ETH 780 Information Security
advertisement
FSATIE TELECOMMUNICATION WORKSHOP Bluetooth technology survey Presented by David Johnson Mobile platform technology leader Icomtek CSIR 1 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 2 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 3 Origins of Bluetooth In 1994 Ericsson initiated a study to investigate the feasibility of a low-power low-cost radio interface between mobile phones and their accessories In Feb 1998, five companies Ericsson, Nokia, IBM, Toshiba and Intel formed a Special Interest Group (SIG) In July 1999 the first bluetooth specification 1.0 was released The bluetooth consortium today is comprised of 9 promoter companies who are leaders in telecomms, computing and networking and more than 2000 adopter companies Bluetooth is the fastest growing technology since the internet or the cellular phone, incredible considering that its first public outing was in mid 1998. Author: D L Johnson 4 Origins of Bluetooth Author: D L Johnson 5 History of Bluetooth Harald I Bluetooth (Danish Harald Blåtand) was the King of Denmark between 940 and 985 AD who united Denmark and Norway As Harald Bluetooth united Denmark and Norway, Bluetooth of today will unite the many worlds of personal devices around us Rune stone in Danish town, Jelling depicting Harold Bluetooth Author: D L Johnson 6 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 7 What Bluetooth can do - definition Bluetooth is a low-power, low-cost short range radio system intended to replace cables between fixed and portable devices. It is intended to replace many propriety cables with one universal radio link. Author: D L Johnson 8 What Bluetooth can do - domains Landline Cable Replacement Data/Voice Access Points Personal Ad-hoc Connectivity Author: D L Johnson 9 What Bluetooth can do – user level Hot spot scenario: Let your laptop or PDA connect wireless to Internet or office while at the airport, hotel etc Automatically sync mail, calendar, notes etc. between your PDA and PC, as soon as you get into your office Physical access control Let your PC, Stereo and TV all connect without cables to your loudspeakers. Let the PC, phone or PDA control them all Take a picture with a digital camera, and send it via BT to a mobile phone, which forwards the picture to an email recipient via WAP Pay the cab driver via the phone. Withdrawal of money at ATMs Setup ad-hoc wireless network at a conference Author: D L Johnson 10 What Bluetooth can do – technical level Data links: Can establish up to 7 simultaneous data connections between a master and it’s slaves (piconet) Voice links: Can establish up to 3 simultaneous voice connections between a master it’s slaves (piconet) Maximum asymmetrical data rate of 723 kbps (57.6 kbps return channel) Maximum Symmetrical data rate of 432.6 kbps Can have up to ten multiple self contained networks (piconets) sharing spectrum in the same area (scatternet) Range can be up to 10m for 10mw bluetooth devices and up to 100m for 100mw bluetooth devices Very low power consumption Ability to discover available services on another device Author: D L Johnson 11 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 12 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Author: D L Johnson 13 The Bluetooth Stack Overview Author: D L Johnson 14 The Bluetooth Stack Overview Author: D L Johnson 15 Bluetooth Stack - Overview Headset Bluetooth Stack Author: D L Johnson 16 Bluetooth Stack - Overview Access Point Bluetooth Stack Author: D L Johnson 17 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Author: D L Johnson 18 Bluetooth Stack - Radio Bluetooth radio is a short range radio link capable of data and voice Three classes of operating range are defined ( Class3: 1mw ~ 10cm, Class2: 10mw ~ 10m, Class1: 100mw ~ 100m ) Uses a radio link at 2.4Ghz (2400-2483.5MHz ) which is the unlicensed ISM band also used by WLAN GFSK (Guassian Frequency Shift Keying) modulation scheme Uses frequency hopping spread spectrum technology (1600 hops/s) The signal hops among 79 frequencies which have a bandwidth of 1MHz which improves interference immunity Channel has a symbol rate of 1 Mb/s Author: D L Johnson 19 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Author: D L Johnson 20 Bluetooth Stack - Baseband Baseband is responsible for channel coding and decoding and low level timing control and management of the link within the domain of a single data packet transfer Each registered device has a unique 