream is available.
The approach is similar to that of Fluhrer and Lucks, but instead of guessing the contents of two LFSRs and the FSM, only the shortest LFSR and the initial state of the FSM are guessed.
Free Binary Decision Diagrams (FBDDs) are data structures for representing and manipulating Boolean functions [7] [8]. An FBDD attack is a short-keystream attack, where the number of keystream bits needed for computing the secret initial state $x \in \{0, 1\}^n$ is at most $cn$ for some constant $c \ge 1$.
The attack exploits the fact that many LFSR-based stream ciphers produce keystream according to the rule $z = C(L(x))$, where $L(x)$ denotes an internal linear bit stream generated by a small number of parallel LFSRs and $C$ denotes some nonlinear compression function. The weakness of LFSR-based keystream generators is that the compressor $C$ has to produce the keystream online and at high speed. To achieve this, $C$ uses only a small memory and consumes only a few new internal bits for producing each output bit. These requirements imply that the decision whether an internal bitstream $z$ generates a prefix of a given keystream $y$ via $C$ can be computed by small FBDDs. This makes it possible to compute dynamically a sequence of FBDDs $P_m$, $m \ge n$, which test for a given initial state $x \in \{0, 1\}^n$ whether $C(L_{\le m}(x))$ is a prefix of $y$, where $L_{\le m}(x)$ denotes the first $m$ bits of the internal linear bitstream generated via $L$ from the secret initial state $x$.
Theorem 2 forms the basis of the algebraic attack on the combiner with memory.
THEOREM 2 (Krause, Armknecht, 2003). For each combiner $C$ with $k$ LFSRs and $l$ memory bits, a nontrivial relation $F_C$ of degree $\lceil k(l+1)/2 \rceil$ with
$0 = F_C(X_t, \ldots, X_{t+l}, z_t, \ldots, z_{t+l})$
can be constructed.
Basically, we are able to transform the equations for the keystream bits $z$, which depend on the LFSR output bits $x$ and the memory bits $c$, into a system of equations that no longer depends on the memory bits and can be used to find the initial values of the LFSRs:
$z_t = F(x^1_t, \ldots, x^4_t, c^1_t, \ldots, c^4_t)$
$z_t = F(x^1_t, \ldots, x^4_t, C_t(x^1_1, \ldots, x^4_{t-1}, c^1_1, \ldots, c^4_1))$
$z_t = F_t(x_1, \ldots, x_n, c^1_1, \ldots, c^4_1)$
$0 = F'(x^1_t, \ldots, x^4_t, x^1_{t+1}, \ldots, x^4_{t+1}, x^1_{t+2}, \ldots, x^4_{t+2}, x^1_{t+3}, \ldots, x^4_{t+3}, z_t, z_{t+1}, z_{t+2}, z_{t+3})$
$0 = F'(x_1, \ldots, x_n, z_t, z_{t+1}, z_{t+2}, z_{t+3})$
For each clock $t$, the new keystream output $z_t$ is produced and the next memory bits $c^0_{t+1}$ and $c^1_{t+1}$ are computed. We reformulate this update to obtain the functions for the individual memory bits $c^0_{t+1}$ and $c^1_{t+1}$:
$c_{t+1} = (c^1_{t+1}, c^0_{t+1})$ (12)
$= T_0(s_{t+1}) \oplus T_1(c_t) \oplus T_2(c_{t-1})$ (13)
$= (s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1},\; s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1})$. (14)
In this equation we can reformulate $s^1_{t+1}$ and $s^0_{t+1}$ using the integer sum $y_t = x^1_t + x^2_t + x^3_t + x^4_t$, as stated by F. Armknecht, A Linearisation Attack on the Bluetooth Key Stream Generator, 2002 [9]:
$s_{t+1} = (s^1_{t+1}, s^0_{t+1})$ (15)
$= \lfloor (x^1_t + x^2_t + x^3_t + x^4_t + 2c^1_t + c^0_t) / 2 \rfloor$ (16)
$s^1_{t+1} = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_t c^1_t$ (17)
$s^0_{t+1} = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t$ (18)
where $\Pi_i(t)$ is the XOR over all products of degree $i$ of the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$:
$\Pi_1(t) = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t$
$\Pi_2(t) = x^1_tx^2_t \oplus x^1_tx^3_t \oplus x^1_tx^4_t \oplus x^2_tx^3_t \oplus x^2_tx^4_t \oplus x^3_tx^4_t$
$\Pi_3(t) = x^1_tx^2_tx^3_t \oplus x^1_tx^2_tx^4_t \oplus x^1_tx^3_tx^4_t \oplus x^2_tx^3_tx^4_t$
$\Pi_4(t) = x^1_tx^2_tx^3_tx^4_t$
This leads to the following equations for the individual bits $c^1_{t+1}$ and $c^0_{t+1}$ (from Equation (14)):
$c^1_{t+1} = s^1_{t+1} \oplus c^1_t \oplus c^0_{t-1}$ (19)
$= \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus \Pi_2(t)c^1_t \oplus \Pi_1(t)c^0_tc^1_t \oplus c^1_t \oplus c^0_{t-1}$ (20)
$c^0_{t+1} = s^0_{t+1} \oplus c^0_t \oplus c^1_{t-1} \oplus c^0_{t-1}$ (21)
$= \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus c^1_t \oplus c^1_{t-1} \oplus c^0_t \oplus c^0_{t-1}$ (22)
Now we define the additional variables $A(t)$ and $B(t)$:
$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1}$
$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1$
so that Equations (20) and (22) simplify to (using the fact that $x^2 = x$ for Boolean variables):
$c^1_{t+1} = A(t) \oplus B(t)c^1_t$ (23)
$c^1_{t+1}B(t) = A(t)B(t) \oplus B(t)c^1_t$ (24)
$0 = B(t)(A(t) \oplus c^1_t \oplus c^1_{t+1})$ (25)
and
$c^0_{t+1} = B(t) \oplus 1 \oplus c^0_{t-1} \oplus c^0_t \oplus c^1_t \oplus c^1_{t-1}$ (26)
$c^1_t \oplus c^1_{t-1} = B(t) \oplus 1 \oplus c^0_{t-1} \oplus c^0_t \oplus c^0_{t+1}$ (27)
By inserting Equation (27) with index $t+1$ instead of $t$ into (25) we get the following equation:
$0 = B(t)(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2})$ (28)
In this equation we can eliminate all unknown memory bits $c^0_t$ by using the observed keystream $z_t$ and the identities $x^2 = x$ and $x \oplus x = 0$ in GF(2):
$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$
$c^0_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus z_t = \Pi_1(t) \oplus z_t$
$B(t) = \Pi_2(t) \oplus \Pi_1(t)c^0_t \oplus 1 = \Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1$
$A(t) = \Pi_4(t) \oplus \Pi_3(t)c^0_t \oplus c^0_{t-1} = \Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1}$
$0 = B(t)(A(t) \oplus B(t+1) \oplus 1 \oplus c^0_t \oplus c^0_{t+1} \oplus c^0_{t+2})$
$= (\Pi_2(t) \oplus \Pi_1(t) \oplus \Pi_1(t)z_t \oplus 1)\,(\Pi_4(t) \oplus \Pi_3(t)\Pi_1(t) \oplus \Pi_3(t)z_t \oplus \Pi_1(t-1) \oplus z_{t-1} \oplus \Pi_2(t+1) \oplus \Pi_1(t+1) \oplus \Pi_1(t+1)z_{t+1} \oplus 1 \oplus 1 \oplus \Pi_1(t) \oplus z_t \oplus \Pi_1(t+1) \oplus z_{t+1} \oplus \Pi_1(t+2) \oplus z_{t+2})$
$= z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}$
$\oplus \Pi_1(t)(z_tz_{t+2} \oplus z_tz_{t+1} \oplus z_tz_{t-1} \oplus z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2})$
$\oplus \Pi_2(t)(z_{t-1} \oplus z_t \oplus z_{t+1} \oplus z_{t+2}) \oplus \Pi_3(t)z_t \oplus \Pi_4(t)$
$\oplus \Pi_1(t-1) \oplus \Pi_1(t-1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t-1)\Pi_2(t)$
$\oplus \Pi_1(t+1)z_{t+1} \oplus \Pi_1(t+1)\Pi_1(t)z_{t+1}(1 \oplus z_t) \oplus \Pi_1(t+1)\Pi_2(t)z_{t+1}$
$\oplus \Pi_2(t+1) \oplus \Pi_2(t+1)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_2(t+1)\Pi_2(t)$
$\oplus \Pi_1(t+2) \oplus \Pi_1(t+2)\Pi_1(t)(1 \oplus z_t) \oplus \Pi_1(t+2)\Pi_2(t)$ (29)
This equation has terms of degree at most 4 in the variables $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ (through the $\Pi_i$) and holds for every $t$. By iterating it we build a system of nonlinear equations (SNE) of degree 4 in which the initial values of the four LFSRs are the unknowns. These initial states have lengths 25, 31, 33 and 39, so the key to be recovered by the attack has the form
$K_0 = (a_0, \ldots, a_{24}, b_0, \ldots, b_{30}, c_0, \ldots, c_{32}, d_0, \ldots, d_{38}) = (k_0, k_1, \ldots, k_{127})$
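The combiner loop of steps a) to f) in Chapter 2 and the derivation of Equations (14) to (29) above, as an added example that is neither the thesis's nor Armknecht's code: a Python model of the E0 summation combiner built from the page's equations, which checks exhaustively that (17)/(18) agree with the integer form (16) and then verifies on constructed input that the memory-free relation holds at every clock. The four LFSR output streams are replaced by a seeded random generator (the relation only involves the combiner, not the feedback polynomials), the initial memory values are assumptions, and all function names are hypothetical.

```python
import random

# Added example (not the thesis's or Armknecht's code): the E0 summation
# combiner modelled from the equations on this page, plus numerical checks of
# the memory-free relations (28) and (29). LFSR outputs are constructed with a
# seeded RNG rather than real LFSRs (the relations only involve the combiner);
# the initial memory values in check_all() are assumptions.

def pi(x):
    """Pi_1..Pi_4: XOR over all degree-i products of the LFSR bits x = (x1, x2, x3, x4)."""
    x1, x2, x3, x4 = x
    p1 = x1 ^ x2 ^ x3 ^ x4
    p2 = (x1 & x2) ^ (x1 & x3) ^ (x1 & x4) ^ (x2 & x3) ^ (x2 & x4) ^ (x3 & x4)
    p3 = (x1 & x2 & x3) ^ (x1 & x2 & x4) ^ (x1 & x3 & x4) ^ (x2 & x3 & x4)
    p4 = x1 & x2 & x3 & x4
    return p1, p2, p3, p4

def s_next_int(x, c1, c0):
    """Equation (16): s_{t+1} = floor((y_t + 2*c1_t + c0_t) / 2), returned as (s1, s0)."""
    s = (sum(x) + 2 * c1 + c0) >> 1
    return (s >> 1) & 1, s & 1

def s_next_pi(x, c1, c0):
    """Equations (17)/(18): the same s_{t+1} expressed through the Pi_i(t)."""
    p1, p2, p3, p4 = pi(x)
    return p4 ^ (p3 & c0) ^ (p2 & c1) ^ (p1 & c0 & c1), p2 ^ (p1 & c0) ^ c1

def verify_s_decomposition():
    """Exhaustively confirm (17)/(18) == (16) over all 16 x and 4 (c1, c0) combinations."""
    for n in range(16):
        x = ((n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1)
        for c1 in (0, 1):
            for c0 in (0, 1):
                if s_next_int(x, c1, c0) != s_next_pi(x, c1, c0):
                    return False
    return True

def combiner_step(x, c_t, c_tm1):
    """One clock: steps a), b), d), e) of the loop. c = (c1, c0); returns (z_t, c_{t+1})."""
    c1_t, c0_t = c_t
    c1_tm1, c0_tm1 = c_tm1
    z_t = x[0] ^ x[1] ^ x[2] ^ x[3] ^ c0_t          # f0: z_t = Pi_1(t) + c0_t
    s1, s0 = s_next_int(x, c1_t, c0_t)               # f1
    c1_next = s1 ^ c1_t ^ c0_tm1                     # Equation (14), first component
    c0_next = s0 ^ c0_t ^ c1_tm1 ^ c0_tm1            # Equation (14), second component
    return z_t, (c1_next, c0_next)

def run_combiner(xs, c_0, c_m1):
    """Keystream z_t and the memory bits c0_t for a list of 4-tuples of LFSR output bits."""
    zs, c0s = [], []
    c_t, c_tm1 = c_0, c_m1
    for x in xs:
        z_t, c_next = combiner_step(x, c_t, c_tm1)
        zs.append(z_t)
        c0s.append(c_t[1])
        c_t, c_tm1 = c_next, c_t
    return zs, c0s

def relation_28_holds(xs, c0s):
    """Equation (28): B(t)(A(t) + B(t+1) + 1 + c0_t + c0_{t+1} + c0_{t+2}) == 0 for every t."""
    def A(t):
        p1, p2, p3, p4 = pi(xs[t])
        return p4 ^ (p3 & c0s[t]) ^ c0s[t - 1]
    def B(t):
        p1, p2, p3, p4 = pi(xs[t])
        return p2 ^ (p1 & c0s[t]) ^ 1
    for t in range(1, len(xs) - 2):
        if B(t) & (A(t) ^ B(t + 1) ^ 1 ^ c0s[t] ^ c0s[t + 1] ^ c0s[t + 2]):
            return False
    return True

def relation_29_holds(xs, zs):
    """Equation (29): (28) with every memory bit replaced by c0_t = Pi_1(t) + z_t."""
    for t in range(1, len(xs) - 2):
        p1, p2, p3, p4 = pi(xs[t])
        o1 = pi(xs[t - 1])[0]                        # Pi_1(t-1)
        q1, q2 = pi(xs[t + 1])[:2]                   # Pi_1(t+1), Pi_2(t+1)
        r1 = pi(xs[t + 2])[0]                        # Pi_1(t+2)
        z, zm, zp, zpp = zs[t], zs[t - 1], zs[t + 1], zs[t + 2]
        v = zm ^ z ^ zp ^ zpp
        v ^= p1 & ((z & zpp) ^ (z & zp) ^ (z & zm) ^ zm ^ z ^ zp ^ zpp)
        v ^= p2 & (zm ^ z ^ zp ^ zpp)
        v ^= (p3 & z) ^ p4
        v ^= o1 ^ (o1 & p1 & (1 ^ z)) ^ (o1 & p2)
        v ^= (q1 & zp) ^ (q1 & p1 & zp & (1 ^ z)) ^ (q1 & p2 & zp)
        v ^= q2 ^ (q2 & p1 & (1 ^ z)) ^ (q2 & p2)
        v ^= r1 ^ (r1 & p1 & (1 ^ z)) ^ (r1 & p2)
        if v:
            return False
    return True

def constructed_lfsr_outputs(n, seed=7):
    """Constructed stand-in for the four LFSR output streams: n random 4-bit tuples."""
    rng = random.Random(seed)
    return [tuple(rng.getrandbits(1) for _ in range(4)) for _ in range(n)]

def check_all(n=2000):
    """Runs the combiner on constructed input and returns the three verification results."""
    xs = constructed_lfsr_outputs(n)
    zs, c0s = run_combiner(xs, c_0=(1, 0), c_m1=(0, 1))   # assumed initial memory
    return verify_s_decomposition(), relation_28_holds(xs, c0s), relation_29_holds(xs, zs)

if __name__ == "__main__":
    print(check_all())   # (True, True, True)
```

Because relation_29_holds uses only LFSR output bits and keystream, it is exactly the degree-4 relation an algebraic attacker collects at every clock; any memory state or seed gives the same result.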
Although the long Equation (29) uses the output bits of the LFSRs at clock $t$, we can rewrite it in terms of the initial state bits. This is possible because there is a linear function $L: GF(2)^n \to GF(2)^n$, where $n$ is the length of the LFSR, which linearly maps the state $K_t$ to $K_{t+1}$, $K_{t+1} = L(K_t)$, for each clock $t$:
$K_1 = L(k_0, k_1, \ldots, k_{127}) = L(K_0)$
$K_2 = L(k_1, k_2, \ldots, k_{128}) = L(L(k_0, k_1, \ldots, k_{127})) = L^2(K_0)$
...
$K_t = L(k_{t-1}, k_t, \ldots, k_{t+126}) = L^t(K_0)$
So we can rewrite Equation (29), following the notation of Theorem 2, as:
$0 = F(K_0, \ldots, L^3(K_0), z_0, z_1, z_2, z_3)$
$0 = F(L(K_0), \ldots, L^4(K_0), z_1, \ldots, z_4)$
$0 = F(L^2(K_0), \ldots, L^5(K_0), z_2, \ldots, z_5)$
$0 = F(L^3(K_0), \ldots, L^6(K_0), z_3, \ldots, z_6)$
...
$0 = F(L^t(K_0), \ldots, L^{t+3}(K_0), z_t, \ldots, z_{t+3})$
where $F$ is a multivariate relation of degree at most 4.
Since the LFSR output bits $\{x^1_t, x^2_t, x^3_t, x^4_t\}$ can be expressed as linear functions of the initial state bits, only a finite number of different monomials can occur. Armknecht found that this number is $T = 17{,}440{,}047 \approx 2^{24.056}$. This means that we obtain a system of nonlinear equations with $T$ unknowns, and to solve it we need at least $T$ equations, obtained by clocking the system that many times. Through linearization, the system can be solved with Strassen's algorithm in $O(7T^{\log_2 7})$ or with the Coppersmith-Winograd algorithm [24] in $O(T^\omega)$, $\omega \le 2.376$.
Chapter 4
Encryption can optionally be used once at least one of the two communicating devices has authenticated itself to the other. Either the master or the slave can request encryption; however, encryption itself is always initiated by the master after it has negotiated the necessary parameters with the slave. For this purpose the two devices first agree on the length of the key to be used. The master then initiates the encryption process by sending a random number to the slave. The cipher key is computed from the link key, a cipher offset and the random number. Encryption can operate in two ways, point-to-point and point-to-multipoint. Under point-to-point encryption, the authenticated cipher offset of the authentication protocol is used as the cipher offset. Under point-to-multipoint encryption, on the other hand, the device address of the master is used as the cipher offset, and the link key must be replaced by a master key before encryption can be initiated. A stream cipher is used for encryption (designated E0 in the standard). For each data packet a new initialisation vector (the message key) is computed from the device address and the Bluetooth clock of the master. The data is only encrypted while being transported by radio: prior to transmission and after receipt it is held unencrypted in the two devices. Encryption is thus not end-to-end (i.e. the data is not encrypted from input into device A until output or processing in device B).
4.2 Problems with Encryption:
In a divide-and-conquer attack, a part of the key is guessed; this constraint on the keystream may make it possible to determine the rest of the key faster, and hence it is a challenge to Bluetooth encryption. Such an attack is usually combined with a correlation attack to determine the rest of the key. A correlation attack is a widely applicable type of attack which may succeed against generators that combine the output of several (cryptographically weak) keystream generators.
A correlation attack exploits a weakness in the combining function which lets information about individual input sequences leak into the output sequence. In such a case there is a correlation between the output sequence and one of the (internal) input sequences.
This correlation can be used to extract information about the correlated input sequences. In the simplest case, a correlation means that the output equals one of the input variables with a probability different from 0.5. Siegenthaler showed in his paper [31] that a smaller linear complexity of the output sequence means greater correlation immunity.
As a protection against these correlation attacks, Rueppel introduced in [27] the idea of a combining function with memory, which makes it possible to attain maximum-order correlation immunity and maximum linear complexity simultaneously, thereby separating the notions of correlation immunity and linear complexity.
The fast correlation attack is based on using certain parity-check equations derived from the feedback polynomial of the LFSR. The attack assumes that there is a correlation between one of the shift registers and the output keystream $z_t$: $P(s^1_t = z_t) = p = 1/2 + \epsilon$, $t \ge 0$. Meier and Staffelbach viewed this as if the sequence from LFSR1 were transmitted over a Binary Symmetric Channel (BSC) with crossover probability $1 - p$, i.e. the BSC transmits each symbol correctly with probability $p$. The combined effect of the other shift registers and the nonlinear combiner is modelled as the BSC. Since the feedback of LFSR1 is linear, the bits $s_t$ for different $t$ must satisfy a number of linear equations, determined by how many taps the feedback polynomial has and where the taps are located. If the correlation between $s_t$ and $z_t$ is high enough, most of the corresponding symbols in the keystream $z_t$ must also fulfil these linear equations. So, by slightly modifying the sequence $z_t$ to compensate for possible crossovers in the BSC model, Meier and Staffelbach showed that the sequence $s = s^1_0, s^1_1, \ldots, s^1_N$ can be recovered, and thus the initial state of the shift register. This is again a risk for the Bluetooth encryption process.
The drawback of this algorithm is that it is only successful if the feedback polynomial has very few terms, which corresponds to an LFSR with few taps. The idea of a communication channel was reconsidered by Johansson and Jönsson in [32], who identified an embedded convolutional code in the sequences and could apply standard decoding techniques, e.g. the Viterbi algorithm, to recover the initial state even if the correlation probability was very close to 0.5. Typically, a shift register of length 40 with a correlation probability of 0.45 can be attacked with modest computational effort. This algorithm is independent of the number of taps of the feedback polynomial.
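The parity-check test behind the BSC model above, and the $n_0$/$n_1$ count with an unsymmetrical threshold from the Ekdahl-Johansson discussion in Section 3.2, as an added example that is not part of the thesis: a toy LFSR with the feedback polynomial $x^{15} + x + 1$ (an assumption; it is not one of the E0 polynomials, which the page does not list) stands in for LFSR1, a BSC with crossover probability $1 - p$ stands in for the other registers plus the combiner, and the parity checks from the polynomial distinguish a correlated sequence from pure noise. The sample size, $p$, threshold and seed are constructed values and all names are hypothetical.

```python
import random

# Added example (not from the thesis): the parity-check test at the heart of the
# fast correlation attack. The toy feedback polynomial x^15 + x + 1 is an
# assumption (weight 3, not an E0 polynomial); its recurrence is
# s_{t+15} = s_{t+1} XOR s_t, which yields the check s_t + s_{t+1} + s_{t+15} = 0.

DEGREE = 15   # toy register length (assumption)

def lfsr_sequence(state, n):
    """First n output bits of the toy LFSR, starting from state = (s_0, ..., s_14)."""
    s = list(state)
    for t in range(n - DEGREE):
        s.append(s[t + 1] ^ s[t])
    return s[:n]

def parity_checks(seq):
    """Value of each parity check s_t + s_{t+1} + s_{t+15} (0 = satisfied) along seq."""
    return [seq[t] ^ seq[t + 1] ^ seq[t + DEGREE] for t in range(len(seq) - DEGREE)]

def counts(seq):
    """(n0, n1): how many checks hold and how many fail, as in the hypothesis test."""
    checks = parity_checks(seq)
    n1 = sum(checks)
    return len(checks) - n1, n1

def expected_fraction(p):
    """Piling-up: a 3-term check over bits each correct with prob. p = 1/2 + eps
    holds with probability 1/2 + 2^(k-1) eps^k for k = 3, i.e. 1/2 + 4 eps^3."""
    eps = p - 0.5
    return 0.5 + 4 * eps ** 3

def accept_guess(seq, threshold):
    """Decide H1 (seq is correlated with the LFSR) when n0 - n1 exceeds the threshold."""
    n0, n1 = counts(seq)
    return n0 - n1 > threshold

def bsc(seq, p, rng):
    """Transmit seq over a BSC that delivers each bit correctly with probability p."""
    return [b if rng.random() < p else b ^ 1 for b in seq]

def experiment(n=4000, p=0.8, threshold=400, seed=1):
    """Constructed scenario: clean LFSR output, the same output seen through the
    BSC (what the attacker observes), and pure noise (a wrong guess)."""
    rng = random.Random(seed)
    state = [1] + [rng.getrandbits(1) for _ in range(DEGREE - 1)]   # non-zero state
    clean = lfsr_sequence(state, n)
    noisy = bsc(clean, p, rng)
    noise = [rng.getrandbits(1) for _ in range(n)]
    m = n - DEGREE                                  # number of checks = samples
    return {
        "clean_fraction": counts(clean)[0] / m,     # 1.0: every check holds
        "noisy_fraction": counts(noisy)[0] / m,     # close to expected_fraction(p)
        "noise_fraction": counts(noise)[0] / m,     # close to 1/2
        "accept_noisy": accept_guess(noisy, threshold),
        "accept_noise": accept_guess(noise, threshold),
    }

if __name__ == "__main__":
    print(expected_fraction(0.8))   # 0.608
    print(experiment())
```

With $p = 0.8$ the bias of a 3-term check is $4 \cdot 0.3^3 = 0.108$, so about 4000 checks separate the two hypotheses by many standard deviations; the much smaller biases quoted for E0 are why the attacks in Chapter 3 need $2^{34}$ to $2^{39}$ keystream bits.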
In this attack we start by guessing some internal variables of the cipher (e.g. part of an LFSR) and then try to determine the other variables from the observed keystream and the evolution of the cipher over time. If the guess is correct, we can confirm it by running the cipher for some time and matching the output of our trial generator against the observed sequence. If the guess is wrong, we simply make a new guess and start over. The time complexity of such an attack is $O(2^b)$, where $b$ is the number of bits we have to guess, since in the worst case every combination of the guessed bits must be tried. The difficult part of this attack is to discover which part of the state space should be guessed in order to obtain the rest. In this type of attack we thus try to break the Bluetooth encryption cycle by guessing internal variables of the cipher, namely part of the LFSR state.
The general idea behind algebraic attacks is to form (nonlinear) equations relating the observable keystream bits $z_t$ for all clock ticks $t$ to the initial secret key bits of the LFSRs, which are the unknowns. The pre-computation of these equations need only be performed once; the attacker can use the same equations for attacking different keystreams. Once the equations are set up, the attacker observes the keystream and substitutes the keystream bits into the algebraic equations. The equations then depend only on the initial secret LFSR key bits, and solving them determines the LFSR initialization keys. This is possible if sufficiently many equations can be constructed from the observed keystream and the equations are of low degree in the bits of the initialization keys. To solve a system of nonlinear equations, we linearize it: a new unknown variable is assigned to each monomial that appears in the system, and the same monomial appearing in a different equation is assigned the same variable. This yields a system of linear equations with a large number of unknowns.
Since the complexity of algebraic attacks is exponential in the degree of the equations, a way of reducing that degree was needed. Courtois [10] introduced a method to achieve this in his fast algebraic attacks. His method requires an additional pre-computation step to determine a linear combination of the equations of the initial algebraic attack system; this linear combination cancels out terms of high degree, making the system easier to solve. The approach is based on the fact that the multivariate polynomial can be multiplied by another multivariate polynomial such that the product has lower degree in the initial state bit variables. Courtois proposes to use the Berlekamp-Massey algorithm, which finds the minimal polynomial of a linear recurrent sequence, to determine the linear combination in the pre-computation step. These attacks thus try to defeat the Bluetooth encryption process by forming algebraic equations based on the observable keystream $z_t$.
Chapter 5
5. CONCLUSION
5.1 Analysis And Conclusion
We conclude this thesis by analysing the E0 encryption algorithm on the basis of all the attacks on the E0 stream cipher discussed in the previous chapters. We have tried to cover the whole set of low-level security features supported by the Bluetooth specification, while keeping stream ciphers as the main topic of discussion; we have further discussed encryption, the pairing procedure and authentication in full detail.
The study covered an in-depth analysis of the E0 encryption algorithm. We did not only cover the complete functionality of the E0 system, we also analysed many of the recent attacks. The most important attacks on the E0 encryption system are the correlation attacks and the algebraic attacks.
Encryption is one of the most important security mechanisms for the transfer of data between two communicating wireless devices, in the present case Bluetooth devices. Bluetooth uses the E0 encryption algorithm, which is discussed in detail in the previous chapters. We have taken into consideration all the known attacks: the correlation attacks, which are based on a presumed correlation between the input and output bits, and the algebraic attacks, which exploit the fact that the output bits can be expressed by an algebraic relation in terms of the initial state bits. The best attacks currently known are the fast algebraic attack of Armknecht [11] and Courtois [10] and the fast correlation attack of Lu and Vaudenay [12]. We have seen that the latter attack can recover the initial state of the LFSRs and the FSM in a known-plaintext attack with approximately $2^{39}$ keystream bits and a time complexity of approximately $O(2^{39})$, which would allow an intruder to decipher the text and hence break the Bluetooth security mechanism. In the light of the present situation, however, there is currently no known attack that breaks the complete encryption procedure, and hence the security mechanism of the Bluetooth security architecture, with reasonable effort and a practically available amount of keystream. The security margin is nevertheless insufficient to feel comfortable about the years to come: since research on these attacks continues actively, future attacks may succeed in reducing the cryptanalytic workload to a practical level.
After this research we may conclude that there are a number of security problems with Bluetooth, the most important of which relate to encryption, which is provided by the E0 algorithm. Still, Bluetooth can be regarded as reasonably safe for its intended usage. For a practical multifunctional protocol such as Bluetooth, many considerations must be balanced to find a good compromise between functionality, user-friendliness, speed and security. The active research on this topic will help enhance the Bluetooth system in future versions.
References
[2] S.R. Fluhrer and S. Lucks. "Analysis of the E0 encryption system." 2001, pp. 38–48.
[3] P. Ekdahl. "On LFSR based Stream Ciphers - Analysis and Design." Ph.D. thesis, Lund University, 2003.
[7] J. Gergov and Ch. Meinel. "Efficient Boolean function manipulation with OBDDs can be generalized to FBDDs." IEEE Trans. on Computers, Vol. 43, pp. 1197–1209, 1994.
[8] D. Sieling. "Graph driven BDDs - a new data structure for Boolean functions." Theoretical Computer Science 141:1-2, pp. 283–310, Elsevier, 1995.
[9] F. Armknecht. "A linearization attack on the Bluetooth key stream generator." Posted on eprint in December 2002.
[11] F. Armknecht. "On Fast Algebraic Attacks." Talk at the 9th Estonian Winter School in Computer Science, Palmse, Estonia, March 2004.
[15] Cybertrust. "Article on Bluetooth security." Updated June 2005. http://www.cybertrust.com/media/white_papers/cybertrust_wp_blue.pdf
[25] P. Hawkes and G.G. Rose. "Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers." Advances in Cryptology - CRYPTO 2004.
[26] M. Hermelin and K. Nyberg. "Correlation properties of the Bluetooth combiner." Proceedings of the 2nd International Conference on Information Security and Cryptology, pp. 17–29, 1999.
[27] R.A. Rueppel. "Correlation immunity and the summation combiner." Advances in Cryptology - CRYPTO '85, Proceedings, pp. 260–272, Springer-Verlag, 1986.
[28] Bluetooth Special Interest Group (SIG). "The Bluetooth core specification version 1.2." November 2003. http://www.bluetooth.org.
[29] S.R. Fluhrer and S. Lucks. "Analysis of the E0 Encryption System." Selected Areas in Cryptography - SAC 2001, Lecture Notes in Computer Science, 2001. http://www.cs.stonybrook.edu/~sion/teaching/sunysb/2006-Fall/CSE508/slides/class14/Bluetooth.pdf
[33] A. Kipnis and A. Shamir. "Cryptanalysis of the HFE public key cryptosystem." 1999, pp. 19–30.