breaking the bluetooth pairing fixed coordinate invalid
play

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve - PowerPoint PPT Presentation

Mar 20, 2023 •34 likes •784 views

Breaking the Bluetooth Pairing Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann Department of Computer Science Technion Israel Institute of Technology Cryptoday 2018 Eli Biham, Lior Neumann (Technion) Breaking the

  1. Breaking the Bluetooth Pairing – Fixed Coordinate Invalid Curve Attack Eli Biham Lior Neumann Department of Computer Science Technion – Israel Institute of Technology Cryptoday 2018 Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 1 / 44

  2. Overview Bluetooth is a widely deployed platform for wireless communication between mobile devices. Examples: Mobile computers – mobile-phones and laptops. Computer peripherals – mouses and keyboards. Wearable smart devices – fitness tracker and smart watches. Audio equipments – wireless headphones and speakers. IoT – smart door locks and smart lights. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 2 / 44

  3. Overview The Bluetooth standard is comprised of two main protocols Bluetooth BR/EDR, and Bluetooth Low Energy (aka. Bluetooth Smart) Both protocols promise to provide confidentiality and MitM protection. In this talk we show that none of these protocols provided the promised protections. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 3 / 44

  4. Bluetooth Pairing The Bluetooth pairing establishes connection between two devices. The latest pairing protocols are Bluetooth BR/EDR – Secure Simple Pairing (SSP) Bluetooth Low Energy – Low Energy Secure Connections (LE SC) Both LE SC and SSP are variants of authenticated Elliptic-Curve Diffie-Hellman protocol for key-exchange. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 4 / 44

  5. Legacy Pairing Eavesdropping Attack A paper published in 2013 by Mike Ryan pointed out that BTLE “Legacy Pairing” is vulnerable to an eavesdropping attack. Legacy Pairing is protected by a 6-digit decimal mutual temporary key. The attack recovers the session key by exhaustively searching through all million possible temporary keys. This vulnerability was mitigated by LE SC using ECDH. Mike Ryan also published CrackLE, an open-source software that recovers the session key from captured Legacy Pairing traffic. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 5 / 44

  6. Introduction to Elliptic Curves Elliptic curves over finite fields are defined by group equation and the underlying field F q . Consider curves in Weierstrass form y 2 = x 3 + ax + b . y 2 = x 3 + ax + b The elements of the group are: All pairs ( x , y ) ∈ F 2 q that satisfy the curve equation. An identity element called point-at-infinity denoted by ∞ . We denote points that satisfy the equation as P = ( Px , Py ) . The figures are drawn over R for intuition, while the formulae are defined over F q as used in cryptography. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 6 / 44

  7. Introduction to Elliptic Curves The group operation is point addition. The use the following notations: Point Addition – Adding two group elements P , Q ∈ E , st. P � = Q . Point Doubling – Adding a group element P ∈ E to itself. Repeated Addition – Denote [ α ] P to be the sum of α times repeated additions of P to itself. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 7 / 44

  8. Point Inversion Given a point P = ( Px , Py ) the inverse of P is computed by reflecting it across the x-axis P − 1 = ( Px , − Py ) . y 2 = x 3 + ax + b P P − 1 Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 8 / 44

  9. Point Addition y 2 = x 3 + ax + b Q P R=P+Q s ≡ ( Py − Qy )( Px − Qx ) − 1 ( mod q ) Rx ≡ s 2 − Px − Qx ( mod q ) Ry ≡ Py − s ( Rx − Px ) ( mod q ) It can be seen that these formulae do not involve the curve parameter b. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 9 / 44

  10. Point Doubling y 2 = x 3 + ax + b P R=[2]P s ≡ ( 3 Px 2 + a )( 2 Py ) − 1 ( mod q ) Rx ≡ s 2 − 2 Px ( mod q ) Ry ≡ Py − s ( Rx − Px ) ( mod q ) It can be seen that these formulae do not involve the curve parameter b. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 10 / 44

  11. Order Two Points An important observation is that every point of the form P = ( Px , 0 ) equals its own inverse, thus has order two [ 2 ] P = ∞ . 10 x = − 3 y 2 = x 3 − 3 x + 18 5 − 15 − 10 − 5 –3 5 10 15 0 − 5 − 10 Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 11 / 44