48-bit device address Bluetooth uses TDM where the duration of a slot is 625µs A Master and Slave transmit on alternate time slots with the master always initiating data exchange Larger packets can use multiple slots The Master and slave devices need to synchronize their clocks to enable reliable communication to take place Author: D L Johnson 21 Bluetooth Stack - Baseband Timing diagrams for data packets Author: D L Johnson 22 Bluetooth Stack - Baseband Bluetooth is able to form point-to-point links and point-tomultipoint links The network of bluetooth devices is defined as a Personal Area network (PAN) A Piconet is an arbitrary collection of Bluetooth enabled devices which are physically close enough to communicate A Scatternet is formed when there are two overlapping Piconets, where one of the Slaves of one Piconet also forms the Master/Slave of another Piconet A supervision timeout ensures that links are closed down when Bluetooth devices move out of range of the Piconet. Author: D L Johnson 23 Bluetooth Stack - Baseband Piconets (a & b) and Scatternets ( c ) Author: D L Johnson 24 Bluetooth Stack - Baseband Author: D L Johnson 25 Bluetooth Stack - Baseband Two types of links are defined + Data Links - ACL (Asynchronous Connection-Less) + Voice Links – SCO (Synchronous Connection Orientated) An ACL link is a packet switched data link which is established between a Master and Slave as soon as a connection has been established. ACL Data is carried in DH (Data High rate) packets with no FEC (Forward Error Correction) or DM (Data Medium rate) packets with FEC A SCO link provides a circuit switched link between a Master and Slave with reserved channel bandwidth. SCO Data is carried in HV (High Quality Voice) packets a number of selectable error correction packets Author: D L Johnson 26 Bluetooth Stack - Baseband Packet Types Author: D L Johnson 27 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Author: D L Johnson 28 Bluetooth Stack – Link Controller The Link Control Layer is a state machine which drives the baseband through various stages to establish links. It is responsible for managing device discoverability, establishing connections and once connected, maintaining the on-air links It can drive a device through the following stages + Host Inquiry + Inquiry Scan + FHS (Frequency Hop Synchronization) packet response + Paging + Page Scan + Connection Author: D L Johnson 29 Bluetooth Stack - Link Controller State Diagram for Link Controller Author: D L Johnson 30 Bluetooth Stack - Link Controller Inquiry procedure (typical time ~ 2s) Author: D L Johnson 31 Bluetooth Stack - Link Controller Inquiry procedure (continued) Author: D L Johnson 32 Bluetooth stack – Link Controller Bluetooth Inquiry procedure at packet level Author: D L Johnson 33 Bluetooth Stack - Link Controller Paging Procedure (typical time ~0.6s) Author: D L Johnson 34 Bluetooth Stack - Link Controller The frequency hop sequence used in the connected state is calculated from the Master BD Address and Clock A connection is established once the Slave has received the Masters native clock and bluetooth address and a poll packet has been sent to confirm the connection is working Author: D L Johnson 35 Bluetooth stack – Link Controller Bluetooth Paging procedure at packet level Author: D L Johnson 36 Bluetooth Stack - Link Controller Low Power connected states (Can re-establish connection in 2ms) + Connection – Hold: Device ceases to support ACL traffic for a defined period of time to free up bandwidth for other operations such as paging or inquiring, maintains AM address, after hold time expires the device resynchronizes to the CAC and listens for traffic again + Connection – Sniff: Device is given a predefined slot time and periodicity to listen for traffic, on reception of a packet during this time it will continue to listen until packets with its AM address stop and the timeout period ceases, it then waits until the next sniff period + Connection – Park: Slave gives up its AM address and only listens for traffic at predefined beacon intervals – between this it can enter a low power state. At these intervals even if there is no traffic it will synchronize its clock to the CAC. Author: D L Johnson 37 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Author: D L Johnson 38 Bluetooth Stack – Link Manager Commands the Link Controller/Baseband Attaches/Detaches slaves to a piconet and allocates their Active Member addresses Configures the link which inlcudes