Attribution Non-Commercial (BY-NC)

279 vues

Attribution Non-Commercial (BY-NC)

- Device Information Service
- 20061123081927156 SGH-E250 UG EU Eng Rev 1 0 061116
- p171 Bluetooth
- Avnet Memec RF and Wireless Solutions Oct 2010
- Toshiba Sat SatPro C40 C50 C70 a Series GMAD00381010
- UT Dallas Syllabus for cs4396.001.09s taught by Kamil Sarac (kxs028100)
- TecraM4_PMAD00040010_05Mar24
- JBL Flip 4 Spec Sheet English
- HRP_V10
- samsung hf1700
- Industrial Design Portfolio
- GMAD00423012_SatSat-Pro-CL40-C40-C50-C70_C-Series_15Sept10
- BT3030
- UT Dallas Syllabus for cs4396.001.10s taught by Kamil Sarac (kxs028100)
- Bluetooth Standards
- Userguide
- Introduction to Blue Tooth Networking
- A_Model_for_Network_Security.pdf
- GAP_definitionsBluetooth Core v1
- Bluetooth

Vous êtes sur la page 1sur 57

Praneet Sharma

Student ID: S3701201

A Minor Thesis Report Submitted in Partial Fulfillment of the Requirements for the

Award of the Degree of

Victoria University of Technology

November 2006

Acknowledgements

Xun Yi for his support and constant guidance throughout my research on the minor-

thesis. I will remain ever grateful to him for his constructive criticism in the preparation

of the manuscript and bringing it into its final shape. I am also thankful to the staff of

department of computer science and mathematics of Victoria University for providing me

access to the resources to develop this manuscript.

2

ABSTRACT

medium. Bluetooth technology is using radio waves to transfer information so it’s very

susceptible to attacks. In the present world of computerization and communication this

technology became a part of our day today life and the applications include Mobile

telephones, PDA’s Laptops and other electronic gadgets. This Document mainly deals

with the security of the Bluetooth technology. In particular this thesis focuses on the low

level security aspects of Bluetooth Technology. We have tried to cover almost all the

security features in this thesis but due to certain limitations only few are discussed in

detail. Technology is introduced with strong and weak points of the specifications,

security architecture is discussed and many of the recently discovered attacks are also

covered.

management has been elaborated with Emphasis on Stream ciphers, Working of E0

Stream cipher is discussed in details. Detailed discussion of the recent attacks on the E0

Stream cipher has been performed. This includes a thorough discussion of the most recent

Fast correlation attack, guess and determine attack, fast algebraic attack etc. although a

few attacks are caused by the manufacturers because of the malfunctioning of the

specification implementation this kind of attacks are just overviewed. In the penultimate

chapter we have discussed the affect of all kinds of ciphers attacks on Bluetooth security

mechanism specifically Bluetooth Encryption process. The thesis ends with the

conclusion made on the basis of the analysis of the potential attacks on the E0 Stream

cipher and with the discussion of Preventive security measures.

3

TABLE OF CONTENTS

1. INTRODUCTION .......................................................................................................... 6

Motivation: .......................................................................................................................... 6

1.1 Introduction To Bluetooth Technology .................................................................... 6

1.2 Bluetooth Protocol Stack .......................................................................................... 7

1.3 What Is Security? .................................................................................................... 11

1.4 Bluetooth Security Issues........................................................................................ 13

1.5 Weaknesses In Security Procedures........................................................................ 15

2.1 Bluetooth Security Architecture ............................................................................. 17

2.1.1 Authentication .................................................................................................. 18

2.1.2 LMP-Authentication ........................................................................................ 19

2.1.3 Authorization ................................................................................................... 20

2.1.4 Encryption ........................................................................................................ 21

2.1.5 Implementation ................................................................................................ 23

2.2 Key Management .................................................................................................... 24

2.2.1 Key Database ................................................................................................... 24

2.2.2 Corrupted Database.......................................................................................... 25

2.3 Service Security Levels........................................................................................... 25

2.4 Stream Ciphers ........................................................................................................ 26

2.4.1 E0 Stream Cipher ............................................................................................. 27

2.4.2 Working Of The E0 Stream Cipher Algorithm................................................ 27

3.1 Divide-and-conquer, Correlation attack, Hermelin and Nyberg ......................... 35

3.2 Divide-and-conquer attack, Correlation attack, Ekdahl and Johansson ............. 36

3.3 Faster correlation attack, Y. Lu and S. Vaudenay .............................................. 40

3.4 Guess-and-determine attack, M. O. Saarinen ..................................................... 40

3.5 Guess-and-determine attack, S.R. Fluhrer and S. Lucks .................................... 41

4

3.6 Improved guess-and-determine attack, C. De Cannière, T. Johansson, B. Preneel

................................................................................................................................... 42

3.7 FBDD-attack, M. Krause .................................................................................... 42

3.8 Algebraic attack, F. Armknecht .......................................................................... 43

3.9 Fast Algebraic attack, N. Courtois and F. Armknecht ........................................ 47

4.1 Encryption Revisited:.............................................................................................. 48

4.2 Problems with Encryption: ..................................................................................... 49

4.3 Affect Of Divide-and-conquer, Correlation attack ................................................. 49

4.4 Affect Of Faster Correlation Attack ....................................................................... 50

4.5 Affect Of Guess-And-Determine Attack ................................................................ 51

4.6 Affect Of Algebraic Attack ..................................................................................... 51

5. CONCLUSION ............................................................................................................. 53

5.1 Analysis And Conclusion ....................................................................................... 53

References ......................................................................................................................... 55

5

Chapter 1

1. INTRODUCTION

Motivation:

There are a number of possible attacks on the Bluetooth Technology, We found that most

of the attacks are caused by the Malfunctioning of implementation of a particular

protocol. We have given the overview of all these kinds of attacks. But the main Focus of

this minor thesis is finding out and discussing the “Attacks on certain cryptographic

algorithms used”.

between similar kinds of devices. But where does the name come from? Herald I

Bluetooth (Danish Harald Blatand) was the king of Denmark between 940 and 985 AD.

The wireless technology is believed to be named on the name of the great king. Old

Harald Bluetooth United Denmark and Norway, Bluetooth today unites worlds of

computers and telecom supports that the name suggested is suitable. The sole motive of

developing this technology is to make users to connect a range of computing and

telecommunication devices in an easy and simple way without using a mesh of cables. It

delivers opportunities for rapid ad hoc connections. It will virtually eliminate the need to

purchase additional or proprietary cabling to connect individual devices. [14]

In the year 1994 Ericsson Mobile communication initiated a study to investigate the

feasibility of a low-power low-cost radio interface between phones and their accessories.

Later in Feb 1998, five companies Ericsson, Nokia, IBM, Toshiba and Intel formed a

special interest Group (SIG). The group contained the necessary business sector members

– two market leaders in mobile telephony, two market leaders in laptop computing and a

6

market leader in digital signal processing technology. By the end of December 1999,

3Com, Microsoft and Motorola had joined the promoter group- the folks that were

willing to spend money hype the standard- and in the neighborhood 1200 other

companies had joined the SIG. At present SIG is composed of over 6,000 members who

are leaders in the telecommunications, computing, automotive, music, apparel, industrial

automation, and network industries, and a small group of dedicated staff in Hong Kong,

Sweden, and the USA.

Bluetooth is a wireless protocol that requires less bandwidth and a shorter transmission

range then typical wireless LAN applications. Bluetooth operates in the same crowded

2.4 GHz ISM(Industrial scientific Medical) License-free frequency band as Wi-Fi

networks, cordless phones and many emergency service communication systems

transmission is at low energy hopping at a rate of 1600 times per second between 79 one-

MHz sub-bands of the permitted frequency band. It uses adaptive frequency hopping

algorithm to avoid service interruption due to other equipment using the same frequencies

and also to avoid interference to other equipment as well. However this hopping does not

add any security to the Bluetooth link because the hopping sequence is broadcasted in

clear at the initial connection procedure.

Bluetooth devices can have variable signal length. The output power of normal Bluetooth

devices is 1 milliwatt giving coverage of only 10 meters and 100 milliwatt devices with a

range of up to 100meters are permitted for applications such as home networks.

The architecture used for Bluetooth consists of Bluetooth specific protocols combined

with adopted protocols such as WAP, WAE, TCP/UDP/IP, PPP, vCard and IrMC.

Bluetooth also supports cable replacement protocols as RFCOMM and telephony adapter

protocols as AT-commands. The reason for this mixed architecture of Bluetooth specific

and adopted protocols is that it allows integration of Bluetooth directly into existing

application and transport protocols, without having to build up an entirely separate and

parallel architecture. This also allows application specific security controls to be

7

implemented that would be transparent to the lower layer security controls (Data Link

Layer) at which Bluetooth operates.

Commands BIN TCS SDP

OBEX WAP

UDP TCP

IP

PPP

Audio

RFCOMM

L2CAP

LMP

Baseband

Bluetooth Radio

According to Bluetooth SIG Bluetooth protocol stack can be divided in to four layers in

accordance to their purpose. The protocols belong into the layers are explained with the

table shown below.

Cable Replacement Protocol RFCOMM

Telephony Control Protocols TCS Binary , AT-commands

Adopted Protocols PPP , UDP/TCP/IP , OBEX , WAP ,vCard ,

vCal , IrMC1 , WAE

8

As shown in fig1 in addition to the protocol layers there is host controller interface (HCI)

which is providing command interface to the baseband controller.

the Bluetooth SIG. The Bluetooth core protocols including the Bluetooth radio are the

required by most of Bluetooth devices, while the other protocols are used as per

requirement. Cable Replacement layer, the telephony control layer together with adopted

protocol layer form application-oriented protocols enabling the applications to run over

the Bluetooth core protocols. As stated earlier, the Bluetooth Specification is open and

we can use additional protocols (e.g., HTTP, FTP, etc.) can be accommodated in an

interoperable fashion on top of the Bluetooth-specific transport protocols or on top of the

application-oriented protocols shown in Figure 1.1.

