What is Bluetooth encryption and how does it work?

Many of our electronic devices have switched to wireless technology for connectivity over the years. Instead of long, tangled wires on our mouse, keyboard, headphones, and speakers, we have easy-to-use and convenient wireless elements that let us get even more out of technology.

Since many of these wireless devices rely on Bluetooth technology, Bluetooth SIG (the Bluetooth Technology Authority) has added a variety of security protocols while maintaining convenience and reliability.

What makes Bluetooth security possible are its encryption methods and smart algorithms. Keep reading if you’re interested in how Bluetooth security is designed and how it uses encryption.

Latest Bluetooth Versions and Low Energy Privacy

Bluetooth security aims to provide standard protocols for Bluetooth-enabled devices regarding authentication, integrity, confidentiality, and privacy, all of which use encryption. It has been in use since 1998 and has already had several iterations.

In 2010, with the growing need for better short-range wireless technology, Bluetooth SIG developed a new version of Bluetooth: Bluetooth 4.0. The most significant difference between older generations of Bluetooth and Bluetooth 4.0 is the addition of BLE (Bluetooth Low Energy).

Note that “Low Energy” in BLE does not necessarily mean that it uses less power; it just means that it works well with low-power devices like wireless headphones, which have minimal battery capacity.


Since most devices run on Bluetooth 4.0 and later, we will specifically discuss the design stack of these new versions. Additionally, this release resolved many of the security issues of previous Bluetooth generations.

Current versions of Bluetooth use the BLE stack.

BLE Security Manager

We are interested in a piece of the fourth layer of the stack known as Security Manager, which handles everything related to authentication, security, confidentiality and privacy. The security manager implements its protocols through device pairing and bonding.

BLE pairing methods

Pairing is an integral part of the Bluetooth Security Manager. It verifies that the device you are connecting to is the intended device, then generates an encryption key that both devices will use throughout the session.

Your devices can use multiple authentication methods to ensure that you are connecting to the intended device. These methods include the following:

  • Just Works: The fastest but least secure method of transmitting encryption keys for both devices
  • OOB (out of band): Uses other authentication methods (besides Bluetooth) to send encryption keys. An example would include connecting via NFC or using your device’s camera to scan a QR code on the other device’s screen
  • Passkey: Users authenticate by giving the correct passkey when prompted
  • Numerical comparison: Works like Passkey, but devices automatically send passkeys. Users only need to confirm if both devices have the same passkeys
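How a pairing ends up with one of these four methods depends on the features the two devices exchange at the start of pairing. The following is an added example, not code from the original article or from any Bluetooth stack: it follows the Security Manager selection rules in the Bluetooth Core Specification, and `PairingFeatures`, `select_pairing_method` and `audit` are names invented here for illustration.

```python
from dataclasses import dataclass

# IO capability names follow the Bluetooth Core Specification (Security Manager).
HAS_KEYBOARD = {"KeyboardOnly", "KeyboardDisplay"}
CAN_CONFIRM = {"DisplayYesNo", "KeyboardDisplay"}   # display plus yes/no input

@dataclass(frozen=True)
class PairingFeatures:
    """Features one device advertises when pairing starts (illustrative class)."""
    io: str                            # DisplayOnly, DisplayYesNo, KeyboardOnly,
                                       # NoInputNoOutput or KeyboardDisplay
    oob: bool = False                  # out-of-band data (NFC, QR code) available
    mitm: bool = False                 # asks for man-in-the-middle protection
    secure_connections: bool = False   # LE Secure Connections (Bluetooth 4.2+)

def select_pairing_method(initiator, responder):
    """Return (method, authenticated) for the two advertised feature sets."""
    sc = initiator.secure_connections and responder.secure_connections
    # OOB: legacy pairing needs OOB data on both sides, Secure Connections on either.
    if (initiator.oob or responder.oob) if sc else (initiator.oob and responder.oob):
        return "OOB", True
    # IO capabilities are only consulted when at least one side requests MITM protection.
    if not (initiator.mitm or responder.mitm):
        return "Just Works", False
    caps = {initiator.io, responder.io}
    if "NoInputNoOutput" in caps:
        return "Just Works", False
    if sc and caps <= CAN_CONFIRM:
        return "Numeric Comparison", True
    if caps & HAS_KEYBOARD:
        return "Passkey", True
    return "Just Works", False         # two displays, nobody can type or confirm

def audit(initiator, responder):
    """Flag pairings that fall back to an unauthenticated key despite a MITM request."""
    method, authenticated = select_pairing_method(initiator, responder)
    downgraded = (initiator.mitm or responder.mitm) and not authenticated
    return {"method": method, "authenticated": authenticated, "downgraded": downgraded}

if __name__ == "__main__":
    phone = PairingFeatures("KeyboardDisplay", mitm=True, secure_connections=True)
    peers = {  # constructed sample peers
        "headset": PairingFeatures("NoInputNoOutput"),
        "keyboard": PairingFeatures("KeyboardOnly", mitm=True),
        "watch": PairingFeatures("DisplayYesNo", mitm=True, secure_connections=True),
    }
    for name, peer in peers.items():
        print(name, audit(phone, peer))
```

The `downgraded` flag is the case worth logging on a device that requires authenticated pairing: the peer's capabilities forced Just Works even though protection against an active attacker was requested.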

BLE encryption key algorithms

Now that your devices have authenticated the identity of the connecting device, they send the encryption keys that they will use to encrypt and decrypt data throughout the session.

The Bluetooth security manager has different phases where it uses various encryption key algorithms to work properly. The most common encryption key algorithms used by the latest versions of Bluetooth (4.0 and above) are:

  • Symmetric key ciphers: this type of encryption uses a single key to decrypt hashes or ciphers
  • Asymmetric key ciphers: this type of encryption uses what is called a public key and a private key. A public key is used to encrypt the data, while a private key decrypts the encrypted data
  • Elliptic Curve Cryptography (ECC): uses an elliptic curve equation to create keys that are much shorter than symmetric or asymmetric keys, but just as secure
  • Advanced Encryption Standard (AES): is a symmetric block cipher with a size of 128 bits

The security manager pairing and bonding process

The Security Manager layer is designed to handle everything security related within Bluetooth through what are known as pairing and bonding processes. There will always be a master device and a slave device in a Bluetooth connection.

The master device is the device that searches for Bluetooth enabled devices. In contrast, a slave is a device that broadcasts its location for the world to know.

An example of a master-slave relationship would be your phone and a wireless headset. Your phone is the master device because it searches for Bluetooth devices, while your wireless headset is the slave because it broadcasts its signals for your phone to find.

The pairing process covers the first two of the security manager’s three phases. It involves the initial connection between the devices attempting to connect.

  • For the initial pairing, the master and slave devices would share a list of each device’s features and the version of Bluetooth they are running. These capabilities would include whether or not the device has a screen, keyboard, camera, and NFC.

  • After briefing each other on their capabilities, the slave and master devices would decide which security protocol and encryption algorithms to use.

  • The shared encryption key for the initial pairing of the two devices is known as an STK (Short Term Key). As the name suggests, an STK is the encryption key that the master and slave devices use until the session ends.

  • When the two devices have been successfully paired, they use the STK to encrypt every packet of data they would share. And with encrypted data, anyone trying to monitor your session won’t have an STK to decrypt the data.

  • The problem with an STK is that it is only suitable for one session. Both devices will need to keep pairing to generate a new STK for each session. For this reason, an additional optional step called bonding has been developed.
  • The bonding stage is the third phase of the Bluetooth security manager. This is the optional prompt you get on your device asking if you trust the paired device and want to connect to it whenever it sees the device broadcasting.
  • Since the two devices are already paired (have a secure connection via an STK), the bonding process will not require any further security checks. What this step does is generate an LTK (Long-Term Key) and an IRK (Identity Resolve Key). Both devices will then use these keys to decrypt the data and automatically identify your device whenever Bluetooth is enabled.

  • An LTK is an encryption key similar to an STK in that devices use it to encrypt and decrypt data. The difference is that an LTK is generated via ECC instead of AES-120 and is used long term.

To understand an IRK, let’s briefly talk about the Bluetooth MAC address. All Bluetooth enabled devices are equipped with a NIC (Network Interface Controller). Each NIC comes with a unique MAC (Media Access Control) address. You cannot change these MAC addresses because the given addresses are hard-coded into the physical hardware of the network card.

While you can spoof a MAC address through software, it’s not a viable option when you want your device to be identified by related devices. With this in mind, Bluetooth SIG has added an IRK system that allows your device to be recognized by paired devices and unidentifiable by unknown Bluetooth devices.

Dig deep

Bluetooth is a complex mix of technologies that offers a wide range of device compatibility, convenience and reliability. The nature of Bluetooth makes Bluetooth security a somewhat tricky subject.

The points given above are simplified and intended to give a general idea of how encryption and Bluetooth security work. Hopefully, this serves as a gateway for those interested in security to dig deeper and learn more about the inner workings of Bluetooth. Those interested, welcome to the rabbit hole!

About the Author

About Marion Browning
