Secure Device to Device Communication





Master’s Degree Project

Stockholm, Sweden June 2014



Since wireless communication has become a standard feature in daily life, smartphones and tablets, among other devices, are integrated with the Bluetooth technology. While during some parts of the day wireless communication can be used for searching the internet and sharing information on social networks without the need for a secure connection, there are other parts where security can become highly important. When the technology gets integrated in companies the security problem becomes more important. This is because when the radio signals spread in the medium they can be accessed by anyone within reach of the network, and the information that was sent may not be intended for everyone. Securing the network from unintended users becomes important when handling sensitive information, which companies may deal with daily.

This thesis provides a survey of the security features and techniques that already exist in some personal area networks. From this it has become clear that a security feature could be implemented on the physical layer of Bluetooth to increase the secrecy during transmission, since at the moment security is only implemented on higher layers using encryption algorithms.

This thesis proposes a conceptual idea for improving the secrecy in the network by using a wiretap code that is implemented before the error-correction coding in the Bluetooth baseband. By disabling the ARQ scheme in Bluetooth one can model the channel as a packet erasure channel that loses packets with a certain probability.

By using a nested code structure, the message can then be sent securely at a higher rate than what the eavesdropper can recover, due to the amount of errors in the received signal. The performance of the concept is evaluated with the secrecy throughput, the secrecy outage probability and the leakage.


Since wireless communication has become a standard feature in daily life, smartphones and tablets, among other devices, have been integrated with Bluetooth. Even though wireless communication can be used during some parts of the day to search the internet and share information on social networks without the need for a truly secure connection, there are other parts where security can be of great importance. When the technology is integrated in companies the security problems become more apparent, since the radio signals spread in the medium and can be reached by anyone within range, and the information sent is not necessarily intended for everyone.

Securing the network from unintended users becomes important when handling sensitive data that companies may deal with.

This report gives an introduction to the security functions and techniques that already exist in some of the existing personal area networks. From this it has become apparent that a security function can be implemented on the baseband layer of Bluetooth to increase the security during transmission, since at the moment there are only security protocols on the higher layers, using encryption algorithms.

This report proposes a conceptual idea for improving the security in the network with the help of a wiretap code that is implemented before the error-correction code in the Bluetooth baseband. By disabling the ARQ scheme in Bluetooth one can model the channel as a packet erasure channel that will lose packets with a certain probability.

By using a nested code structure, the message can be sent securely using a higher rate than the eavesdropper can cope with, due to the amount of errors that the received signal will contain. The performance of the concept is evaluated by how much throughput can take place securely, the secrecy margin and how much information leaks to the eavesdropper.



I would like to acknowledge a few people that have made the completion of this thesis possible. First I would like to give my warm thanks to my supervisor and examiner Ragnar Thobaben for his incredible help and patience with the theory of the concept and with me. Without his help this thesis would never have been made. Second I would like to express my gratitude to Frédéric Gilbert Gabry for his help with understanding the basic concepts of a Galois field. Last I would like to thank Nima Najari Moghadam who helped out with some experimental measurements.


List of Figures
List of Tables

1 Introduction
1.1 Problem description
1.2 Aim of the thesis
1.3 Organization of the thesis

2 Information Theoretic Security and Cryptology
2.1 Information Theoretic Security
2.1.1 The Wiretap Channel
2.1.2 The Wiretap Channel II
2.1.3 Ahlswede's Secret sharing protocol
2.2 Cryptology
2.2.1 Shamir's secret sharing
2.2.2 Public key encryption
2.2.3 Secret key encryption

3 Standards
3.1 ZigBee
3.1.1 Security architecture
3.1.2 Security procedures
3.1.3 Security problems
3.2 Bluetooth
3.2.1 Pairing and bonding
3.2.2 Key Management
3.2.3 Security problems
3.3 Discussion

4 Method
4.1 Methodology
4.2 Case description
4.3 Related work
4.4 Theory
4.4.1 Polynomial and Cyclic codes
4.4.2 BCH and Reed-Solomon codes
4.4.3 Nested code structure
4.5 Model
4.6 Results
4.7 Discussion
4.8 Future work

5 Business Benefits
5.1 Strengths
5.2 Weaknesses
5.3 Opportunities
5.4 Threats
5.5 Discussion

6 Ethical Aspects
6.1 Privacy
6.2 Dissemination and use of information
6.3 Financially
6.4 Socially
6.5 Ecologically sustainable development

7 Final conclusion
Bibliography

List of Figures
2.1 An illustration of encryption with channel coding. Source: [1]
2.2 An illustration of the wiretap model. Source: [1]
2.3 The linear system needed to solve for the adversary
4.1 The non-systematic form of G
4.2 The check matrix for a cyclic code
4.3 The check matrix for a BCH code
4.4 Illustration of the codes
4.5 The H0 check matrix
4.8 The error probability distribution for Bob with different SNR
4.9 The error probability distribution for Eve with different SNR
4.10 The error probability distribution for Eve when SNR is 0 dB

List of Tables
4.1 The secrecy parameter result where K_Eve = 1


Chapter 1

Introduction


Since the technology of today is continuously growing, wireless communication has become a standard in every person's daily life. With the new technology one is always able to be on the go. The increase of mobile devices such as smartphones has increased the daily data traffic tremendously. While during some parts of the day mobile traffic can be used for searching the internet and sharing information on social networks without the need for a secure connection, there are other parts where a lack of privacy can be a problem.

As the technology develops our daily life it also affects business use. One has been introduced to the simplicity and flexibility of wireless communication by having the ability to take the work with you. Because of that, businesses today integrate new technology in their everyday work to manage a more technical as well as a more flexible working structure. The use of smartphones and tablets is becoming more common in one's everyday work. Most of the work in a company is already integrated with computers and systems, and with new technology equipment one integrates these as well.

This, however, faces important issues such as security and privacy problems. Since the use of the broadcast medium becomes evident when using wireless communication, one has to consider the problems in how these transmissions are spread. The radio signals spread in the medium can be accessed by anyone within reach of the network, while the information sent may not be intended for everyone. Securing the network from unintended users becomes more important when handling sensitive information, which companies may deal with.

1.1 Problem description

At work one may want to share information in an efficient way, for example during meetings. Instead of having shared folders or emailing the information to each other, one could use device to device communication to create a personal area network.

Even though this technique could make the meeting more efficient, the problem becomes keeping unintended users unaware of the transmission and keeping the information secret.

Since the information in a company may be confidential it is important to keep it safe from unintended users such as eavesdroppers. Complete trust in the security of the wireless communication is important if the new technology is implemented as a standard working approach. One faces the problem of passive eavesdropping, where a person may be listening in to the wireless conversation to gain valuable information. There may also be active eavesdropping, where the adversary wants to modify the content before it reaches the receiver, as a man-in-the-middle of the communication.

These problems all stem from the open nature of the network brought by the wireless medium. So the problem becomes keeping the information secure even though the adversary hears the transmission.

Apart from a secure transmission, one would also want the transmission to be fast to initiate, to have a high transfer performance and a low packet loss. This puts the security algorithms under pressure to provide not only secure communication but also fast and reliable communication.

1.2 Aim of the thesis

Today there are already existing standards for personal area networks, such as Bluetooth and ZigBee. These have mainly been focused on reliable and fast communication but have been developed over the years to provide more security.

To be able to deal with the concerns of a secure transmission for business users, there will be some research on how one can improve the already existing standards.

The thesis will provide a scenario where some security parameters are in focus and provide a concept of a security feature to complement the security in the personal area network. The concept will be analysed to see how it will provide higher security and if it is worth being implemented in the existing standard.

As a complement to the technical implementation there will be a discussion of the business benefit of this kind of network. The advantages of this technique will be discussed, to see if there is any interest in implementing these new features to secure the personal area network further. There will be an analysis of how the solution can and should be used to improve the work in companies.

1.3 Organization of the thesis

To be able to understand how security is developed for secure communication, there will first be a review in Chapter 2 of some existing information theoretic security models, such as Wyner's wiretap channel. Some cryptographic algorithms will also be considered, for example public key encryption and secret key encryption. This is provided to give a better understanding of the security methods that already exist in the current standards and also how these can be improved.



Chapter 3 provides an overview of the security in two personal area networks, Bluetooth and ZigBee, to provide an understanding of the features implemented and what problems exist. Some more details will be given for Bluetooth, which is chosen to be analysed further in the thesis.

In Chapter 4 the theory of the concept is brought up, together with how the security concept is to be analysed. The results of the performance are displayed and discussed together with future work for improvements.

Chapter 5 provides the business benefits in the form of a SWOT analysis. This can be used as a valuable asset in decision making for future implementation in a company environment.


Chapter 2

Information Theoretic Security and Cryptology

As today's society becomes more technical, the standards become more flexible and thereby more wireless. One should always be on the go and be able to take the technology along. By becoming more wireless, more focus has been put on security and the security issues that the communication brings [1]. However, when talking about security it is usually viewed as an independent feature implemented above the physical layer [2]. Nowadays there exist both theoretical and practical implementations for building security into the physical layer.

When talking about security, one is concerned about confidentiality: only the intended recipient should be able to obtain the information, while eavesdroppers gain no information of importance. Another thing of importance is integrity: the information received is what was sent and not a version modified by a malicious attacker. Finally there is authentication, so that one knows who the sender was.

Techniques that have been brought forth to handle these issues are mainly based on cryptographic encryption [1]. This can easily be explained by a picture, Figure 2.1, where the transmitted data is encrypted by a key. The receiver then uses a key to decrypt the information. Since the transmitted data has been changed from plaintext to ciphertext, an eavesdropper cannot read the data collected during the transmission without knowing the key. However, an eavesdropper can make attempts to crack the key, but it would take a lot of computational power to succeed in a limited time [1].

The introduction of information theoretic security techniques was a starting point for handling other types of issues in the security of wireless communication networks. These issues involve the open nature of the wireless medium [1], in that others than the intended receiver will receive the radio signals. The main issue was how to distribute keys in a secure way, given both the interception by others in the medium and the lack of infrastructure in a wireless network [1].

Figure 2.1: An illustration of encryption with channel coding. Source: [1]

The first approach for this technique was made by Wyner [3], who showed that it would be possible to send a message perfectly securely without using an encryption key for the message.

2.1 Information Theoretic Security

The idea of information theoretic security is to work with statistical properties of the channels, from transmitter to receiver and from transmitter to eavesdropper.

As long as the channel to the receiver is statistically better than to the eavesdropper one will have a secure link to communicate on [2].

The subject of information theoretic security was first studied by Shannon [4], who proved that a system could be perfectly secure only because the eavesdropper had too little information to be able to break the encryption.

Shannon studied the so-called one-time pad, which is information-theoretically secure because the encrypted message does not provide any information about the original [4]. Even if an adversary had unlimited computational power the message would be secure with a one-time pad. It was during this study that Shannon defined the term perfect secrecy using only information theory. Perfect secrecy means that a ciphertext C does not provide any information about the plaintext M [4].

This is because one uses a truly random key that is only used once, which means that a ciphertext can be translated into any plaintext of the same length with the same probability [4]. In mathematical terms this can be expressed as:

$H(M) = H(M|C)$ (2.1)

which means that the entropy of the plaintext message $M$ is the same as the conditional entropy of the plaintext when one knows the ciphertext $C$ [1].

Perfect secrecy is very rarely used since one would need as many different keys as the largest number of messages [1]. Instead the notion of information theoretic security was introduced, which means that some information may be leaked while security is still maintained against an adversary with unlimited computational resources.

The basic approach for information theoretic security is to transmit the message, without needing to use encryption keys, by using the randomness in the physical medium due to noise and the fading of the channel [1]. One utilizes the differences between the channel from the transmitter to the receiver and the channel from the transmitter to the eavesdropper. The transmitter can in that way add randomness to prevent eavesdroppers from gaining valuable information, and one also gains the advantage of eliminating the key management between the users [1]. This will in turn lower the computational complexity of the system as well as reduce the vulnerability against attacks such as man-in-the-middle and passive eavesdropping.

Figure 2.2: An illustration of the wiretap model. Source: [1]

2.1.1 The Wiretap Channel

The wiretap channel model was introduced by Wyner [3] as the most basic information theoretic security model, which is based on the physical layer [1]. The model is displayed in Figure 2.2. The transmitted message $W$ is assumed to be random and uniformly distributed over a message set $\mathcal{W}$. $W$ is the confidential message that should be kept secret [1]. The encoder is stochastic, $f : \mathcal{W} \to \mathcal{X}^n$, and maps each message $w \in \mathcal{W}$ into a codeword $x^n \in \mathcal{X}^n$. The channel input $x^n$ is transmitted over a discrete memoryless channel with transition probability $P_{YZ|X}(\cdot|\cdot)$ [1]. The output from the channel is $y^n$ for the intended receiver and $z^n$ for the eavesdropper.

At the receiving side there is a decoder $g : \mathcal{Y}^n \to \mathcal{W}$ that maps the received channel output $y^n \in \mathcal{Y}^n$ to an estimate of the transmitted message, $\hat{w} \in \mathcal{W}$. In the work of Wyner [3] the channel of the eavesdropper is assumed to be a degraded version of the receiver's channel. However, in [1] the model is generalized to handle the case where the channels are equally noisy or where the eavesdropper's channel is even better than the main channel.

When looking at the two channels, one is interested in the performance in terms of reliability and security [1]. The reliability is measured by the average block error probability:

$P_e^{(n)} = \Pr\{\hat{W} \neq W\} = \frac{1}{|\mathcal{W}|} \sum_{w \in \mathcal{W}} \Pr\{\hat{w} \neq w\}$ (2.2)

while the security is measured by the equivocation rate:

$R_e^{(n)} = \frac{1}{n} H(W | Z^n)$ (2.3)


From this equivocation rate one can see how uncertain the eavesdropper is about the message $W$ when given the channel output $Z^n$. The higher the rate, the higher the level of security [1].

If one has perfect secrecy it means that $R = R_e$, where $R$ is the confidential rate received at a certain secrecy level $R_e$. One can then define a secrecy capacity $C_s$, that is the largest rate achievable in perfect secrecy:

$C_s = \max_{(R, R) \in \mathcal{C}} R$ (2.4)

where $\mathcal{C}$ is the region of achievable rate-equivocation pairs $(R, R_e)$. The secrecy capacity of the wiretap channel is given by:

$C_s = \max_{P_{UX}} \left[ I(U;Y) - I(U;Z) \right]$ (2.5)

where the maximization is over the input distributions $P_{UX}$ for the fixed channel $P_{YZ|X}$, and $U$ is the source message. As long as the channel to the receiver is less noisy than the channel to the eavesdropper, this value will be positive.

The secrecy capacity characterizes the maximum rate at which the message $W$ can be transmitted while still keeping it perfectly secret from an eavesdropper.

2.1.2 The Wiretap Channel II

Wyner together with Ozarow proposed the wiretap channel II [22], which is based on Wyner's earlier model. In this model there are assumed to be $k$ symbols of secret data that are encoded to length $n$, where $n > k$, and transmitted over a noiseless channel. An adversary on the wiretap channel observes any $\mu < n$ symbols of the transmitted data, from which he gains no information. The wiretap code constructed in [22] is an $[n, k, \mu]$ linear code $C$ constructed from a $k \times n$ systematic parity-check matrix of the form $H = [I \; P]$, each of whose $k \times (n - \mu)$ sub-matrices has rank $k$ [21].

For the encoding, $n - k$ symbols are used to encode a codeword $c$ of length $n$ from the codebook $C$. The $k$ information symbols are put in a row vector $a = [a_1, a_2, \ldots, a_k]$ and added to the codeword to obtain the encoded vector

$v = c + [a_1, a_2, \ldots, a_k, \underbrace{0, \ldots, 0}_{n-k}]$ (2.6)

For the decoding, the receiver recovers the message by calculating

$H v^T = H c^T + H [a_1, a_2, \ldots, a_k, \underbrace{0, \ldots, 0}_{n-k}]^T = 0^T + a^T$ (2.7)

while the wiretapper only knows $\mu$ symbols of $v$ and cannot obtain any data if the sub-matrices are of rank $k$. The wiretapper has to solve a linear system of the form displayed in Figure 2.3 [21], where $[v_{i_1}, v_{i_2}, \ldots, v_{i_{n-\mu}}]$ is not known to the adversary. Since any set of coordinates $\{i_1, i_2, \ldots, i_{n-\mu}\}$ corresponds to a sub-matrix of rank $k$, the system has a solution for any vector $a^T$, which means that the adversary gains no information.



| | |

hi1 hi2 · · · hin−µ

| | |


vi2 ...


=aT + sT

Figure 2.3: The linear system needed to solve for the adversary
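As an added worked example (not from the thesis or from [21] and [22]), the following Python code implements the coset encoding of (2.6) and (2.7) for a constructed [n, k, µ] = [7, 3, 3] instance whose parity-check matrix H = [I P] is that of the [7,4] Hamming code, and measures by brute force how much the eavesdropper learns from µ observed symbols. The matrix, the sizes and the function names are assumptions of the example; the leakage turns out to be k minus the rank of the sub-matrix of H the eavesdropper does not see, which is exactly the rank condition stated above.

```python
from itertools import combinations, product
import math
import random

# Constructed toy instance (not from the thesis): k = 3 secret bits, n = 7 sent
# symbols. H = [I | P] is the systematic parity-check matrix of the [7,4]
# Hamming code; its columns are the seven non-zero vectors of GF(2)^3, so any
# k x (n - mu) sub-matrix with n - mu = 4 columns has rank k = 3, i.e. mu = 3.
K, N = 3, 7
H = [
    [1, 0, 0, 1, 1, 0, 1],
    [0, 1, 0, 1, 0, 1, 1],
    [0, 0, 1, 0, 1, 1, 1],
]


def syndrome(v):
    """H v^T over GF(2); for the legitimate receiver this is the message a (2.7)."""
    return tuple(sum(h * x for h, x in zip(row, v)) % 2 for row in H)


# Codebook C = {c : H c^T = 0}. With H = [I | P] the generator matrix is G = [P^T | I].
P = [row[K:] for row in H]
G = [[P[i][j] for i in range(K)] + [int(t == j) for t in range(N - K)]
     for j in range(N - K)]
CODEBOOK = [tuple(sum(m[j] * G[j][i] for j in range(N - K)) % 2 for i in range(N))
            for m in product((0, 1), repeat=N - K)]
assert all(syndrome(c) == (0,) * K for c in CODEBOOK)


def encode(a, c=None):
    """Wiretap-II encoding (2.6): v = c + [a_1..a_k, 0..0], c a random codeword of C."""
    c = random.choice(CODEBOOK) if c is None else c
    return tuple((ci + (a[i] if i < K else 0)) % 2 for i, ci in enumerate(c))


def decode(v):
    """Receiver side of (2.7): H v^T = H c^T + a^T = a^T."""
    return syndrome(v)


def roundtrip_ok():
    """decode(encode(a, c)) == a for every message a and every codeword c."""
    return all(decode(encode(a, c)) == a
               for a in product((0, 1), repeat=K) for c in CODEBOOK)


def gf2_rank(cols):
    """Rank over GF(2) of the k-bit column vectors in cols (Gaussian elimination)."""
    rows = [int("".join(map(str, col)), 2) for col in cols]
    rank = 0
    for bit in reversed(range(K)):
        pivot = next((r for r in rows if r >> bit & 1), None)
        if pivot is None:
            continue
        rows = [r ^ pivot if r >> bit & 1 else r for r in rows if r != pivot]
        rank += 1
    return rank


def unobserved_rank(observed):
    """Rank of the sub-matrix of H formed by the columns the eavesdropper misses."""
    cols = [tuple(H[r][i] for r in range(K)) for i in range(N) if i not in observed]
    return gf2_rank(cols)


def leakage_bits(observed):
    """I(A; V_S) in bits for the eavesdropper's observed positions S, computed by
    brute force over a uniform message a and a uniform codeword c."""
    joint = {}
    for a in product((0, 1), repeat=K):
        for c in CODEBOOK:
            obs = tuple(encode(a, c)[i] for i in observed)
            joint[(a, obs)] = joint.get((a, obs), 0) + 1
    total = len(CODEBOOK) * 2 ** K
    p_obs = {}
    for (a, obs), cnt in joint.items():
        p_obs[obs] = p_obs.get(obs, 0) + cnt / total
    return sum(cnt / total * math.log2((cnt / total) / (2 ** -K * p_obs[obs]))
               for (a, obs), cnt in joint.items())


def worst_case_leakage(mu):
    """Maximum leakage over every choice of mu observed positions."""
    return max(leakage_bits(s) for s in combinations(range(N), mu))


if __name__ == "__main__":
    v = encode((1, 0, 1))
    print("sent", v, "decoded", decode(v))
    print("worst-case leakage, mu = 3:", worst_case_leakage(3), "bits")
    print("worst-case leakage, mu = 4:", worst_case_leakage(4), "bits")
```

With µ = 3 every 3 × 4 sub-matrix has rank 3 and the leakage is zero; with µ = 4 some unobserved 3-column sub-matrices have rank 2 (for instance columns 1, 2 and 4), and the eavesdropper learns exactly one bit of the three-bit message.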

2.1.3 Ahlswede’s Secret sharing protocol

Another model that utilizes the randomness in the channel is Ahlswede's secret sharing protocol. This model is, however, based on the wiretap model developed by both Wyner [3] and Csiszár and Körner [5]. In this model the common randomness between a sender and a receiver is used for transmitting information with random codes [6]. For secret sharing one generates a random message and transmits it over a secure channel. One can also, in a more complex way, use side information in a public channel to achieve secret sharing. Once this has been established one can continue the communication using encryption as the security means [6].

In the article by Ahlswede and Csiszár [6] two methods for secret sharing are provided, one without the eavesdropper's knowledge of side information and another with side information. In this section the focus lies on the second method.

In this model the eavesdropper has access to more information than what is transmitted over the public channel. The channel is a discrete memoryless channel (DMC) where the sender's input to the channel is $X^n = (X_1, \ldots, X_n)$, the receiver observes the output $Y^n = (Y_1, \ldots, Y_n)$ and the eavesdropper observes $Z^n = (Z_1, \ldots, Z_n)$.

The communication over the channel can be viewed as an exchange of messages or codewords $\Phi_i$ generated by the sender and $\Psi_i$ by the receiver [6]. The $n$ symbols sent over the DMC are transmitted at instants $i_1 < i_2 < \ldots < i_n$, and the public channel is used for the remaining instants $i \in \{1, \ldots, k\} \setminus \{i_1, \ldots, i_n\}$ [6]. The sender generates a random variable $M_X$ and the receiver $M_Y$, independent of each other. For the creation of the secret sharing the strategy is as follows [6]:

Step 0: Generation of the random variables $M_X$ and $M_Y$.

Step $i$, $0 < i < i_1$: Exchange of messages $\Phi_i$ and $\Psi_i$ over the public channel, where $\Phi_i = \Phi_i(M_X, \Psi^{i-1})$ and $\Psi_i = \Psi_i(M_Y, \Phi^{i-1})$.

Step $i = i_j$, $1 \le j \le n$: The transmitter determines the $j$th input $X_j$ to the DMC, $X_j = X_j(M_X, \Psi^{i_j - 1})$, and the receiver observes $Y_j$.

Step $i$, $i_j < i < i_{j+1}$, $1 \le j \le n$: The users exchange $\Phi_i$ and $\Psi_i$ over the public channel,

$\Phi_i = \Phi_i(M_X, \Psi^{i-1}), \quad \Psi_i = \Psi_i(M_Y, Y^{j-1}, \Phi^{i-1})$ (2.8)

Final step: The key is established at both users as a function of the information shared:

$K = K(M_X, \Psi^k), \quad L = L(M_Y, Y^n, \Phi^k)$ (2.9)


To be able to call $K$ and $L$ a successful secret sharing, certain conditions have to be fulfilled:

$\Pr\{K \neq L\} < \epsilon$ (2.10)

which means that the users have established a common key with a small probability of error, and

$\frac{1}{n} I(\Phi^k, \Psi^k, Z^n \wedge K) < \epsilon$ (2.11)

which means that this is a secret key and during the exchange no information has been given away.

One can define a number $H$ called the achievable key rate if for every $\epsilon > 0$ and sufficiently large $n$ a secret sharing strategy exists such that [6]:

$\frac{1}{n} H(K) > H - \epsilon$ (2.12)

$\frac{1}{n} \log |\mathcal{K}| < \frac{1}{n} H(K) + \epsilon$ (2.13)

Equation (2.13) means that the distribution of the key is nearly uniform in an entropy sense, which is attractive for encryption [6].

With this strategy the key capacity from the sender is equal to the wiretap channel secrecy capacity:

$\frac{1}{n} H(M)$ (2.14)

and this is the upper bound of the maximum achievable key rate.

2.2 Cryptology

Cryptology is an algorithm-based subject which differs from information theoretic security in the sense that cryptographic algorithms may in theory be cracked. However, in practice it is computationally very difficult for an adversary to break them. Cryptology is a synonym for encryption and is the process of encoding a message so that an unauthorized person cannot read the information.

In the following subsections some different cryptology techniques are presented.

2.2.1 Shamir’s secret sharing

This method, created by Shamir, uses polynomial interpolation [7]. The idea of the scheme is to divide the data $D$ into $n$ pieces such that one can reconstruct the data from $k$ pieces but remains completely unaware of the data with knowledge of $k - 1$ pieces. This is called a $(k, n)$ threshold scheme. It is used for its simplicity, which gives a robust key management scheme [7] that is both secure and reliable.

Step 1: Choose a polynomial $q(x)$ of degree $k - 1$, $q(x) = a_0 + a_1 x + \ldots + a_{k-1} x^{k-1}$. The coefficients can be chosen at random except $a_0$, which is defined as $a_0 = D$. There are now $k$ points in the 2-dimensional plane, $(x_1, y_1), \ldots, (x_k, y_k)$, that satisfy $q(x_i) = y_i$ for all $i$.

Step 2: Divide the data $D$ into $n$ pieces.

Step 3: Evaluate the data pieces $D_1 = q(1), \ldots, D_n = q(n)$ and distribute them to the users.

The reconstruction of the data from any subset of $k$ pieces is done by interpolation [7]:

Step 1: Choose $k$ pieces, for example $(x_1, y_1), \ldots, (x_k, y_k)$.

Step 2: Use the Lagrange basis polynomials:

$l_j(x) = \prod_{\substack{1 \le m \le k \\ m \neq j}} \frac{x - x_m}{x_j - x_m}$ (2.15)

which then provide the interpolated polynomial:

$L(x) = \sum_{j=1}^{k} y_j l_j(x)$ (2.16)

One can now evaluate $D = q(0)$ to recover the data. Using only $k - 1$ pieces of the data is not sufficient to calculate $D$, which makes this a secure threshold scheme.
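As an added example (not from [7] or the thesis), the following Python code performs the (k, n) split and the Lagrange reconstruction of (2.15) and (2.16) over a prime field GF(p), and then enumerates which secret values remain consistent with k − 1 shares versus k shares. The field size, the share abscissas 1..n and the function names are assumptions of the example.

```python
import random

# Constructed parameters (not from the thesis). Arithmetic is done in the prime
# field GF(p) so that every denominator x_j - x_m in (2.15) is invertible;
# p = 257 is small enough to enumerate all candidate secrets below.
P_FIELD = 257


def split(secret, k, n, p=P_FIELD):
    """Shamir (k, n) split: q(x) = D + a_1 x + ... + a_{k-1} x^{k-1} with random
    coefficients a_1..a_{k-1}; the shares are the points (i, q(i)), i = 1..n."""
    assert 0 <= secret < p and 1 < k <= n < p
    coeffs = [secret] + [random.randrange(p) for _ in range(k - 1)]

    def q(x):
        return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p

    return [(x, q(x)) for x in range(1, n + 1)]


def interpolate_at(points, x, p=P_FIELD):
    """Lagrange interpolation (2.15)-(2.16): L(x) = sum_j y_j * l_j(x) in GF(p)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        lj = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                lj = lj * (x - xm) * pow(xj - xm, -1, p) % p  # (x - x_m)/(x_j - x_m)
        total = (total + yj * lj) % p
    return total


def recover(shares, k, p=P_FIELD):
    """Reconstruct D = q(0) from any k of the shares."""
    if len(shares) < k:
        raise ValueError("need at least k shares")
    return interpolate_at(shares[:k], 0, p)


def fits(points, k, p=P_FIELD):
    """True if some polynomial of degree <= k-1 passes through all the points:
    k points are never over-determined, so interpolate k of them and check the rest."""
    base, rest = points[:k], points[k:]
    return all(interpolate_at(base, x, p) == y for x, y in rest)


def consistent_secrets(shares, k, p=P_FIELD):
    """Every secret value D for which the given shares could have been produced.
    With k-1 shares this is all of GF(p); with k shares it is the true D only."""
    return [s for s in range(p) if fits(shares + [(0, s)], k, p)]


if __name__ == "__main__":
    shares = split(123, k=3, n=5)
    print("shares:", shares)
    print("recovered from shares 3..5:", recover(shares[2:], 3))
    print("candidates with 2 shares:", len(consistent_secrets(shares[:2], 3)))
    print("candidates with 3 shares:", consistent_secrets(shares[:3], 3))
```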

2.2.2 Public key encryption

Encryption can be performed by different kinds of algorithms. There is secret-key encryption, also called symmetric key encryption, and public-key encryption, called asymmetric key encryption [1]. With symmetric key encryption the two parties in the data exchange have to share a common key so that they can encrypt and decrypt the ciphertext transmitted over the channel. In public key encryption each party has its own keys, where the transmitter encrypts the information with a public key and the receiver maintains a private key that corresponds to the public key [1]. The eavesdropper may know this public key but still faces a mathematical difficulty in deriving the information without knowing the receiver's private key.

These two algorithms have different advantages and disadvantages. The symmetric key is more computationally efficient and will have a higher throughput, which is why it is used for Bluetooth version 3, Section 3.2, but has a larger challenge in its key management for storage and distribution [1]. Public key encryption presents a simpler algorithm for key management but needs more computation to be secure. This algorithm is used for Bluetooth version 4, which will be presented in Section 3.2, since the storage of keys will take less power from the devices.

Several algorithms have been developed for public key encryption, and they all work in a similar way. One algorithm for public key encryption and decryption was developed by Rivest, Shamir and Adleman. This algorithm got the name RSA algorithm [8] and is a successor of the concept invented by W. Diffie and M. Hellman [9].


RSA Algorithm

Three steps are included in this algorithm. First there is the key generation, which is made by each user to create their own public and private key [8].

Step 1: Create two large random prime numbers, $p$ and $q$. These are supposed to stay hidden from other users.

Step 2: Calculate the product of the two primes:

$n = p \cdot q$ (2.17)

Step 3: Compute the Euler totient function $\phi(n)$:

$\phi(n) = \phi(p)\phi(q) = (p - 1)(q - 1)$ (2.18)

Step 4: Choose an integer $e$ co-prime to $\phi(n)$, that is $1 < e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$ (gcd = greatest common divisor).

Step 5: Determine $d$, the multiplicative inverse of $e$, as:

$d \equiv e^{-1} \pmod{\phi(n)}$ (2.19)

In this key generation (e, n) are sent in a public file as the public key of the user while (d, n) is kept private as its private key to be able to decrypt the information sent to him [8].

For the second step in the algorithm there is the encryption of a message sent to a specific user. The transmitter has to have the public key of the receiver, (e, n).

Step 1: Turn the message $M$ into an integer $m$ between $0$ and $n - 1$ by using, for example, a standard representation [8] for turning a message into a number.

Step 2: Compute the ciphertext $c$ and transmit it to the receiver:

$c \equiv m^e \pmod{n}$ (2.20)

Finally, the receiver decrypts the message using their own private key. The received ciphertext is decrypted with the private key, and the resulting number $m$ is then mapped back with the representation used in the encryption to get the message sent by the transmitter, $M$:

$m \equiv c^d \pmod{n}$ (2.21)

To have a secure algorithm one should have large prime numbers in the generation of the key to make the factoring (Equation (2.17)) hard to break. It is advised to use 100-digit prime numbers, which gives $n$ as a 200-digit number [8]. With such a large number it is estimated that it would take $3.8 \cdot 10^9$ years to compute the factoring knowing only $n$. This gives a safety margin against future development [8] as well as providing a secure encryption scheme.



Elliptic curve Diffie-Hellman

This key agreement protocol uses public-key encryption with elliptic curves to decide upon a shared secret for secure communication. It is similar to the precursor of the RSA algorithm [10] developed by Diffie and Hellman.

An elliptic curve has some definitions that should be mentioned before describing the key generation and the exchange of the shared secret.

The elliptic curve used in this method is denoted by $E$ and is defined by the equation

$y^2 = x^3 + ax + b$ (2.22)

where $a, b \in \mathbb{F}_p$, $\mathbb{F}_p = \{0, 1, 2, \ldots, p - 1\}$. $\mathbb{F}_p$ denotes the set of integers modulo $p$ and is called a finite field [10], where $p$ is a prime number. $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ is a point on the elliptic curve if it satisfies Equation (2.22). The set of all points on the elliptic curve $E$ is denoted $E(\mathbb{F}_p)$ [10].

For the key generation one has the elliptic curve as well as a point $P$ in $E(\mathbb{F}_p)$ of prime order $n$ [10], meaning that $\langle P \rangle = \{\infty, P, 2P, 3P, \ldots, (n - 1)P\}$. The so-called domain parameters that have to be shared before the establishment of the shared secret are the prime number $p$, the elliptic curve $E$ and the point $P$ with its order $n$. For the shared secret a public and a private key are created. The private key $d$ is a random integer in the interval $[1, n - 1]$, which creates the public key $Q = dP$. The public key is shared with everyone, and one needs the receiver's public key to be able to encrypt and decrypt the message, as in the RSA algorithm.

For the establishment of the shared secret the sender calculates a point $(x_k, y_k) = d_A Q_B$, where $d_A$ is the sender's private key and $Q_B$ is the receiver's public key. The receiver computes similarly $(x_k, y_k) = d_B Q_A$ [11]. The shared secret is then chosen to be the $x_k$ coordinate.

2.2.3 Secret key encryption

In the secret key encryption the users communicating shares a common secret key k. This key is used during the encryption and decryption at each side. The message m is encrypted at the transmitter using an encryption algorithm E together with the key [12] to create the transmitted chipertext c.

c = E(k, m)    (2.23)

The receiver decrypts the ciphertext with the decryption algorithm D = E^{-1} together with the key.

m = D(k, c)    (2.24)

The problem in secret key encryption is how to share the common key; this has to be done in a secure way. There are different ways of handling this, but one of the most common is to use public-key exchange [12], Section 2.2.2. Another example is to use a common PIN code that is agreed upon in advance; however, in a communication where the user is either far away or not able to communicate in advance this becomes a problem. This is why public-key exchange was a revolutionary way of solving this problem.

The advantage of using secret key encryption is the fast implementation in hardware and software [12], while using only public key encryption would be less efficient for large amounts of data.

AES algorithm

An example of a symmetric key encryption scheme is the AES-128 algorithm that is used in several applications such as ZigBee [15] and Bluetooth [18]. The algorithm supports a block size of 128 bits and key sizes of 128, 192 and 256 bits [13]. The algorithm is a key-iterated block cipher that consists of a repeated application of a round transformation of the state [13]. A state is a matrix of bytes, which is 4 × 4 in AES. At each round the transformation converts the input state (the plaintext) to the output state (the ciphertext) [13]. The number of rounds depends on the block length and key length and is denoted N_r. For a key length of 128 bits there are 10 rounds.

In each round there are four transformations, called steps [13]: SubBytes, ShiftRows, MixColumns and AddRoundKey. They are briefly explained here; for more details the reader is referred to [13].

The SubBytes step: SubBytes is a non-linear transformation where each byte in the state matrix is replaced according to a bricklayer permutation. This is called an S-box, S_RD(a_{i,j}) [13]. For the decryption the inverse of the S-box is applied.

The ShiftRows step: In this step the rows are cyclically shifted with different offsets C_i [13]. The byte in position j of row i is moved to position (j − C_i) mod N_b, where N_b is the number of columns in the state. For AES the offsets are taken to be 0, 1, 2 and 3, while for a longer block length the offsets can be chosen differently. This is done to avoid linearity independence [13]. The inverse operation during decryption is a cyclic shift of the three bottom rows so that the byte at position j in row i is moved to position (j + C_i) mod N_b.

The MixColumns step: An invertible linear transformation is applied to each column; it takes the four-byte column as input and provides a four-byte output [13]. Each column is multiplied by a polynomial c(x) to create the output column.

The AddRoundKey step: This step is also called key addition. The state is combined with a round key using XOR. The round keys are derived from a key schedule [13]. The length of this key is equal to the block length.

When all of the states have been transformed to ciphertext, it is transmitted to the receiver, which decrypts the information to recover the plaintext.
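The four steps and their inverses, assembled into a complete AES-128 encryption and decryption as an added example (not code from the thesis or from [13]); the state layout, offsets and key schedule follow FIPS-197, and the check vector is the one from its Appendix C.1.

```python
# Added example: AES-128 from the four round steps, following FIPS-197. The
# state is a 4x4 list of rows, state[r][c], filled column by column from input.
NB = 4                   # number of columns in the state
OFFSETS = (0, 1, 2, 3)   # ShiftRows offsets C_i for the 128-bit block

def xtime(a):
    """Multiply a byte by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """Multiplicative inverse a^254 in GF(2^8); the inverse of 0 is taken as 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0

def _affine(b):
    """Affine map over GF(2) applied after inversion to form the S-box."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(a)) for a in range(256)]     # S_RD
INV_SBOX = [SBOX.index(v) for v in range(256)]      # S_RD^-1 for decryption

def sub_bytes(s, box=SBOX):
    return [[box[b] for b in row] for row in s]

def shift_rows(s, sign=1):
    """Row i is rotated by C_i: the byte at column j moves to (j - C_i) mod Nb.
    sign=-1 gives the inverse shift used in decryption ((j + C_i) mod Nb)."""
    return [[s[i][(j + sign * OFFSETS[i]) % NB] for j in range(NB)] for i in range(4)]

def mix_columns(s, coeffs=(2, 3, 1, 1)):
    """Multiply each column by the circulant matrix of coeffs, i.e. by the
    polynomial c(x) modulo x^4 + 1; coeffs=(14, 11, 13, 9) is the inverse."""
    out = [[0] * NB for _ in range(4)]
    for c in range(NB):
        col = [s[r][c] for r in range(4)]
        for i in range(4):
            for j in range(4):
                out[i][c] ^= gf_mul(coeffs[(j - i) % 4], col[j])
    return out

def add_round_key(s, rk):
    return [[s[r][c] ^ rk[r][c] for c in range(NB)] for r in range(4)]

def key_expansion(key):
    """Expand a 16-byte key into 11 round keys, each a 4x4 state (N_r = 10)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                       # RotWord, SubWord, then Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        w.append([w[i - 4][k] ^ t[k] for k in range(4)])
    return [[[w[4 * r + c][row] for c in range(NB)] for row in range(4)]
            for r in range(11)]

def to_state(block):
    return [[block[r + 4 * c] for c in range(NB)] for r in range(4)]

def from_state(s):
    return bytes(s[r][c] for c in range(NB) for r in range(4))

def aes128_encrypt(key, block):
    """10 rounds; the last round omits MixColumns as in FIPS-197."""
    rk = key_expansion(key)
    s = add_round_key(to_state(block), rk[0])
    for r in range(1, 11):
        s = shift_rows(sub_bytes(s))
        if r < 10:
            s = mix_columns(s)
        s = add_round_key(s, rk[r])
    return from_state(s)

def aes128_decrypt(key, block):
    """Inverse cipher: the steps are undone in reverse order with inverse maps."""
    rk = key_expansion(key)
    s = add_round_key(to_state(block), rk[10])
    for r in range(9, -1, -1):
        s = add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[r])
        if r > 0:
            s = mix_columns(s, (14, 11, 13, 9))
    return from_state(s)

if __name__ == "__main__":
    # FIPS-197 Appendix C.1: key 00..0f, plaintext 00112233..ff
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt(bytes(range(16)), pt).hex())
```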


Chapter 3


For Wireless Personal Area Networks, WPAN, there exist three different standards that are all built on IEEE 802.15 [14]. In this discussion the only standards considered are Bluetooth, IEEE 802.15.1, and ZigBee, which is implemented on top of IEEE 802.15.4.

Bluetooth has been around for several years and has been widely adopted. It has been integrated in many technologies such as phones, tablets, computers and headsets. Almost everyone owns a device that includes Bluetooth. Because of this it is easy to find in any new technology developed for communication. ZigBee, however, has not spread as much and is not as common in a normal person's daily life as Bluetooth has become. ZigBee is used more in sensor networks and not in cell phones. Since ZigBee uses small digital radios one has to set up the sensor network before using it, which makes it not as flexible as the Bluetooth solution. Because of this, Bluetooth is the technology chosen here to develop a concept for and to improve the security in. However, ZigBee is similar in several ways, which is why its security features will be briefly explained. In this way one also gets an understanding of how the security works in ZigBee networks.

3.1 ZigBee

ZigBee is a specification built for high-level communication protocols with the purpose of creating a secure personal area network with small, low-power radios. It is a low data rate solution of about 250 kbit/s with low complexity [14]. ZigBee shares the 2.4 GHz band with, for example, Bluetooth and WiFi.

The network is secured by a 128-bit symmetric encryption key, based on the Advanced Encryption Standard (AES) algorithm with the CCM* mode of operation [15]. In ZigBee the most important security function is the key distribution in the network. Especially the master key initiated at the beginning has to be distributed through a secure medium, since the whole network security depends on this key. The security level depends on the safekeeping of the symmetric keys. The trust in the security comes down to trust in the secure initialization and installation of the keys. The keys can be associated to a network or a link through pre-installation, key agreement or key transport. One also has to trust the random number generator in each device to operate with high entropy when generating keys. There is a brief moment of vulnerability when a device that has not been pre-configured joins the network: a single key then has to be transmitted, possibly in an unprotected way [15].

ZigBee has an open trust model across the different layers of the communication, such that the network layers are not cryptographically separated. This can have serious security consequences since the same keying material is re-used among the layers. The keys established in a network are the network key and the link key. The link key is based on the master key, which controls the link correspondence [15], and can be of two different types: standard key or high-security key. With high-security keys one does not re-use keys across different security services, which avoids the open trust model and makes it more secure. These keys are derived from the link key using a one-way function. The keys are uncorrelated to each other, which ensures logical separation of the different security protocols [15].

In each ZigBee network, there is one device acting as the Trust Center (TC). This device is trusted by all other devices to distribute keys, and keys are only accepted by the devices if they originate from the TC, except for the initial master key. For high-security networks the address of the TC should be pre-installed together with the initial master key. This prevents eavesdroppers from obtaining the master key, which is of high importance for security purposes. The TC maintains a list of all connected devices together with the master key, link keys and network keys in order to control and enforce the policies for network key updates and network admittance [15].

3.1.1 Security architecture

In the architecture of ZigBee there are two layers that manage the security mechanisms [15], the Network layer (NWK) and the Application Support Sublayer (APS).

These layers are responsible for securing the transport of their respective frames [15].

For both NWK and APS the frame security can be based on the network key and for APS one can also use the link key.

By using the key establishment service in the APS layer a device can derive a shared secret key, the link key. For establishing a secure transmission, the link key has to be negotiated. This starts off by using common trust information, such as the master key between the two devices that want to communicate. This key may have been pre-installed, initiated by the trust center or based on user-entered data, such as a PIN code. The protocol then involves the exchange of ephemeral data to derive the link key and a confirmation that the key was correctly computed by the two devices [15]. Both NWK and APS use AES-CCM* to secure the content of the keys in the form of authentication and encryption.



3.1.2 Security procedures

When a device wants to join a new network or re-join an old one, it starts by sending out a discovery request. When the network routers receive this message they answer with a beacon message of confirmation. The joining device then decides which network to join and requests to join that specific network. Together with this request it adds information on whether the device already has the network key or not. If it does not have the network key, the request causes an association request to be sent to the router [15]. The router then confirms the joining of the device, and the authentication starts when the router has the joining device's address. The router forwards the address in a secure way to the TC, where the authentication decision is made.

When working in the high-security mode and the joining device does not have the master key pre-installed, the TC has to send a master key or a link key to the device.

This may be done in an unsecured way from the router to the device, since there is no established encryption link between them. To still keep the communication as secure as possible, the key is sent only once and at low power. When the master key has been transmitted, the TC establishes a link key with the device. When a confirmation has been received, the TC sends out the network key to the newly joined device, which then can start operating normally in high-security mode.

3.1.3 Security problems

Even though the communication takes place with cryptographic encoding and secure key distribution, a malicious attacker can capture secure information in several different ways. Since, for security reasons, it is safer to pre-install the initial master key on the devices, the devices keep the key in their memory. If an attacker has access to the device or gains physical access to it, the attacker is able to obtain this master key [16]. In this case the attacker can be involved from the beginning of the initialization of the link connection and gain valuable information.

Another chance for attackers to gain access is to be present during the key distribution in the wireless transmissions. Since the whole security in ZigBee depends on keys, it would be a disaster if an eavesdropper obtained them. By collecting the packets between the parties the attacker can decrypt and analyse the information [16] and in turn get hold of the keys used for encryption, or read the information directly. By using antennas, attackers may even be at a far distance from where the transmission takes place and still collect the valuable data. These attacks are what is called passive eavesdropping.

The third alternative discussed here is an attacker who may not have the skills to decrypt the information. The attacker may, however, have insight into how the information works and which process it triggers. Since many control systems use ZigBee, this is a case where an attacker could make use of it. By collecting a signal from one transmission the attacker can forward the information to other sensors in the network, and in that way trigger and control the process.


3.2 Bluetooth

Bluetooth is designed to support communication between devices in a short-range wireless personal area network. Bluetooth has a transmission speed of up to 24 Mbit/s in the third version, which introduced high-speed communication.

Bluetooth operates in the unlicensed spectrum band of 2.4 GHz, from 2400 to 2483.5 MHz, where there are 79 different transmission channels in versions 1-3 and 40 channels in version 4 [17]. Each channel has a bandwidth of 1 MHz in the older versions and 2 MHz in v4.0. The data is allocated into packets and is transmitted with the spread-spectrum technique of Frequency Hopping (FHSS), using the multiple access scheme of Time Division Multiple Access (TDMA).

Each Bluetooth network, called a piconet, can serve up to eight devices, where one device acts as master and the others as slaves [14]. In connection mode the master and the slaves can send data packets to each other. The established piconet uses one specific frequency hopping pattern, determined by the pseudo-random number sequence (PN sequence) generated by the master. This sequence is sent in a field of the frame in the request from the initiator. The information also contains the hop interval. The sequence is specific to each master, which makes the co-existence of several piconets in the same area possible without interference.

3.2.1 Pairing and bonding

In Bluetooth there are five distinct security model features: pairing, bonding, device authentication, encryption and message integrity [18]. Pairing is the process where the shared secret, the link key, is established. Bonding is the storage of this key for future use to create a trusted device pair. Device authentication is the verification that the link key is the same at both devices. Encryption is used to send confidential messages, and finally, message integrity is the protection that ensures the messages are not falsified.

Secure Simple Pairing

For the pairing procedure, Secure Simple Pairing (SSP) was developed for the third version. The primary goal was to simplify the process for the user while still maintaining and improving the security in Bluetooth. SSP has protection against passive eavesdropping as well as active eavesdropping, i.e. man-in-the-middle attacks (MITM attacks).

To prevent passive eavesdropping a strong key with a strong encryption algorithm is necessary [18]. The strength of the link key depends on its entropy.

Instead of using legacy pairing as in old versions, where only a four-digit PIN code was used as the source of entropy, Secure Simple Pairing uses Elliptic Curve Diffie-Hellman (ECDH) public key cryptography. This provides a very high degree of secrecy against passive eavesdropping [18]. For an eavesdropper to succeed with an attack he must solve a hard problem in public key cryptography to derive the key from the recorded information.

For security against MITM attacks, SSP offers two numerical methods: numerical comparison or passkey entry. The chance for an attacker to succeed in inserting its own link key is 1 in 10^16, which is a very low probability [18].

The four association models that are used in SSP are: Numerical comparison, Just works, Out of Band and Passkey entry.

• Numerical comparison is used when both devices can display a six-digit number and are capable of entering "yes/no". The pairing is successful if "yes" is entered at both devices. The advantage of Numerical comparison compared to the Bluetooth security model in old versions is that the six-digit number is an artifact of the algorithm, and there is no benefit in decrypting the encoded data exchanged by the devices [18].

• The Just works association model uses the same protocol as numerical comparison, but no numbers are displayed. This can be the case when one of the devices is not capable of displaying anything. The user may have to accept the connection on one of the devices if it is able to do so. This association model is protected against passive eavesdropping but not against MITM attacks [18].

• The Out of Band model is often used when there is both a discovery of the device as well as exchange or transfer of cryptographic numbers in the pairing process [18]. This model is resistant to MITM attacks. This model works however in a different way from the others. For example it is used with a Near Field Communication solution. They pair with each other when they touch. During the first exchange the discovery information and cryptographic information is exchanged.

• The last association model is Passkey entry, which is used when only one of the devices has the ability to display a number and the other device is able to enter the number. The passkey is 6 digits long and is entered by the user. The user also has to confirm that the passkey received at the other device is correct. The pairing is successful if the numbers are correct. As with Numerical comparison, knowing the entered data is of no benefit in decrypting the encoded data [18].

Security Manager

For the fourth version of Bluetooth the pairing mechanism and key distribution have been developed in the Security Manager. This is designed to lower the memory and processing needed in the receiving device [18]. By doing this the power consumption of the devices will be lower, which is of importance in the fourth version, known as Bluetooth Low Energy. For Bluetooth Low Energy, key transport is used instead of key agreement when two or more devices are paired together. The strength of the keys distributed is decided by the algorithm in each device [18].

Pairing is made in a three-phase process, and when this is completed an encrypted link can be used with the keys established between the devices. For future use, the keys can be distributed to each other by the transport specific key distribution in the optional third phase [18].

• Phase 1: Pairing Feature Exchange - During this first phase the IO capabilities of the devices are exchanged. The device that initiates the pairing sends a pairing request to the device it wishes to pair with, and that device sends back a pairing response. The IO capabilities determine the pairing method, i.e. which method of Short Term Key generation will be used in the second phase [18].

• Phase 2: Short Term Key (STK) Generation - The second phase of the pairing process is used to generate the STK. There are three different methods that can be used, which offer different levels of security against MITM attacks. However, none of the pairing methods is protected against passive eavesdropping, because of the Temporary Key, TK, that is generated [18]. The methods are further explained in Section 3.2.1.

The most secure method is the Out of Band pairing method. In this method the devices generate a 128-bit TK that is transported from one device to the other using the Out of Band technology. The TK is then used to generate the STK. Because the Out of Band technology is used in the pairing process, it results in an authenticated Long Term Key, LTK, in the third phase [18].

The second method is Passkey Entry. The passkey is used to generate the TK, which then generates the STK. Because the passkey has to be authenticated at both devices, it results in an authenticated LTK in phase 3. The STK generated offers, however, only limited protection against eavesdroppers since the TK uses only a limited range of input values.

The least secure method is the Just Works pairing method. The just works method is used if there is no common Out of Band technology or if one or both of the devices lack the IO capabilities of the Passkey Entry method. In this method a TK value of zero is used to generate the STK. This method is the least secure because it offers no authentication of the other device and results in an unauthenticated LTK in phase 3 [18] which is not protected against passive or active eavesdropping.

• Phase 3: Transport Specific Key Distribution - Regardless of the pairing method used in the second phase, the link is encrypted with the STK. In the third phase the devices exchange secret keys such as the Long Term Key (LTK), Identity Resolving Key (IRK) and the Connection Signature Resolving Key (CSRK) through the channel encrypted with the STK [18]. The IRK is a 128-bit key used to generate and resolve random addresses, the CSRK is a 128-bit key used to sign data and verify signatures in the communications, and the LTK is a 128-bit key that is used as a session key in future communications [18]. The LTK is also used to encrypt the transmission with the AES-128 block cipher.

3.2.2 Key Management

Similar to the ZigBee specification, the security of Bluetooth v3.0 depends on keys: authentication keys and encryption keys. There are several keys generated for different purposes, but the way authentication and encryption are implemented is the same [18]. The security in the system is managed both in the application layer and the link layer. For the link layer there are four entities maintaining the security: a Bluetooth device address, two secret keys and a pseudo-random number. The address is 48 bits long, while the length of the secret keys can vary. One of the keys is the authentication key, which is always 128 bits long, while the encryption key can be negotiated and vary from 8 to 128 bits.

The random number is 128 bits. The size of the encryption key varies because of two purposes, one is that there may be different requirements in the cryptographic algorithm and the other is to facilitate for future upgrades [18].

Key types

The authentication key is often referred to as the link key, which is more static than the encryption key. Every time encryption is activated a new encryption key is generated, while the authentication key is often generated when a new connection has to be established, and is then called a temporary key [18]. However, the link key can be stored and used several times, and is then called a semi-permanent key. The link key is shared between the devices that are communicating. This key is the base for the secure transmission between these devices and is also used when deriving the encryption key. If the communication involves several slaves, a point-to-multipoint connection, the link key is called the master key and temporarily replaces the link key [18].

As mentioned, there are several keys for different purposes. There are four types of link keys which are used for authentication and creation of encryption keys. One of the link keys is called the unit key. This key is generated on a single device and is only generated once at the installation. Then there is a combination key which is derived between a pair of devices and dependent on them both. This key is derived for each new combination of device pairs. As explained above there is a master key which can replace the link key temporarily if the master wants to communicate with several slaves simultaneously. The last link key is used during initialization and is called the initialization key which is used when there has not been an exchange of keys.


Key generation and initialization

Before the devices can start communicating with each other they have to establish a link key. The link key cannot be obtained through inquiry as the Bluetooth device addresses can, because the keys have to be kept secret. Instead the exchange takes place during the initialization phase, which goes through five steps [18].

• Step 1: Generation of initialization key - The initial key, K, is derived using an algorithm called E22 [18]. This algorithm uses a Bluetooth device address, a PIN code, the length of the PIN code and a random number. The key is 128 bits long. How the PIN code is shared depends on which association mode the device is using, see Section 3.2.1. If one of the devices has a variable PIN code, that device uses its PIN code and a random number as input to the algorithm, while the other device uses the first device's address and another random number.

• Step 2 and 3: Generation and exchange of a link key - To create the combination key, two numbers are generated in the devices, A and B. First each device creates a random number and uses the algorithm E21 [18] together with its own address to create another number:

LK_K_A = E21(LK_RAND_A, BD_ADDR_A)    (3.1)
LK_K_B = E21(LK_RAND_B, BD_ADDR_B)    (3.2)

Then the first random numbers created, LK_RAND_A and LK_RAND_B, have to be securely exchanged by using the logical function XOR together with the current link key, the initialization key K. Device A sends its masked random number to device B and vice versa.

K ⊕ LK_RAND_A ⇔ K ⊕ LK_RAND_B    (3.3)

When these numbers have been exchanged, each device recalculates Equations (3.1) and (3.2) to obtain the other device's contribution to the combination key [18]. This is possible since each device knows the other device's address, so that device A uses Equation (3.2) and B uses Equation (3.1). The final step in calculating the combination key is to combine the two numbers LK_K_A and LK_K_B using XOR and then mutually authenticate the process to confirm the key transaction.

K_C = LK_K_A ⊕ LK_K_B    (3.4)

• Step 4: Authentication - In secure authentication both the master and the slave use a challenge-response scheme [18]. Their knowledge of the secret key is checked through a 4-move protocol using symmetric secret keys. In the scheme the master/slave challenges the slave/master to authenticate a random number, AU_RAND_m and AU_RAND_s, with an authentication code, h4 and h5, and a secret string "btdk". The algorithm uses the link key and the device addresses as inputs to prevent simple reflection attacks. The slave/master returns a resulting number, SRES_m and SRES_s, which is checked against the verifier's own calculated number. If the values are the same, a number ACO is retained from h5 and used in a later stage for encryption.

SRESm||SRESs= h5h4(K, ”btdk”, BD_ADDRm,


• Step 5: Generation of encryption key - To create the encryption key, one uses the E3 algorithm. This is done by using the current link key, a 96-bit ciphering offset number (COF) and a 128-bit random number as input [18].

K_E = E3(K_C, COF, RAND)    (3.6)

Depending on what the current link key is, the COF is calculated in two different ways. If the link key is a master key, the COF is derived using the master's device address. Otherwise it uses the ACO value calculated in the authentication step.

To improve the security of the communication it is possible to change the combination key each time the link is established [18]. One can then go back to step 2 above and use the current link key K_C as K.
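A simulation of steps 1-3 and 5 above, added here as an example and not taken from the thesis or the Bluetooth specification: E21, E22 and E3 are replaced by labelled HMAC-SHA-256 stand-ins (the real functions are SAFER+ based), and the addresses, PIN, COF and random numbers are constructed values, so the block shows the message flow, the agreement on K_C and the key refresh with K_C as K, not the real key values.

```python
import hashlib
import hmac
import secrets


def _prf(label, *parts):
    """Stand-in for E21/E22/E3 (assumption, NOT the SAFER+ based functions of
    [18]): HMAC-SHA-256 over length-prefixed inputs, truncated to 128 bits."""
    mac = hmac.new(label, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()[:16]


def xor128(a, b):
    """Modulo-2 addition (XOR) of two 128-bit values."""
    return bytes(x ^ y for x, y in zip(a, b))


def e22(bd_addr, pin, rand):
    """Step 1: initialization key K = E22(BD_ADDR, PIN, len(PIN), RAND)."""
    return _prf(b"E22", bd_addr, pin, bytes([len(pin)]), rand)


def e21(rand, bd_addr):
    """Equations (3.1)/(3.2): per-device term LK_K = E21(LK_RAND, BD_ADDR)."""
    return _prf(b"E21", rand, bd_addr)


def e3(link_key, cof, rand):
    """Step 5: encryption key K_E = E3(K_C, COF, RAND); COF is 96 bits."""
    return _prf(b"E3", link_key, cof, rand)


class Device:
    """One side of the exchange; holds only what that device knows."""

    def __init__(self, bd_addr):
        self.addr = bd_addr      # 48-bit Bluetooth device address (constructed)
        self.k_init = None       # K, the current link key used for masking
        self.lk_rand = None      # this device's LK_RAND

    def send_masked_rand(self):
        """Equation (3.3): the value put on the air is K xor LK_RAND."""
        self.lk_rand = secrets.token_bytes(16)
        return xor128(self.k_init, self.lk_rand)

    def receive_masked_rand(self, masked, peer_addr):
        """Unmask the peer's LK_RAND with K, recompute the peer's E21 term from
        its address, and form K_C = LK_K_A xor LK_K_B (Equation 3.4)."""
        peer_rand = xor128(self.k_init, masked)
        own_term = e21(self.lk_rand, self.addr)
        peer_term = e21(peer_rand, peer_addr)
        return xor128(own_term, peer_term)


def establish_link_key(a, b, k):
    """Steps 2-3 between devices a and b. k is the initialization key from
    step 1, or the current K_C when the combination key is refreshed."""
    a.k_init = b.k_init = k
    msg_a = a.send_masked_rand()                  # A -> B
    msg_b = b.send_masked_rand()                  # B -> A
    kc_a = a.receive_masked_rand(msg_b, b.addr)
    kc_b = b.receive_masked_rand(msg_a, a.addr)
    return kc_a, kc_b, (msg_a, msg_b)             # both K_C plus the air view


if __name__ == "__main__":
    a = Device(bytes.fromhex("001122334455"))     # constructed addresses
    b = Device(bytes.fromhex("66778899aabb"))
    k = e22(a.addr, b"1234", bytes(16))           # step 1, same K on both sides
    kc_a, kc_b, wire = establish_link_key(a, b, k)
    print("K_C agreed:", kc_a == kc_b)
    k_e = e3(kc_a, bytes(12), secrets.token_bytes(16))   # step 5
    print("K_E:", k_e.hex())
```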

The generation of the master key is separate from the steps explained above [18].

To create the 128-bit long master key the master calculates a new link key from two random 128-bit numbers, RAND1 and RAND2, using the E22 algorithm to maintain a high entropy and thereby improve the security of transmission.

K_master = E22(RAND1, RAND2, 16)    (3.7)

Again using the E22 algorithm, the master shall send a new random number, which together with the current link key is used as input. A calculation on both sides is then performed to compute a 128-bit overlay, which will be the same at the slave and the master.

Overlay = E22(K_C, RAND, 16)    (3.8)

By transmitting the modulo-2 sum (XOR) of the overlay and the new link key,

C = Overlay ⊕ K_master    (3.9)

the slave can recalculate the master key.

K_master = Overlay ⊕ C    (3.10)

In the end an authentication shall be performed to verify the successful transmission by using the new link key. In the piconet, each slave that has received the new link key performs this procedure. In this procedure, however, the ACO authentication value should not replace the other one, since this is used in the link key when the master does not broadcast information. Finally, before encryption, the master shall ensure that the random number received by each slave is the same, EN_RAND. All slaves then calculate the encryption key using the E3 algorithm.

K_E = E3(K_master, EN_RAND, COF)    (3.11)

3.2.3 Security problems

Similar to the problems with ZigBee, Section 3.1.3, Bluetooth experiences problems with both passive and active eavesdropping in all versions. In version 3.0 passive eavesdropping can be a problem during the key agreement. If the attacker is able to decrypt the data transmitted during the pairing, the attacker may obtain the keys for link establishment. In that case the eavesdropper will be able to decrypt the rest of the data if it uses the same algorithm as the Bluetooth devices. However, according to the specification [18], the eavesdropper has to solve a hard problem in public key cryptography to obtain the link key.

Similar problems exist for Bluetooth 4.0 during the pairing process. If an eavesdropper is present during the key transport, the attacker can get hold of the secret keys used in the pairing process. In this way the attacker will be able to decrypt the transmitted information for all coming traffic. Another security concern is the encryption key length, because it can be negotiated between devices. Even though the minimum key size was raised to 56 bits from the 8 bits of older versions of Bluetooth, it does not offer the same security as the maximum 128-bit key size, which is highly recommended.

The pairing process for all versions is also vulnerable to man-in-the-middle attacks if the JW (Just Works) pairing method is used instead of the more secure methods. With the JW method an attacker can not only capture the data sent from one trusted device to another, but also manipulate the data without the trusted devices knowing. This is because the JW pairing method always uses the same temporary key, all zeroes, instead of generating a new one each time. It is therefore not recommended to use the JW method except as a last option. MITM attacks can occur with the other methods as well, but are a lot harder for the attacker to carry out since the keys are harder to guess.

3.3 Discussion

As explained at the beginning of the chapter, Bluetooth already exists in several applications and has wide acceptance around the world, as opposed to ZigBee, which is less well known. Therefore, it would be of more use to implement a new security feature for a Bluetooth device. This could improve the security for more people than if the security were improved in ZigBee. In the case that will be studied in this paper, the existing technology, such as smartphones, tablets