1.2.1 Baseband

We can visualise in the protocol stack shown above baseband and link Control layer

enables the physical RF link between Bluetooth units forming a Piconet. As mentioned

earlier the Bluetooth RF system uses a Frequency-Hopping-Spread-Spectrum system in

which packets are transmitted in defined time slots on defined frequencies, this layer uses

inquiry and paging procedures to synchronize the transmission hopping frequency and

clock of different Bluetooth devices.

It provides 2 different kind of physical links with their corresponding baseband packets,

Synchronous Connection-Oriented (SCO) and Asynchronous Connectionless (ACL)

which can be transmitted in a multiplexing manner on the same RF link. Asynchronous

Connectionless packets are used for data only, while the Synchronous Connection-

Oriented packet can contain audio only or a combination of audio and data. All audio and

data packets can be provided with different levels of FEC or CRC error correction and

can be encrypted. Furthermore, the different data types, including link management and

9

control messages, are each allocated a special channel. Baseband packet format is shown

below.

Link manager protocol is responsible for link set-up between Bluetooth devices. This

includes security aspects like authentication and encryption by generating, exchanging

and checking of link and encryption keys and the control and negotiation of baseband

packet sizes.

This protocol adapts upper layer protocols over the baseband. As per specification it is

stated that it work in parallel with LMP in difference that L2CAP provides services to the

upper layer when the payload data is never sent at LMP messages. This protocol provides

connection-oriented and connectionless data services to the upper layer protocols with

protocol multiplexing capability, segmentation and reassembly operation, and group

abstractions. In addition to that it permits higher level protocols and applications to

transmit and receive L2CAP data packets up to 64 kilobytes in length. Although the

Baseband protocol provides the Synchronous Connection-Oriented and Asynchronous

Connectionless link types, L2CAP is defined only for Asynchronous Connectionless

links and no support for Synchronous Connection-Oriented links is specified in Bluetooth

Specification 1.0.

10

1.2.4 Service Discovery Protocol (SDP)

For every Bluetooth framework Discovery of services is a very crucial part. These

services provide the basis for all the usage models. Using SDP, device information,

services and the characteristics of the services can be queried and after that, a connection

between two or more Bluetooth devices can be established.

To define the notion of security, it is necessary to introduce a third party that has access

to all public information and tries to derive private secret information. Such a third party

is denoted as an attacker or cryptanalyst. The notion of security can then be defined as:

"A system is secure if an attacker is unable to derive the private secret information".

It is not possible to break a perfectly secure encryption scheme and such schemes do

exist. However, a perfectly secure scheme needs a key with length no smaller than the

entropy of the message that is to be encrypted and this key may never be reused. If the

key is smaller than the entropy of the message, there will always be a correlation between

the input and output. An example of a perfectly secure encryption scheme is the One-time

pad or Vernam cipher.

Risks are inherent to any wireless technology. Some of these risks are similar to those of

wired networks; some are exacerbated by wireless connectivity; others are new. Perhaps

the most significant source of risks in wireless networks is that the technology’s

underlying communications medium, the airwave, is open to intruders, making it the

logical equivalent of an Ethernet port in the parking lot.

11

Specific threats and vulnerabilities to wireless networks and handheld devices include the

following:

All vulnerabilities that exist in a conventional wired network apply to wireless

technologies.

Malicious entities may gain unauthorized access to a (company’s) computer

network through wireless connections, bypassing any firewall protections. For

example by using special long distance antenna’s which can connect to internal

private unprotected or weakly protected wireless access points.

Sensitive information that is not encrypted (or that is encrypted with poor

cryptographic techniques) and that is transmitted between two wireless devices

may be intercepted and disclosed. Several applications exist to "sniff" all the data

that is transmitted wirelessly in some area and recover encrypted passwords.

DoS attacks may be directed at wireless connections or devices. Such a Denial of

Service attack can take down the functionality of devices that is make them

unstable, make them lose data make them consume a lot of power (drain batteries)

or it can be used as a method to make other attacks possible.

Malicious entities may steal the identity of legitimate users and masquerade as

them on internal or external corporate networks. Since wireless connections may

allow invisible (or less visible) connections, masquerade and legitimation can be

easier.

Sensitive data may be corrupted during improper synchronization. For example

by "sniffing" and inserting or disturbing wireless data connections.

Malicious entities may be able to violate the privacy of legitimate users and be

able to track their movements. Since data connections need identification, this

identification can be tracked easily on most wireless networks.

Malicious entities may deploy unauthorized equipment (e.g. client devices and

access points) to surreptitiously gain access to sensitive information. A well

known example of this attack is the so called "Evil Twins", fake clones of

wireless hotspots managed by hackers to intercept sensitive data.

12

Handheld devices are easily stolen and can reveal sensitive information.

Data may be extracted without detection from improperly configured devices.

Viruses or other malicious code may corrupt data on a wireless device and

subsequently be introduced to a wired network connection.

Malicious entities may, through wireless connections, connect to other agencies or

organizations for the purposes of launching attacks and concealing their activities.

Intruders, from inside or out, may be able to gain connectivity to network

management controls and thereby disable or disrupt operations.

Malicious entities may use third-party, suspicious wireless network services to

gain access to an agency’s or other organization’s network resources.

Internal attacks may be possible via ad hoc transmissions.

It should be clear that maintaining secure wireless networks is a process that requires

greater effort than that required for other networks and systems. It is much harder to gain

a certain guarantee of security within the deployment of wireless networks. Routine

security tests, assessments and evaluations of the system security are important. The

National Institute of Standards and Technology (NIST) recommends agencies not to

undertake wireless deployment for essential operations, until they have examined and can

acceptably manage and mitigate the risks of their information, system operations and

continuity of essential operations.[23]

information involved the correct market trends and on the needs of the application user.

There exist some applications that do not require any security while the others require

extremely high level of security. But before we start developing any application it is

required to conduct sufficient trade studies and analysis of risk involved.

13

In reference to the SIG (special interested group) a Bluetooth wireless technology system

contains a set of profiles. A profile defines a selection of messages and procedures

(generally termed capabilities) from the Bluetooth specifications. This gives an

unambiguous description of the air interface for specified services and use cases.

Working groups with in the Bluetooth SIG defines these profiles.

Security can be defined in terms of four basic elements: availability, access, integrity and

confidentiality. The current Bluetooth specification defines the security at link level

application level security is not specified.

In the present scenario there are few general shortcomings in the Bluetooth security

concept on the basis of those shortcomings Bluetooth SIG issued two general

recommendations.

2. Perform bonding in an environment that is as secure as possible against

eavesdroppers, and use long random passkeys.

Blue jacking: in this technique the Bluetooth paring protocol is abused and is

used to pass a message during the initial handshake phase. In this phase the name

of the initiator is displayed on the target device. Hence the bluejacker can send

some funny messages unnoticed and if the paring goes to the end the bluejacker

can then intrude on the targets device and become a trusted device and may be

having access to targets data.

important portions of the data started on the phone including phone book,

calendar, business card and (international mobile equipment identity ) IMEI this

14

flow is due to mistake in the implementation of OBEX profile, where

authentication has been omitted.

Bluebug: is similar to bluesnarfing ,it is based on the serial profile and this

enables the use of most AT commands, This gives the attacker full access to

resources shared by the device over serial. For example, a mobile phone can be

used to make phone calls using the AT command set or a laptop computer could

have your PDA’s data stolen onto an empty PDA owned by the attacker.[19]

Like computers there is a risk of worms and viruses on the Bluetooth devices one such

worm is cabir worm which try to get paired with any other device in the vicinity and once

paired it will install itself on the paired device it will try to do the same procedure with

the other devices and the worm will drain the battery by scanning for the enabled

Bluetooth devices.

Irrespective of the security mode encryption of the data transmitted is optional. It has

to be explicitly requested by the application.

Insecure Default settings:

It is noticed that often the default configuration settings of the devices are not secure

if we consider an example security functions like authentication and encryption are

disabled and PINs are set to “0000”. In the devices like headset it is almost

impossible to alter the preconfigured settings.

15

Weak PINs can be guessed:

If a weak PIN is used during device pairing, an attacker can guess the PIN and use it

to calculate the link key resulting from the pairing. To do this, the attacker only has to

eavesdrop on the pairing and the subsequent authentication. Using transcripts of

intercepted protocols, the attacker can check whether he has correctly guessed the

PIN. In this way it is possible to guess short or trivial PINs (e.g."1234567890"). The

fact that PINs are the only secret parameters link keys should be viewed as a serious

security weakness. Experience shows that it is extremely difficult to break the

practice, widespread among users, of choosing weak PINs.

When a device uses unit keys as link keys, the same key is used for every connection

with that device. If the attacker succeeds in establishing a connection with this device,

he is then in a position to impersonate that device or to intercept every

communication made with it.

A cyclic redundancy check (CRC), an encoding method used to identify transmission

errors, is used to protect the integrity of the data. Although a CRC is highly likely to

detect random errors during the transmission of data packets, it does not provide

adequate protection against deliberate tampering with data packets.

The Bluetooth standard does not specify any particular mechanisms to be used to

generate the random numbers. Experience suggests that the quality of random number

generators varies widely from manufacturer to manufacturer and from

implementation to implementation. [16][18]

16

Chapter 2

The way that the Bluetooth security radio system is used in mobile devices and the type

of data carried on these devices makes security an extremely important factor. While

most wireless systems will claim that being a spread spectrum radio provides security, the

volumes projected for Bluetooth radio eliminates these barrier. As such, link layer and

application layer security are part of the basic Bluetooth radio requirements. At link

layer, the Bluetooth radio systems provides authentication, encryption and key

management of the various keys involved.

The Bluetooth device address is the first and the most important unique parameter

basically it is a unique 48 bit address of a Bluetooth device. However at the user interface

level it is represented as 12 hexadecimal characters. Another parameter is the Bluetooth

device user name which is a user friendly name can be chosen by the device owner. It can

be 248 bytes long, although a generic device is not expected to handle names more than

40 characters in length. In general most of the devices have limited capabilities and they

may handle only up to 20 characters. Among all the parameters used in the Bluetooth

security architecture Bluetooth passkey (PIN) is the most important in terms of security

prospective it is used to authenticate two Bluetooth devices which have not exchanged

link keys ever before. The important feature of this parameter is that it is having different

representations in the different levels. Bluetooth device class is another parameter used to

identify the type of device and services supported by the device. [20]

17

2.1.1 Authentication

Like other wireless technologies Bluetooth also uses authentication mechanism using a

secret key known as link key. In the previous versions of technology only unit keys were

used but just to make the authentication procedure a bit more secure now a days

combination keys are widely used. Moreover combination key is specific to a pair of

devices on the hand a device is having a single unit key for all the connections. There are

two ways of generating link keys either dynamically or through a process called pairing.