a master-slave switch Establishes ACL (data) and SCO (voice) links Puts connections in low-power modes: Hold, Sniff, Park Controls Power levels Communicates with Link Managers on other Bluetooth devices using the Link Management Protocol (LMP) + These LMP commands are used to exchange information necessary for security negotiation + Requesting a SCO connection or Master/Slave switch is also done through LMP commands Author: D L Johnson 39 Bluetooth Stack – Link Manager Author: D L Johnson 40 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Bluetooth Stack – Other Higher Layers Author: D L Johnson 41 Bluetooth Stack - HCI The Host Controller Interface is necessary when there is system partitioning between the baseband and Link Manager on one processor and the higher layers such as L2CAP, SDP and RFCOMM running on a serperate host processor This can reduce the processing power needed by the bluetooth device and hence reduce cost Creates a standard interface that can be used by different manufactures of Bluetooth devices Three types of HCI packets are used + Command packets used by host to control the module + Event packets used by the module to inform the host + Data packets used to pass voice and data between host and module A transport layer (USB, RS-232) is also required to carry HCI packets Author: D L Johnson 42 Bluetooth Stack - HCI Position of the HCI in the Bluetooth Stack Author: D L Johnson 43 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Bluetooth Stack – Other Higher Layers Author: D L Johnson 44 Bluetooth Stack – Logical Link Control and Adaptation Protocol (L2CAP) Takes data from higher layers of the stack and from applications and sends it over the lower layers of the stack Achieved by multiplexing using dedicated channel numbers and associated (Protocol Service Multiplexers) PSM’s Segmentation and reassembly to transfer packets larger than the lower layers support Quality of service management for high layer protocols Author: D L Johnson 45 Bluetooth Stack – Logical Link Control and Adaptation Protocol (L2CAP) Example setting up an L2CAP connection over HCI Author: D L Johnson 46 Bluetooth Stack – Logical Link Control and Adaptation Protocol (L2CAP) Segmentation and transport of L2CAP packets Author: D L Johnson 47 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Bluetooth Stack – Other Higher Layers Author: D L Johnson 48 Bluetooth Stack - RFCOMM RFCOMM is a simple reliable transport protocol which can emulate the serial cable link settings and status of an RS232 serial port It can handle multiple concurrent connections by relying on the multiplexing features of L2CAP It provides the following provisions + Modem status – RTS/CTS, DSR/DTR, DCD and RI + Remote line status – Break, Overrun, Parity + Remote port settings – Baud rate, parity, data bits etc. + Parameter negotiation (frame size) + Optional credit based flow control Author: D L Johnson 49 Building blocks of Bluetooth – the Bluetooth stack The Bluetooth Stack Overview Bluetooth Stack – Radio Bluetooth Stack – Baseband Bluetooth Stack – Link controller Bluetooth Stack – Link Manager Bluetooth Stack – HCI Bluetooth Stack – L2CAP Bluetooth Stack – RFCOMM Bluetooth Stack – SDP Bluetooth Stack – Other Higher Layers Author: D L Johnson 50 Bluetooth Stack – Service Discovery Protocol Provides a means for an SDP client to access information about service offered by SDP servers (examples: printing services, Dial-up networking, LAN access) SDP servers maintain a database of service records which provide information that a client needs to access a service (This will be the service name, protocols needed for this service and even URL’s for executables and documentation) Services have UUID’s (Universally Unique Identifiers) which have been allocated for the standard bluetooth profiles but service providers can define their own using a method that guarantees they cannot be duplicated (there is no need for a central authority to allocate these) Fits in well with Universal Plug and Play architecture Author: D L Johnson 51 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Example applications – Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 52 Bluetooth ad-hoc networking Ad-hoc wireless networks are defined as a network where each node operates not only as a host but also as a router Network is dynamically self-organizing and selfconfiguring Nodes in the network automatically establish and maintain routing among themselves as they move