When encryption is desired, a ciphering key must be computed. In Bluetooth, the link key is not directly used as the key for the encryption mechanisms. Instead, the ciphering key is determined in several additional steps from the link key and is logically linked to the last authentication that has occurred between two devices through the ACO. In addition, the ciphering key is refreshed for each package that is transmitted. Since we want to explain the ciphering process in its entirety, we will in this section go stepwise through each detail of the ciphering key generation until the final key is fed into theE0stream cipher.
3.6.1 Encryption keyKC
Before encryption can commence, the encryption key must be computed. The encryption key KC can be seen as a high-level encryption key from which the
other ciphering keys are derived. The value ofKCis computed by using the algo-
rithm E3 from the current link key K, a 96-bit ciphering offset (COF), and a
128-bit random numberEN_RAND. The value of COF equals the value of the authentication ciphering offset ACO, except when the current link key is a mas- ter key. In the latter case, COF is derived from theBD_ADDRof the master as
Table 3.1
An Example of Two UTF-8 Encoded Pass-Keys
User-Entered String Pass-Key (Hexadecimal) ‘0123’ 0x30313233 ’Ärlig’ 0xC384726C67
COF when link is master key ACO oth = BD ADDR BD ADDR_ || _ , erwise (3.15) NowKCis given by
(
)
KC =E3 K EN RAND, _ , COF (3.16)The ciphering activation always starts with a new computation ofKCand
is a result of an explicit LM command. As a result, the encryption key is changed every time the encryption is activated. The algorithmE3is described in more
detail in Section 4.2.4.
3.6.2 Constraint keyKC′
Bluetooth has a key strength constraining mechanism that reduces the 128-bitKC
to a 128-bit key whose effective key length may be less than 128 bits. Here, effec- tive key length refers to the number of unknown (bit) combinations in the key. The constraining mechanism was introduced in Bluetooth as a result of export restrictions on encryption hardware. The resulting key is here called the constraint key and is denoted byKC′.KC′ is determined for a givenLby the computation
( ){
( )
[
( )]}
′ = KC x gL x K x g x C L ( ) 2 mod 1 (3.17)whereKC=(KC, 0,…,KC, 127),KC,i∈{0,1} andKC′= (KC′,0,K,KC′,127) andKC i′,
∈{0,1},
( )
( )
K x K x K x K x C C i i i C C i i i = ′ = ′ = =∑
∑
, , 0 127 0 127and (g1L( ),x g2L( ))x is a pair of polynomials over GF(2), that is, polynomials with coefficients that are elements of the finite field (Galois field) with 2 ele- ments. Since the polynomialsKC(x) andKC′(x) can also be viewed as polynomi-
als over GF(2), the computation in (3.17) is performed using the arithmetic of polynomials over GF(2)2. The modulo computation byg1(x) reducesKC(x) to a
polynomial h(x) of a degree less than the degree of g1(x). Thus the effective
2. Mathematicians would say that arithmetic is carried out in GF(2)[x] the ring of polynomials over GF(2).
number of unknown keys is reduced to at most 2degree[g1( )]x . The multiplication of h(x) by g2(x) results in a polynomial of a degree less than 128. Yet only
2degree[g1( )]x products can occur. Thus, depending on the degree of g
1(x), this
might be considerably less than 2128, the number of all possible polynomials of degree less than 128. The polynomialsg2(x) are chosen with an additional prop-
erty that guarantees that if two different values of KC result in two different
′
KC(x), the number of coefficients in which they differ is at least some given value. The latter value is denoted by Dmin. There are 16 pairs of polynomials
[g1L( ),x g2L( )]x . Table 3.2 lists the pairs and the DLmin of the resulting con-
strained key. The effective key length is≤8L.
Although the computations in (3.17) seem to be complicated, they are in fact very easily realized in a hardware circuit using a linear feedback/feedforward shift register with controllable taps. This fact, combined with the slight advan- tage of the guaranteed differences in the distinctKC′s, motivated the use of this way of constraining the encryption key.