But when a device is configured to generate link keys dynamically, it requires the user to

enter the pass key each time a connection is established. Pairing on the other generates a

long-term, stored link key that allows for the simple automated connections that are the

hallmark of the Bluetooth specification. In order to pair two devices, the user will set

both devices in pairing mode and will then enter a shared passkey. This passkey is then

used to generate an initialization key. The initialization key is based on the Bluetooth

address of the devices, a random number and the passkey. This initialization key is then

used to authenticate each device as well as in the creation of the link key. Finally, the link

key is stored locally on each device for the future authentication. After the pairing

process has completed, the devices will automatically and transparently authenticate and

perform encryption of the link.

unidirectional and mutual. The authentication process uses the E1 algorithm that is based

on the SAFER+ block cipher. The communication between any two devices starts when

first device sends its 48 bit (BD-ADDRESS) to second device. At this point the second

device will send a 128 bit random number-based challenge to the first device. Now both

the devices will compute an authentication response which is a function of algorithm E1

and is based on the device first’s address, the random number challenge issued by device

second, and the previously established link key. Device first will then transmit its

authentication response and device second will compare it with its own calculations. If

the two agree, then the device is authenticated. If the authentication response does not

18

match, the connection is refused. Once the authentication process has completed, device

second will generate new random number for its next authentication session. [17][13]

2.1.2 LMP-Authentication

subsequently creates a common link key that is used as the basis for a trusted relationship

or a secure connection. This procedure consists of the steps, LMP-authentication is based

on the initialization key and creation of the common link key.

Verifier Claimant

(Initiator)

Init_pairing

Generate

Random number

LMP in rand

PIN

PIN

LMP accepted

Calculate Calculate

Kinit Kinit

Imp -authentication

Link key Link key

Create link key

procedure is based on a challenge response mechanism using a random number, a secret

19

key and the BD-ADDR of the non-initiating device. The secret key can be previously

exchanged link key or an initialization key created based on a pin as used in pairing

procedure.[15][13]

Verifier Claimant

(Initiator)

Init_Authentication

Secret key

Secret Key

Generate

Random number

Imp_au_rand

Calculate Calculate

Challenge Response

Imp_sres

Compare

Result

2.1.3 Authorization

device is allowed access to a particular service. Basically authorisation incorporates two

20

important Bluetooth security concepts, trust relationships and service security levels.

Authorisation is dependent on authentication as the authentication process establishes the

device identity that is used to determine access. The Bluetooth specification allows three

different levels of trust between devices, trusted, untrusted, and unknown. If device A has

a trusted relationship with device B, then device B is allowed unrestricted access to

device A. If device B is untrusted, then device B has been previously authenticated, but

its access to services on device A is restricted by service security levels. An unknown

device that has not been authenticated is considered untrusted.

Service security levels control access to a devices service on a per service basis. The first

security service level requires both authentication and authorisation in order to grant

access to a service. In other words, the identity of the requesting device has to be

confirmed and the requesting device has to be granted specific permission to access the

service. The second level of service security requires authentication only. At this security

level, the identity of the requesting device need only be judged genuine in order to be

granted access to the service. The third level requires encryption only. At this level,

access to the service will be granted to any device that is encrypting its communications.

The last level is open to all devices. An example of a use for this security level would be

if a user wanted to grant unrestricted access to a business card stored on the device while

restricting access to other, more sensitive services.

2.1.4 Encryption

encrypting its transmissions, a Bluetooth device ensures that only a recipient with the

proper decryption key can view the data. Bluetooth’s encryption uses an algorithm called

E0. A devices encryption key is based on its link key. This simplifies the key generation

process as both the sender and receiver have shared secret information upon which to key

their encryption. Bluetooth’s encryption service has three different modes. In mode 1, no

encryption is performed. In mode 2, communication with individual devices is encrypted,

but broadcast traffic is not. In mode 3, all communications are encrypted. In addition to

reducing interference, Bluetooth’s limited range and spread spectrum frequency hopping

21

help to ensure confidentiality by reducing the possibility of eavesdropping. The use of

fast frequency hopping, at 1600 hops per second over 79 different channels, represents an

important barrier to interception. Since the transmitter only dwells on a specific

frequency for 625 microseconds, it is difficult to even detect the presence of a Bluetooth

device unless it is in the process of actively paging another device. Key Generation

overview the encryption key is derived from the authentication key and is used for

enciphering the data for transmission. This will increase the life time of the authentication

key. The authentication key is also referred as link key to emphasize the importance of

this key to a specific Bluetooth link. The authentication procedure needs that the both end

devices of a link know the present link key. Since the link keys are to be kept secret, they

cannot be obtained through any inquiry routines. There has to be an initialisation phase

carried out separately for each two units that want to implement authentication and

encryption. The steps in initialization are as follows:

1. Generate an initialisation key, Kinit, and use it as link key. This key is derived from

three entities: device address, a random number issued by verifier and a PIN code. The

PIN can be a fixed number provided with the Bluetooth unit (for example, devices with

no user interface). Alternatively, the PIN can be selected arbitrarily by the user, and then

entered in both units that have to be matched. Authentication of devices to each other

using Kinit.

knowledge of secret key is checked using symmetric secret keys.

4. Once the initial authentication is over, the devices decide on a new link key for future.

Each device has a unit key, denoted by Ka, which is generated when that device is in

operation for first time. So the devices can decide on using one of the unit keys as link in

future or can derive a combination key, denoted as Kab. Sometimes, same information

may need to be distributed securely to several recipients in which case the serving device

22

decides a single common link key for all links to recipients. This key is known as master

key and is denoted by Kmaster.

5. Exchange K securely using encryption key derived from Kinit. The agreed upon future

link key is exchanged between the devices.

7. For transmitting data, a new encryption key is generated at each end based on chosen

K. A new encryption key is generated for every new session. [13]

2.1.5 Implementation

passkey (PIN) as the secret key. The Security Manager (key unit) performs the following

tasks: _ Stores security related information for all services (Service Database); _ Stores

security related information for available devices in range (Device Database); _ Processes

access requests by protocol implementations or applications (grants access or denies

connection); _ Enforces authentication and/or encryption before connection can be

established;_ Initiates and processes input from a device user (called External Security

Control Entity (ESCE) - a human operating a device) to setup trusted relationship; _

Initiates pairing and queries PIN (PIN entry may be done by an ESCE or an application).

For connection-oriented L2CAP data (setup to connect to the next higher protocol or

application) security check is performed at the onset of the request while for

connectionless data packets the Security Manager checks the Service Database (for

services that does not allow connectionless packets) to decide whether the packet will be

allowed or denied.

23

2.2 Key Management

To retrieve the correct key upon request from the host or unit, the semipermanent link

keys must be stored in a database. If we use a simple database as shown in the table, no

information is given of the semi permanent key type that is used (i.e unit or

combination).However, a key in the table might be a unit key. Since a unit key is not as

secure as a combination key we might want to enforce a more restricted security policy.

10FA487DE52 1B4D5698AE374FDE8390912463DFE3AB

047F6BB427EA FE729425BC9A95D39132BDE275917823

Now we show the information of the table with the type of the key (i.e unit or

combinational).In addition to this it is also good to add some redundancy to the database

entries so that errors can be detected. [20]

The example table with the type-of-key information is:

Here U = Unit Key and C = Combination Key

10FA487DE52 1B4D5698AE374FDE8390912463DFE3AB C

047F6BB427EA FE729425BC9A95D39132BDE275917823 C

A5EE29667190 091827AD41D4E48D29CB8E82615D1849 U

24

2.2.2 Corrupted Database

The link key database for some reason might become corrupted. The probability of

having corrupted databases depends on the type of storage medium and the storage

protection mechanisms. If a device address held is damaged, it might result in key lookup

error. If the corrupted key entry is detected when the unit is about to send an

authentication (acting as verifier), the error can be handled internally by the unit. In this

case, it should be possible for the user (if desired) to demand a new pairing and derive a

new link key and the device will initiate a new pairing.

services at the link level using the Link Manager Protocol (LMP). Authentication

between a pair of devices is based on a secret link key that is generated by a pairing

procedure when the two devices communicate for the first time.

1. Security Mode 1 (non-secure): No security procedures are performed;

2. Security Mode 2 (service level security): Security procedures initiated after channel

establishment request has been received at L2CAP level. Whether security procedure is

initiated or not depends on the service type. Service (or application) level security

implementation allows different access policies for different applications which may run

in parallel.

3. Security Mode 3 (link level security): Security procedures are performed and

authenticated at the LMP level before a channel is created for communication. A

25

Bluetooth device in security mode 3 may reject a host connection request best on host

settings.

(2) Services that require authentication only

(3) Services that require both authentication and authorization.

While automatic access is only granted to trusted devices, all other devices if need

manual authorization. A link may be changed to encrypted mode if required by the

service or application.

Stream ciphers are an important class of encryption algorithms. They encrypt individual

characters (usually binary digits) of a plaintext message one at a time, using an

encryption transformation which varies with time. By contrast, block ciphers tend to

simultaneously encrypt groups of characters of a plaintext message using a fixed

encryption transformation. Stream ciphers are generally faster than block ciphers in

hardware, and have less complex hardware circuitry. They are also more appropriate, and

in some cases mandatory for example in some telecommunications applications when

buffering is limited or when characters must be individually processed as they are

received. Because they have limited or no error propagation, stream ciphers may also be

advantageous in situations where transmission errors are highly probable. There is a vast

body of theoretical knowledge on stream ciphers, and various design principles for

stream ciphers have been proposed and extensively analysed. However, there are

relatively few fully-specified stream cipher algorithms in the open literature. This

unfortunate state of affairs can partially be explained by the fact that most stream ciphers

used in practice tend to be proprietary and confidential. By contrast, numerous concrete

block cipher proposals have been published, some of which have been standardized or

placed in the public domain. Nevertheless, because of their significant advantages, stream

26

ciphers are widely used today, and one can expect increasingly more concrete proposals

in the coming years.