about There is no requirement for existing infrastructure such as access points or administration Bluetooth is a natural choice over 802.11 for ad-hoc networking due to its good performance under high levels of contention 802.11 uses a carrier sense, collion detection & back off scheme which requires no central arbiter whereas bluetooth uses a master node as a bandwidth arbiter Author: D L Johnson 53 Bluetooth ad-hoc networking When the underlying technology for ad-hoc networking is bluetooth, the technology specific name is scatternet formation A scatternet is formed when two or more bluetooth piconets are joined The bluetooth 1.1 specification does not describe a method for forming scatternets This is currently a key area of research and there is a dedicated working group in the bluetooth SIG looking at scatternet formation Author: D L Johnson 54 Bluetooth ad-hoc networking Author: D L Johnson 55 Bluetooth ad-hoc networking Example of self routing strategy - Bluetree Author: D L Johnson 56 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Example applications – Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 57 Bluetooth Security - Overview Wireless signals can be easily intercepted and are vulnerable to spoofing and eavesdropping Bluetooth offers the following inherent security features + Two different modes of accessibility (confidentiality) – Discoverable mode – Anyone can discover the device – Non-discoverable, Limited discoverability, General discoverability – Connectible mode – Only trusted devices can connect to the devices + Frequency hopping + Limited Range Bluetooth offers the following specific security services + Authentication to verify the device’s identity + Authorization to allow a device access to specific services + Encryption to protect the link privacy Author: D L Johnson 58 Bluetooth Security – Security Levels Not all applications warrant the use of security Bluetooth defines three levels of security + Mode 1: Absence of security for users accessing non-critical applications in public areas such as airports or for example exchanging business cards + Mode2: Service level security which will enable or disable security depending on the particular application which in run. For example a hotel bluetooth network could have no security for accessing local town information but could add security if you wanted to access your email. + Mode3: Link-level security where security is enforced at a common level for all applications – for example if ATM transactions were done via bluetooth. Author: D L Johnson 59 Bluetooth Security - Components Security is based on the SAFER+ security protocol All link-level security is based on 128-bit link keys A secret PIN number (variable from 4 to 16 octets) which is common to the two devices wishing to communicate forms one of the key inputs into forming the initial link key. Authentication in Bluetooth uses a device-to-device challenge and response scheme to determine if the two devices share a common link key Encryption generates a cipher stream based on an encryption key which is generated from a common link key – encryption is symmetrical Author: D L Johnson 60 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 61 Bluetooth Profiles The blueooth SIG has created profiles which give a clear description of how the bluetooth specification should be used for a given end-user function – this is to ease interoperation between different bluetooth devices Author: D L Johnson 62 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Example applications – Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 63 Bluetooth Products Notebooks Printers and keyboards Camcorders Access points PC and flash cards Phones and accessories Headsets PDA’s and accessories USB and serial ports Author: D L Johnson 64 Bluetooth Products - Bluetags Track: Registration of the tagged item leaving a predefined area or range. Search: Registration of the tagged item entering a predefined area or range Write: Information can be written and stored directly in the BlueTag Read: Information stored in the BlueTag can be accessed and read Author: D L Johnson 65 Bluetooth Products – Ericsson Chatpen Used together with patterned paper it enables you to store and transmit basically anything you write or draw Can store several pages of information The information is transmitted by the Bluetooth transceiver, either directly to your computer, or forwarded to someone via a relay device such as a cell phone