Simple Bluetooth Security Manager based on the Open Bluetooth stack

Simple Bluetooth Security Manager based on the Open Bluetooth stack. Dec. 18. 2001 Jongbae Park (+82-42-866-6162 ) ( jbpark@icu.ac.kr ). Contents. Bluetooth Introduction Bluetooth security architecture Axis Bluetooth stack Simple Security Manager Implementation Result.

Presentation Transcript


  1. Simple Bluetooth Security Manager based on the Open Bluetooth stack Dec. 18. 2001 Jongbae Park (+82-42-866-6162 ) (jbpark@icu.ac.kr)

  2. Contents • Bluetooth Introduction • Bluetooth security architecture • Axis Bluetooth stack • Simple Security Manager Implementation • Result

  3. What Is an Emerging Technology Called Bluetooth?

  4. Bluetooth : a short-range radio technology for integration into mobile and handheld devices that is targeted to replace cables. • Forget Plug and Play - just Play • 1Mbps(Sync), 723kbps(Async) • 2.4GHz ISM band • 1 or 100mW, 10 m, $4 @2003 ~ 4 • 3 voice channels • 8 participants in a piconet Nobody loves wires!

  5. Landline Cable Replacement Data/Voice Access Points Personal Ad-hoc Networks What Does Bluetooth Wireless Technology Do For You?

  6. PAN WG

  7. Baseband (BT1/BT2) IF/RF (BT1/BT2) Bluetooth Protocol Stack

  8. Bluetooth Products R520 T39 T28 w/ Adapter

  9. Products • 3Com PC Card, • USB Adapter • - CSR, Parthus • ATO Headset • - Ericsson • Axis AP • Brain Boxes – PC Card, RS232 Adapter, CF Card • - CSR, Socket Comm.

  10. Bluetooth security architecture

  11. Bluetooth security architecture • 3 Security modes are defined • Security Mode 1: non-secure • Security Mode 2: service level enforced security • Security Mode 3: link level enforced security • Security Mode 2 • Bluetooth device initiates security procedures after the channel is established (at the higher layers) • Security Mode 3 • Bluetooth device initiates security procedures before the channel is established (at the lower layers).

  12. Example Bluetooth Security Architecture Bluetooth security architecture

  13. Bluetooth security architecture • Store security-related information on services & devices • Answer access requests by protocol implementations or applications (either access granted or refused) • Enforce authentication and/or encryption before connecting to the application. • Initiate or process input from the device user to set up trusted relationships on device level. • Initiate pairing and query PIN entry by the user. PIN entry might also be done by an application.

  14. AXIS BLUETOOTH STACK • The AXIS OpenBT Stack • Implementation of Bluetooth stack for Linux. • Bluetooth Driver for Linux Kernel v2.0, v2.2 and v2.4 • http://sourceforge.net/projects/openbt/

  15. AXIS BLUETOOTH STACK • Structure of the AXIS OpenBT Bluetooth stack

  16. AXIS BLUETOOTH STACK- Security

  17. AXIS BLUETOOTH STACK- Sec_manager (table columns: function name, description) • sec_client_shutdown: static void sec_client_shutdown(). security_query.originator = KERNEL. If the kernel version is defined, prints the “wake_up process~~” message. • sec_man_init: static void sec_man_init(enum security_requests user). If the kernel version is defined, calls open_socket().

  18. AXIS BLUETOOTH STACK- Sec_manager • sec_man_check: static void sec_man_check(enum security_requests user, BD_ADDR bd_addr, u32 service_data, u32 user_data). If the kernel version is defined: when sec_man_sock is less than 0 (there is no security manager), prints an error message. If the kernel version is not defined: calls sec_man_doquery(). • sec_man_event: static void sec_man_event(enum security_requests user, BD_ADDR bd_addr, u8 event, u8 *param, u8 param_len)

  19. AXIS BLUETOOTH STACK- Sec_manager • (sec_man_event, continued) Compares param_len with MAX_EVENT_DATA_LENGTH. If param_len is larger, prints “event data length too long” and copies MAX_EVENT_DATA_LENGTH bytes of param into security_query.event_param with memcpy; otherwise copies param_len bytes with memcpy. Calls sec_man_doquery(). • open_socket: int open_socket(char *name). Opens a socket. If the connection is less than 0, the socket cannot be opened, so it prints an error message saying the security manager cannot be used. • sec_man_proc_dir_entry_read

  20. AXIS BLUETOOTH STACK- Sec_manager • (sec_man_proc_dir_entry_read, continued) static s32 sec_man_proc_dir_entry_read(char *buf, char **start, off_t offset, s32 len, s32 unused). Calls sec_man_read(). • sec_man_read: static s32 sec_man_read(struct inode *inode, struct file * file, char * buf, s32 count). If security_query.originator is not BT_SEC_MAN, prints a “no response” message and calls interruptible_sleep_on().

  21. AXIS BLUETOOTH STACK- Sec_manager • sec_man_write: static s32 sec_man_write(struct inode *inode, struct file * file, const char * buf, s32 count). If sec_hdl->originator == BT_SEC_MAN (a new request can be accepted), sets security_query.originator = SEC_CLIENT. If sec_hdl->request_type is L2CAP, calls l2cap_process_sec_man_response(). If sec_hdl->request_type is RFCOMM, calls rfcomm_process_sec_man_response(). • sec_man_doquery: static s32 sec_man_doquery(s32 fd, u8 *request). Reads as many bytes as the size of security_query from sec_man_sock and stores them in request.

  22. AXIS BLUETOOTH STACK- Sec_manager • (sec_man_doquery, continued) n = the number of bytes stored in tmpbuf after reading BUFFER_SIZE from sec_man_sock. If n is smaller than the size of security_query, prints that a response of db_hdl len was made. If sec_hdl->request_type is L2CAP, calls l2cap_process_sec_man_response(). If sec_hdl->request_type is RFCOMM, calls rfcomm_process_sec_man_response(). • sec_client_shutdown: static void sec_client_shutdown ( ). Prints a message that the Wait_up process is awakening.

  23. AXIS BLUETOOTH STACK- Sec_manager • init_link_key_list: static void init_link_key_list ( )

          link_key_list.first = NULL;
          link_key_list.last = NULL;
          link_key_list.cur = NULL;
          link_key_list.count = 0;

      • free_link_key_list: static void free_link_key_list ( ). Calls delete_link_key ( ).

  24. AXIS BLUETOOTH STACK- Sec_manager • create_link_key: link_key_information_type* create_link_key(unsigned char *bd_addr, unsigned char *link_key_str). Checks the size of the link key list and prints whether a new link key element can be allocated. If link_key_list.count equals MAX_LINKKEYLISTSIZE, a “connection list full” error message appears. • get_next_link_key: link_key_information_type* get_next_link_key(link_key_information_type* link_key). Returns NULL if link_key_list.first equals link_key->next.

  25. AXIS BLUETOOTH STACK- Sec_manager • insert_link_key: static void insert_link_key(link_key_information_type *new_link_key). When the list is empty:

          link_key_list.first = new_link_key;
          link_key_list.cur = new_link_key;
          link_key_list.last = new_link_key;
          link_key_list.count++;
          new_link_key->next = link_key_list.first; /* Point at itself */
          new_link_key->prev = link_key_list.first;

  26. AXIS BLUETOOTH STACK- Sec_manager • (insert_link_key, continued) When the list is not empty:

          old_link_key = link_key_list.first; /* mark oldlink_key first */
          new_link_key->next = old_link_key;
          link_key_list.last->next = new_link_key;
          old_link_key->prev = new_link_key;
          new_link_key->prev = link_key_list.last;
          link_key_list.cur = new_link_key; /* Set current to new element */
          link_key_list.first = new_link_key; /* Set first to new element */
          link_key_list.count++;

      • delete_link_key: static s32 delete_link_key(link_key_information_type *link_key)

  27. AXIS BLUETOOTH STACK- Sec_manager • (delete_link_key, continued) Deletes the element and updates the pointers. When it is the last element (link_key_list.count == 1):

          link_key_list.count--;
          link_key_list.first = NULL;
          link_key_list.cur = NULL;
          link_key_list.last = NULL;
          kfree(link_key);

  28. AXIS BLUETOOTH STACK- Sec_manager • sec_man_create_proc_file: static s32 sec_man_create_proc_file(void). Initializes the wait queue. Calls init_waitqueue_head (). If the proc entry is registered successfully (by calling create_proc_entry ()), sets the required structure information. • sec_man_remove_proc_file: static s32 sec_man_remove_proc_file (void). If LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0), calls remove_proc_entry (). Otherwise, calls proc_unregister().

  29. AXIS BLUETOOTH STACK- Sec_manager • sec_man_get_cached_link_key: static void sec_man_get_cached_link_key(u8 *param). Calls get_first_link_key (). If the link key is not NULL, copies BD_ADDRESS_SIZE bytes of link_key->bd_addr to param with memcpy, then copies LINK_KEY_SIZE bytes of link_key->link_key to param + BD_ADDRESS_SIZE with memcpy. If the link key is NULL, performs a memset.

  30. AXIS BLUETOOTH STACK- Sec_manager

          HCI: process_event, REMOTE_NAME_REQUEST_COMPLETE AXIS 9010 (129.132.164.116)
          HCI: send_cmd_queue, start: Num_HCI_Command_Packets=1
          BT DATA <--|X| 8
          HCI: send_cmd_queue, end : 0 cmds left in queue
          HCI: send_acl_data_task, 0 bytes
          BT DATA -->|X| 9
          hci_receive_data, hci-9
          HCI: hci_receive_data, WAIT_FOR_PACKET_TYPE
          HCI: hci_receive_data, WAIT_FOR_EVENT_TYPE
          HCI: hci_receive_data, WAIT_FOR_EVENT_LENGTH
          HCI: process_event, COMMAND_COMPLETE
          HCI: <CC> process_return_param, WRITE_LINK_POLICY_SETTINGS
          HCI: update_nhcp, Num_HCI_Command_Packets=1
          HCI: send_cmd_queue, start: Num_HCI_Command_Packets=1
          HCI: send_cmd_queue, end : 0 cmds

  31. Result

          left in queue
          BT DATA -->|X| 9
          hci_receive_data, hci-9
          HCI: hci_receive_data, WAIT_FOR_PACKET_TYPE
          HCI: hci_receive_data, WAIT_FOR_EVENT_TYPE
          HCI: hci_receive_data, WAIT_FOR_EVENT_LENGTH
          HCI: process_event, PIN_CODE_REQUEST
          forwarding event to security manager
          Called my_sec_man
          We are in SEC_MAN_LOOPBACK mode ...

  32. Result

          We are in SEC_MAN_LOOPBACK mode ...
          hci_pin_code_request_reply New pin is (3): 0x31 0x32 0x33
          hci_pin_code_request_reply BD_addr (6): 0x73 0x85 0x58 0x8c 0x40 0x00
          hci_pin_code_request_reply, pin (3): 0x31 0x32 0x33
          HCI: start_cmd_timer
          HCI: insert_cmd
          Aiee: scheduling in interrupt 90066664
          Aiee: scheduling in interrupt 90066664
          Aiee: scheduling in interrupt 90066664
          Aiee: scheduling in interrupt 90066664
          Aiee: scheduling in interrupt 90066664
          Aiee: scheduling in interrupt 90066664
          Aiee: scheduling in interrupt 90066664

  33. Result • my sec_manager:

          /* Loopback test handler: answers every PIN_CODE_REQUEST with the
           * fixed PIN "123", whichever device sent the request. */
          void my_sec_man(BD_ADDR bd_addr)
          {
              BD_ADDR address;
              char pin[] = "123";
              char len = 3;

              printk("We are in SEC_MAN_LOOPBACK mode ...\n");
              memcpy(address, bd_addr, BD_ADDRESS_SIZE);
              /* Send the PIN back to the controller for this device */
              hci_pin_code_request_reply(address, pin, len);
          }
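The service-level decision that slides 11 and 13 describe (Security Mode 2: answer an access request per service and per device after the channel is established), as an added example that is not code from the presentation or from OpenBT. `sec_check`, the policy bits and both tables are hypothetical; PSM 0x0001 (SDP) and 0x0003 (RFCOMM) are the standard values, 0x1001 is constructed, and the device address is the one shown in the slide 32 log.

```c
/* Added example, not OpenBT code; all names and table entries are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { REQ_AUTHEN = 1, REQ_ENCRYPT = 2, REQ_TRUSTED = 4 }; /* service policy bits */
enum { LINK_AUTHEN = 1, LINK_ENCRYPT = 2 };  /* link state, same values as REQ_* */
enum verdict { ACCESS_GRANTED, ACCESS_REFUSED, ACCESS_PENDING };

static const struct service { unsigned psm, policy; } service_db[] = {
    { 0x0001, 0 },                           /* SDP: open to every device */
    { 0x0003, REQ_AUTHEN | REQ_ENCRYPT },    /* RFCOMM */
    { 0x1001, REQ_TRUSTED | REQ_ENCRYPT },   /* constructed service */
};
static const unsigned char trusted_db[][6] = {   /* devices marked trusted */
    { 0x73, 0x85, 0x58, 0x8c, 0x40, 0x00 },
};

static int is_trusted(const unsigned char *addr)
{
    for (size_t i = 0; i < sizeof trusted_db / sizeof trusted_db[0]; i++)
        if (memcmp(trusted_db[i], addr, 6) == 0)
            return 1;
    return 0;
}

/* Answer an access request; *todo gets the link procedures still to enforce. */
static enum verdict sec_check(unsigned psm, const unsigned char *addr,
                              unsigned link, unsigned *todo)
{
    *todo = 0;
    for (size_t i = 0; i < sizeof service_db / sizeof service_db[0]; i++) {
        unsigned policy = service_db[i].policy;
        if (service_db[i].psm != psm) continue;
        if (policy & REQ_TRUSTED)            /* an address alone proves nothing */
            policy |= REQ_AUTHEN;
        *todo = policy & (REQ_AUTHEN | REQ_ENCRYPT) & ~link;
        if (*todo) return ACCESS_PENDING;    /* authenticate/encrypt, then retry */
        return ((policy & REQ_TRUSTED) && !is_trusted(addr))
                   ? ACCESS_REFUSED : ACCESS_GRANTED;
    }
    return ACCESS_REFUSED;                   /* unknown service: default deny */
}

int main(void)
{
    const unsigned char peer[6] = { 0x73, 0x85, 0x58, 0x8c, 0x40, 0x00 };
    unsigned todo, v = sec_check(0x0003, peer, 0, &todo);
    printf("RFCOMM on a bare link: verdict=%u todo=%u\n", v, todo);
    return 0;
}
```

The trusted-device lookup runs only once the link is authenticated, so a device that merely claims a trusted address is sent through authentication first.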