E0 is a so-called autonomous finite state machine. Loaded with an initial state, it will

move to a new state and produce one single output bit of the key stream on every clock

cycle.

The Bluetooth specification defines the stream cipher algorithm E0 to be used for point-

to point encryption of the packet payload, the access code and the packet headers shall

never be encrypted. The E0 additive stream cipher was designed to provide the wireless

connections with a strong protection against eavesdropping. It is based on a direct design

and uses a Bluetooth proprietary algorithm that is inspired by Massey and Rueppel’s [27]

summation combiner stream cipher. The core of E0 is built around four independent

linear feedback registers (LFSR) and a finite state machine (FSM) as a combining

circuitry.

Studies shows that E0 stream cipher is weaker than supposed at its design. But the

frequent rekeying in Bluetooth and the rather short generated key streams keep the

system safe for most of the attacks.

In the E0 stream cipher algorithm bits are bit-wise modulo-2 (XOR) added to the data

stream to be sent over the air interface. All units in the piconet must be able to read the

packet header to see if the message is for them or not. Therefore, it is only the payload of

each packet that is ciphered separately by the cipher algorithm E0. The payload data is

ciphered after the CRC bits are appended, but before the optional Forward Error

Correction (FEC) encoding.

27

The E0 stream ciphering process consists of three parts: (see Figure 2.3)

a) Initialization: payload key generation.

The payload key generator combines the input bits in an appropriate order and shifts them

into four LFSRs of the key stream generator.

b) Main part: Key stream bits generation.

c) Encryption and decryption.

Kc

BD_ADDR

1. Initialization Transform Kc to K`c

EN_RAND payload key load K`c, BD_ADDR

Generation and 6bit constant

CLK 111000

Payload key

Key Stream

generator

Encryption and

decryption

28

The cipher algorithm E0 uses as input the 48 bits of the master Bluetooth device address

(BD_ADDR), 26 bits of the master real-time clock, CLK, and an encryption key KC. By

using the 26 bits of the master clock, which toggles every 625µs, and a reinitialization of

the E0 algorithm after each (multi-)packet, frequent changes of the starting state of the

key stream generator are assured, which forms a key factor in the resistance to security

attacks. E0 generates a binary keystream Kcipher which will be modulo-2 (XOR) added to

the data to be encrypted. The cipher is symmetric; decryption shall be performed in

exactly the same way using the same key as used for encryption.

The private encryption key (KC) is derived by algorithm E3 from the current link key, a

96- bit Ciphering Offset number (COF), and a 128-bit random number EN_RAND. COF

is set to the concatenation of the master BD_ADDR if the current link key is a master

key. Else COF it is set to the value of Authenticated Ciphering Offset (ACO) as

computed during the authentication procedure.

The Bluetooth system is said to be a two level operation. The first level consists of the

initialization and the second level performs the actual keystream generation.

Within the first level, the initialization of the E0 algorithm, the encryption key KC is

transformed to an intermediate constraint key K`C :

Where deg (g1(L) (x)) = 8L and deg (g2(L) (x)) <= 128 - 8L. The values for the polynomials

g1(L) and g2(L) are collected in a table[28]. The maximum effective size of this key shall be

factory preset and may be set to any multiple of eight between one an sixteen (8-128bits).

29

This constraint key K`C is used together with the BD_ADDR and the clock CLK to load

the initial values of the four LFSRs (128 bits) and the four memory bits c0 and c-1. At the

end of the first level, the generator will generate 200 stream cipher bits, of which the last

128 bits are fed back into the key stream generator as the initial values of the four LFSRs

of the second level. The values of the memory bits c0 and c-1 are kept as the initial values

for the second level. Further details of the complex initialization and the premixing of the

initially loaded key material can be found in the Bluetooth specification document. [28]

After the initialization steps of first level and the initialization of the second level, a loop

is started (step 2 and 3 in Figure 2.3), until the maximum number of plaintext bits are

encrypted and the generator must be re-initialized to disable various kinds of statistical

analysis attacks.

The core of the E0 keystream generator consists of four Linear Feedback Shift Registers

(LFSR), with a key of at most 128 bits, and a 4 bit finite state machine, feeding a

Summation Combiner Logic (combining circuitry).

Studies shows that LFSR is not cryptographically secure, since it is linear. In [26] the use

of memory in the combination generator was proposed to achieve nonlinearity in an

LFSR system. The finite state machine is used in the Bluetooth system to introduce

sufficient nonlinearity to make it difficult to recompute the initial state from observed key

stream data.

As we know that LFSRs can be described with feedback polynomials. The feedback

polynomials of the four LFSRs used within E0 are all primitive maximum length

polynomials. This ensures that the period of a LFSR with degree n is 2n - 1. The smallest

period of all the Bluetooth LFSRs is the product of the four periods: P = (P1P2P3P4)/7 =

(225 - 1)(231 - 1)(233 - 1)(239 - 1) / 7 ≈ 2125.2. The period is divided by 7 since P3 and P4

have 7 as their greatest common divisor. This entire period is never generated by the

Bluetooth generator, since it is re-initialized after a maximum of 2745 bits. The total

length of the registers is 128. The Hamming weight( which shows the number of “1” bits

30

in binary sequence) of all the feedback polynomials is chosen to be five - a reasonable

trade-off between reducing the number of required XOR gates in the hardware

implementation and obtaining good statistical properties of the generated sequences.

LFSR1 25 t25 + t20 + t12 + t8 + 1 24 225 - 1

LFSR2 31 t31 + t24 + t16 + t12 + 1 24 231 -1

LFSR3 33 t33 + t28 + t24 + t4 + 1 32 233 -1

LFSR4 39 t39 + t36 + t28 + t4 + 1 32 239 -1

The polynomials are in fact maximum length windmill polynomials [30]. This can be

exploited in a hardware or software realization of the LFSR. The windmill polynomials

have the property that one can construct a linear sequential machine that, provided it is

correctly initialized, for each clock cycle generates four consecutive symbols of the

sequence that the normal LFSR would generate.

For each bit output, each LFSR is clocked once, and the output of all four LFSRs and the

output of the finite state machine is exclusive-or’ed together to form the keystream

output. Then, the 4 LFFSR outputs are summed together to form a 3 bit output. The upper

2 bits of that sum are used to update the state of the finite state machine (FSM). The least

significant bit (LSB) of the sum of the four LFSRs is their bit-wise XOR.

During the encryption loop, the following steps are walked through:

a) Output xt for the four LFSRs

b) Calculate the keystream zt = f0(xt, ct)

c) Calculate the encrypted message bit et = zt (+) mt, where mt is the corresponding

message bit

d) Calculate St+1 = f1(xt, ct)

e) Calculate next FSM state ct+1 = T (St+1, ct)

31

f) Put memory bits ct = ct+1 of FSM.

During decryption, the same loop is walked through, but in the third step, the calculation

is mt = zt (+) et, where et is the corresponding received encrypted bit.

The combination generator process is represented in Figure 2.4, where the z-1 labeled

boxes denote delay elements holding two bits each and the small numbers under the

nodes indicate the number of bits passing.

The function f0, called summation combiner, produces an output sequence of 200 bits z1,

z2, …….. , where zt 2 GF (2). It computes these zt of the modulo two sum of the xt vector

and the first bit c0t of the current contents of the memory. xit denotes the output from

LFRSi at time t. The output from the LFRS is taken from the shift register taps given in

Table 2.3.

zt = f0(xt, c0t )

= x1t (+) x2t (+) x3t (+) x4t (+) (c0t mod 2) Є {0, 1}

32

The nonlinear function f1 also takes the vector xt as input, but combined with the latest

memory update vector ct. f1 has a 2-bit vector St+1 as output. It is nonlinear since integer

addition is nonlinear in GF (2)

= f1(xt, ct)

= [(yt + 2c1t + c0t )/2] Є {0, 1, 2, 3}

yt = x1t + x2t + x3t + x4t Є {0, 1, 2, 3, 4}

The state of the FSM is determined by 4 bits, which are stored in a pair of 2-bit delay

elements. At each time t, the lower delay element stores the previous value of the upper

element and we can therefore refer to these 2-bit values as ct and ct+1 respectively. The

function T is used to mix these carry-bits. It takes the 4 memory bits and st+1 as input. It

produces the 2-bit vector ct+1 to be put in the memory. The new content ct+1 of the

upper delay element is computed as follows:

ct+1 = (c1t+1, c0t+1)

= T (St+1, ct, ct-1)

= T0 (St+1) (+) T1 (ct) (+) T2 (ct-1)

ct+1 defines a linear infinite impulse response (IIR) filter that lowers the correlation factor,

an important parameter in the correlation attack. T1 and T2 are two different linear

bijections over GF (4), (x1, x0) → (y1, y0), where T0 = T1 : (x1, x0) → (x1, x0) and T2 : (x1,

x0) → (x0, x1 (+) x0).

This concludes the description process within the E0 keystream generator.

33

Chapter 3

We will be discussing different types of attacks possible on the E0. The attacks will be

described in this section. Although, it will be difficult to discuss all the attacks in full

detail under the scope of this minor thesis, but we will describe each type of attack. Some

parts of the attacks that are reviewed are implemented besides the E0 simulator, as a way

to get better understanding in the working of the attack.

For most attacks it is needed to remodel the cipher in such a way that the nonlinear part is

replaced with a sequence of random variables with some correlation probability. Most of

the theoretical attacks on the Bluetooth E0 stream cipher require a far larger amount of

consecutive keystream output than available in a practical environment. By Kerckhoffs’

principle, they assume the keystream generator and some key stream bit Zt are known

and they try to recover the initial state of the LFSRs.[23]

and terms which are used throughout the chapter we shall consider the field GF(2n) as a

linear space with a given fixed basis. Xt denotes an n-dimensional vector in GF(2n) as

Xt = (X1t , X2t ,…… , Xnt).