  12. Elliptic Curve Diffie-Hellman The Elliptic Curve Diffie-Hellman ( ECDH ) protocol is a variant of the Diffie-Hellman key exchange protocol. Both parties agree on an Elliptic Curve E and a generator point P ∈ E . Then they communicate as follows: Alice Bob Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 12 / 44

  13. Elliptic Curve Diffie-Hellman The Elliptic Curve Diffie-Hellman ( ECDH ) protocol is a variant of the Diffie-Hellman key exchange protocol. Both parties agree on an Elliptic Curve E and a generator point P ∈ E . Then they communicate as follows: Alice Bob Select a random private key SKa ∈ [ 2, n − 2 ] Select a random private key SKb ∈ [ 2, n − 2 ] Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 12 / 44

  14. Elliptic Curve Diffie-Hellman The Elliptic Curve Diffie-Hellman ( ECDH ) protocol is a variant of the Diffie-Hellman key exchange protocol. Both parties agree on an Elliptic Curve E and a generator point P ∈ E . Then they communicate as follows: Alice Bob Select a random private key SKa ∈ [ 2, n − 2 ] Select a random private key SKb ∈ [ 2, n − 2 ] Compute the appropriate public key Compute the appropriate public key PKa = [ SKa ] P PKb = [ SKb ] P Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 12 / 44

  15. Elliptic Curve Diffie-Hellman The Elliptic Curve Diffie-Hellman ( ECDH ) protocol is a variant of the Diffie-Hellman key exchange protocol. Both parties agree on an Elliptic Curve E and a generator point P ∈ E . Then they communicate as follows: Alice Bob Select a random private key SKa ∈ [ 2, n − 2 ] Select a random private key SKb ∈ [ 2, n − 2 ] Compute the appropriate public key Compute the appropriate public key PKa = [ SKa ] P PKb = [ SKb ] P PKa Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 12 / 44

  16. Elliptic Curve Diffie-Hellman The Elliptic Curve Diffie-Hellman ( ECDH ) protocol is a variant of the Diffie-Hellman key exchange protocol. Both parties agree on an Elliptic Curve E and a generator point P ∈ E . Then they communicate as follows: Alice Bob Select a random private key SKa ∈ [ 2, n − 2 ] Select a random private key SKb ∈ [ 2, n − 2 ] Compute the appropriate public key Compute the appropriate public key PKa = [ SKa ] P PKb = [ SKb ] P PKa PKb Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 12 / 44

  17. Elliptic Curve Diffie-Hellman The Elliptic Curve Diffie-Hellman ( ECDH ) protocol is a variant of the Diffie-Hellman key exchange protocol. Both parties agree on an Elliptic Curve E and a generator point P ∈ E . Then they communicate as follows: Alice Bob Select a random private key SKa ∈ [ 2, n − 2 ] Select a random private key SKb ∈ [ 2, n − 2 ] Compute the appropriate public key Compute the appropriate public key PKa = [ SKa ] P PKb = [ SKb ] P PKa PKb Compute the shared secret DHkey = [ SKa ] PKb Compute the shared secret DHkey = [ SKb ] PKa Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 12 / 44

  18. Invalid Curve Attack The Invalid Curve Attack, introduced by Biehl et al., is a cryptographic attack where invalid group elements (points) are used in order to manipulate the group operations to reveal secret information. Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 13 / 44

  19. Invalid Curve Attack Let SK be the secret key of the victim device and let PK = [ SK ] P its public key. Let E ′ be a different group defined by the curve equation y 2 = x 3 + ax + b ′ with the same a and a different b ′ parameter. Victim Attacker Select a curve E ′ with a point Q 1 ∈ E ′ of a small prime order | Q 1 | = p 1 Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 14 / 44

  20. Invalid Curve Attack Let SK be the secret key of the victim device and let PK = [ SK ] P its public key. Let E ′ be a different group defined by the curve equation y 2 = x 3 + ax + b ′ with the same a and a different b ′ parameter. Victim Attacker Select a curve E ′ with a point Q 1 ∈ E ′ of a small prime order | Q 1 | = p 1 PK Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 14 / 44

  21. Invalid Curve Attack Let SK be the secret key of the victim device and let PK = [ SK ] P its public key. Let E ′ be a different group defined by the curve equation y 2 = x 3 + ax + b ′ with the same a and a different b ′ parameter. Victim Attacker Select a curve E ′ with a point Q 1 ∈ E ′ of a small prime order | Q 1 | = p 1 PK Q 1 Eli Biham, Lior Neumann (Technion) Breaking the Bluetooth Pairing Cryptoday 2018 14 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Examination of the Impact of Mixed Variable & Fixed Non-Content-Based Invalid Responding