Author: D L Johnson 66 Bluetooth Products – Commil’s Cellarion system Your mobile phone with Bluetooth inside becomes your “all-inone” handset: a cellular phone outdoors and a cordless extension of your desk phone at your office Your Bluetooth PDA becomes an extension of your PC, continuously connected to the Internet and to the office LAN Author: D L Johnson 67 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Example applications – Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 68 Bluetooth in South Africa Bluetooth is still in its infancy in South Africa Red-M have representation in South Afirca – they specialize in bluetooth networking solutions for buildings (supply bluetooth access nodes and servers) Axis are represented in South Africa and also provide access points ATIO piloted bluetooth networking in a hospital Electrowave in Durban have produced two qualified bluetooth products + Cabchat hands-free car kit + GSM and bluetooth based road emergency SOS system Author: D L Johnson 69 Bluetooth in South Africa Very little low level design work and R&D is currently being carried out in bluetooth but a need exists Author: D L Johnson 70 Bluetooth in South African CSIR has been carrying out research and created Bluetooth prototype systems for the past 2 years + Bluetooth Serial port adapters + Heart rate over Bluetooth system + Assistive communication device + Low cost fixed and mobile access point Non- OFS (Off The Shelf) solutions are needed for the Transport sector, Energy sector, Emergency services and Scientists Currently a bluetooth chip costs between $4 and $5 when purchased in bulk South African markets need to create indigenous solutions based on the raw chipset and not only purchase OTS solutions from overseas suppliers Author: D L Johnson 71 Bluetooth in South Africa Current potential markets are + Home and industrial security + Home automation + Emergency services + Motor vehicle industry + Industrial control and automation + Military + Scientific instrumentation Author: D L Johnson 72 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Example applications – Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 73 Competing Technology Author: D L Johnson 74 Competing Technology HomeRF Bluetooth 802.11b Physical layer FHSS FHSS FHSS, DSSS Hop frequency 50 hops/s 1600 hops/s 2.5 hops/s Transmitting power 100mW 10mW-100mW 100mW Power consumption (100mW device) Approx 200mA 720kbps 53mA Standby 57uA Sleep 20uA TX <420mA RX <260mA Data rates 1 or 2 Mbps 1 Mbps 11 Mbps Range 50m 10m-100m 100m (Legal!) Cost R1000 USB R238 Chipset $4 - $5 Pcmcia R256 to R1000 Terminals Laptop and Desktop Anything electronic Laptop and desktop Author: D L Johnson 75 Contents of Bluetooth lecture Origins and history of Bluetooth What Bluetooth can do Building blocks of Bluetooth – the bluetooth stack Bluetooth ad-hoc networking Bluetooth Security Example applications – Bluetooth profiles Bluetooth products on the market Bluetooth in South Africa Competing technology The future of Bluetooth Author: D L Johnson 76 The Future Version 1.2 draft has been released +Backward compatible with 1.1 +Improves wifi co-existence with Adaptive Frequency Hopping (AFH) +Improved connection times +Higher quality audio link Current version 2.0 working group + High rate bluetooth 10 Mb/s + HI_FI quality non-compressed audio, video suitable for video conferencing + Local positioning for indoor and built-up areas Author: D L Johnson 77 The Future Despite the delays, Bluetooth is still projected to be a $5 billion market within the next five years (Merrill Lynch February 8, 2001). The majority of market forecasting for Bluetooth applications remain in mobile phones, headsets, PDAs, and PCs, accounting for over 80% of units by 2006. Bluetooth penetration rate for digital still cameras is expected to be 60% in 2006 and the same rate for digital TV is expected to hit 65% in 2006 (Merrill Lynch, February 8, 2001). Cost per bluetooth chip is expected to fall to $5 by 2003 Based on analysts pricing estimates, this could translate to $18.5 billion of data access revenues, $2.4 billion of m-commerce, and $1.2 billion of advertising revenues by 2005 (Goldman Sachs, “Mobile Internet Primer,” July 14, 2000 Bluetooth remains a chicken or egg game – where the benefits of Bluetooth only begin to reach their zenith as a function of manufacturers’ willingness to introduce new products and make Bluetooth a persistent element in the industry Author: D L Johnson 78