The inner product "." between two vectors v = (v1, v2, ……. , vn) and w = (w1,w2,…. ,wn)

of the space GF(2n) is defined as:

v . w = v1w1 (+) v2w2 (+)………(+) vnwn

The linear function Lu(x) is then Lu(x) = u . x, u Є GF(2n).

34

DEFINITION 1. We say a function L: GF (2n) → GF (2n) is linear if for any vectors v

and w in GF (2n):

L (v + w) = L (v) + L (w)

n

and for any vector x in GF (2 ) and scalar a,

L (av) = a L (v)

An affine function is just a linear function plus a translation.

DEFINITION 2. We say a function A: GF(2m) → GF(2n) is affine if there is a linear

function L : GF(2m) → GF(2n) and a vector b in GF(2n) such that:

A(x) = L(x) + b

For all x in GF (2m)

In [26] Hermelin and Nyberg published a theoretical attack to recover the keystream

generators initial state with a time complexity of O (264) given O (264) known keystream

bits (≈2.097.152 TB).

The attack is based on a weak linear correlation between the output of the LFSRs

Vt = X1t (+) X2t (+) X3t (+) X4t and the keystream output Zt, to verify the accuracy of

one of the LFSRs. The sequence Vt is generated by a fictive LFSR, based on the product

of the four feedback polynomials form the LFSRs in E0, that is, a feedback polynomial Gt

with degree 128, Gt = f1(t)f2(t)f3(t)f4(t). If the attack is successful, the attacker will

discover the initial state of this fictive LFSR, from which the initial state of the four

original LFSRs of E0 can be computed by solving a set of linear equations in 128

unknown variables.

Hermelin and Nyberg discovered the following correlation in the Bluetooth E0 stream

cipher:

C (Zt (+) Zt-1 (+) Zt-3, Vt (+) Vt-1 (+) Vt-3) = -1/16

35

Since the attack of Ekdahl and Johansson is based on the same principles of this attack,

but with better computational complexities, we will not analyse this attack in further

detail.

A theoretical attack by Ekdahl and Johansson [1] describes how the initial state of the

keystream generator can be extracted given O(234) known keystream bits (≈2 GB) and a

computational complexity of O(263). This attack is also based on a weak linear correlation

between the LFSRs output and the keystream output to verify if a guess on one of the

LFSRs is accurate. This attack remodels the cipher in such a way that the nonlinear part

is replaced with a sequence of random variables with some correlation probability. The

nonlinear part of the keystream can be found in the memory block Ct.

Fluhrer and Lucks [2] discovered the following correlation for Ct:

P (Ct (+) Ct-5 = 0) = 1/2 + 0.04883

The attacker observes a keystream Zt of length N. The attack will primarily target the

initial state of the first LFSR, LFSR1. The other three LFSRs can be combined into a

single equivalent LFSR. The output from this equivalent LFSR is a sequence Ut,

0 <= t <= (N - 1).

P (Ct (+) Ct-5 = 0) = 1/2 +0.04883

Now we can remodel E0 into a simplified system as showed in Figure 8.3. With this

model, we need to guess the initial state of LFSR1 and add this, x0 it, to zt. If the guess

is correct, we can write the resulting sequence as:

V t = Z t + X t = U t + C t0 (1)

36

LFSR1 x t1

zt vt

Test

x’t

Equivalent LFSR

ut

0

Ct Assumed LFSR1

From the equivalent LFSR of LFSR2, LFSR3 and LFSR4, we will get a sequence u0,

u1,………uN-1 which is a linear (N, l)-block code C5. In this block code C, there are l

information symbols, which is equal to the length of the equivalent shift register, the sum

of the length of LFSR2, LFRS3 and LFSR4. The sequence ut can be rewritten as a row

vector u = (u0, u1… uN-1).

And this row vector can then be written as u = u0G, where u0 is the initial state of the

equivalent shift register and G the generator matrix. If we suppose we can find k columns

in G such that

Gi1 + Gi2 + …+ Gik = 0, (2)

then we must have ui1 +ui2 +…+uik = 0 for the sequence ut. Since the block code is cyclic,

we can write

∑ ut+1 = 0, (3)

iЄI

37

for any time index t >=0, where I is the set of indices in Equation (2).

By summing over the indices in I, indicated by Equation (3), it possible to remove the

influence of ut in vt (Equation (1)) and go towards the correlation Equation ().

vt = ut + ct (4)

∑ vt+i + vt+i-5 = 0 + ∑ ct+i + ct+i-5 (5)

iЄI i ЄI

iЄI

iЄI

depending on the magnitude Є in Equation (8), it is possible to get statistical significance

if the assumption on the initial state of LFSR1 was good. If LFSR1 was guessed

correctly, the correlation in Equation (8) can be detected, else the correlation will not be

detectable, since more noise will have been added to the sequence vt and the sum of

Equation (6) will tend to 1/2.

The attack requires a length, N, of the received sequence zt which depends on two

parameters, the value of the highest index in I for Equation (3) and the number of shifts in

time, m, in Equation (6).

An estimate for the highest index in I is needed since we need to search for a span of zt

such that the indices can be found that satisfy Equation (3). A good estimation of the

required length of the received sequence in order to find k columns that add up to the all-

zero column in the generator matrix from Equation (2) can be made using Theorem 14.

matrix G of a cyclic code C, to find k columns that add to the all-zero column, where l is

the number of rows in G

38

To estimate the second parameter, the needed number of samples m. From this section we

know we can separate the uniform distribution PU(X = 0) = 1/2 from the indicator

distribution PE0(X = 0) = 1/2 + 2k-1 Єk using approximately 1/(2k-1Єk)2 samples. With

increasing k, PE0(X = 0) gets closer to 1/2 and the Chernoff information says regarding

the (distance) between two probability densities. Relatively large Chernoff information

means low error probability. C (PU, PE0) is decreasing. So the required number of

samples, m, increases when k increase for a fixed error probability. The total number of

columns w ≈ 2l/(k-1) in G required to find k columns that add to the all-zero column

decreases if k increases. The total number of required keystream bits to observe, N, is the

sum N = m + w, so we need to chose k such that we minimize N.

When performing the attack, we count the number of times Equation (6) equals to zero,

n0, and the number of times it equals to 1, n1. Thus, the number of samples needed, m,

equals to m = n0 + n1. To simplify the application of the Lemma of Neyman-Pearson we

replace 2k-1Єk with Є .We can now easily write PE0 = 1/2 + Є . According to the Lemma,

we can test between the two hypotheses H0 : PU and H1 : PE0 :

For this attack, it is desired to use an unsymmetrical threshold and decrease PF at the

expense of PM. We would like to have PF << PM. In [3] an unsymmetrical threshold of

T = 25 was chosen, resulting in a threshold of PM ≈2-4 and a threshold of PF ≈ 2-10. It is

shown that the value for the parameter k = 4 is the best choice for attacking LFSR1, since

the value of N will then be minimized to 234.6.

39

3.3 Faster correlation attack, Y. Lu and S. Vaudenay

Although the faster correlation attack proposed by Yi Lu and Serge Vaudenay in[12], has

the best known time complexity O(239) after O(237) it still requires 239 consecutive

keystream bits (≈ 64GB). The attack recovers the LFSR1 with a new Maximum

Likelihood Decoding (MLD) algorithm, by means of Fast Walsh Transform. This

algorithm can speed up a fast correlation attack. The attack applies the concept of

convolution to the analysis of the distinguisher based on all known correlations. This

allows building an efficient distinguisher that halves the data complexity of the basic uni-

bias-based distinguisher.

The approach is similar as the Divide-and-conquer attack from Ekdahl and Johansson 3.2,

but with a decreased time complexity. The correlations used for this attack are:

P(c0t (+) c0t+5 = 0) =1/2+λ/2, (11)

where λ = 25/256

Markku-Juhani O. Saarinen showed in [4] the first guess-and-determine attack on the

Bluetooth keystream generator. This attack consists of guessing the states of the 3

smallest LFSRs and the Final State Machine to derive the contents of remaining fourth

LFSR. Using the observed keystream, the consistency of the assumption is checked with

the output from LFSR4. The complexity of this attack is expected to be close to O(293).

We will not treat the attack of Saarinen in further details, since the improved versions of

this attack are analysed below.

40

3.5 Guess-and-determine attack, S.R. Fluhrer and S. Lucks

Scott R. Fluhrer and Stefan Lucks refined the attack of M.O. Saarinen in [2]. This attack

recovers the initial state of the shift register (level 2 of the keystream generator) and

reverses the premixing step to recover the session key KC (level 1 of the keystream

generator). The time complexity of the attack has the order of O(284) when 132 keystream

bits are available. The time complexity required to reconstruct the level 2 keystream

generator (LFSRs initial states) is expected to be between O(272) and O(284), depending

on the amount known keystream bits. The work effort to reconstruct the level 1

keystream generator is expected to take between O(281) and O(251). The algorithm allows

the key stream bits to be spread over 83 multiple data packets, unlike correlation attack.

The computational complexity can then be improved to the order between O(276) and

(284), depending on the amount of keystream bits available.

The basic approach of guessing the initial states of parts of the cipher and checking

consistency stays the same as in Saarinen’s attack. But this attack takes advantage of

additional relationships within E0 to gain performance. Instead of guessing the three

LFSRs as in the attack of Saarinen, this attack guesses the initial state of the FSM and the

contents of the two shortest LFSRs. A set of linear equations is build up and checked for

inconsistencies. The guess will be rejected as soon an inconsistency can be found. The

idea behind the algorithm used in this attack, is that the next state function for the FSM

depends only on the number of LFSRs that output a one. Instead of computing the exact

value of the two longest LFSRs, we just have to decide if their output will differ or not.

The algorithm will also take advantage of the fact that we can efficiently find

contradictions in GF(2). The attack will derive the initial LFSRs settings given 132 bit of

the keystream output. The initial settings for the FSM contents and LFSR1 and LFSR2

are guessed. By observing the keystream, it is possible to decide whether the XOR of the

outputs of LFRS3 and LFSR4 is one or zero, and a set L of linear equations on the

LFRS3 and LFSR4 output bits is constructed in a search tree. When enough keystream

bits are analysed, the linear equations implied by the LFSR3 and LFSR4 tap equations

41

can be added to the set L of linear equations. As long as the equations in the set L stay

consistent, we can continue to analyse the keystream. If an inconsistency appears, we can

backtrack in the tree and try another guess in the different steps.