An Examination of the Impact of Mixed Variable & Fixed Non-Content-Based Invalid Responding

An Examination of the Impact of Mixed Variable & Fixed Non-Content-Based Invalid Responding on the MMPI-3 Validity Scales Maddie Cardellio 1 , Amanda N. Hansen 1 , Akshata Melanahalli 1 , Danielle Burchett 1 , & Yossef S. Ben-Porath 2 1

269 views • 15 slides
An Examination of the Impact of Mixed Variable & Fixed Non-Content-Based Invalid Responding

An Examination of the Impact of Mixed Variable & Fixed Non-Content-Based Invalid Responding

An Examination of the Impact of Mixed Variable & Fixed Non-Content-Based Invalid Responding on the MMPI-3 Substantive Scales Amanda N. Hansen 1 , Maddie Cardellio 1 , Akshata Melanahalli 1 , Danielle Burchett 1 , & Yossef S. Ben-Porath 2

349 views • 10 slides
Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth

Bluetooth Team 1 What is Bluetooth? Origins Ericsson, 1994 Harald Bluetooth Today Bluetooth Special Interests Group Compatible with a multitude of devices Widespread IEEE Standard Secure

230 views • 7 slides
Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing Pairing is the process by which we condition ourselves, the teaching materials, and

Pairing & Manding Vincent J. Carbone Ed.D., BCBA-D NYS Licensed Behavior Analyst Carbone Clinic New York Boston Dubai www.CarboneClinic.com www.TheCarboneclinic.ae IESCUM Parma, Italy December 1,2 & 3, 2016 1 Pairing

622 views • 35 slides
Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by

Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by

Using Bluetooth Low Energy for Location What is BLE? Bluetooth Low Energy Originally designed by Nokia as Wibree (2001) Bluetooth Smart Why has BLE been so Successful? Rapid adoption by vendors Apple Samsung Simple design Cheap in

422 views • 20 slides
Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is

Secure Device Pairing What is device pairing? What is device pairing? What is the problem? The wireless communica8on channel is rela8vely easy to

298 views • 9 slides
Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda

Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda

ITE Mid-Colonial District Annual Meeting April 29, 2010 Using Bluetooth to Determine Using Bluetooth to Determine Travel Times www.kmjinc.com 1 Agenda Bluetooth and How It Works The BlueTOAD TM Device Evaluation Project

270 views • 22 slides
T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan

T2Pair: Secure and Usable Pairing for Heterogeneous IoT Devices Xiaopeng Li, Qiang Zeng , Lannan Luo, Tongbo Luo CCS 2020 IoT Pairing Pairing is supposed to establish a secure communication channel IoT pairing is important for adding

345 views • 21 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 22 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.44k views • 105 slides
Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing

Pairing-Based Cryptography & Generic Groups Lecture 21 Bilinear Pairing Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Bilinear Pairing Two (or three) groups with an

1.67k views • 118 slides
Team X B Bhooma Reddy (200601224) Koundinya (200601201) Bluetooth wireless technology is a

Team X B Bhooma Reddy (200601224) Koundinya (200601201) Bluetooth wireless technology is a

Team X B Bhooma Reddy (200601224) Koundinya (200601201) Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of

467 views • 18 slides
Pairing time-reversal states J = 0 + (a) +m -m k F k F K k F + L.N.

Pairing time-reversal states J = 0 + (a) +m -m k F k F K k F + L.N.

Nuclear pairing from microscopic forces (with applications) Paolo Finelli Dept. of Physics and Astronomy, University of Bologna paolo. fj nelli@bo.infn.it Based on Phys. Rev. C 90, 044003 Published 21 October 2014 Pairing time-reversal

674 views • 22 slides
Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are

Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are

Presented By: Paul Misticawi VP of Sales, TrafficCast What is Bluetooth How are traveltimes derived from Bluetooth devices Turning Raw Data into Information Applications Using Bluetooth TravelTimes Using

198 views • 16 slides
IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s

IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s

IoTSSC Bluetooth Bluetooth Classic (Basic Rate BR/Enhanced Data Rate EDR) In 1990s Ericsson wanted to connect other devices to mobile phone without cables Established a consortium which accumulated over the years 20k members (!)