The effective key lengthL(number of octets) is established via the encryp- tion key size negotiation. As of Bluetooth version 1.2, there are two supported
Table 3.2
Table of Pairs of Key Constraining Polynomials andDminL Values (Or Upper Limits When Marked with an *)
L Deg g1L Deg gL2 DminL
1 8 00000000 00000000 00000000 0000011d 119 00e275a0 abd218d4 cf928b9b bf6cb08f 63 2 16 00000000 00000000 00000000 0001003f 112 0001e3f6 3d7659b3 7f18c258 cff6efef 48 3 24 00000000 00000000 00000000 010100db 104 000001be f66c6c3a b1030a5a 1919808b 44 4 32 00000000 00000000 00000001 000000af 96 00000001 6ab89969 de17467f d3736ad9 32 5 40 00000000 00000000 00000100 00000039 88 00000000 01630632 91da50ec 55715247 32* 6 48 00000000 00000000 00010000 00000291 77 00000000 00002c93 52aa6cc0 54468311 27* 7 56 00000000 00000000 01000000 00000095 71 00000000 000000b3 f7fffce2 79f3a073 24* 8 64 00000000 00000001 00000000 0000001b 63 00000000 00000000 a1ab815b c7ec8025 21* 9 72 00000000 00000100 00000000 00000609 49 00000000 00000000 0002c980 11d8b04d 15* 10 80 00000000 00010000 00000000 00000215 42 00000000 00000000 0000058e 24f9a4bb 14* 11 88 00000000 01000000 00000000 0000013b 35 00000000 00000000 0000000c a76024d7 11* 12 96 00000001 00000000 00000000 000000dd 28 00000000 00000000 00000000 1c9c26d9 9* 13 104 00000100 00000000 00000000 0000049d 21 00000000 00000000 00000000 0026d9e3 7* 14 112 00010000 00000000 00000000 0000014f 14 00000000 00000000 00000000 00004377 5* 15 120 01000000 00000000 00000000 000000e7 7 00000000 00000000 00000000 00000089 3 16 128 1 00000000 00000000 00000000 00000000 0 00000000 00000000 00000000 00000001 1
ways of doing this. The new and simple way is for the master to ask the slave what key lengths are supported using a bit vector (see Section 5.2). This is par- ticularly useful in the case of broadcast encryption key negotiation. Alterna- tively, the master can proceed according to the procedure outlined below.
Each approved Bluetooth device must implement a maximal key size value
Lmax, 1 ≤ Lmax ≤ 16. In addition, each Bluetooth application should specify a
lower value ofLdenoted asLmin. The effective key sizeLthat the two devicesA
andBwill use is determined through a negotiation that tries to find the largest key size that satisfies all the constraints on L between the master and slave devices. The negotiation starts with the master suggesting a lengthLsugto a slave
that equals the highest possible value for the master. If the constraints at the slave allow this suggested value ofL, the suggested value is accepted as the value to be used. If the slave is not allowed to use the suggested value ofL, the slave will send itsLmaxback to the master. Again, if the master allows this key length it
will be used; otherwise, the master proposes the closest acceptable length that is smaller than this. The procedure is repeated with the master and slave alternat- ing proposing the largest remaining key length. This hopefully leads finally to a key length that both master and slave can accept. However, it could be that the constraints are such that no key length exists that meets the size requirements of the slave and the master.
3.6.3 Payload keyKP
The payload key is the actual key that is used to (de)cipher the (incoming) out- going packages. The value ofKPis computed per packet using the constraint key
′
KC, and by a short run forE0loaded withKC′, 26 bits of the current clock value,
BD_ADDR, and a 128-bit random EN_RAND, Figure 3.6 shows that KP is
computed by the algorithm E0(see Section 4.4). In fact, KP is formed by the
state of the 4-bit register in the feedback path ofE0and the last 128 bits of the
key stream generated byE0when initialized with its input data and clocking the
EN_RAND BD_ADDR Clock K’C
E0 KP
cipher to produce 240 symbols. Altogether, KP is 132 bits in size. In Section
4.4.1 we return to the exact details.