Preneel

The theoretical attack presented by Christophe De Cannière, Thomas Johansson and Bart

Preneel in [5] is based on the attack of Scott Fluhrer [2] described in the precedent

section. The time complexity of the attack is in the order O(276) when 1 Mbit of

keystream data is available.

The approach for this attack is similar to the attack of Fluhrer and Lucks. But instead of

guessing two of the LFSRs contents and the FSM, only the shortest LFSR and the initial

state of the FSM will be guessed.

This attack has a time complexity of O (277) while requiring only 128 known keystream

bits.

Free Binary Decision Diagrams (FBDD) are data structures for representing and

manipulating Boolean functions [7] [8]. An FBDD-attack is a short-keystream attack,

where the number of key bits needed for computing the secret initial state, x Є {0, 1}n is

at most cn for some constant c >=1.

The attack exploits that many LFSR-based stream ciphers produce keystream according

to the rule z = C(L(x)), where L(x) denotes an internal linear bit stream generated by a

small number of parallel LFSRs and C denotes some nonlinear compression function.

The weakness of LFSR-based keystream generators is that the compressor C has to

produce the keystream in an online manner and at high speed. To achieve this, C uses

42

only a small memory and consumes only a few new internal bits for producing the next

output bit. These requirements imply that the decision if an internal bitstream z generates

a prefix of a given keystream y via C can be computed by small FBDDs. This allows to

compute dynamically a sequence of FBDDs Pm, m >= n, which test a given initial state

x Є{ 0, 1}n whether C(L<=m(x)) is prefix of y, where L<=m(x) denotes the first m bits of the

internal linear bitstream generated via L on the secret initial state x.

Frederik Armknecht proposed an algebraic attack to reconstruct the initial state of E0 in

[9]. This attack is based on a system of nonlinear equations of degree 4, which holds with

probability 1 at each clocking. By linearization, the system becomes solvable, assuming

that enough independent equations can be collected. The number of possible terms in the

linearized system is T ≈ 224.056 and by employing Strassen’s algorithm for solving the

system of linear equations, the complexity of this approach is concluded to be about O

(267.58). In order to get enough independent linear equations, the number of observed

keystream bits must be approximately 224.056 (≈16MB). We will explore this attack in

more detail.

Theorem 2 makes up the basis of the algebraic attack on the combiner with memory.

THEOREM 2: (Krause, Armknecht, 2003). For each combiner C with k LFSRs and l

memory bits, a nontrivial relation FC of degree [k(l + 1)/2] with

0 = FC ( Xt , …,Xt+l, zt,…, zt+l )

can be constructed.

Basically, we are able to transform some equations z based on the LFSRs output bits x

and memory bits c to a system of linear equations which depends not on the memory bits

and can be used to find the initial values of the LFSRs.

zt = F(x1t ,..., x4t , c1t ,..., c4t )

zt = F( (x1t ,....... x4t , Ct(x11,…….. x4t-1, c11,……., c41 ) )

zt = Ft(x1, … ,xn,c11, ….., c41

43

0 = F’(x1t,...., x4t ,x1t+1,......, x4t+1,x1t+2, …. x4t+2 , x1t+3,...., x4t+3, zt, zt+1, zt+2, zt+3)

0 = F’(x1,......, xn, zt, zt+1, zt+2, zt+3)

For each clock t, the new key stream output zt is produced and the next memory bits

c0t+1 and c1t+1 are computed. We will reformulate this equation to have the functions for

the individual memory bits c0t+1 and c1t+1:

ct+1 = (c1t+1, c0t+1) (12)

= T0(st+1) (+) T1(ct) (+) T2(ct-1) (13)

= (s1t+1 (+) c1t (+) c0t-1 , s0t+1 (+) c0t (+) c1t-1 (+) c0t-1). (14)

In this equation we can reformulate s1t+1 and s0t+1 from Equation which says

yt = x1t + x2t + x3t + x4t as stated by F. Armknecht, A Linearisation Attack on the

Bluetooth Key Stream Generator, 2002:

st+1 = (s1t+1, s0t+1) (15)

= [x1t + x2t + x3t + x4t + 2c1t + c0t ] / 2 (16)

s1t+1 = ∏4(t) (+) ∏3(t)c0t (+) ∏2(t)c1t (+) ∏1(t)c0t c1t (17)

s0t+1 = ∏2(t) (+) ∏1(t)c0t (+) c1t (18)

Where ∏i(t) is the XOR over all possible products in {x1t , x2t , x3t , x4t } of degree i:

∏1(t) = x1t (+) x2t (+) x3t (+) x4t

∏2(t) = x1t x2t (+) x1t x3t (+) x1t x4t (+) x2t x3t (+) x2t x4t (+) x3t x4t

∏3(t) = x1t x2t x3t (+) x1t x2t x4t (+) x1t x3t x4t (+) x2t x3t x4t

∏4(t) = x1t x2t x3t x4t

which leads to the following equations for the individual bits c1t+1 and c0t+1 (from

Equation(14)):

c1t+1 = s1t+1 (+) c1t (+) c0t-1 (19)

= ∏4(t) (+) ∏3(t)c0t (+) ∏2(t)c1t (+) ∏1(t)c0t c1t (+) c1t (+) c0t-1 (20)

c0t+1 = s0t+1 (+) c0t (+) c1t-1 (+) c0t-1 (21)

= ∏2(t) (+) ∏1(t)c0t (+) c1t (+)c1t-1 (+) c0t (+) c0t-1 (72)

44

Now we can define the additional variables A(t) and B(t):

A(t) = ∏4(t) (+) ∏3(t)c0t (+) c0t-1

B(t) = ∏2(t) (+) ∏1(t)c0t (+)1

so that the Equations (20) and (22) can be simplified to (using the fact that for Boolean

variables x2 = x):

c1t+1 = A(t) (+) B(t)c1t (23)

1 1

c t+1 B(t) = A(t)B(t) (+) B(t)c t (24)

0 = B(t) (A(t) (+) c1t (+) c1t+1 (25)

and

c0t+1 = B(t) (+) 1 (+) c0t-1 (+) c0t (+) c1t (+) c1t-1 (26)

c1t (+) c1t-1 = B(t) (+) 1 (+) c0t-1 (+) c1t (+) c0t+1 (27)

By inserting Equation (27) into (25) with index t+1 instead of t we get the following

equation:

0 = B(t)(A(t) (+) B(t + 1) (+) 1 (+) c0t (+) c0t+1 (+) c0t+2) (28)

In this equation, we can eliminate all unknown memory bits c0t by using the observed

keystream zt and by knowing in X2 = X and X (+) X = 0 in GF(2):

zt = x1t (+) x2t (+) x3t (+) x4t (+) c0t

c0t = x1t (+) x2t (+) x3t (+) x4t (+) zt

= ∏1(t) (+) zt

B(t) = ∏2(t) (+) ∏1(t)c0t (+) 1

= ∏2(t) (+) ∏1(t) (+) ∏1(t)zt (+) 1

A(t) = ∏4(t) (+) ∏3(t)c0t (+) c0t-1

= ∏4(t) (+) ∏3(t)∏1(t) (+) ∏3(t)zt (+) ∏1(t - 1) (+) zt-1

0 = B(t)(A(t) (+) B(t + 1) (+) 1 (+) c0t (+) c0t+1 (+) c0t+2 )

= ∏2(t) (+) ∏1(t) (+) ∏1(t)zt (+) 1( ∏4(t) (+) ∏3(t)∏1(t) (+) ∏3(t)zt (+) ∏1(t - 1) (+) zt-1 (+)

∏2(t + 1) (+) ∏1(t + 1) (+) ∏1(t + 1)zt+1 (+) 1 (+) 1 (+) ∏1(t) (+) zt (+) ∏1(t + 1) (+) zt+1

(+) ∏1(t + 2) (+) zt+2 )

= 1 (+) zt-1 (+) zt (+) zt+1 (+) zt+2

45

(+) ∏1(t)(ztzt+2 (+) ztzt+1 (+) ztzt-1 (+) zt-1 (+) zt+1 (+) zt+2 (+) 1)

(+) ∏2(t)(1 (+) zt-1 (+) zt (+) zt+1 (+) zt+2) (+) ∏3(t)zt (+) ∏4(t)

(+)∏1(t -1) (+) ∏1(t - 1)∏1(t)(1 (+) zt) (+) ∏1(t - 1)∏2(t)

(+)∏1(t + 1)zt+1 (+) ∏1(t + 1) ∏1(t)zt+1(1 (+) zt) (+) ∏1(t + 1)∏2(t)zt+1

(+)∏2(t + 1) (+) ∏2(t + 1)∏1(t)(1 (+) zt) (+) ∏2(t + 1)∏2(t)

(+)∏1(t + 2) (+) ∏1(t + 2)∏1(t)(1 (+) zt) (+) ∏1(t + 2)∏2(t)

This equation has terms of degree of at most 4 in the variables {x1t, x2t, x3t, x4t} (in ∏) and

holds for any t. By iterating this equation we can build a system of nonlinear equations

(SNE) of degree 4, with the initial value of the four LFSRs unknown. These initial states

of the LFSRs have length 25, 31, 33 and 39, so the key to recover with the attack has the

form:

K0 = (a0,….., a24, b0,……., b30, c0,……., c32, d0,……, d38)

= (k0, k1,…….., k127)

Although the long Equation (29) uses the output bits of the LFSRs at clock t, we are able

to rewrite the equation in terms of the initial state bits. This is possible since we can

construct a linear function L: GF(2)n → GF(2)n, where n is the length of the LFSR, which

linearly maps the state Kt to Kt+1 : Kt+1 = L(Kt), for each clock t:

K1 = L(k0,k1,…………., k127) = L(K0)

K2 = L(k1, k2,…………, k128) = L(L(k0, k1,……., k127)) = L2(K0)

...