933 views • 46 slides
Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear

Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear

Pairing-Based Cryptography & Generic Groups Lecture 22 1 Bilinear Pairing 2 Bilinear Pairing Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear 2 Bilinear Pairing Two (or three) groups

1.06k views • 102 slides
Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short

Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short

Next Generation BlueZ & Bluetooth Smart Devices Johan Hedberg (Intel) Bluetooth Short Introduction Short range wireless technology operating at 2.4 GHz Originally announced in 1998 as a replacement for RS-232 but has evolved

346 views • 21 slides
Bluetooth Mesh under the Microscope: How much ICN is Inside? Hauke Petersen, Peter Kietzmann,

Bluetooth Mesh under the Microscope: How much ICN is Inside? Hauke Petersen, Peter Kietzmann,

Bluetooth Mesh under the Microscope: How much ICN is Inside? Hauke Petersen, Peter Kietzmann, Cenk G undo gan, Thomas C. Schmidt and Matthias W ahlisch peter.kietzmann@haw-hamburg.de 6th ACM Conference on Information-Centric Networking

639 views • 44 slides
Capstone 2020 Presentation BlueDentist Project Summary Develop a portable, wideband SDR module

Capstone 2020 Presentation BlueDentist Project Summary Develop a portable, wideband SDR module

Capstone 2020 Presentation BlueDentist Project Summary Develop a portable, wideband SDR module that utilizes a GPU for digital signal processing Develop firmware and software to monitor and analyze Bluetooth signals Team Jeff Longo Chris

748 views • 23 slides
Comprehensive,Experimental, Analysis,of,Automotive, Attack,Surfaces, Checkoway,et,al ,

Comprehensive,Experimental, Analysis,of,Automotive, Attack,Surfaces, Checkoway,et,al ,

Comprehensive,Experimental, Analysis,of,Automotive, Attack,Surfaces, Checkoway,et,al , Presented(By(Lucas(Copi( Overview, Introduction, Automotive,Threat,Models, Vulnerability,analysis, Conclusion, Introduction,

464 views • 18 slides
+ eDiscovery: Energy Ef fi cient Device Discovery for Mobile Opportunistic Communications Bo Han

+ eDiscovery: Energy Ef fi cient Device Discovery for Mobile Opportunistic Communications Bo Han

+ eDiscovery: Energy Ef fi cient Device Discovery for Mobile Opportunistic Communications Bo Han AT&T Labs Research Aravind Srinivasan University of Maryland Presented by Xin Gao NJIT + Summary 2 Background Introduction

256 views • 12 slides
Explosive percolation in random Bluetooth graphs G abor Lugosi ICREA and Pompeu Fabra

Explosive percolation in random Bluetooth graphs G abor Lugosi ICREA and Pompeu Fabra

Explosive percolation in random Bluetooth graphs G abor Lugosi ICREA and Pompeu Fabra University, Barcleona joint work with Nicolas Broutin (INRIA) Luc Devroye (McGill) irrigation graphs Start with a connected graph on n vertices.

982 views • 61 slides
iot.schema.org Michael Koster Darko Anicic W3C WoT Open Day July 10, 2017 The Problem Many

iot.schema.org Michael Koster Darko Anicic W3C WoT Open Day July 10, 2017 The Problem Many

iot.schema.org Michael Koster Darko Anicic W3C WoT Open Day July 10, 2017 The Problem Many standards organizations for connected things: OCF, Zigbee, Z-Wave, Bluetooth, Fairhair Focus on Device Certification Exclusive, require

668 views • 22 slides
Bowsense - A minimalistic Approach to Wireless Motion Sensing Hans Wilmers Norwegian Centre for

Bowsense - A minimalistic Approach to Wireless Motion Sensing Hans Wilmers Norwegian Centre for

Bowsense - A minimalistic Approach to Wireless Motion Sensing Hans Wilmers Norwegian Centre for Technology in Music and the Arts (NOTAM) hans.wilmers@notam02.no Soundprocessing, how we do it in Norway notam . . notam bowsense - LAC2009,

582 views • 27 slides
AE in Radio Standards Kaisa Nyberg Aalto University, School of Science Department of Information

AE in Radio Standards Kaisa Nyberg Aalto University, School of Science Department of Information

AE in Radio Standards Kaisa Nyberg Aalto University, School of Science Department of Information and Computer Science and Nokia Research Center Finland July 2012 Mobile Algorithms GSM A5/1 A5/3 (Kasumi-based) UMTS UEA1

542 views • 14 slides

More recommend