Bluetooth leaves room for security

Before passing judgment on the quality of Bluetooth security, we need to understand what security is and its purpose. Let us begin by examining some basic requirements for a secure, wire-free system and then compare our findings with what Bluetooth currently has to offer.

A security policy is a well-defined set of rules that determines what access a subject has and to which objects. Subjects are people and objects are defined by what the system protects-that is, the data maintained by the computer system. The set of security rules must be well-defined and deterministic. "Only employees are allowed access to 'Company Confidential' data" is an example of a security rule. This type of rule is called a Mandatory A ccess Control rule. Another type of rule called a Discretionary Access Control can also be used to enforce "need to know" on a selected subject basis. In some cases, a computer system may only implement the Discretionary Access Control, but rely on the people to implement the Mandatory Access Control portion of an overall policy.

To establish accountability to a subject (person), the subject must be identified and authenticated. Strong security mandates that we reliably know who the subject is in order to effect a mandatory rule or a discretionary selection. If we do not know who the subject is, how do we know if the subject is an employee or someone who has been selected on a need-to-know basis?

Security-relevant actions

Another crucial element of accountability is auditing. Auditing selectively records the security-relevant actions of subjects, allowing these events to be traced to the responsible party and thus verifying the trust placed in the party.

The security features of a system must be complete and free from tampering and modifications. The system must be able to protect itself from attempts to change its behaviors or to monitor its internal processes. These issues are called secrecy and integrity. Secrecy means the data the system handles on behalf of a subject with proper access is not exposed to someone who lacks proper access. Integrity means the data has not been changed by a subject without proper access, while the system is processing the data on behalf of a subject who has it. For example, secrecy and integrity are an issue when the system is transferring data over a network that is shared by both authorized and unauthorized subjects.

Bluetooth security is properly classified as link-layer encryption. Bluetooth can establish an encrypted link between two Bluetooth devices. It also provides what is typically misrepresented as authentication.

Bluetooth can establish link encryption between two devices when a symme tric encryption key is created in both of them. This process, called pairing, uses a shared secret known as a PIN that is passed out-of-band, as opposed to over a Bluetooth channel. The shared symmetric encryption keys are then created and exchanged in a secure manner with the use of the PIN. The pairing process would be properly classified as a key-management or a key-exchange mechanism.

Bluetooth authentication is the process of verifying that the other device has the same encryption key before enabling encryption on the connection. This is a connection-management issue designed to prevent the confusion that would result if the nodes on the connection used different encryption keys.

If Bluetooth security is mapped to a security policy requirement, Bluetooth would provide a definition of its subjects, objects, and the rules and selections it enforces. Bluetooth does not currently provide this capability, so it does not enforce a system security policy.

In the case that Bluet ooth is mapped to the accountability requirement, Bluetooth would provide subject authentication and auditing. While Bluetooth claims to provide authentication, its authentication does not determine the identity of a subject (person), but only verifies that the nodes on a connection have the same encryption key that was exchanged in a pairing process. Bluetooth does not establish accountability to a person and therefore does not meet the accountability requirement.

And if Bluetooth security is mapped to the assurance requirement, it would provide secrecy and integrity for data being passed over the air, thus preventing eavesdropping and tampering with the data in transit. This is precisely what Bluetooth does. Since the communications channel cannot be physically protected, Bluetooth provides cryptographic protection of the channel.

Accountability

Bluetooth security supports only the assurance requirement and does not support the policy and accountability requirements. Therefore it is not a complete security story. To complete the picture, user authentication, auditing and mandatory or discretionary access control must be added.

As a simple case study, let's use a hotel to examine how Bluetooth security could be used and improved. Our subjects could be defined as people in the hotel with Bluetooth-enabled personal digital assistant (PDAs). The subjects could be classified as visitors, guests or employees. A guest is defined as someone who is currently registered in the hotel and has an open account called a room number. A visitor is someone in the hotel with a Bluetooth-enabled PDA who is not registered and does not have an open account. The objects could be defined as the rooms in the hotel, and the shared facilities such as the pool, exercise room, spa and so forth. Other objects may be printers and vending machines.

The policy rules can now be defined. For example, only guests and employees have access to the pool, exercise room and spa. Only the guest registered to a particular room and employees have access to that room. Guests have access to printers and vending machines, with services charged to the room account number. Visitors have access to printers and vending machines when a credit card number is provided.

Each device has to implement the part of the policy that governs the use of the object the device manages. Each also must authenticate the subject requesting services and may also audit the access (for billing services). The access control and auditing occur within the device and are not visible to Bluetooth. Authentication is, however, an interaction that occurs between a subject and the device and as such, Bluetooth will be involved.

Bluetooth could be just the transport of an authentication protocol. That is, an authentication protocol is implemented that has nothing specifically to do with Bluetooth other than to establish a communications link between the subject's PDA and the device.

Another approach would be to bind user identities to the cryptographic keys used in Bluetooth link-layer encryption. When a hotel vending machine does Bluetooth pairing and authentication to a user PDA, it knows the room account number that has been associated with the user's BD_ADDR and PIN. If the requesting device did not know the unique PIN associated with a particular hotel guest, Bluetooth pairing and authentication would fail. If the PIN were known, the subject would then be classified as a guest and his room number would be his identity. If a generic visitor PIN was used, limited access would be provided or a credit card number would be requested.

Acquiring the PIN would be accomplished at a kiosk that registers the person, acquires a credit card number and then assigns a room number.