Kt = L(kt-1, kt,.........., kt+126) = Lt(K0)

So we can rewrite Equation (29), following the notation of Theorem 2, as:

0 = F(K0,………., L3(K0), z0, z1, z2, z3)

0 = F(L(K0),……., L4(K0), z1, …….., z4)

0 = F(L2(K0),………., L5(K0), z2,……, z5)

0 = F(L3(K0),………, L6(K0), z3,…….., z6)

...

0 = F(Lt(K0),........., Lt+3(K0), zt,.........., zt+3)

where F is a multivariate relation of degree 4 (at most).

Since the LFSRs output bits {x1t, x2t , x3t , x4t} g can be expressed as a linear equation of

the initial state bits, only a finite number of different terms can occur. Armknecht found

46

that this limit is T = 17,440,047 ≈ 224.056.This means that we will get a system of

nonlinear equations with T unknown. To solve this system we will thus need at least T

equations by clocking the system that many times. The system can be solved with the

Strassen algorithm in O(7Tlog27) or with the Coppersmith-Winograd algorithm[24] in

O(Tw), w <=2.376 through linearization

enables us work with equations with a lower degree. By reducing the degree of the

system of equations, the run-time complexity will decrease. The Fast Algebraic attack

was introduced by Nicolas Courtois in [10] and Frederik Armknecht [11]. The attack will

decrease the degree of the system of equations by using linear combinations of equations.

Equation (29) can be written in the form:

0 = F(Lt(K0),......, Lt+3(K0), zt ,........., zt+3)

0 = F1(Lt(K0),........., Lt+3(K0)) + F2(Lt(K0),........., Lt+3(K0), zt,......., zt+3)

where F = (F1, F2) and F1 and F2 are a multivariate relations with high degree d1 for F1

and a lower degree d2 for F2. The linear combination will cancel out the high-degree

monomials of degree {d2 + 1, d2 + 2,………, d1} that occurs in Equation (29). In [25]

another approach has been proposed: by using the Fast Fourier Transform (FFT) the

complexity of substituting the keystream into the equations can be decreased, resulting in

a expected process complexity of O(249). These 249 can be performed in about 35 hours

on a 4GHz machine. The attack requires 223.4 keystream output bits.

47

Chapter 4

BLUETOOTH SECURITY

Encryption can optionally be used once at least one of the two communicating devices

has authenticated itself to the other. Either the master or the slave can request encryption.

However, encryption itself is always initiated by the master after it has negotiated the

necessary parameters with the slave. For this purpose the two devices first of all agree the

length of the key to be used. The master then initiates the encryption process by sending a

random number to the slave. The cipher key is computed from the link key, a cipher

offset and the random number. Encryption can operate in two ways, point-to-point and

point-to-multipoint. Under point-to-point encryption, the authenticated cipher offset of

the authentication protocol is used as cipher offset. Under point-to-multipoint encryption,

on the other hand, the device address of the master is used as cipher offset. The link key

must then be replaced by a master key before encryption can be initiated. A stream cipher

is used for encryption (in the standard this is designated E0). For each data packet a

new initialisation vector (the message key) is computed from the device address and the

Bluetooth clock of the master. The data is only encrypted during transportation by radio.

Prior to transmission and after receipt the data is held unencrypted in the two devices.

Encryption is thus not end-to-end (i.e. the data is not encrypted from input into device A

up until output or processing in device B).

48

4.2 Problems with Encryption:

¾ Security of the stream cipher E0

Although E0 accepts key lengths of 1-16 bytes (8-128 bits), Fluhrer and Lucks have

shown that the maximum key length does not exceed 73 or 84 bits, depending on the

power of the attacker.

¾ The initialisation vector does not depend on the full clock.

Every data packet transmitted is encrypted using a new initialisation vector. This is

computed from the master's clock amongst other things. However, the highest value bit of

the clock is "forgotten", so that even when encryption is used, man in the middle attacks

is possible.

¾ Encrypted data can be manipulated.

Even if strong encryption is used, data can still be manipulated during transmission. The

characteristics of stream ciphers allow the data intercepted in a man in the middle attack

to be deliberately altered as long as some of the encrypted plaintext is known. Thus it is

possible, for example, to deliberately manipulate IP headers.

In a Divide and Conquer attack, a part of the key is guessed and this constraint on the

keystream may make it possible to determine the rest of the key faster and hence is a

challenge to the Bluetooth Encryption. This attack is mostly combined with a correlation

attack to determine the rest of the key. A correlation attack is a widely applicable type of

attack which might be used with success on generators which attempt to combine the

output from several (cryptographically weak) keystream generators.

A correlation attack exploits the weakness in some combining function which allows

information about individual input sequences to be observed in the output sequence. In

such a case, there is a correlation between the output sequence and one of the (internal)

input sequences.

49

This correlation can be used to extract information about the correlated input sequences.

In the simplest case, a correlation means that the output is equal to one of the input

variables with a probability not equal to 0.5. Siegenthaler showed in his paper [31] that a

smaller linear complexity of the output sequence means greater correlation immunity.

As a protection against these correlation attacks, Rueppel introduced in [27] the idea of a

combining function with memory that makes it possible to attain maximum-order

correlation and maximum linear complexity simultaneously making a separation to the

ideas of correlation immunity and linear complexity.

The fast correlation attack is based on using certain parity check equations created from

the feedback polynomial of the LFSR. The attack assumes that there is a correlation

between one shift register of the LFSR and the output keystream zt,: P(s1t = zt) = p = 1 /2

+ ε, t >= 0. Meier and Staffelbach saw this as if the sequence from LFSR1 was

transmitted over a Binary Symmetric Channel (BSC), with crossover probability 1 - p,

i.e. the BSC transmits the symbol correctly with a probability p. The combined effect of

the other shift registers and the nonlinear combiner is modelled as the BSC. Since the

feedback polynomial of LFSR1 is linear, each st for different t must satisfy a number of

linear equations, based on how many taps the feedback polynomial has, and where the

taps are located. If the correlation between st and zt is high enough, most of the

corresponding symbols in the keystream zt must also fulfil these linear equations. So, by

attempting to slightly modify the sequence zt to compensate for a possible crossover in

the BSC model, Meier and Staffelbach showed that the sequence s = s01, s11…sN1 can be

recovered and thus the initial state of the shift register. This is again a risk for the

Bluetooth Encryption process.

The drawback of this algorithm is that it is only successful if the feedback polynomial has

very few terms which corresponds to a LFSR with few taps. The idea of a communication

channel was reconsidered by Johansson and Jönsson in [32] where they identified an

embedded convolution code in the sequences and could apply standard decoding

techniques, e.g. the Viterbi algorithm, to recover the initial state even if the correlation

50

probability was very close to 0.5. Typically, a shift register of length 40 with a correlation

probability of 0.45 can be attacked with modest computational effort. This algorithm is

independent of the number of taps of the feedback polynomial.

In this attack we start by guessing some internal variables of the cipher (e.g. a part of the

LFSR) and then try to determine the other variables based on the observed keystream and

the evolution of the cipher in time. If our guess is correct, we can confirm it by running

the cipher for some time and match the output from our trial generator with the observed

sequence. If our guess is false, we simply make a new guess and start over again. The

time complexity of such an attack is O (2b), where b is the number of bits we have to

guess, since in the worst case we have to try all possible combinations of the guessed bits.

The difficult part of this attack is to discover which part of the state space should be

guessed in order to obtain the rest. In this way in this type of attacks we try to break up

the Bluetooth encryption cycle by guessing the internal variables of cipher that is part of

the LFSR.

and Shamir in [33]. In most cases, the generated keystream can be described by a

complex system of multivariate polynomial equations with the key bits as the in-

determinants.

The general idea behind algebraic attacks is to form (non-linear) equations consisting of

the observable keystreams zt for all clock ticks t, and the initial secret key bits of the

LFSRs as unknowns. The pre-computation of these equations need only to be performed

once, the attacker can use the same equations for attacking different keystream. Once the

equations are set up, the attacker has to observe the keystream and substitutes these

keystream bits into the algebraic equations. Now, the equations will merely depend on

the initial secret LFSR key bits. The equations have to be solved to determine the value

51

of the LFSRs initialization keys. This is possible if sufficient equations can be

constructed from the observed keystream and the equations are of low degree in the bits

of the initialization keys. To solve a system of nonlinear equations, we have to linearize

the equations. This can be done by assigning a new unknown variable to each monomial

term that appears in the system. If the same monomial appears in a distinct equation, the

same variable will be assigned. This results in a system of linear equations, with a large

number of unknown variables.

Since the complexity of the algebraic attacks is exponential in the degree of the

equations, a way of reducing the degree of the equations was needed. Courtois [10]

introduced a method to achieve this in his Fast Algebraic attacks. His method requires an

additional pre-computation step to determine a linear combination of equations in the

initial system of the algebraic attack. This linear combination can cancel out terms of

high degree, making it easier to solve the system of equations. His approach is based on

the fact that we can multiply the multivariate polynomial with another multivariate

polynomial such that the product is of a lower degree in the initial state bit variables.

Courtois proposes to use the Berlekamp-Massey algorithm to determine the linear

combination for the pre-computation step. The algorithm finds the minimal polynomial of

a linear recurrent sequence. So these attacks tries to affect the Bluetooth encryption

process by forming an algebraic equation based on observable keystream Zt.

52

Chapter 5

5. CONCLUSION

5.1 Analysis And Conclusion

We are concluding this thesis by analysing the E0 encryption Algorithm on the basis of

all the possible attacks on E0 stream cipher discussed in the previous chapters. We have

tried to cover the whole low-level security features supported by the Bluetooth

specifications. But still we have kept stream ciphers as the main topic of discussion and

further we have discussed encryption, pairing procedure and authentication in full details.

The study covered an in depth analysis of the E0 encryption algorithm. We did not only

cover the complete functionality of the E0 system, we also analysed many of the recent

attacks. The most important attacks on the E0 encryption system include the correlation

attacks and the algebraic attacks.

Encryption is one of the most important security mechanisms which deals with the

transfer of data between any two communicating wireless in the present case Bluetooth

devices. Bluetooth uses E0 Encryption Which is discussed in details in the previous

chapters. By taking in to consideration all the possible attacks like the correlation attacks

which are based on a presumed correlation between the input and output bits. The

algebraic attacks exploit the fact that the output bits can be expressed with an algebraic

relation in terms of the initial state bits. The best attacks currently known are the fast

algebraic attack of Armknecht [11] and Courtois [10] and the fast correlation attack of Lu

and Vaudenay [12]. We have seen that this attack can recover the initial state of the

LFSRs and FSM in a known plaintext attack approximately O (239) keystream bits and a

time complexity of approximately O (239) and therefore it became possible for the

intruder to decipher the text and hence breaks the Bluetooth security mechanism. But in

53

the light of present scenario we can say that currently there is no attack known that breaks

the complete encryption procedure and hence the security mechanism of Bluetooth

security architecture with reasonable effort and practical available keystream bits.

However, the security margin is insufficient to feel comfortable about the years to come.

Since the research on the attacks continues actively, future attacks may succeed to reduce

the cryptanalytic workload to a practical level.

After this research we may conclude that there are a lot of security problems with

Bluetooth, the most important are related to encryption which is protected by the E0

Encryption Algorithm. But still, Bluetooth can be seen as a quite safe for the intended

usage. For a practical multifunctional protocol as Bluetooth, many considerations must be

made to find a good balance between functionality, user-friendliness, speed and security.

The active research on this topic will help enhance the Bluetooth system in future

versions.

54

References

cipher", Abstract, Proceedings of 10th Joint Conference on Communications and

Coding, Obertauern, Austria, 2000

[2] S.R.Fluhrer and S. Lucks. Analysis of the E0 encryption system. 2001. pp. 38–48.

[3] P. Ekdahl, "On LFSR based Stream Ciphers - Analysis and Design", Ph.D. Thesis,

Lund University, 2003

Cipher”, Internal Report, November 2001.

EPrint Archive, Report 2001/092. 2001.

[7] J. Gergov and CH. Meinel.” Efficient Boolean function manipulation with OBDDs

can be generalized to FBDDs.” IEEE. Trans. on Computers, Vol. 43, pp. 1197–1209,

1994.

[8] D. Sieling. “Graph driven BDDs - a new data structure for Boolean functions.”

Theoretical computer science 141:1-21-2, 283-310, Elsevier, 1995.

[9] F. Armknecht. A linearization attack on the Bluetooth key stream generator. Posted

on eprint in December 2002.

Feedback.” In Crypto 2003, LNCS 2729, pp: 177-194, Springer.

[11] Frederik Armknecht “On Fast Algebraic Attacks” March 2004. Talk at the 9th

Estonian Winter School in Computer Science, Palmse, Estonia.

Generator E0” M. Franklin (Ed.): CRYPTO 2004, LNCS 3152, pp. 407–425, 2004.

http://netlab.cs.iitm.ernet.in/cs650/2006/TermPapers/siddeshkarra.pdf

[14] On Bluetooth. Security Nikos Mavrogiannopoulos December 16, 2005 available

from

http://members.hellug.gr/nmav/papers/other/Bluetooth%20security.pdf

55

[15] Cybertrust “Article on Bluetooth security” updated June 2005 available from

http://www.cybertrust.com/media/white_papers/cybertrust_wp_blue.pdf

http://www.netsec.net/content/securitybrief/archive/2005-07_Bluetooth.pdf

wireless Bluetooth applications” available from

http://www.holtmann.org/papers/bluetooth/saimba_english.pdf

threats and security measures “available from

http://www.bsi.de/english/publications/brosch/B05_bluetooth.pdf

http://www.ucs.uwa.edu.au/__data/page/5183/bluetooth_security.pdf

[20]Thomas Muller “Bluetooth Security white paper 1.C.116/1.0 July 99” available

from http://www.bluetooth.com/NR/rdonlyres/C222A81E-D9F9-48CA-91DE-

9C81F5C8B94F/0/Security_Architecture.pdf

http://www.bluetooth.com/NR/rdonlyres/7F6DEA50-05CC-4A8D-B87B-

F5AA02AD78EF/0/Protocol_Architecture.pdf

Core package version 2.0 + edr, 2004. Available from http://www.bluetooth.org.

http://student.vub.ac.be/~sijansse/2e%20lic/BT/Thesis/Thesis.pdf

Advances in Cryptology - Proc. Crypto'93, Lect. Notes Computer. Sci. 773, pp.22–39,

Springer Verlag, 1994.

[25] P. Hawkes and G.G. Rose. “Rewriting Variables: the Complexity of Fast Algebraic

Attacks on Stream Ciphers.” Advances in Cryptology - CRYPTO 2004.

56

[26] M. Hermelin and K. Nyberg. “Correlation properties of the Bluetooth combiner”.

Proceedings of 2nd international Conference on information security and cryptology

pp. 17–29 year 1999.

[27] R.A. Rueppel. “Correlation immunity and the summation combiner”. Generator,

Advances. In Cryptology-Crypto’85, Proceedings, pp. 260-272, Springer-Verlag, 1986

[28] Bluetooth Special Interest Group SIG. “The Bluetooth core specification version

1.2”. November 2003. http://www.bluetooth.org.

[29] S.R.Fluhrer and S.Lucks:” Analysis of the E0 Encryption System, Selected Areas

in. Cryptography - SAC 2001, Lecture Notes in Computer Science”, 2001

http://www.cs.stonybrook.edu/~sion/teaching/sunysb/2006-

Fall/CSE508/slides/class14/Bluetooth.pdf

1998.

cryptographic applications”. September 1984. pp. 776–779.

linear polynomials”. 2000. pp. 300–315.

[33] A. Kipnis and A. Shamir. “Cryptanalysis of the HFE public key cryptosystem.”

1999. pp. 19–30.

57

- Device Information ServiceTransféré parFrankSansC
- 20061123081927156 SGH-E250 UG EU Eng Rev 1 0 061116Transféré par05REEDH
- p171 BluetoothTransféré parjnanesh582
- Avnet Memec RF and Wireless Solutions Oct 2010Transféré paralunw65
- Toshiba Sat SatPro C40 C50 C70 a Series GMAD00381010Transféré parworldbfree
- UT Dallas Syllabus for cs4396.001.09s taught by Kamil Sarac (kxs028100)Transféré parUT Dallas Provost's Technology Group
- TecraM4_PMAD00040010_05Mar24Transféré parChris Matheson
- JBL Flip 4 Spec Sheet EnglishTransféré parRobertoMartínez
- HRP_V10Transféré parSarunkumar Balath
- Industrial Design PortfolioTransféré parDennis Rowan Mann
- GMAD00423012_SatSat-Pro-CL40-C40-C50-C70_C-Series_15Sept10Transféré parGuillermo Martínez Madrigal
- Bluetooth StandardsTransféré parNamrata Dhamal
- samsung hf1700Transféré parluomonero
- BT3030Transféré parluadalume
- UserguideTransféré parShane Loyer
- Introduction to Blue Tooth NetworkingTransféré parvineetasingh24
- UT Dallas Syllabus for cs4396.001.10s taught by Kamil Sarac (kxs028100)Transféré parUT Dallas Provost's Technology Group
- A_Model_for_Network_Security.pdfTransféré parVương Việt
- GAP_definitionsBluetooth Core v1Transféré parTice Harman
- BluetoothTransféré parBobby
- NX ConnectTransféré parsigilum_dei
- Fmb 920 User Manual v 025Transféré paramin
- SIT202 Problem Solving Report 1Transféré parRakesh Kumar
- Ieee-elearning.org Outreach File.php 1345 a Wireless Energy Custodian NetworkTransféré pargauravjoshi1992
- RecommendationsTransféré parJill Morris
- Samstrom Bluetooth Wireless Mouse SMBT17 ManualTransféré parPoppy Cock
- Networking.docTransféré parRichard Coronel
- references4eddyTransféré parAnyama Oscar Uzoma
- 2017 e Series Sync Qrg Version 1 Qg en Us 04 2016Transféré parmfruge7
- Defradar_Personal Data Flow Mapping Tool.xlsxTransféré parJakobović Domagoj

- MSCI Quality Indices MethodologyTransféré parTian-Yu Tan
- Andrew Baldwin, David Bordoli-Handbook for Construction Planning and Scheduling-Wiley (2014)Transféré parAtef Ragab
- API Thread MeasurementTransféré parNaser Khan
- Cbse AIPMT Prelims 2006Transféré parANUZ DUET
- Study on Travel and Living International TravelTransféré parAnonymous izrFWiQ
- Rates QuestionsTransféré parG M Ali Kawsar
- IGCSE Math 0580 y14 SyTransféré parKhyeChing Ong
- Detecting protein–protein interactions by far western blottingTransféré parJinsheng Zhu
- 12 Factors Influencing Friction Force (TM)Transféré parMuhammad Rifqi Rofiuddin
- RMT Unit-1Transféré parSubathra Devi Mourougane
- Hack NetTransféré parYazidSam
- spssTransféré parLeme Asyu
- Windows 7 Keyboard ShortcutsTransféré parAchmad Yahya
- Quantitative Economics BookletTransféré parrichashine
- Pneumatika KatalogusTransféré parpissini-1
- Surfacing of 3.25% Nickel steel with Inconel 625 by the gas metal arc welding-pulsed arc processTransféré parMoses_Jakkala
- SAT / ACT Math ChecklistTransféré paraehsgo2college
- JUNO-DS ParamGuide e01 WTransféré parDenilson Tecladista
- p200413-101Transféré parPrince Zino
- mdpe is 14885Transféré parrudrakr
- additional mathematics project work Kelantan 2/2012Transféré parMuhammad Afif
- MudflapTransféré parmaxbyz
- Employee Payment Management SystemTransféré paranandreddyr
- m13s2561616a elitesemiconductormemorytechnologyTransféré parapi-432313169
- Chapter 7 Final Accounts (1)Transféré parIzhan Abd Rahim
- EEB 516 Assignment 2Transféré parLeo Gee
- Manish K. Gupta- The Quest for Error Correction in BiologyTransféré parJinn679
- msp430 Tutorialv0_1Transféré pardebnathsuman91
- Hardening OracleTransféré parPedro Perez
- How_to_Grok_GREPTransféré parRick Gordon